LAUR-04-7823. Improving Tamper & Counterfeit Detection. Roger G. Johnston, Ph.D., CPP, Vulnerability Assessment Team, Los Alamos National Laboratory. 505-667-7414, rogerj@lanl.gov, http://pearl1.lanl.gov/seals/default.htm
LANL Vulnerability Assessment Team Physical Security • consulting • cargo security • tamper detection • nuclear safeguards • training & curricula • vulnerability assessments • novel security approaches • new tags & seals (patents) • unique vuln. assessment lab The VAT has done detailed vulnerability assessments on hundreds of different security devices, systems, & programs. The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881)
Terminology intrusion detection: immediate (real-time) detection of unauthorized access. tamper detection: delayed (after the fact) detection of unauthorized access.
Terminology (con’t) lock: a device to delay, complicate, and/or discourage unauthorized entry. seal: a tamper-indicating device (TID) designed to leave non-erasable, unambiguous evidence of unauthorized entry or tampering. Unlike locks, seals are not necessarily meant to resist access, just record that it took place.
Terminology (con’t) tag: an applied or intrinsic feature that uniquely identifies an object or container. types of tags inventory tag (no malicious adversary) security tag (counterfeiting & lifting are issues) buddy tag or token (only counterfeiting is an issue) anti-counterfeiting (AC) tag (only counterfeiting is an issue) lifting: removing a tag from one object or container and placing it on another, without being detected.
Tags & Seals Tags: Uniquely identify an object Applications • customs • cargo security • non-proliferation • treaty verification • counter-terrorism • counter-espionage • banking & couriers • drug accountability • records & ballot integrity • evidence chain of custody • weapons & ammo security • tamper-evident packaging • anti-product counterfeiting • protecting instrument calibration • protecting medical sterilization • waste management & hazardous materials accountability Seals: Detect tampering or unauthorized access Some of the 5000+ commercial seals
Warning 1: Existing Tamper-Evident Packaging isn’t very effective, yet product tampering (by insiders or outsiders) is inevitable.* On a bag of Fritos: You could be a winner! No purchase necessary. Details inside.
Product Tampering Tamper-Evident Packaging Model of how to effectively deal with product tampering: J&J
Problems with Consumer Tamper-Evident Packaging • Mostly about Displacement, Due Diligence, Compliance, & Reducing Jury Awards--not effective Tamper Detection • No meaningful FDA Standards, Guidelines, or Definitions • Consumers lack sufficient information to use properly • Euphemisms (e.g., “freshness seal”) & manufacturer obscurations • Relatively unimaginative, cost-driven designs • Few useful vulnerability assessments • Not proactive to the threat
Warning 2: Existing tamper-indicating seals (at least the way they are typically used) aren’t very effective for cargo security. In theory there is no difference between theory and practice. In practice there is. -- Yogi Berra
Terminology (con’t) defeating a seal: opening a seal, then resealing (using the original seal or a counterfeit) without being detected. attacking a seal: undertaking a sequence of actions designed to defeat it. Defeating seals is mostly about fooling people, not beating hardware (unlike defeating locks, safes, or vaults)!
(Yanking a seal off a container is not defeating it, because it will be noted at the time of inspection that the seal is damaged or missing.)
Seals Vulnerability Assessment We studied 213 different seals in detail: •government & commercial • mechanical & electronic • low-tech through high-tech • cost varies by a factor of 10,000 Over half are in use for critical applications, and 16% play a role in nuclear safeguards.
Percent of seals that can be defeated in less than a given amount of time by 1 person using only low-tech methods 213 seals
Defeat Time vs. Seal Cost [plot: linear LS fit, r = 0.14, slope: 1.6 sec/$, 307 attacks]
Results for 213 Seals parameter mean median
The Good News: Countermeasures • Most of the attacks have simple and inexpensive countermeasures, but the seal installers & inspectors must understand the seal vulnerabilities, look for likely attacks, and have hands-on training. • Also: better seals are possible!
20+ New “Anti-Evidence” Seals • better security • no hasp required • no tools to install or remove seal • no hardware outside the container • 100% reusable, even if mechanical • can monitor volumes or areas, not just portals • can automatically verify the seal inspector actually checked the seal MagTag, Tie-Dye Seal, Magic Slate Seal, Glass & Powder Seal, Triboluminescence Seal, Plug Seal, Talking Truck Cargo Seal, Blinking Lights Seal, Time Trap…
Warning 3: Counterfeiting tags & seals is easier than one might imagine. Sincerity is everything. If you can fake that, you've got it made. -- Comedian George Burns (1896-1996)
Counterfeiting Tags & Seals Often overlooked: Counterfeiters usually only need to counterfeit the superficial appearance & apparent performance, not the actual tag/seal or its real performance. It's better to be looked over than overlooked. -- Mae West, Belle of the Nineties, 1934
The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious. -- Dr. Who in The Pirate Planet (1978) Warning 4: Too often, high-technology is wrongly thought to guarantee high-security. If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. -- Bruce Schneier
Why High-Tech Devices Are Usually Vulnerable To Simple Attacks • Still must be physically coupled to the real world • Still depend on the loyalty & effectiveness of user’s personnel • The increased standoff distance decreases the user’s attention to detail • Many more legs to attack
Why High-Tech Devices Are Usually Vulnerable To Simple Attacks (con’t) • The high-tech features often fail to address the critical vulnerability issues • Users don’t understand the device • Developers & users have the wrong expertise and focus on the wrong issues • The “Titanic Effect”: high-tech arrogance
Warning 5: Too often, inventory is confused with security. Not everything that can be counted counts, and not everything that counts can be counted. -- attributed to Albert Einstein (1879-1955)
Inventory • Counting and locating our stuff. • No nefarious adversary. • Will detect innocent errors by insiders, but not surreptitious attacks by insiders or outsiders.
Security • Meant to counter nefarious adversaries, typically both insiders & outsiders. • Watch out for mission creep: inventory systems that come to be viewed as security systems!
High-Tech Tags: Classic examples of confusing Inventory & Security, High-Tech & High-Security • bar codes • rf transponders (RFIDs) • contact memory buttons Usually easy to: * lift * counterfeit * spoof the reader These are excellent for inventory, but problematic for security!
GPS: Another classic example of confusing Inventory & Security, High-Tech & High-Security • The private sector, foreigners, and 90+% of the federal government must use the civilian GPS satellite signals. • These are unencrypted and unauthenticated. • They were never meant for critical or security applications, yet GPS is being used that way (e.g., cargo security).
Attacking Civilian GPS Receivers Blocking: just break off the antenna, or shield it with metal; not surreptitious. Jamming: easy to build a noisy rf transmitter from plans on the Internet; not surreptitious. Spoofing: surreptitious & (as we’ve demonstrated) surprisingly easy for even unsophisticated adversaries. There are, however, simple countermeasures. Physical attacks: appear to be easy, too.
GPS Cargo Tracking [Diagram labels: GPS Satellite; GPS Signal; Tracking Information Sent to HQ (perhaps encrypted/authenticated); “(vulnerable here)” callout] GPS is great for navigation, but it does not provide high security.
Time Vulnerabilities • Many national networks (computer, utility, financial, & telecommunications) are somewhat prepared for loss of time synchronization due to GPS jamming. But they are not prepared for spoofing, which is easy and could crash them. • The alternate time standard (NIST atomic clock) is also not authenticated or encrypted.
Warning 6: Practical & effective AC Tags don’t currently exist. The Holy Grail: a practical, inexpensive AC Tag that is easy to verify, but difficult & expensive to counterfeit. Is this even possible? The handwriting on the wall may be a forgery. -- Ralph Hodgson (1871-1962)
Potential High-Tech Tag Technologies (though little R&D is underway) • thin films • ferrofluids • ultrasonics • liquid crystals • biological materials • micro- & nano-particles • novel glasses/ceramics • transport & diffusion phenomena • advanced polymers & composites • exotic organics & macromolecules • nonlinear optical & electrooptic materials
If we don't succeed, we run the risk of failure. -- Dan Quayle CNT Technique: In the absence of effective AC Tags, this is one method to impede & detect product counterfeiting. Honesty may be the best policy, but it's important to remember that apparently, by elimination, dishonesty is the second-best policy. -- George Carlin
“Call-In the Numeric Token” (CNT) Technique Lot: 4ZB1026 Exp: 04/06 Bottle ID: MPD709 Bottle ID • unique • random, non-sequential • at least 1000 times more possible ‘Bottle’ ID numbers per Lot than actual bottles (“Bottle” can really mean bottle, tube, box, container, pallet, truck-load, etc.)
CNT Technique (con’t) • Print “Bottle” ID on bottles, or other packaging at the factory, or attach printed adhesive labels later. • Keep secure computer list (database) of valid Bottle IDs for each Lot. • ~ 3 MB required per million containers.
CNT Technique (con’t) • “Calling in”: Customers log into a web site, or call an automated phone line to quickly check if their Bottle ID is valid for the given Lot number. (Yes/No response.) • May or may not be required to identify themselves. (Pros & Cons). • Useful even if only a small fraction of customers participate.
Counterfeits are spotted by… Invalid Bottle IDs that are called-in will be immediately recognized as counterfeits. Wholesalers, re-packagers, and other handlers of large quantities can spot counterfeits even without calling-in by finding duplicate Bottle IDs in their own stock. Any duplicate valid Bottle IDs that are called-in will be flagged as counterfeits with fairly high reliability.
Counterfeiters The bad guys are hampered by these problems: • Guessing valid ID numbers isn’t practical. • Getting large numbers of valid IDs is challenging. • Making counterfeit products with duplicate IDs may lead to detection via the call-in process.
Notes • Putting the Bottle ID inside the tamper-evident packaging will make it more difficult for counterfeiters to covertly obtain valid IDs. • Bar code (or RFID) the Lot & Bottle ID numbers so wholesalers, re-packagers, and high-volume customers can automate the process. • Provide free readers & automated call-in software to major customers. • Resale of drugs can be handled multiple ways, including raising the minimum threshold for declaring counterfeiting when duplicate Bottle IDs are called in.
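The CNT slides above, worked through as an added example (this is not code from the presentation or from LANL): a lookup-table registry that issues random Bottle IDs per Lot, answers call-ins, and applies the duplicate threshold mentioned in the Notes. The ID alphabet, the names `CNTRegistry`, `id_length` and `duplicates_in_stock`, and the three-state internal verdict (a caller would only hear Yes/No) are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

# Assumed ID alphabet: 32 symbols, look-alikes (0/O, 1/I) left out.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def id_length(n_bottles, factor=1000):
    """Shortest ID length giving >= factor times more possible IDs than bottles."""
    length = 1
    while len(ALPHABET) ** length < factor * n_bottles:
        length += 1
    return length

class CNTRegistry:
    """Hypothetical manufacturer-side database of valid Bottle IDs per Lot."""

    def __init__(self, dup_threshold=1):
        self.valid = {}                     # lot -> set of issued Bottle IDs
        self.calls = defaultdict(int)       # (lot, bottle_id) -> call-in count
        self.dup_threshold = dup_threshold  # call-ins tolerated per ID (raise for resale)

    def issue_lot(self, lot, n_bottles):
        """Draw unique, random, non-sequential IDs from a CSPRNG for one Lot."""
        length = id_length(n_bottles)
        ids = set()
        while len(ids) < n_bottles:         # the set discards collisions
            ids.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
        self.valid[lot] = ids
        return list(ids)

    def call_in(self, lot, bottle_id):
        """Verdict for one call-in: INVALID, DUPLICATE or VALID."""
        if bottle_id not in self.valid.get(lot, ()):
            return "INVALID"                # never issued for this Lot
        self.calls[(lot, bottle_id)] += 1
        if self.calls[(lot, bottle_id)] > self.dup_threshold:
            return "DUPLICATE"              # same valid ID seen too often
        return "VALID"

def duplicates_in_stock(stock):
    """Offline wholesaler check: (lot, bottle_id) pairs seen more than once."""
    seen, dups = set(), set()
    for item in stock:
        (dups if item in seen else seen).add(item)
    return dups

if __name__ == "__main__":
    reg = CNTRegistry()
    first = reg.issue_lot("4ZB1026", 500)[0]   # Lot number from the slide
    print(first, reg.call_in("4ZB1026", first), reg.call_in("4ZB1026", first))
```

With this alphabet a million-bottle Lot needs six-character IDs to keep the 1000-to-1 ratio of possible to issued IDs, so a blind guess is valid at most once in a thousand tries.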
Repackagers & Pharmacies • If consolidating: Re-use some of the original Bottle IDs & destroy the rest (perhaps reporting this to the manufacturer). • If subdividing, do one of the following: • Notify manufacturer so corrections can be applied to the database. • Obtain new Bottle IDs from manufacturer. • If trusted, generate own new Bottle IDs & report them to database. • Easiest: manufacturer packs multiple (unique) IDs inside the original tamper-evident packaging, about one per new “bottle” to be created.
CNT Impact • Invisible to customers who don’t care. • May want to limit CNT to one level: wholesalers, pharmacies, or consumers (or run independent CNT systems for each level). • Roll out the CNT technique only temporarily when there is a public counterfeit scare?
CNT Impact (con’t) • Information provided by callers can help pharmaceutical companies understand the market & demonstrate a proactive approach to counterfeiting. • Might help trace counterfeiters, especially if callers identify themselves. • Getting consumers to take responsibility for checking authenticity of their own medicines may have multiple benefits.
Costs: Low to Moderate • Real-time printing of bottles or labels: inexpensive • Maintain ‘database’: inexpensive (single PC) • Software web site for callers: inexpensive (just a big LUT) • Automated, voice recognition phone line: moderate • Publicity & education to encourage participation & effective usage: moderate Run as a third party service?
LANL Time Trap • A more sophisticated approach: Let the Bottle ID (keyed “hash”) vary in time. • Tag has a microprocessor with 5-year battery and internal tamper detection. • Some tamper detection capabilities • Cost: few $ in quantity • Volume: < 1 cc • Reusable
He that wrestles with us strengthens our skill. Our antagonist is our helper. -- Edmund Burke (1729-1797) Warning 7: You need to conduct Adversarial Vulnerability Assessments (thinking like the bad guys). Traditional tools for improving security are not enough. It is sometimes expedient to forget who we are. -- Publilius Syrus (~42 BC)
Major Tools for Improving Security 1. Security Survey 2. Risk Management (“Design Basis Threat”) 3. Adversarial Vulnerability Assessment
Real vulnerability assessments… • Find vulnerabilities--because they always exist. • Treat finding vulnerabilities as good news, not bad news-- because finding them means you can do something about them. • Are meant to improve security--not to “certify” it, or make us feel confident. • View security from the perspective of the bad guys--not the good guys.
The LANL Vulnerability Assessment Team We have a CD containing related papers & reports. Available today or request a copy at rogerj@lanl.gov Ring the bells that still can ring. Forget your perfect offering. There is a crack in everything. That's how the light gets in. -- Anonymous Roger Johnston, Ph.D., CPP, Ron Martinez, Leon Lopez, Sonia Trujillo, Adam Pacheco, Anthony Garcia, Jon Warner, Ph.D., Alicia Herrera, Eddie Bitzer, M.A. http://pearl1.lanl.gov/seals/default.htm
The End He that will not apply new remedies must expect new evils; for time is the greatest innovator. -- Francis Bacon (1561-1626)