HomeHomeAbout UsBrowseBack IssueNews DispatchesSubscribing to Army SustainmentWriting For Army SustainmentContactLinksBottom

Current Issues
Cover of Issue
 


How to Choose and Use Seals

Seals are designed to show if a container has been opened.
But research demonstrates that seals are vulnerable to attack
and require careful selection, use, and inspection.

Tamper-indicating seals have been in use for well over 7,000 years.1, 2 Today, seals are widely used for a variety of applications, including cargo security, nuclear safeguards, counterintelligence, theft detection, loss prevention, records security, employee drug testing, and election integrity.3−11 They protect money, transportation containers, footlockers, courier bags, filing cabinets, utility meters, hazardous materials, instrument calibrations, drugs, weapons, computer media, warehoused goods, and other critical items.

Despite their antiquity and widespread modern use, quite a few misconceptions, poor practices, and misleading terminology remain when it comes to seals and seal use.12−16 This article is a brief primer on how to choose and use seals. It is based on two decades of research by the Vulnerability Assessment Team at Argonne National Laboratory in Illinois.17−22

What Is, and Is Not, a Seal
First off, it is important to be clear on what a seal is and what it is not. (See the photo at right for examples of seals.) Unlike a lock, a seal is not intended to delay or discourage unauthorized entry (except possibly in a vague psychological sense). Instead, a seal is meant to leave behind unambiguous, nonerasable evidence of unauthorized access. Complicating the issue is the fact that there are “barrier” seals, which are devices that are part lock and part seal. Barrier seals have their uses, but the downside is that they cause a lot of confusion for users and tend to be a compromise, being neither the optimal lock nor the optimal seal for a given application.

Barrier seals are sometimes misleadingly called “security seals” in contrast to “indicative seals,” but this is sloppy terminology. Other terms to avoid include “tamper-proof seal” and “tamper-resistant” seal. There is no such thing as a seal that cannot be spoofed, and the idea of “tamper resistance” applies more properly to locks, not seals.

Defeating a Seal
Unlike a lock, cutting a seal off a container is not defeating it because the fact that the seal
is damaged or missing will be noted at the time of inspection. “Defeating” or “spoofing” a
seal means to open the seal and then reseal the container it is used on without being detected
by the inspection process being used.18−22 “Attacking” a seal means undertaking a sequence
of actions intended to try to defeat the seal.

Seal manufacturers, vendors, and users typically overestimate the difficulty of defeating
their seals. At least 105 different generic methods are available for potentially defeating a
seal.23 These include, for example, picking the seal open without leaving evidence, counterfeiting
the seal, replicating the seal at the factory, changing the serial number, tampering with
the database of seal serial numbers, drilling into the seal to allow interior manipulation and then repairing the hole, cutting the seal and repairing the damage, and not installing the correct seal in the first place and then later replacing it with the correct seal. Full counterfeiting is usually not the most likely attack on a seal unless the adversary is perhaps attacking a large number of seals or has very limited time to access the seal and its container.

These are examples of the more than 5,000 tamper-indicating seals that are commercially available.

A fundamental fact about tamper detection is that a seal is no better than its “seal use protocol.”
1−6, 10−12, 18 The protocol comprises the official and unofficial procedures for seal procurement, shipping, storage, checkout, installation, inspection, training, reporting, disposal, securing of seal data (such as the recorded seal serial numbers), and securing of the seal reader, if there is one. (Typically, 15 seconds of access to either the seal database or the seal reader allows an adversary to defeat one or many seals in one quick effort.) Modest seals used with a good seal use protocol can potentially provide good tamper detection. Sophisticated seals used poorly will not.2, 13, 19−22

Choosing and Procuring Seals
In choosing a seal, it is important to realize that no seal is unspoofable (just as no lock is undefeatable). There is also no one “best” seal. The optimal choice of a seal depends on the details of your security goals, threats, and adversaries and your personnel and their training; it alsodepends on the nature of your containers, doors, hasps, physical facilities, and time and budget constraints.

Generally, seals that are complex, difficult to use, or present significant ergonomic problems will be resisted by seal installers and inspectors and will not provide good security.

Every seal needs a unique identifier, such as a serial number, so that an adversary cannot easily swap one seal for another. Independent parts of a seal should have the same serial number if at all possible. Serial numbers should not be easy to erase, dissolve, or buff out (although they often are).

Seal vendors and manufacturers ideally should agree contractually not to sell duplicate serial numbers or replicate logos for anybody (even within your organization) who is not on your rganization’s short list of authorized seal buyers. Seal users should test if this agreement is honored. Often it is not.

If the seal is frangible [easily broken], be sure to consider environmental conditions and any rough handling the seal may receive. Also bear in mind that robust seals on moving containers can be a safety hazard in that they can gouge eyes or skin or entrap clothing.

Seals should not be chosen based solely on cost per unit. Much higher costs often are associated with seal installation, inspection, removal, and training. With reusable (typically electronic) seals, be sure to factor in the cost of unit failures, battery replacement, and theft, loss, or vandalism of the seal, as well as the costs of protecting and returning the seals for possible reuse.

Seal Installation
Unused seals must be carefully protected before they are used, not, for example, just left lying around a loading dock. Seals should be assigned to specific individuals who are responsible for protecting and returning unused seals. Unused seals are potentially very useful to an adversary
during an attack or for practicing attacks.

At inspection time, a seal should be compared side by side with a similar, unused seal that has been protected from tampering.

Before a seal is installed, it should be checked for manufacturing defects and for evidence of pre-installation tampering (a “backdoor attack”), which can make it easier for an adversary to open the seal later without leaving evidence.

The door, hasp, or locking mechanism and all sides (including the top and bottom) of the container must be inspected. It makes little sense to seal a container with gaping holes in it or to apply a seal to a door, hasp, or locking mechanism that is faulty. (It is surprising how often people do this.)

Seal Inspection and Removal
The common misconception that unless a seal is either missing or blatantly smashed open, no unauthorized access or tampering has occurred could not be more wrong.9, 14, 21 In fact, even amateurs can attack seals in a way that leaves little (and sometimes no) evidence.9, 14, 20 Seal inspectors can detect tampering with full reliability only if they have some idea of the most likely attack scenarios and know what specifically to look for on a given seal.

Simply checking to see if the seal is intact and has the right serial number is of limited usefulness unless you are sure no potential adversary has an interest in attacking surreptitiously. A seal is called a “flag seal” when there is no concern about a surreptitious attack. A flag seal is often used to signal an employee not to unnecessarily reprocess a container. It differs from a “tamper-ndicating
seal,” which is meant to show covert tampering or intrusion attempts.

Seal inspectors should have training on the vulnerabilities and most likely attack scenarios for the seals they are using in the context in which they are used. They should have hands-on practice detecting both blatant and subtle attacks on seals. Without this training, they cannot do the
best job of detecting tampering.

A seal must be inspected carefully both before and after it is removed. Before removing the seal, the seal inspector should also check to see if the seal displays the right amount of movement, or “play,” between any two mated parts.

Seal inspectors should always compare a seal side by side with a protected, unused (“control”) seal of the same kind. (See the photo above.) This is true even for seals read at a distance with an automated reader. People are fairly proficient at side-by-side comparisons but not very good at remembering exact details, even for familiar objects. The seal inspector should compare the seal color, gloss, surface finish, size, and morphology and also check the serial number size, font, feel, and character alignment.

Seals should be inspected for evidence of repair or cosmetic coverups of holes or cuts. Smelling the seal—especially as it is being opened—is often remarkably effective in detecting the presence of epoxies, adhesives, paints, inks, solvents, or coatings that an adversary applied to the seal even months earlier to hide an attack. Alternately, relatively inexpensive, hand-held electronic sensors can detect many of the same chemicals. If time is available during the inspection, rubbing the seal with a wire brush or solvent can be very effective at detecting certain kinds of counterfeit seals or seals that have been repaired.

The door, hasp, or locking mechanism of the container, as well as its sides, top, bottom, and if possible its insides, must be inspected as well to reliably detect tampering.

After a seal is removed, used seal parts must be protected or thoroughly destroyed so that they cannot be used by an adversary for practicing or executing seal attacks. Ideally, the used seals and seal parts should be saved for some period of time to support a forensic examination if questions arise.

The best seal inspectors seem to have an uncanny sense that something is suspicious about a seal without necessarily knowing what. Such intuition should never be discounted. Security managers should also make sure that seal inspectors are not hesitant to report their concerns. Sometimes the consternation and delays that a suspicious seal creates for superiors, security personnel, and logistics managers make front-line employees reluctant to raise their concerns.

Seal inspectors should be tested occasionally with deliberately attacked seals and then heartily rewarded if they detect them. The tests should include both seals that have been blatantly attacked and seals that have been attacked with more subtle methods.

Pressure-Sensitive Adhesive Label Seals
After having studied hundreds of pressure-sensitive adhesive label seals, we have concluded that they do not generally provide reliable tamper detection. People like using these “sticky labels” because they are inexpensive and appear to be easy to install and inspect. However, they typically are easy even for amateurs to defect. If you insist on using adhesive label seals anyway, here are some suggestions.

  1. Match the type of adhesive to the surface. The best adhesive for bare metal is not necessarily the best for painted metal, plastic, wood, cardboard, paper, or glass.
  2. Feel the surface to which the seal will be applied so that you can detect any substances an adversary might have added to reduce adhesion. Precleaning of the surface with a solvent or detergent water is strongly recommended. Residue from previous adhesive label seals must be fully removed.
  3. The surface should not be cold, wet, corroded, or peeling.
  4. Full adhesion requires a wait of more than 48 hours. This often makes it easy for someone to lift the seal during the first 2 days without causing damage or evidence of tampering. Heat can help speed up the adhesion process. For safety reasons, be careful not to heat any cleaning solvent that has not yet fully evaporated.
  5. Ideally, the adhesive, substrate, and ink should be made of the same material, or at least they should dissolve in exactly the same solvent. However, few, if any, adhesive label seals are designed this way.
  6. Consider covering the label seal with a plastic protective sheet or clear protective spray while it is in use.
  7. During seal inspection, carefully examine the surface area outside of the perimeter of the seal to look for evidence of attack.
  8. The best way to detect tampering with an adhesive label seal is to observe (and smell) as the seal is being removed. The seal inspector, however, must understand how the seal is ordinarily supposed to behave and smell.
  9. A blink comparator used with a kinematic mount (to exactly reposition the camera without any necessary adjustment) is an excellent way to compare before and after images of seals to look for tampering. (Contact us for more information.)
  10. Manufacturers and vendors often emphasize the unique features of adhesive label seals that they claim are difficult or impossible to replicate. In our experience, these claims usually are quite untrue. However, it usually does not matter since most adhesive label seals will be attacked by reusing the original seal, perhaps with some artistic, cosmetic, or repair work
  11. Seals that reveal words like “OPENED” or “VOID” when removed from a surface are largely gimmicks that do not represent serious challenges to an adversary. On the other hand, this feature can be quite effective for flag seals.

ISO 17712
In our view, existing standards for tamper-indicating seals are not very helpful. We believe that ISO [International Organization for Standardization] 17712, the new international standard for freight seals, does a particularly serious disservice to effective tamper detection.24 ISO 17712 formalizes flawed concepts, encourages misleading terminology, oversimplifies critical seal issues, and compromises cargo and homeland security. We are preparing a detailed critique of this standard, but our advice in the meantime is not to be overly confident about seals that meet the ISO 17712 standard.

Better Seal Training
Because of the shortage of good training materials on how to use seals effectively, we are in the process of preparing a training video that discusses and demonstrates good seal use protocols in general. This video was scheduled to be available on the Internet in June. (See endnote 17.) The best advice and training for tamper detection, however, is always specific to the relevant seals and the security application of interest. We are available to provide seal and cargo security advice for legitimate organizations that face security and tampering issues.

If used effectively (that is, with a good use protocol) and with a realistic understanding of their capabilities and vulnerabilities, seals can provide fairly reliable tamper detection. But they are not a simple-minded, silver bullet for tamper detection or logistics security. We believe that much better seal designs are possible.2, 5, 11, 17

Roger G. Johnston, Ph.D., Certified Protection Professional, is leader of the Vulnerability Assessment Team at Argonne National Laboratory in Illinois. He was the founder and head of the Vulnerability Assessment Team at Los Alamos National Laboratory in New Mexico from 1992 to 2007. He has a bachelor’s degree from Carleton College and M.S. and Ph.D. degrees in physics from the University of Colorado.

Jon S. Warner, Ph.D., is a systems engineer with the Vulnerability Assessment Team at Argonne National Laboratory. He previously serv ed as a technical staff member with the Vulnerability Assessment Team at Los Alamos National Laboratory. He holds a B.S. degree in physics and business management from Southern Oregon University and M.S. and Ph.D. degrees in physics
from Portland State University.

Dr. Johnston and Dr. Warner have published more than 185 technical papers, given over 90 invited talks (including 6 keynote addresses at national and international security conferences), and hold 10 U.S. patents.

1. Roger G. Johnston, Debbie D. Martinez, and Anthony R.E. Garcia, “Were Ancient Seals Secure?” Antiquity, Vol. 75, No. 288, 2001, pp. 299−305.

2. Roger G. Johnston, “Tamper-Indicating Seals,” American Scientist, Vol. 94, No. 6, 2006, pp. 515−523.

3. Naval Facilities Engineering Command, “Department of Defense Lock Program: Security Seals,” https://portal.navfac.navy.mil/portal/page/portal/navfac/navfac_ww_pp/
navfac_nfesc_pp/locks/SEALS_INFO/TAB_SEALS_INTRO
.

4. Roger G. Johnston, “The Real Deal on Seals,” Security Management, Vol. 41, 1997, pp. 93−100.

5. Roger G. Johnston, “The ‘Anti-Evidence’ Approach to Tamper-Detection,” Packaging, Tranport, Storage & Securtiy of Radioactive Material, Vol. 16, No. 2, 2005, pp. 135−144.

6. Roger G. Johnston, “New Research on Tamper-Indicating Seals,” International Utilities Revenue Protection Association News, , Vol. 16, No. 1, 2006, pp. 17−18.

7. Lou Tyska, ed., “Seals,” Guidlines for Cargo Security & Loss Control, National Cargo Security Council, Washington, D.C., 1999, pp. 29−38.

8. U.S. Nuclear Regulatory Commission, “Pressure-Sensitive and Tamper-Indicating Device Seals for Material Control and Accounting of Special Nuclear Material,” Regulatory Guide 5.80, December 2010, http://pbadupws.nrc.gov/docs/ML1018/ML101800504.pdf.

9. Andrew W. Appel, “Security Seals on Voting Machines: A Case Study,”ACM Transactions on Information and System Security, Vol. 14, No. 2, September 2011, http://dl.acm.org/citation.cfm?id=2019603&CFID=63720906&CFTOKEN=32687086.

10. Roger G. Johnston, Eric C. Michaud, and Jon S. Warner, “The Security of Urine Drug Testing,” Journal of Drug Issues, Vol. 39, No. 4, 2009, pp. 1015−1028.

11. Roger G. Johnston, “Tamper-Indicating Seals for Nuclear Disarmament and Hazardous Waste Management,” Science and Global Security, Vol. 9, 2001, pp. 93−112.

12. Roger G. Johnston, “Tamper Detection for Safeguards and Treaty Monitoring: Fantasies, Realities, and Potentials,” Nonproliferation Review, Vol. 8, 2001, pp. 102−115.

13. Roger G. Johnston and Jon S. Warner, “The Doctor Who Conundrum: Why Placing Too Much Faith in Technology Leads to Failure,” Security Management, Vol. 49, No. 9, 2005, pp. 112−121.

14. Andrew W. Appel, “The Trick to Defeating Tamper-Indicating Seals,” https://freedom-to-tinker.com/blog/appel/trick-defeating-tamper-indicatingseals.

15. Phil Rogers, “Most Security Measures Easy to Breach,” http://www.
youtube.com/watch?v=frBBGJqkz9E
.

16. Jon S. Warner and Roger G. Johnston, “Why RFID Tags Offer Poor Security,” Proceedings of the 51st Annual INMM Meeting, Baltimore, MD, 11−15 July 2010.

17. Argonne National Laboratory, “Vulnerability Assessment Team,” http:// www.ne.anl.gov/capabilities/vat.

18. Roger G. Johnston, Anthony R.E. Garcia, and Adam N. Pacheco, “Efficacy of Tamper-Indicating Devices,” Journal of Homeland Security, 16 April 2002, http://www.homelandsecurity.org/journal/Articles/displayarticle.asp?article=50.

19. Roger G. Johnston and Anthony R.E. Garcia, “Vulnerability Assessment
of Security Seals,” Journal of Security Administration, Vol. 20, 1997, pp. 15−27.

20. Roger G. Johnston, “Effective Vulnerability Assessment of Tamper-Indicating Seals,” Journal of Testing and Evaluation, Vol. 25, 1997, pp. 451−455.

21. Roger G. Johnston, Anthony R.E. Garcia, and W. Kevin Grace, “Vulnerability Assessment of Passive Tamper-Indicating Seals,” Journal of Nuclear Materials Management, Vol. 224, 1995, pp. 24−29.

22. Roger G. Johnston, “Assessing the Vulnerability of Tamper-Indicting Seals,” Port Technology International, Vol. 25, 2005, pp. 155−157.

23. Roger G. Johnston and Anthony R.E. Garcia, “An Annotated Taxonomy of Tag and Seal Vulnerabilities,” Journal of Nuclear Materials Management, Vol. 229, 2000, pp. 23−30.

24. International Standards Organization, “Freight Containers–Mechanical Seals,” ISO 17712, 1 September 2011.

 

The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or the U.S. Department of Energy.

© 2012 UChicago Argonne, LLC, Operator of Argonne National Laboratory. Reproduction for personal and educational purposes is authorized.


Google
WWW Army Sustainment