How to Choose and Use Seals
by Dr. Roger G. Johnston and Dr. Jon S. Warner
Tamper-indicating seals have been in use for well over 7,000 years. Today, seals are
widely used for a variety of applications, including cargo security, nuclear safeguards,
counterintelligence, theft detection, loss prevention, records security, employee drug
testing, and election integrity. They protect money, transportation containers, footlockers,
courier bags, filing cabinets, utility meters, hazardous materials, instrument calibrations,
drugs, weapons, computer media, warehoused goods, and other critical items.
Despite their antiquity and widespread modern use, quite a few misconceptions, poor practices,
and misleading terminology remain when it comes to seals and seal use. This article
is a brief primer on how to choose and use seals. It is based on two decades of research
by the Vulnerability Assessment Team at Argonne National Laboratory in Illinois.
What Is, and Is Not, a Seal
First off, it is important to be clear on what a seal is and what it is not. (See the photo
at right for examples of seals.) Unlike a lock, a seal is not intended to delay or discourage
unauthorized entry (except possibly in a vague psychological sense). Instead, a seal is meant
to leave behind unambiguous, nonerasable evidence of unauthorized access. Complicating
the issue is the fact that there are “barrier” seals, which are devices that are part lock and part
seal. Barrier seals have their uses, but the downside is that they cause a lot of confusion for
users and tend to be a compromise, being neither the optimal lock nor the optimal seal for a
Barrier seals are sometimes misleadingly called “security seals” in contrast to “indicative
seals,” but this is sloppy terminology. Other terms to avoid include “tamper-proof seal” and “tamper-resistant” seal. There is no such thing as a seal that cannot be spoofed, and the idea
of “tamper resistance” applies more properly to locks, not seals.
Defeating a Seal
Unlike a lock, cutting a seal off a container is not defeating it because the fact that the seal
is damaged or missing will be noted at the time of inspection. “Defeating” or “spoofing” a
seal means to open the seal and then reseal the container it is used on without being detected
by the inspection process being used. “Attacking” a seal means undertaking a sequence
of actions intended to try to defeat the seal.
Seal manufacturers, vendors, and users typically overestimate the difficulty of defeating
their seals. At least 105 different generic methods are available for potentially defeating a
seal. These include, for example, picking the seal open without leaving evidence, counterfeiting
the seal, replicating the seal at the factory, changing the serial number, tampering with
the database of seal serial numbers, drilling into the seal to allow interior manipulation and then repairing the hole, cutting the
seal and repairing the damage, and
not installing the correct seal in the
first place and then later replacing it
with the correct seal. Full counterfeiting
is usually not the most likely
attack on a seal unless the adversary
is perhaps attacking a large number
of seals or has very limited time to
access the seal and its container.
|These are examples of the more
than 5,000 tamper-indicating seals
that are commercially available.
A fundamental fact about tamper
detection is that a seal is no better than its “seal use protocol.”
The protocol comprises the official and unofficial
procedures for seal procurement, shipping, storage,
checkout, installation, inspection, training, reporting,
disposal, securing of seal data (such as the recorded seal
serial numbers), and securing of the seal reader, if there
is one. (Typically, 15 seconds of access to either the seal
database or the seal reader allows an adversary to defeat
one or many seals in one quick effort.) Modest seals used
with a good seal use protocol can potentially provide
good tamper detection. Sophisticated seals used poorly
Choosing and Procuring Seals
In choosing a seal, it is important to realize that no seal
is unspoofable (just as no lock is undefeatable). There
is also no one “best” seal. The optimal choice of a seal
depends on the details of your security goals, threats, and
adversaries and your personnel and their training; it alsodepends on the nature of your containers, doors, hasps,
physical facilities, and time and budget constraints.
Generally, seals that are complex, difficult to use, or
present significant ergonomic problems will be resisted
by seal installers and inspectors and will not provide
Every seal needs a unique identifier, such as a serial
number, so that an adversary cannot easily swap one
seal for another. Independent parts of a seal should have
the same serial number if at all possible. Serial numbers
should not be easy to erase, dissolve, or buff out (although
they often are).
Seal vendors and manufacturers ideally should agree
contractually not to sell duplicate serial numbers or replicate
logos for anybody (even within your organization)
who is not on your rganization’s short list of authorized
seal buyers. Seal users should test if this agreement is
honored. Often it is not.
If the seal is frangible [easily broken], be sure to consider environmental conditions and any rough handling
the seal may receive. Also bear in mind that robust seals
on moving containers can be a safety hazard in that they
can gouge eyes or skin or entrap clothing.
Seals should not be chosen based solely on cost per
unit. Much higher costs often are associated with seal
installation, inspection, removal, and training. With reusable
(typically electronic) seals, be sure to factor in the
cost of unit failures, battery replacement, and theft, loss,
or vandalism of the seal, as well as the costs of protecting
and returning the seals for possible reuse.
Unused seals must be carefully protected before they
are used, not, for example, just left lying around a loading
dock. Seals should be assigned to specific individuals
who are responsible for protecting and returning unused
seals. Unused seals are potentially very useful to an adversary
during an attack or for practicing attacks.
|At inspection time, a seal should be
compared side by side with a similar,
unused seal that has been protected
Before a seal is installed, it should be checked for
manufacturing defects and for evidence of pre-installation
tampering (a “backdoor attack”), which can make it
easier for an adversary to open the seal later without leaving
The door, hasp, or locking mechanism and all sides
(including the top and bottom) of the container must be
inspected. It makes little sense to seal a container with
gaping holes in it or to apply a seal to a door, hasp, or
locking mechanism that is faulty. (It is surprising how
often people do this.)
Seal Inspection and Removal
The common misconception that unless a seal is either
missing or blatantly smashed open, no unauthorized
access or tampering has occurred could not be more
wrong. In fact, even amateurs can attack seals in a
way that leaves little (and sometimes no) evidence. Seal inspectors can detect tampering with full
reliability only if they have some idea of the most likely attack scenarios
and know what specifically to look for on a given
Simply checking to see if the seal is intact and has the
right serial number is of limited usefulness unless you are
sure no potential adversary has an interest in attacking
surreptitiously. A seal is called a “flag seal” when there
is no concern about a surreptitious attack. A flag seal is
often used to signal an employee not to unnecessarily
reprocess a container. It differs from a “tamper-ndicating
seal,” which is meant to show covert tampering or intrusion
Seal inspectors should have training on the vulnerabilities
and most likely attack scenarios for the seals they are
using in the context in which they are used. They should
have hands-on practice detecting both blatant and subtle
attacks on seals. Without this training, they cannot do the
best job of detecting tampering.
A seal must be inspected carefully both before and after
it is removed. Before removing the seal, the seal inspector
should also check to see if the seal displays the right
amount of movement, or “play,” between any two mated
Seal inspectors should always compare a seal side by
side with a protected, unused (“control”) seal of the same
kind. (See the photo above.) This is true even for seals
read at a distance with an automated reader. People are
fairly proficient at side-by-side comparisons but not very
good at remembering exact details, even for familiar
objects. The seal inspector should compare the seal color, gloss, surface finish, size, and morphology
and also check the serial number
size, font, feel, and character alignment.
Seals should be inspected for evidence
of repair or cosmetic coverups of holes
or cuts. Smelling the seal—especially as
it is being opened—is often remarkably
effective in detecting the presence of epoxies,
adhesives, paints, inks, solvents,
or coatings that an adversary applied to
the seal even months earlier to hide an
attack. Alternately, relatively inexpensive,
hand-held electronic sensors can
detect many of the same chemicals. If
time is available during the inspection,
rubbing the seal with a wire brush or
solvent can be very effective at detecting
certain kinds of counterfeit seals or seals
that have been repaired.
The door, hasp, or locking mechanism of the container,
as well as its sides, top, bottom, and if possible its insides,
must be inspected as well to reliably detect tampering.
After a seal is removed, used seal parts must be protected
or thoroughly destroyed so that they cannot be used
by an adversary for practicing or executing seal attacks.
Ideally, the used seals and seal parts should be saved for
some period of time to support a forensic examination if
The best seal inspectors seem to have an uncanny sense
that something is suspicious about a seal without necessarily
knowing what. Such intuition should never be
discounted. Security managers should also make sure that
seal inspectors are not hesitant to report their concerns.
Sometimes the consternation and delays that a suspicious
seal creates for superiors, security personnel, and logistics
managers make front-line employees reluctant to raise
Seal inspectors should be tested occasionally with
deliberately attacked seals and then heartily rewarded if
they detect them. The tests should include both seals that
have been blatantly attacked and seals that have been attacked
with more subtle methods.
Pressure-Sensitive Adhesive Label Seals
After having studied hundreds of pressure-sensitive
adhesive label seals, we have concluded that they do not
generally provide reliable tamper detection. People like
using these “sticky labels” because they are inexpensive
and appear to be easy to install and inspect.
However, they typically are easy even for amateurs to defect. If you
insist on using adhesive label seals anyway, here are some
- Match the type of adhesive to the surface. The best
adhesive for bare metal is not necessarily the best
for painted metal, plastic, wood, cardboard, paper, or
- Feel the surface to which the seal will be applied
so that you can detect any substances an adversary
might have added to reduce adhesion. Precleaning
of the surface with a solvent or detergent water is
strongly recommended. Residue from previous adhesive
label seals must be fully removed.
- The surface should not be cold, wet, corroded, or
- Full adhesion requires a wait of more than 48 hours.
This often makes it easy for someone to lift the seal
during the first 2 days without causing damage or
evidence of tampering. Heat can help speed up the
adhesion process. For safety reasons, be careful not
to heat any cleaning solvent that has not yet fully
- Ideally, the adhesive, substrate, and ink should be
made of the same material, or at least they should dissolve
in exactly the same solvent. However, few, if
any, adhesive label seals are designed this way.
- Consider covering the label seal with a plastic protective
sheet or clear protective spray while it is in use.
- During seal inspection, carefully examine the surface
area outside of the perimeter of the seal to look for
evidence of attack.
- The best way to detect tampering with an adhesive
label seal is to observe (and smell) as the seal is being
removed. The seal inspector, however, must understand
how the seal is ordinarily supposed to behave
- A blink comparator used with a kinematic mount (to
exactly reposition the camera without any necessary
adjustment) is an excellent way to compare before
and after images of seals to look for tampering. (Contact
us for more information.)
- Manufacturers and vendors often emphasize the
unique features of adhesive label seals that they claim
are difficult or impossible to replicate. In our experience,
these claims usually are quite untrue. However,
it usually does not matter since most adhesive label
seals will be attacked by reusing the original seal,
perhaps with some artistic, cosmetic, or repair work
- Seals that reveal words like “OPENED” or “VOID” when removed from a surface are largely gimmicks
that do not represent serious challenges to an adversary.
On the other hand, this feature can be quite
effective for flag seals.
In our view, existing standards for tamper-indicating
seals are not very helpful. We believe that ISO [International
Organization for Standardization] 17712, the new
international standard for freight seals, does a particularly
serious disservice to effective tamper detection. ISO
17712 formalizes flawed concepts, encourages misleading
terminology, oversimplifies critical seal issues, and
compromises cargo and homeland security. We are preparing
a detailed critique of this standard, but our advice
in the meantime is not to be overly confident about seals
that meet the ISO 17712 standard.
Better Seal Training
Because of the shortage of good training materials
on how to use seals effectively, we are in the process
of preparing a training video that discusses and demonstrates
good seal use protocols in general. This video was
scheduled to be available on the Internet in June. (See
endnote 17.) The best advice and training for tamper
detection, however, is always specific to the relevant seals
and the security application of interest. We are available
to provide seal and cargo security advice for legitimate
organizations that face security and tampering issues.
If used effectively (that is, with a good use protocol)
and with a realistic understanding of their capabilities and
vulnerabilities, seals can provide fairly reliable tamper
detection. But they are not a simple-minded, silver bullet
for tamper detection or logistics security. We believe that
much better seal designs are possible.
Roger G. Johnston, Debbie D. Martinez, and Anthony R.E. Garcia, “Were
Ancient Seals Secure?” Antiquity, Vol. 75, No. 288, 2001, pp. 299−305.
Roger G. Johnston, “Tamper-Indicating Seals,” American Scientist, Vol.
94, No. 6, 2006, pp. 515−523.
Naval Facilities Engineering Command, “Department of Defense Lock
Program: Security Seals,” https://portal.navfac.navy.mil/portal/page/portal/navfac/navfac_ww_pp/
Roger G. Johnston, “The Real Deal on Seals,” Security Management,
Vol. 41, 1997, pp. 93−100.
Roger G. Johnston, “The ‘Anti-Evidence’ Approach to Tamper-Detection,” Packaging, Tranport, Storage & Securtiy of Radioactive Material, Vol.
16, No. 2, 2005, pp. 135−144.
Roger G. Johnston, “New Research on Tamper-Indicating Seals,” International Utilities Revenue Protection Association News,
, Vol. 16, No. 1, 2006,
Lou Tyska, ed., “Seals,” Guidlines for Cargo Security & Loss Control,
National Cargo Security Council, Washington, D.C., 1999, pp. 29−38.
U.S. Nuclear Regulatory Commission, “Pressure-Sensitive and Tamper-Indicating Device Seals for Material Control and Accounting of Special
Nuclear Material,” Regulatory Guide 5.80, December 2010, http://pbadupws.nrc.gov/docs/ML1018/ML101800504.pdf.
Andrew W. Appel, “Security Seals on Voting Machines: A Case Study,”ACM Transactions on Information and System Security, Vol. 14, No. 2, September
Roger G. Johnston, Eric C. Michaud, and Jon S. Warner, “The Security
of Urine Drug Testing,” Journal of Drug Issues, Vol. 39, No. 4, 2009, pp.
Roger G. Johnston, “Tamper-Indicating Seals for Nuclear Disarmament
and Hazardous Waste Management,” Science and Global Security, Vol. 9,
2001, pp. 93−112.
Roger G. Johnston, “Tamper Detection for Safeguards and Treaty Monitoring:
Fantasies, Realities, and Potentials,” Nonproliferation Review, Vol. 8,
2001, pp. 102−115.
Roger G. Johnston and Jon S. Warner, “The Doctor Who Conundrum:
Why Placing Too Much Faith in Technology Leads to Failure,” Security Management, Vol. 49, No. 9, 2005, pp. 112−121.
Andrew W. Appel, “The Trick to Defeating Tamper-Indicating Seals,” https://freedom-to-tinker.com/blog/appel/trick-defeating-tamper-indicatingseals.
Phil Rogers, “Most Security Measures Easy to Breach,” http://www.
Jon S. Warner and Roger G. Johnston, “Why RFID Tags Offer Poor
Security,” Proceedings of the 51st Annual INMM Meeting, Baltimore, MD,
11−15 July 2010.
Argonne National Laboratory, “Vulnerability Assessment Team,” http://
Roger G. Johnston, Anthony R.E. Garcia, and Adam N. Pacheco, “Efficacy
of Tamper-Indicating Devices,” Journal of Homeland Security, 16
April 2002, http://www.homelandsecurity.org/journal/Articles/displayarticle.asp?article=50.
Roger G. Johnston and Anthony R.E. Garcia, “Vulnerability Assessment
of Security Seals,” Journal of Security Administration, Vol. 20, 1997, pp.
Roger G. Johnston, “Effective Vulnerability Assessment of Tamper-Indicating
Seals,” Journal of Testing and Evaluation, Vol. 25, 1997, pp. 451−455.
Roger G. Johnston, Anthony R.E. Garcia, and W. Kevin Grace, “Vulnerability
Assessment of Passive Tamper-Indicating Seals,” Journal of Nuclear Materials Management, Vol. 224, 1995, pp. 24−29.
Roger G. Johnston, “Assessing the Vulnerability of Tamper-Indicting
Seals,” Port Technology International, Vol. 25, 2005, pp. 155−157.
Roger G. Johnston and Anthony R.E. Garcia, “An Annotated Taxonomy
of Tag and Seal Vulnerabilities,” Journal of Nuclear Materials Management,
Vol. 229, 2000, pp. 23−30.
International Standards Organization, “Freight Containers–Mechanical
Seals,” ISO 17712, 1 September 2011.
The views expressed here are those of the authors and should not necessarily be ascribed to Argonne National Laboratory
or the U.S. Department of Energy.
© 2012 UChicago Argonne, LLC, Operator of Argonne National Laboratory. Reproduction for personal and educational purposes is authorized.