This article needs additional citations for verification. (January 2009)
Tamper-evident describes a device or process that makes unauthorized access to the protected object easily detected. Seals, markings, or other techniques may be tamper indicating.
Tampering involves the deliberate altering or adulteration of information, a product, a package, or system. Solutions may involve all phases of product production, distribution, logistics, sale, and use. No single solution can be considered as "tamper proof". Often multiple levels of security need to be addressed to reduce the risk of tampering.
Some considerations might include:
- Identify who a potential tamperer might be and what level of knowledge, materials, tools, etc. might they have.
- Identify all feasible methods of unauthorized access into a product, package, or system. In addition to the primary means of entry, also consider secondary or "back door" methods.
- Control or limit access to products or systems of interest.
- Improve the tamper resistance by making tampering more difficult, time-consuming, etc.
- Add tamper-evident features to help indicate the existence of tampering.
- Educate people to watch for evidence of tampering.
- Length of time available for tampering. Particularly in transit, anyone intending to tamper with tamper-evident-protected goods, valuables, cash and confidential documents generally only has a window of opportunity of a few minutes before discovery is likely. This makes it both difficult and unlikely that they will have time to open the packaging, examine or remove the items, and restore the packaging to its original untampered condition.
Seals and signatures
Tamper-evident designs have been a feature of letters since ancient times, often using wax, clay, or metal seals to signify that the letter had not been opened since it was written. Roman signet rings for example, were unique to the person who owned them, and the ring was pressed into the hot wax seal forming a signature which could not be easily duplicated by somebody attempting to re-seal the letter.
Similar practices continue today, from examples such as envelopes to carefully designed packaging for payslips. In modern contract law, it is common to see each page of a contract individually initialled and numbered, so that any addition or removal of pages can be detected. Meanwhile, most checks have a variety of features to defeat both tampering and duplication (these are often listed on the back of the check).
Security seals are commonly employed on devices like electronic voting machines in an attempt to detect tampering. However, testing by Argonne National Laboratory and others demonstrates that existing seals can usually be quickly defeated by a trained person using low-tech methods. They offer ideas on countermeasures, and are exploring the promising option of "anti-evidence" seals.
Tamper-evident design is perhaps most visible in the process of product packaging and labeling, where it can be vital to know that the product has not been altered since it left the manufacturer.
Cans of baby food were among the first high-profile cases, where manufacturers were extorted by persons claiming to have added various poisons to baby food and replaced them on supermarket shelves. The amount of stock which needed to be destroyed (because it was impossible to tell if a given item had been tampered with), and the threat of public fear, meant that tamper-evident design principles had the potential to save a lot of money in the future.
Jars of food items soon started appearing with a lid with a metal bubble in the center, commonly known as a "safety button", pulled down by vacuum in the top of the container, which—like the lid of a Mason jar—popped out if the jar had ever been opened and stayed flat if the jar was in pristine condition. These lids would also pop out if the jar was contaminated by potentially dangerous gas-producing bacteria. Customers were advised to never buy a product with a popped lid. In addition to the visible flat "button", an intact lid makes an audible "pop" when opened.
Newer jars of food tend to come with a plastic wrap around the edge of the lid, which is removed when opening, although the springy-cap designs are still in common use.
Tamper-evident packaging also extends to protect stores; there are some scale labels for meats and deli products that will tear if removed.
The 1982 Chicago Tylenol murders involved over-the-counter medications. Due to FDA regulations, many manufacturers of food and medicine (as well as other products) now use induction sealing and other special means to help provide evidence of tampering. Break-away components which cannot be reattached are useful. Custom seals, security tapes, labels, RFID tags, etc. are sometimes added.
The current epidemic of opioid abuse and drug abuse has led to a search for tamper-evident strategies to protect central vascular lines. Drug users who shoot drugs into their veins often acquire infections of the heart valves (endocarditis), liver, bones, lungs, and other organs. Treatment of these infections requires several weeks of intravenous antibiotics. During the treatment period, these patients can use the central intravenous line or peripherally inserted central line (PICC) to inject narcotics or other illicit drugs. Evidence exists that applying a tamper-evident device to the central line can deter illicit use of the line.
Security packaging is needed to contain evidence of crimes. Items must be kept in an unaltered state until they are submitted in a legal proceeding.
Packaging that tears open raggedly or otherwise cannot readily be resealed is sometimes used to help indicate tampering.
Often, multiple layers or redundant indicators are used because no single layer or device is "tamper-proof". Consideration should be given to unique custom indicators (which should be changed regularly because these are subject to counterfeiting).
People who open secure packaging can look out for signs of tampering, both at the primary means of entrance and at secondary or "back door" locations on a package.
Credit cards, money, stamps, coupons
Postage stamps, for example, may contain a layer of ultraviolet-reflective ink which changes state under pressure. The impact from a postmarking machine then leaves a UV-visible mark as well as an ink mark which identifies attempts to reuse stamps.
In a similar vein, asset-numbering labels on corporate equipment (PCs and the like) are often designed to leave an imprint of either the serial number, or the word "VOID" if the label is peeled off. However, this can easily be defeated by warming up the label using a blow dryer so it will be more flexible and forgiving to removal (and reapplication).
Road tax vignettes and price tags are often tamper-evident in the sense that they cannot be removed in one piece. This makes it difficult to move a vignette from one car to another, or to peel off a price tag from a cheaper article and reapply it to a more expensive one.
Money is tamper-evident in the sense that it should be difficult to produce a financial token without authorization, even if starting from a token of lower value. For example, forgers may attempt to clean the ink from a banknote and print the image of a higher-denomination note on it, giving them the carefully guarded "banknote paper" which is otherwise very difficult to obtain. This may be one of the reasons why many countries use banknotes of different size in ascending order of value. A British £5 banknote issued by Bank of England is much smaller than a £50 banknote, and therefore can't be used to create a £50 note.
Tamper-evident physical devices are common in sensitive computer installations, for example network cabling is often run down transparent conduit in plain view and switches located in glass-fronted cabinets, where any unusual device attached to the network can easily be seen.
Despite the easy availability of miniature key loggers, tamper-evident design is not often used in personal computers. While transparent computer cases and keyboards are common, they are mainly used for the decorative effect rather than security. Many PCs do have a switch to detect opening of the case, and this provides a visual notification when the computer is next turned on that the case has recently been opened. In any case, it has long been possible to complicate the task of tampering with electronic devices by sealing them with tamper-evident tape or sealing wax. Alternatively, radio-controlled alarm-devices (which transmit a silent alarm) can be installed, or cases can be glued shut in such a manner that tampering attempts will distort or fracture the casing.
Fire alarms and other emergency switches are typically non-reversible, using a piece of glass which must be broken to activate the alarm. For example, Panic buttons in burglar alarm systems might require a plastic key to reset the switch.
In very much the same manner as with fire alarms, many emergency handles and levers, or handles that are not meant to be opened regularly, are enclosed in a thin metal or plastic security seal. The seal is thin, so as not to prevent the handle from being used (in due time), but only to alert maintenance/security personnel that the handle was indeed used. Many times, large sea-going shipping containers have such a metal ring or seal attached to them at the source port. After traveling at sea (and perhaps by land as well), the containers reach their destination, where each container is checked to have the seal properly in place (against a list of doublets - container/seal).
In police work, tamper-evident techniques must often be used to guard access to evidence, providing means of storing items and samples in a way which can be used to prove that they were not altered after their collection. It could be argued that CCTV systems perform a similar function in the handling of suspects. Video systems of course, can be given tamper-evident features by the use of timestamps generated by a suitably trusted clock.
Hardware-encrypted full disk drives utilise tamper-evident cases, so when it is retrieved the owner can be assured that the data has not been compromised, thus preventing costly further actions such as notifying the data owners.
The document, email, or file to be protected is used to generate a signed hash, a number generated from the contents of the document. Any change to the document, no matter how trivial, such as changing a single bit from a 1 to a 0, will cause it to have a different hash, which will make the signature invalid. To alter a document while purposely maintaining the same hash, assuming the hash function and the program implementing it are properly designed, is extremely difficult. See Avalanche effect and Hash collision.
- Active packaging
- 1982 Chicago Tylenol murders
- Dye pack
- Hardware-based full disk encryption
- Ink tag
- Package pilferage
- Packaging and labeling
- Sealing wax
- Security printing
- Security seal
- Johnston (2003). Tamper-Indicating Seals: Practices, Problems, and Standards. World Customs Organization, Security. Brussels. Retrieved 7 April 2019.
- Johnston, R.G. (July 1997). "Effective Vulnerability Assessment of Tamper-Indicating Seals". J. Testing and Evaluation. 25 (4).
- Sharon A. Maneki. "Learning from the Enemy: The GUNMAN Project". 2012. p. 26.
- "Defeating Existing Tamper-Indicating Seals". Argonne National Laboratory. Archived from the original on 7 October 2008.
- Rosette, J L (2009), "Tamper-Evident Packaging", in Yam, K L (ed.), Encyclopedia of Packaging Technology, Wiley (published 2010), ISBN 978-0-470-08704-6
- Dallas, Martin (1 October 2014), "Anticounterfeiting Packaging 101", PharmTech, retrieved 21 January 2018
- Nationwide wrote to all customers
- FDA Compliance Policy Guides – CPG Sec. 450.500 Tamper-Resistant Packaging Requirements for Certain Over-the-Counter Human Drug Products
- "Improving Tamper-Evident Packaging: Problems, Tests and Solutions", Jack L. Rosette, 1992
- "Tamper Evident Microprocessors", Adam Waksman and Simha Sethumadhavan, 2010
- Ho; et al. (2010). "Safe and Successful Treatment of Intravenous Drug Users with a Peripherally Inserted Central Catheter in an Outpatient Parenteral Antibiotic Treatment Service". J Antimicrob Chemother. 65 (12): 2641–44. doi:10.1093/jac/dkq355. PMID 20864497.