From Securing Industry March 8th 2018
I first started in the brand protection industry sometime in 2003, helping secure watch companies from counterfeit and diversion issues. In February 2004, a report was sent out by the FDA, Combating Counterfeit Drugs (1), all but mandating the use of reliable RFID track and trace technology to create a pedigree for products down to the individual unit; they envisioned that by 2007 pharmaceutical companies would be tagging units at the item level. I took a back seat in the industry for a few years and when I came back in 2015, the pharmaceutical industry still hadn’t implemented serialization with track and trace and certainly hadn’t adopted RFID at the item level.
Now it’s 2018, fewer than 10 per cent of medicines in the US carry DSCSA-compliant 2D barcodes (2), and companies remain confused about the specifications needed to meet the mandate set by the Drug Supply Chain Security Act, the DSCSA (3). Yes, this has been going on for a long time, and we’re still not there yet.
To meet these serialization requirements, most companies have chosen the humble 2D barcode, in practice the GS1 DataMatrix, as the data carrier for their unique identifier (UID) track and trace data. Each code uniquely identifies a single unit and lets a pedigree be built for that individual item to support authentication. Simple and secure, right?
Unfortunately, attackers move far faster than the organizations implementing these technologies and are already using 2D codes with malicious intent. Replacement or counterfeit 2D codes can be produced that give an attacker a path into the systems and devices of whoever unsuspectingly scans them. In 2011, Kaspersky Lab reported the first malicious QR code found in the wild; since then such codes have turned up on ketchup bottles redirecting consumers to a pornographic site, have been copied and reproduced to pass off counterfeit AMD Ryzen processors, and have been used to get backdoors installed on Android devices. It has been estimated that over 23 per cent of trojans and viruses are now spread by QR codes. It won’t be long before we find QR codes that send a user to a page that mines cryptocurrency in the browser without the user’s knowledge.
A 2D Data Matrix code, just like the ones the pharmaceutical industry is adopting for serialization, behaves like someone typing at a PC keyboard when it is read by a typical desktop scanner. Most USB scanners work as a “keyboard wedge”: they present themselves to the host as a keyboard and deliver the decoded characters as keystrokes, usually followed by a configurable suffix such as Enter or Tab. Whatever application has focus receives that input exactly as if an operator had typed it, and a Data Matrix symbol can encode control characters as well as printable text. Imagine the possibilities for attackers to abuse the openly specified Data Matrix codes being applied to track and trace pharmaceuticals, and the data and systems they could reach through this simple and anonymous attack vector.
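As an added example that is not part of the original article, the following Python shows what a hardened intake for keyboard-wedge scan data looks like, covering both the GS1 DataMatrix data carrier described above and the keyboard-wedge behaviour just discussed. It treats the scanned string as untrusted input: it parses only the GS1 element strings a DSCSA product identifier is made of (application identifiers 01, 21, 17 and 10, separated by the ASCII GS character most scanners emit for FNC1), validates the GTIN check digit and the GS1 character set, and rejects anything else, including the control characters a hostile symbol could use to drive whichever application has focus. The sample scans, the URL in the hostile sample and the function names are constructed for illustration and are not from any real product or incident.

```python
"""Strict intake for DSCSA product-identifier scans carried in a GS1 DataMatrix.

A keyboard-wedge scanner delivers a symbol's contents as keystrokes, so the
application receiving them must treat the string as untrusted input: decode
only the GS1 element strings it expects and reject everything else.
"""

GS = "\x1d"          # ASCII Group Separator: how most scanners emit FNC1
AIM_PREFIX = "]d2"   # AIM symbology identifier for GS1 DataMatrix, if the scanner sends it

# GS1 "character set 82": the only characters allowed in serial and lot fields.
CSET82 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
             "!\"%&'()*+,-./:;<=>?_")

# Application identifiers that make up the DSCSA product identifier:
# AI -> (fixed length or None if variable, max length, numeric-only?)
AI_SPEC = {
    "01": (14, 14, True),     # GTIN-14
    "17": (6, 6, True),       # expiry date YYMMDD
    "10": (None, 20, False),  # lot/batch number
    "21": (None, 20, False),  # serial number
}


class ScanRejected(ValueError):
    """Raised when scanned data is not a well-formed DSCSA product identifier."""


def gtin14_check_digit_ok(gtin: str) -> bool:
    """Validate the modulo-10 check digit of a 14-digit GTIN."""
    if len(gtin) != 14 or not gtin.isdigit():
        return False
    digits = [int(c) for c in gtin]
    # Weight 3 on positions 1, 3, ..., 13 (1-based from the left), weight 1 on the rest.
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits[:13]))
    return (10 - total % 10) % 10 == digits[13]


def parse_dscsa_scan(raw: str) -> dict:
    """Parse scanner output into {AI: value}; raise ScanRejected on anything unexpected."""
    data = raw[len(AIM_PREFIX):] if raw.startswith(AIM_PREFIX) else raw
    # The only control character a GS1 element string may contain is GS (FNC1).
    # A CR, LF or TAB here would be "typed" into the focused application by a wedge.
    for ch in data:
        if ch != GS and (ord(ch) < 0x20 or ord(ch) == 0x7F):
            raise ScanRejected(f"control character {ch!r} in scan data")
    fields = {}
    pos = 0
    while pos < len(data):
        ai = data[pos:pos + 2]
        if ai not in AI_SPEC:
            raise ScanRejected(f"unexpected application identifier {ai!r} at offset {pos}")
        if ai in fields:
            raise ScanRejected(f"duplicate application identifier {ai}")
        pos += 2
        fixed, max_len, numeric = AI_SPEC[ai]
        if fixed is not None:
            value = data[pos:pos + fixed]
            if len(value) != fixed:
                raise ScanRejected(f"AI {ai} truncated")
            pos += fixed
        else:
            end = data.find(GS, pos)
            end = len(data) if end == -1 else end
            value = data[pos:end]
            pos = end + 1 if end < len(data) else end   # skip the GS terminator
        if not value or len(value) > max_len:
            raise ScanRejected(f"AI {ai} has bad length {len(value)}")
        if numeric and not value.isdigit():
            raise ScanRejected(f"AI {ai} must be numeric")
        if not numeric and not set(value) <= CSET82:
            raise ScanRejected(f"AI {ai} contains characters outside GS1 set 82")
        if ai == "17" and not 1 <= int(value[2:4]) <= 12:
            raise ScanRejected("AI 17 has an invalid month")
        fields[ai] = value
    missing = set(AI_SPEC) - set(fields)
    if missing:
        raise ScanRejected(f"missing application identifiers {sorted(missing)}")
    if not gtin14_check_digit_ok(fields["01"]):
        raise ScanRejected("GTIN-14 check digit mismatch")
    return fields


def classify(raw: str) -> str:
    """Return 'accepted' or the rejection reason, for an intake application to log."""
    try:
        parse_dscsa_scan(raw)
        return "accepted"
    except ScanRejected as exc:
        return f"rejected: {exc}"


# Constructed sample of a well-formed DSCSA scan: GTIN, serial, expiry, lot.
GOOD_SCAN = AIM_PREFIX + "0100012345678905" + "21SN0012345" + GS + "17221231" + "10LOTA1B2"

# Constructed sample of a hostile symbol: a plausible GTIN followed by a carriage
# return and more text. Through a keyboard wedge the CR is typed as Enter, so the
# focused application would receive the trailing text as a fresh line of input.
HOSTILE_SCAN = "0100012345678905" + "\r" + "https://example.invalid/login" + "\r"

if __name__ == "__main__":
    for label, scan in (("good", GOOD_SCAN), ("hostile", HOSTILE_SCAN)):
        print(label, classify(scan))
```

The design choice worth noting is that the parser never hands the raw string to anything else: a scan either yields the four expected fields, each checked against its own length, character set and (for the GTIN) check digit, or it is dropped with a reason that can be logged. A stray GS after a fixed-length field is deliberately rejected rather than tolerated, so an intake application built on this should be tested against the exact encoding its scanners emit.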
Some examples of these attacks follow; these are real attacks, not just lab experiments:
- Malware – apps that scan 2D codes promising “free” anything can carry trojans and viruses that steal personal information or carry out transactions in the background;
- QR-jacking – login flows that rely on QR codes can be recreated by attackers to take control of a user’s account;
- Phishing – QR codes can easily be produced that send people to look-alike login pages to steal credentials; and
- Scam codes – criminals generate copies of freely reproducible 2D codes to gain access to users’ private data or to request sensitive personally identifiable information (PII).
It’s hard to imagine that these kinds of attacks were envisioned when the DSCSA requirements were being written, but it seems that criminals can move much faster than the organizations implementing these solutions. It may be too late to rethink this approach to pharmaceutical track and trace, but companies should be aware that their systems and users will be exposed to many different attacks as these systems come online.
These attack vectors and vulnerabilities are not limited to the pharmaceutical supply chain; just look at all the brands that use standard QR codes to engage with their consumers every day. We have already seen attacks launched with these codes, and they haven’t really hit the mainstream yet.
As DSCSA implementations look towards blockchain as a potential distributed transaction ledger, it is going to become even more important that the link between the physical product and the blockchain be made secure in the most economical way possible; there is little point in having an irrefutable and immutable record of transactions if the link between the product and that record is weak.
The big question for the pharmaceutical industry and for brand engagement teams around the world is: should an open, freely reproducible symbology be relied on for security and for consumer engagement with a brand? And do companies have an obligation to protect their users and partners from criminals, cryptocurrency miners and hackers?
The playing field has changed beyond anything imagined 15 years ago, and it looks like many of these companies are still trying to play by the old rules with the old 2D codes. Hopefully it doesn’t take another 15 years to recognize these vulnerabilities and implement a system that is secure, protected and fit for purpose.
1 – Combating Counterfeit Drugs (2004), A Report of the Food and Drug Administration
2 – Just 6.6 percent of meds have DSCSA-compliant 2D barcodes
3 – https://en.wikipedia.org/wiki/Drug_Quality_and_Security_Act
Mark Manning is a serial entrepreneur, having started or been involved in founding multiple companies, and is currently the Founder and CEO of iTRACE Technologies, a Silicon Valley company specializing in anti-diversion and anti-counterfeit technologies.
Prior to iTRACE, Mark was Senior VP of Operations at Vorstack Corporation, a company specializing in developing cyber security tools for early intrusion detection.