Express Pharma

A troubling new development in India’s QR code saga

Dr Avi Chaudhuri, a global expert on anti-counterfeiting, has written extensively on the deficits of the recently mandated QR coding program to protect against counterfeit medicines. In this article, he shows that a brazen new tactic has been adopted in a counterfeiting case just discovered in Gujarat, where again the QR code will be useless in protecting consumers and instead actually cause further harm.


The Ministry of Health and Family Welfare introduced a new mandate for the top 300 drugs in India to carry a QR code, which upon scanning by an inspector or consumer would provide instant details of that medicine and its manufacturer. The objective of this program is to protect consumers by detecting counterfeit medicines in the market. As I have argued, however, the program rests on the false notion that QR codes represent a suitable data carrier for this program when in fact they are highly susceptible to being replicated and placed on fake drugs. As a result, the Health Ministry has created a highly flawed program that I have dubbed a gift to the counterfeiters [1].

Despite inherent weaknesses in the regulation, those manufacturers affected by it had an opening now to fortify their products in supplementary ways. For years, Indian drug makers had neglected to put in place worthy solutions that could protect their patients, but were now handed an excellent opportunity to take seriously the counterfeit threat on their own brands. Instead of meeting the moment, most drug companies complied with the new mandate in the feeblest way possible by cutting corners to actually make their products even more susceptible to falsification [2].

One company that did stand out for the diligence with which it deployed the coding program was Sun Pharma. However, a new discovery of fake versions of one of its products shows just how crafty counterfeiters have become, and in a very troubling new way.

The discovery

Sun Pharma fulfilled its compliance requirement in ways that security specialists view as a best-practices approach. The QR code, which appears on its consumer-facing packages (usually a blister pack), contains a serial number, thereby conferring a unique digital identity to each package. Any effort to duplicate a genuine code and place that upon large numbers of fake products would lead to quick discovery because the same code should not be authenticated in multiple places at different times.

Despite the relative merit of its compliance, counterfeit versions of Sun Pharma’s anti-epileptic drug Levipil 500 have now been discovered in Gujarat by its Food and Drugs Control Administration (FDCA). This regulatory body is ably led by Dr. Hemant Koshia, a national figure who has long been a fierce advocate of anti-counterfeiting efforts to protect the people of his state. Commissioner Koshia is now undertaking a thorough investigation of this alarming development and has kindly shared many details contained here to instill greater transparency and community awareness.

The figure below shows a fake Levipil blister pack alongside a genuine one. The immediate impression one gets is that the entity behind this act has created a faithful reproduction of the original artwork. In fact, an analysis by Sun Pharma revealed the care taken in meticulously reproducing all text matter, with the exception of some barely perceptible deviations [3]. This level of attention is not uncommon because the goal is to evade visual suspicion, even by long-term users of the drug.

It is, however, the presence of the QR code on fake blisters that reinforces the commitment to precision made in this case. As the figure shows, the QR code on a fake version was indeed active and generated the same response to my scan of it as from an original product, with the remarkable false declaration that “This is a Genuine Pack”.

QR codes are now appearing with increasing frequency on fake medicines, further demonstrating the Health Ministry’s facile approach to consumer protection by adopting this solution. In the Levipil case, it is the specific nature of the QR codes seen on fake packages that is especially alarming and which represents an entirely new level of threat, as discussed next.

The disquiet

Let’s start with a simple question — how do counterfeiters procure active QR codes and place them on fake products in the first place? The most common tactic I have seen in nearly two decades of work in this field is alarmingly simple — obtain a genuine product from the market and then use its QR code to place an exact replica on multiple fake packages, sometimes even in the thousands. A more crafty approach would be to obtain a few genuine products so that there is a mixture of multiple original copies floating around. I expected to see something similar in the Levipil case.

Instead, I made a stunning discovery after reviewing 35 fake blisters. In all cases, the counterfeit product had a different active code. In other words, each QR code had its own unique serial number and there were no instances where two different blisters had the exact same code. This approach has the devious advantage of creating a one-to-one digital correspondence between the product and its buyer. Because no two fake products will have the same serial number, there will not be any instances of the same QR being authenticated all over the place, which in turn provides excellent cover to the counterfeiters.
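The duplicate-scan check described above, and why a set of unique active codes produces no signal for it, shown as an added example that is not code from the author, Sun Pharma or PharmaSecure. The serial format, the 30-day window, the city names used as scan locations and every scan record are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scan log: (serial, city, timestamp). All values are hypothetical.
SCANS = [
    ("SN-A001", "Ahmedabad", "2024-01-05T10:00"),  # one genuine code copied
    ("SN-A001", "Lucknow",   "2024-01-05T11:30"),  # onto many packs shows up
    ("SN-A001", "Delhi",     "2024-01-06T09:00"),  # in several cities
    ("SN-B417", "Surat",     "2024-01-05T12:00"),  # unique active codes on
    ("SN-B418", "Bhopal",    "2024-01-05T12:05"),  # fake packs: each serial
    ("SN-B419", "Noida",     "2024-01-07T16:20"),  # is scanned by one buyer
    ("SN-C900", "Indore",    "2024-01-08T08:00"),
    ("SN-C900", "Indore",    "2024-01-08T08:01"),  # same buyer scanning twice
]
# Serials the (hypothetical) verification backend knows as issued and active.
ISSUED = {"SN-A001", "SN-B417", "SN-B418", "SN-B419", "SN-C900"}


def flag_suspect_serials(scans, issued, window=timedelta(days=30)):
    """Return {serial: reason} for unknown serials and for serials
    authenticated in more than one city within `window`."""
    by_serial = defaultdict(list)
    for serial, city, ts in scans:
        by_serial[serial].append((datetime.fromisoformat(ts), city))

    flagged = {}
    for serial, events in by_serial.items():
        if serial not in issued:
            flagged[serial] = "unknown serial"
            continue
        events.sort()
        cities = {city for _, city in events}
        span = events[-1][0] - events[0][0]
        if len(cities) > 1 and span <= window:
            flagged[serial] = f"scanned in {len(cities)} cities"
    return flagged


def passing_serials(scans, issued):
    """Serials that would still be reported as authentic to the scanner."""
    flagged = flag_suspect_serials(scans, issued)
    return sorted({s for s, _, _ in scans} - set(flagged))


if __name__ == "__main__":
    print("flagged:", flag_suspect_serials(SCANS, ISSUED))
    print("passing:", passing_serials(SCANS, ISSUED))
```

Only the copied serial is flagged; the three unique active serials pass alongside the legitimately re-scanned one, because scan history alone cannot tell a leaked active code from one on a genuine pack.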

There are two ways a counterfeiter can create so many fake products with each having an active code. The first is having managed to crack the serial number generator being used by Sun Pharma’s solution provider for the program, which in this case is PharmaSecure, Inc., an IT company based out of Delhi. It is possible to hijack an entire program by using this approach because all codes applied on fake products will pass authentication. The act of reverse engineering a code generator is no longer as challenging as it once was due to computing advances and the emergence of artificial intelligence software.

The more likely explanation in this case, however, is that the counterfeiter was simply able to obtain a bank of batch-specific active codes through old-fashioned theft. Given that the fake samples for my analysis were taken at random from a large cohort, there is enough statistical power to assert with high confidence that the counterfeiter succeeded in placing a unique active code on every fake package, and that each counterfeit variant will therefore be successfully authenticated in the hands of a consumer.

The origin of the digital leakage could be either the code generating source (PharmaSecure) or the code application site (Sun Pharma plant in Assam). The origin could also be a large distribution node (C&F or stockist), but that is much less likely because of the physical effort needed to capture data from a large set of genuine packages. The scale, breadth and nature of attack on this product are highly suggestive of digital theft. A table with the results of my analysis can be downloaded from an online portal [4].

The dilemma

It is now clear that a sophisticated digital attack has taken place on an important neurological drug whose counterfeit version is likely to cause serious harm. As noted above, a scan of the QR code on each fake sample returned a message that the product is genuine, thereby giving false reassurance through the illusion of authenticity. Both Sun Pharma and PharmaSecure have remarkably failed to learn an elementary lesson in product security — never announce that a product is genuine after a scan because you will then mislead patients in case the code has been compromised. And even though there is a button on the verification site in case of an adversity, my test of that system on another Sun Pharma product a month back has still not yielded a response.

The dilemma for drug regulators now is what to do in this case. Despite the sterling work by the Gujarat FDCA, it remains unclear how many fake products may have escaped into the market and are now being sold in pharmacies across India. According to Commissioner Koshia, this particular incident arose at the very least through wholesalers located in MP, UP and Delhi NCR. This is undoubtedly a national case. The criminals behind this atrocity did not spend vast sums of money to create a near-perfect replica of an original pack, both blister and its secondary container, along with sophisticated digital reproduction to then only restrict their distribution activity to one state.

It is also clear that multiple batches of Levipil 500 have been compromised, but exactly how many is still unclear. If currently-unfolding interdiction efforts can quickly expose the full breadth of the attack and identify exactly which compromised batches have been distributed, then the harm may be confined and a limited recall could be sufficient to protect patients on this drug. If, however, this attack turns out to be more expansive, involving multiple states and a larger cohort of batches, then a full-scale national recall of the drug would be warranted.

One thing is for certain — the QR coding program introduced with much fanfare by the Health Ministry for the sole purpose of identifying fake drugs will be absolutely useless in protecting patients here, and in fact its continued use will actually cause more harm.

References

[1] https://www.securingindustry.com/pharmaceuticals/india-s-drug-qr-coding-programme-anatomy-of-a-debacle/s40/a16877/

[2] https://www.securingindustry.com/pharmaceuticals/india-s-qr-code-programme-part-2-rating-the-drug-makers/s40/a16919/

[3] https://app.box.com/s/4fw6d14g6f1hg03s70w2s1m36aegflcp

[4] https://app.box.com/s/8fymvhvnlqhlr6b8o3ilwsrd3ec5f2w4

 

 

 
