Finish the rest of leo's annotations

This commit is contained in:
jaseg 2025-11-28 18:10:56 +01:00
parent 75c0da19d8
commit 18956ffe75
5 changed files with 223 additions and 177 deletions

View file

@ -36,13 +36,13 @@ only having access to a subset of patient's medical records. Data in scope for t
laboratory results, and medical imaging files.
Due to Germany's mandatory health insurance laws, the system's user base encompasses the majority of all German
residents, approximately 90\textpercent. People who have replaced their public health insurance with private insurance
as of now are not subject to the system. In Germany, by law private health insurance is only available to people from
the top 10th percentile of household income. This means that the system disproportionally affects people who have low
income, creating an equity issue. While it is possible to opt out from the use of the new digital record, the process of
opting out is difficult. Additionally, the government and health insurance providers have publically depicted the system
in a one-sidedly positive way, meaning that it is unlikely the majority of people subject to the system have a
comprehensive understanding of the system's benefits and risks that would be necessary for an informed decision.
residents, approximately 90\%. People who have replaced their public health insurance with private insurance as of now
are not subject to the system. In Germany, by law private health insurance is only available to people from the top 10th
percentile of household income. This means that the system disproportionally affects people who have low income,
creating an equity issue. While it is possible to opt out from the use of the new digital record, the process of opting
out is difficult. Additionally, the government and health insurance providers have publically depicted the system in a
one-sidedly positive way, meaning that it is unlikely the majority of people subject to the system have a comprehensive
understanding of the system's benefits and risks that would be necessary for an informed decision.
While there has been loud criticism of the system's security from civil society organizations such as digital rights
nonprofit organization Chaos Computer Club (CCC) \cite{kochMoreMoreExperts2025} and several severe security flaws have
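Review bot: the rewrapped lines carry over the misspelling "publically" ("health insurance providers have publically depicted the system in a"); since these lines are touched for the `\textpercent` to `\%` change anyway, correct it to "publicly" here, and consider "disproportionately affects" in place of "disproportionally affects" in the same paragraph.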
@ -118,19 +118,20 @@ records can be accessed.
\subsection{Related Work}
The state-owned company specifying the system commissioned several security assessments of the system relating to the
key escrow service. \textcite{fischlinKryptographischeAnalyseSpezifikation2021} focuses on the cryptographic
dimension of the key escrow service used in an older version of the standard, and is now obsolete.
\textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on the
cryptography of the inner protocol layers spoken between the system's components. Industry research organization
\emph{gematik}, the state-owned company specifying the system, commissioned several security assessments of the system
relating to the key escrow service.
\citeauthor{fischlinKryptographischeAnalyseSpezifikation2021}~\cite{fischlinKryptographischeAnalyseSpezifikation2021}
focuses on the cryptographic dimension of the key escrow service used in an older version of the standard, and is now
obsolete. \textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on
the cryptography of the inner protocol layers spoken between the system's components. Industry research organization
Fraunhofer SIT was comissioned for a structured, theoretical assessment of attack paths to the system
\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of
independent academic security research on the system.
\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of independent
academic security research on the system.
The design and operation of the system have been independently described in detail by civil society activists, who have
demonstrated several successful attacks on the system. \textcite{tschirsichHackerHinOder0100} demonstrated how they
demonstrated several successful attacks on the system. \textcite{tschirsichHackerHinOder2019} demonstrated how they
could trivially acquire each of the smartcards as well as the Konnektor necessary for accessing the system.
\textcite{tschirsichKonnteBisherNoch0100} summarize the history of attacks demonstrated on the system and show multiple
\textcite{tschirsichKonnteBisherNoch2024} summarize the history of attacks demonstrated on the system and show multiple
practical attacks on various parts of the system's implementation.
\section{Concerning Cryptographic Engineering Choices}
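Review bot: the citation macros in the rewritten Related Work paragraph are now inconsistent: Fischlin is cited as `\citeauthor{fischlin...}~\cite{fischlin...}` while Slany on the next line keeps `\textcite{slany...}`, which renders the two in-text references differently; pick one form for both. The unchanged context line "Fraunhofer SIT was comissioned for a structured" also has a typo ("commissioned") that could be fixed while this paragraph is being reworked.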
@ -140,11 +141,11 @@ by no means an exhaustive list, and is only meant to underscore why we believe t
\subsection{Use of Key Escrow}
First, the system's general approach of using a key escrow service instead of securely storing the keys inside the
system's already existing smart card infrastructure is concerning, given that this key escrow service poses a
centralized security risk. The system's designers made this decision since it was deemed important that access to an
encrypted record can be restored quickly after an insurance ID card is lost, without requiring the cooperation of the
healthcare providers holding the primary copies of the person's medical records.
Key escrow describes a concept that was originally devised during the 1990ies out of a fear that the widespread
availability of strong encryption would stifle the ability of law enforcement agencies to wiretap communications in the
prosecution of crime. At the core of the concept rests the idea that a trusted \emph{key escrow} service should hold a
copy of every private key in use. In case the government wants to access one of these keys, the key escrow service can
provide this access\textcite{andersonSecurityEngineeringGuide2020,jarvisCryptoWarsFight2020}.
While key escrow services have been a topic of political debate in decades past, in the cryptographic community,
consensus generally is that they are a bad idea since they pose a centralized target for attack, and increase attack
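Review bot: moving the "centralized security risk" paragraph out of this position is fine, but the remaining paragraph still reads "out of a fear that the widespread availability... during the 1990ies" (should be "1990s") and "provide this access\textcite{andersonSecurityEngineeringGuide2020,jarvisCryptoWarsFight2020}." has no space or punctuation before the citation; `\textcite` here also produces an inline author-year reference as the last word of the sentence, so `~\cite{...}` is the better macro for a parenthetical source.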
@ -155,6 +156,12 @@ surface \cite{
rogawayMoralCharacterCryptographic2015,
}.
Our first concern is the system's general approach of using a key escrow service instead of securely storing the keys
inside the system's already existing smart card infrastructure. Like any other key escrow system, this key escrow
service poses a centralized security risk. The system's designers made this decision since it was deemed important that
access to an encrypted record can be restored quickly after an insurance ID card is lost, without requiring the
cooperation of the healthcare providers holding the primary copies of the person's medical records.
\subsection{Cryptographic Design}
The system's overall cryptographic design is intentionally kept simple. The standard explicitly mentions that symmetric
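Review bot: the relocated paragraph opens "Like any other key escrow system, this key escrow service poses a centralized security risk", which repeats "key escrow" twice in one clause; "Like any key escrow system, this service poses a centralized security risk" reads better and says the same thing.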
@ -178,21 +185,21 @@ the key escrow service in an identifiable way.
We observe that the system as a whole does not appear to be designed to defend against well-resourced adversaries. The
series of practical attacks that have been demonstrated on the system confirm this impression. In
\textcite{tschirsichKonnteBisherNoch0100} summarize a series of successful attacks. Attacks include social engineering
\textcite{tschirsichKonnteBisherNoch2024} summarize a series of successful attacks. Attacks include social engineering
resulting in access to copies of smartcards enabling accessing patient records, using misconfigured Konnektor VPN
appliances with their LAN DMZ and authentication interface exposed on the public internet, circumventing video-based
authentication processes resulting in duplicate file keys being provided, classis SQL injection on a backend service
maintaining an authentication database, accessing all national patient records through brute-force enumeration of weak
identifiers, and several more.
We believe that a system like this must be designed to withstand well-resourced adversaries such as enemy secret
We believe that a system like this must be designed to withstand well-resourced adversaries such as foreign secret
services, since the medical data stored in such as information on chronic illness, sexually transmittable disease or
severe food allergies has intelligence value. Repeated breaches of national digital infrastructure such as the 2015
breach of the US Office of Personnel Management \cite{barrettUSSuspectsHackers2015} or the 2024 compromise of US
telecommunications wiretapping systems \cite{mennChineseGovernmentHackers2024} demonstrate that such state-sponsored
attacks on national digital infrastructure are a realistic concern. A possible scenario in the ePA system would be an
enemy secret service gaining access to one of the HSMs storing the systems' root secrets, extracting the root secret by
an advanced physical attack, then being able to decrypt captured encrypted health records at will. Similarly, a
foreign secret service gaining access to one of the HSMs storing the systems' root secrets, extracting the root secret
by an advanced physical attack, then being able to decrypt captured encrypted health records at will. Similarly, a
nation-state adversary might have access to an exploit allowing the compromise of the system's TEEs, which would enable
the extraction of any patient records being processed in plaintext inside these TEEs.
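Review bot: the added line "\textcite{tschirsichKonnteBisherNoch2024} summarize a series of successful attacks" still follows the context line ending in "In", so the sentence reads "In Tschirsich et al. (2024) summarize...", which is ungrammatical; drop the trailing "In" on the preceding line. Two further typos sit in the visible context of this hunk: "classis SQL injection" ("classic") and "the medical data stored in such as information on chronic illness" (a word such as "it" is missing after "stored in"); "sexually transmittable disease" should be "sexually transmitted diseases".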
@ -203,8 +210,8 @@ for authentication. Second, Hardware Security Modules are used in key locations
cryptographic secrets. The core of the system's key escrow service is implemented inside an HSM. However, it is notable
that the actual security level required for this HSM is only FIPS 140-2 level 3
\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. FIPS 140-2 is a US government
standard that used to be popular for the specification of HSMs. However, not only has FIPS 140-2 been superseded by FIPS
140-3 since 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security
standard that used to be popular for the specification of HSMs. However, not only has FIPS 140-2 been made obsolete by
FIPS 140-3 in 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security
level 3 mostly provides logical separation of cryptographic functions from other logic and is not very meaningful in the
context of physical attacks. The only physical requirement of FIPS 140-2 level 3 is that the HSM has a hard, opaque
coating. This coating is specified to be tamper-evident, but notably no active tamper detection or response features are
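Review bot: changing "superseded by FIPS 140-3 since 2019" to "made obsolete by FIPS 140-3 in 2019" overstates the situation: FIPS 140-3 took effect in 2019, but FIPS 140-2 remained an accepted basis for new validations for some time afterwards and existing FIPS 140-2 certificates stayed valid, so "superseded" was the more accurate verb. I would revert that word choice and keep the rest of the edit.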
@ -239,5 +246,7 @@ that better accomodate real-world use cases.
We believe that Inertial HSMs can address this use case by cleanly separating the physical security primitive into a
retargetable design that can be applied to entire servers if needed, and augment or replace technology like conventional
HSMs or trusted execution environments to provide high-level hardware security.
HSMs or trusted execution environments to provide high-level hardware security. Before introducing IHSMs in
Chapter~\ref{chapter-ihsm}, in the following chapter, we will first complement this chapter's outlook on the state of
the art in hardware security with a survey of tamper sensing meshes in a wide range of real world devices.
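Review bot: the new sentence introduces the abbreviation "IHSMs" although the preceding line spells out "Inertial HSMs" without defining it; write "Inertial HSMs (IHSMs)" at the first mention. The sentence also doubles its framing ("Before introducing IHSMs in Chapter~\ref{chapter-ihsm}, in the following chapter, we will first complement..."); "In the following chapter, before introducing IHSMs in Chapter~\ref{chapter-ihsm}, we complement..." avoids the two stacked temporal clauses. The context in the hunk header still has "accomodate" ("accommodate").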

View file

@ -14,7 +14,7 @@ being used in the late 19\textsuperscript{th} century, around the widespread com
active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs.
In this chapter, we will start with a brief history of tamper sensing meshes. Complementing our historical analysis, we
will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will analyze
will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will examine
their implementation. We will analyze the gaps left by the current state of the art in commercial practice, and evaluate
how Inertial HSMs could close these gaps to make secure hardware accessible to a wider range of applications. The
contributions in this chapter are as follows:
@ -27,8 +27,8 @@ contributions in this chapter are as follows:
illustrating them.
\item From our sample, we extract several design patterns that can be applied to increase the security of a design.
\item We note security flaws in several of our samples.
\item We provide the results of CT measurements of multiple samples, and we evaluate their impact on tamper sensing
mesh security.
\item We provide the results of Computed Tomography (CT) imaging of multiple samples, and we evaluate their impact
on tamper sensing mesh security.
\end{itemize}
\section{The History of Tamper Sensing Meshes}
@ -70,9 +70,9 @@ the widespread adoption of cryptography in commercial applications~\cite{
One early practical uses of tamper sensing meshes for information security as opposed to the security of some physical
good is documented in notes on a series of lectures given by Dr.~David~G. Boak, a specialist in communications security
and signal intelligence at the US National Security
Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
Agency~\cite{boakHistoryUSCommunications1981,boakHistoryUSCommunications1973}. In this lecture series, Boak mentions
that around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time
were large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
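Review bot: the renamed citation keys are now listed as `boakHistoryUSCommunications1981,boakHistoryUSCommunications1973`, i.e. newer before older, whereas the previous version was chronological; unless the bibliography style sorts citations itself, restore the 1973, 1981 order. The surrounding context also has "One early practical uses of tamper sensing meshes" ("One early practical use") and "signal intelligence" ("signals intelligence").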
@ -111,24 +111,29 @@ history of nuclear material passing through these facilities.
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a metal enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.
extensive use of tamper-indicating enclosures and of seals\footnote{
Note that in IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper
indication''. The IAEA distinguishes between active tamper indication, which we conventionally call tamper
detection, and passive tamper indication, which we conventionally call tamper evidence. Tamper indicating devices
include seals, but also the aforementioned uniquely characterizable enclosures, which IAEA terminology calls
intrinsically tamper-indicating. An example for an active tamper indicating device would be a seismic sensor at the
bottom of a borehole that has been back-filled with concrete such that any attempt to reach the sensor would be
well-visible in the sensor's own readings~\cite{simmonsHowInsureThat1988}.
}. In both systems, the approach taken is that the enclosure or seal is treated similarly to what these days, in
computing we call a Physically Unclonable Function (PUF). The concept of a PUF centers on electronic component
manufactured such that random manufacturing variations can later be measured by the finished circuit. The core idea is
that since these manufacturing variations are random, they can be used as a source for cryptographic entropy.
Furthermore, the concept is based on the assumption that these manufacturing variations cannot be controlled, hence
making the device \emph{unclonable}.
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}.
Similar to a PUF, in the IAEA's application an enclosure or seal is manufactured in a process that leaves an
unpredictable and uncontrollable pattern of manufacturing variations such as surface imperfections. A process used in
the IAEA is to package devices in aluminium enclosures passivated in a bright color, which leaves a random, microscopic
pattern of pits in the surface from the etching step. Before such a device is deployed in the field, it is precisely
measured from all sides. Later on, after field deployment, its integrity can then be checked by comparing its current
state to these initial measurements. The underlying assumption is that drilling or cutting into something like a metal
enclosure will leave detectable traces, and that perfectly replicating an object including features such as minute
surface imperfections is infeasible even to a nation state~\cite{iaea2011}.
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
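Review bot: the IAEA terminology text is now present twice in this hunk: once as the footnote attached to "seals\footnote{ Note that in IAEA terminology, both tamper detection and tamper evidence are combined...}" and again, nearly verbatim, as the body paragraph beginning "In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''." Keep one of the two (the body paragraph reads more naturally, since the following paragraph refers back to "Similar to a PUF"). In the PUF definition, "The concept of a PUF centers on electronic component manufactured such that" needs an article ("an electronic component"), and the footnote mark should follow the period ("seals.\footnote{...}") per the usual LaTeX convention.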
@ -148,12 +153,12 @@ and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right
of card payment terminals.
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. These applications include key management in the TLS certificate infrastructure. In this
chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
Other applications include mail franking machines, where they are used to protect the credit counter and franking data,
with one such unit analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany
are mounted externally on public buildings to provide keys to emergency services, and which include tamper sensing
meshes on their door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
hampered by their high cost. In this chapter, we will analyze a commercial HSM that was used in the key management
infrastructure of a premium TV provider as one example of such uses. Examples of other applications include mail
franking machines, where they are used to protect the credit counter and franking data, with one such unit analyzed in
this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted externally on
public buildings to provide keys to emergency services, and which include tamper sensing meshes on their door and
interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series
of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.
@ -213,7 +218,7 @@ To achieve low power consumption, a popular technique known since at least
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Bridge circuits were already used
mesh trace's resistance with a reference resistor, or using a Wheatstone bridge. Bridge circuits were already used
in early tamper sensing mesh implementations~\cite{
ElektrischeSicherheitseinrichtungSchutze1932,
hamPrintedcircuitTypeSecurity1971,
@ -228,10 +233,7 @@ within its nominal operating environment, tampering can be made less convenient.
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other
sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation
sensors such as X-ray sensors have been proposed. While the implementation cost of most sensor types is low, each
additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors
being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like
custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside
light.
additional environmental sensor comes with an increased false alarm rate.
% FIXME citations?
\section{A Survey of Meshes in the Wild}
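Review bot: removing the light-sensor anecdote leaves the claim "each additional environmental sensor comes with an increased false alarm rate" without any support in the text, and the `% FIXME citations?` marker right below it is still unresolved; either restore a short version of the anecdote explicitly labelled as anecdotal, or add a citation before merging. The context sentence above also says "have been proposed" twice ("A multitude of other sensors have been proposed, including ... X-ray sensors have been proposed").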
@ -250,9 +252,9 @@ terminals, which represent the most varied class of device incorporating such me
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 30 total devices including 23 different models of card payment terminals, and 7 other devices.
Some devices were procured by dumpster diving, while most were sourced from ebay. The majority of these were sold by
electronic waste recycling companies. A complete list of our specimens can be found in
Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Some devices were procured by intercepting electronic waste, while most were sourced from ebay in Februrary and March
2025. The majority of these were sold by electronic waste recycling companies. A complete list of our specimens can be
found in Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Figure~\ref{fig_hsm_survey_sample_pics} and internal photos are shown in
Figure~\ref{fig_hsm_survey_sample_internal_pics}. In the following sections, we will go into detail on the classes of
devices we selected for this study.
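Review bot: the added line "while most were sourced from ebay in Februrary and March 2025" misspells "February" and writes the marketplace name as "ebay" (the brand spells it "eBay"); both are on a line this commit introduces, so fix them here.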
@ -353,12 +355,11 @@ skimming that aim to exfiltrate card data and PINs entered by the customer. The
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
of security than one might expect from an industry association.
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well.
One reason for the high level of physical security standards in card payment applications both on the client side
(payment terminals) and on the server side (HSM appliances) is that the finance industry has been reluctant to adopt
modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
modern cryptography. Not only are modern cryptographic protocols like secure Multiparty Computation (MPC) or
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
ancient ciphers such as Triple DES are still commonly referenced in industry
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is
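Review bot: the correlative construction in the context lines is broken across a sentence boundary: "Not only are modern cryptographic protocols like secure Multiparty Computation (MPC) or Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly" should be joined with a comma or semicolon ("...not commonly used; even asymmetric cryptography..."). Since the MPC line is already being edited, this is the moment to fix it.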
@ -376,8 +377,8 @@ and are used across application domains. Depending on the application, these HSM
can be used as coprocessors through an API. In practice, the standalone appliances are just low-end computers in a
rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we obtained two
devices labelled as HSMs. We were only able to procure two such devices since they are expensive, and even used
specimens of older models are usually listed for several hundreds to several thousands of EUR. Unfortunately, one of the
devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection
specimens of older models are usually listed for several hundreds to several thousands of Euro. Unfortunately, one of
the devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection
against advanced attacks. The other specimen we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a
white-label variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce
cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on
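Review bot: "several hundreds to several thousands of Euro" is not idiomatic; "several hundred to several thousand euros" (or keeping the ISO code "EUR", as before) is the usual form. The context line "a recycling company specialized on" should read "specialized in".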
@ -607,6 +608,7 @@ list, we will address several common structural features that we observed across
\label{hsm_fig_materials}
\end{figure}
\todo{FIXME: Add scale / structure size to photos?}
Regular Printed Circuit Boards are frequently used to implement tamper sensing meshes as shown in
Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are
inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and
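Review bot: this hunk adds a new `\todo{FIXME: Add scale / structure size to photos?}` marker rather than resolving one; for a commit described as finishing the annotations, note in the commit message that open to-do markers remain, or resolve it (a scale bar on the material photos would be the cleaner fix before submission).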
@ -700,11 +702,11 @@ across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but t
soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow
soldering.
FPCs are suitable for use with standard Zero Insertion Force (ZIF) FPC connectors as shown in
Figure~\ref{hsm_fig_connector_fpc} that directly mate to a contact area, called \emph{gold fingers} in industry terms,
on the FPC. Both FPCs and rigid PCBs can be used with standard board-to-board stacking connectors such as the one
visible in the center of Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's
back side to ensure the solder joints don't break from mechanical stress when connecting or disconnecting.
FPCs are suitable for use with standard FPC connectors as shown in Figure~\ref{hsm_fig_connector_fpc}. These connectors
mate directly to a contact area on the FPC, called \emph{gold fingers} in industry terms. Both FPCs and rigid PCBs can
be used with standard board-to-board stacking connectors such as the one visible in the center of
Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's back side to ensure the
solder joints don't break from mechanical stress when connecting or disconnecting.
In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper sensing mesh
assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are
@ -802,7 +804,7 @@ Thermoforming is a cheap industry standard process, but applied to flexible circ
only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet
cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all
sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited,
with no sample in our survey exceeding \qty{2}{\milli\meter}\todo{Get proper number}. Higher depths would require
with no sample in our survey exceeding \qty{2}{\milli\meter}.\todo{Get proper number} Higher depths would require
extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the
particle-based conductive inks used for screen-printed electronics are inelastic. Among our samples, we saw two
instances of thermoformed meshes. First, all recent Ingenico terminals (\sampleno{H06,H13,H23,H24}) integrated an ink
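Review bot: moving the `\todo{Get proper number}` after the full stop fixes the punctuation, but the value it flags, `\qty{2}{\milli\meter}`, is still presented to the reader as a measured survey result ("no sample in our survey exceeding"); either replace it with the measured figure or phrase it as an approximation until the number is confirmed.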
@ -840,7 +842,7 @@ access by probes.
\label{fig_ingenico_forming}
\end{figure}
specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
Specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a
PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the
PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry.
@ -928,15 +930,69 @@ terminal. While a similar result could also be achieved by milling a slot into t
PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs
on top of one another instead.
Figure~\ref{hsm_fig_3d_sandwich_lid} finally shows an advanced construction technique that uses a custom PCB with a
large indent milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base
PCB. This PCB lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A
ground plane filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the
cavity. Below this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_lid} shows an advanced construction technique that uses a custom PCB with a large indent
milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base PCB. This PCB
lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A ground plane
filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the cavity. Below
this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below these two
via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB.
\subsubsection{Tabular results}
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\subsubsection{Results summary}
Below is a table representing which features discussed in the sections above we found in which of our samples. Overall,
we commonly found a combination of a rigid PCB mesh in the specimen's main PCB and and flexible meshes formed into a lid
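Review bot: In the re-added paragraph, "Below this standard mesh stackup are two that are used to create a via fence structure" is missing its noun and should read "are two more layers that are used ..."; the six-layer count given in the preceding sentence only adds up with that word present. Since the CT Imaging subsection is relocated here verbatim, the `% FIXME put the CT people in the acknowledgements!` comment travels with it unresolved; either resolve it in this commit or move it to wherever the acknowledgements live. While this paragraph is touched, the unchanged context line "a rigid PCB mesh in the specimen's main PCB and and flexible meshes" has a doubled "and".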
@ -969,7 +1025,7 @@ reverse engineering.
\newcolumntype{M}{>{\centering\arraybackslash}p{4mm}}
\setlength{\tabcolsep}{0pt}
\begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM}
&&\multicolumn{29}{c}{\textbf{Mesh}}\\
&&\multicolumn{29}{c}{\textbf{Specimen}}\\
\textbf{Feature} & \textbf{Figures} &
1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32
\\\hline
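Review bot: The header row is now `\textbf{Specimen}` over bare numbers `1 & 2 & ... & 32`, while the prose refers to the same devices as \sampleno{H18}, \sampleno{H03} and so on; either put the \sampleno macro in the column header cells or state in the caption that these are the H specimen numbers so readers can match columns to the text. The 29 listed specimens match the 29 data columns of the tabular spec and the `\multicolumn{29}` span, so the layout itself is consistent.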
@ -1135,64 +1191,12 @@ Integrated contact pads & \ref{hsm_fig_connector_fpc}
& & & \\ % 30 - 32
\end{tabular}
\caption{Feature matrix of all specimens analyzed.}
\caption[Feature matrix of all specimens analyzed.]{Feature matrix of all specimens analyzed. Dots indicate presence
of a feature. The figures column lists which figures above contain examples of a particular feature.}
\label{tab_hsm_survey_sample_results}
\end{table}
\end{landscape}
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\section{Discussion}
In our survey, we have seen the technological state of the art to which tamper-sensing meshes have evolved since the
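Review bot: The new long caption says "Dots indicate presence of a feature", but the only visible data row ends in empty cells (`& & & \\ % 30 - 32`); confirm that every feature row marks presence with the same dot macro so the legend in the caption matches the table body. The deleted CT Imaging block is re-added unchanged earlier in this commit, so that part is a pure relocation; just check that the labels hsm_fig_ingenico_potted_ct_cut, hsm_fig_ingenico_potted_ct_3d and hsm_fig_ingenico_potted_seated are now defined exactly once, since a duplicate label would only show up as a LaTeX warning.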


@ -134,10 +134,11 @@ existing HSM tamper sensing designs require bespoke manufacturing methods or cus
obermaierPUFfilmMethodProducing2023,
immler2019,
garbTamperSensitiveDesignPUFBased,
immlerBTREPIDBatterylessTamperresistant2018}.
This creates a single point of failure in the manufacturer, and opens up an opportunity for a hardware supply-chain
attack~\cite{harrisonSoKSecurityArchitects2025}. Such supply chain attacks can be mitigated by independently
manufacturing our design.
immlerBTREPIDBatterylessTamperresistant2018}. Custom ICs require a large up-front financial commitment to produce.
Bespoke manufacturing methods may require custom machines, training, and specialty materials, also incurring a high
startup cost. This creates a single point of failure in the manufacturer, and opens up an opportunity for a hardware
supply-chain attack~\cite{harrisonSoKSecurityArchitects2025}. Such supply chain attacks can be mitigated by
independently manufacturing our design.
%%%
\section{A Note on Hardware Security Module Terminology}
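Review bot: The antecedent of "This creates a single point of failure in the manufacturer" has shifted: it now follows the two new sentences about up-front cost, but it is the dependence on a single bespoke manufacturer or custom IC vendor, not the cost, that creates the single point of failure. Suggest something like "Either way, the design is tied to one manufacturer, which creates a single point of failure and opens up an opportunity for a hardware supply-chain attack~\cite{harrisonSoKSecurityArchitects2025}". The two added cost claims ("large up-front financial commitment", "high startup cost") carry no citation while the neighbouring supply-chain claim does; add a reference or phrase them explicitly as the authors' assessment.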


@ -7,11 +7,13 @@
\usepackage[
backend=biber,
style=numeric,
backref=true,
natbib=true,
url=false,
doi=true,
eprint=false,
refsegment=chapter,
date=iso,
]{biblatex}
\addbibresource{main.bib}
\DeclareSourcemap{
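Review bot: `date=iso` only sets the format of the main `date` field; `urldate` keeps biblatex's default (`short`) unless `urldate=iso` or `alldates=iso` is also set, so the access dates will still print in a different format from the publication dates. If the goal is uniform ISO output everywhere, `alldates=iso` is the one-line fix. `backref=true` works fine alongside `refsegment=chapter`, but it appends page back-references to every entry of every chapter's subbibliography, which gets long in a thesis; `backrefstyle=three+` keeps the page lists compact.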
@ -173,6 +175,38 @@
\printbibliography[nottype={online},nottype={patent},heading=subbibliography,resetnumbers=false,segment=\therefsegment]
}
% Fix for random mixed date formats, generated with claude.ai
% Redefine the date printing macro
\renewbibmacro*{date}{%
\iffieldundef{year}
{}
{\printtext{%
\thefield{year}%
\iffieldundef{month}
{}
{-\mkdatezeros{\thefield{month}}%
\iffieldundef{day}
{}
{-\mkdatezeros{\thefield{day}}}}%
}}%
}
% Redefine urldate printing
\renewbibmacro*{urldate}{%
\iffieldundef{urlyear}
{}
{\printtext[urldate]{%
\thefield{urlyear}%
\iffieldundef{urlmonth}
{}
{-\mkdatezeros{\thefield{urlmonth}}%
\iffieldundef{urlday}
{}
{-\mkdatezeros{\thefield{urlday}}}}%
}}%
}
% end fix
\newrefcontext{defref}
\hyphenation{a-me-na-ble}
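Review bot: This redefinition of the `date` and `urldate` bibmacros discards biblatex's own date handling: a date range (`date = {2019-12-27/2019-12-29}`) silently loses its end date, and the localisation and the `iso` style configured via `date=iso` in the package options above are bypassed. With `date=iso` already set (plus `alldates=iso` for access dates), `\printdate` and `\printurldate` should produce the same yyyy-mm-dd output, which would make this block redundant. The "random mixed date formats" are better explained by the malformed `year = {01:00:00 +0100}` fields in main.bib that this same commit replaces with proper `date = {...}` values; re-check whether the macro is still needed after that bib fix, and in any case the `% generated with claude.ai` comment should say what the macro is meant to work around rather than where it came from.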


@ -844,6 +844,30 @@
organization = {US National Security Agency (NSA)}
}
@book{boakHistoryUSCommunications1973,
title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lectures}}), {{Volume I}}},
author = {Boak, David G.},
date = {1973},
publisher = {(US) National Security Agency},
url = {http://archive.org/details/history_comsec-nsa},
urldate = {2025-02-18},
langid = {english},
keywords = {NSA},
annotation = {2015 re-declassified version contains more material}
}
@book{boakHistoryUSCommunications1981,
title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lectures}}), {{Volume II}}},
author = {Boak, David G.},
date = {1981},
publisher = {(US) National Security Agency},
url = {http://archive.org/details/history_comsec_ii-nsa},
urldate = {2025-02-18},
langid = {english},
keywords = {NSA},
annotation = {2015 re-declassified version contains more material}
}
@book{bogatinSignalPowerIntegrity2018,
title = {Signal and Power Integrity, Simplified},
author = {Bogatin, Eric},
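Review bot: The two new boakHistory entries drop the `namea = {{Michael Best}}` / `nameatype = {collaborator}` information that the removed nsaHistory entries carried, so the provenance of the archive.org upload is lost; if that matters, keep it in `annotation` or `note`. `publisher = {(US) National Security Agency}` prints the parenthesised qualifier literally in the bibliography; the entry at the top of this hunk uses `organization = {US National Security Agency (NSA)}`, so use that spelling for consistency.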
@ -1868,7 +1892,7 @@
@patent{droegeSicherheitsmodulMitEinteiliger1997,
type = {patentde},
title = {Sicherheitsmodul Mit Einteiliger {{Sicherheitsfolie}}},
author = {Droege, Hartmut Dipl Ing and Fischer, Ludwig Dipl Ing and Scheibel, Markus Dipl Ing and Sonnentag, Dieter Dipl Ing},
author = {Droege, Hartmut and Fischer, Ludwig and Scheibel, Markus and Sonnentag, Dieter},
holder = {{International Business Machines Corp}},
date = {1997-07-17},
number = {19600769A1},
@ -3130,7 +3154,7 @@
@book{huangHardwareHackerAdventures2019,
title = {The {{Hardware Hacker}}: {{Adventures}} in {{Making}} and {{Breaking Hardware}}},
shorttitle = {The {{Hardware Hacker}}},
author = {Huang, Andrew "bunnie"},
author = {Huang, Andrew ``bunnie''},
date = {2019},
publisher = {No Starch Press},
location = {San Francisco},
@ -5432,32 +5456,6 @@
keywords = {twisted-inductors}
}
@book{nsaHistoryUSCommunications1973,
title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lectures}}), {{Volume I}}},
author = {{NSA}},
namea = {{Michael Best}},
nameatype = {collaborator},
date = {1973},
url = {http://archive.org/details/history_comsec-nsa},
urldate = {2025-02-18},
langid = {english},
keywords = {NSA},
annotation = {2015 re-declassified version contains more material}
}
@book{nsaHistoryUSCommunications1981,
title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lecture}}), {{Volume II}}},
author = {{NSA}},
namea = {{Michael Best}},
nameatype = {collaborator},
date = {1981},
url = {http://archive.org/details/history_comsec_ii-nsa},
urldate = {2025-02-18},
langid = {english},
keywords = {NSA},
annotation = {2015 re-declassified version contains more material}
}
@article{obermaier2018,
title = {The Past, Present, and Future of Physical Security Enclosures: {{From}} Battery-Backed Monitoring to {{PUF-based}} Inherent Security and Beyond},
author = {Obermaier, Johannes and Immler, Vincent},
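Review bot: Dropping nsaHistoryUSCommunications1973/1981 in favour of the new boakHistory... keys is a rename, and none of the .tex hunks in this commit show a `\cite{nsaHistory...}` being updated; run biber once more and check its log for "entry not found" so no citation is left dangling. Changing the author from `{{NSA}}` to `Boak, David G.` also changes the sort key and the in-text label, which is presumably intended but worth stating in the commit message.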
@ -5501,7 +5499,7 @@
@patent{obermaierPUFfilmMethodProducing2023,
type = {patentus},
title = {{{PUF-film}} and Method for Producing the Same},
author = {Obermaier, Johannes and Immler, Vincent and HESSELBARTH, Robert},
author = {Obermaier, Johannes and Immler, Vincent and Hesselbarth, Robert},
holder = {{Fraunhofer Gesellschaft zur Foerderung der Angewandten Forschung eV}},
date = {2023-02-21},
number = {11586780B2},
@ -7233,22 +7231,22 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
keywords = {Benchmark testing,Computer architecture,Computer performance,Conferences,Energy efficiency,Focusing,Hardware,High performance computing,Market research,Performance analysis,Power demand,Processor energy efficiency,Servers,Software}
}
@online{tschirsichHackerHinOder0100,
@online{tschirsichHackerHinOder2019,
title = {"{{Hacker}} Hin Oder Her": {{Die}} Elektronische {{Patientenakte}} Kommt!},
shorttitle = {"{{Hacker}} Hin Oder Her"},
author = {Tschirsich, Martin and Brodowski, cbro-Dr med Christian and Zilch, Dr André},
year = {01:00:00 +0100},
author = {Tschirsich, Martin and Brodowski, Dr med Christian and Zilch, Dr André},
date = {2019-12-27},
url = {https://media.ccc.de/v/36c3-10595-hacker_hin_oder_her_die_elektronische_patientenakte_kommt},
urldate = {2025-05-15},
abstract = {Herzstück der digitalen Gesundheitsversorgung für 73 Millionen Versicherte ist die hochsichere, kritische Telematik-Infrastruktur mit ber...},
langid = {english}
}
@online{tschirsichKonnteBisherNoch0100,
@online{tschirsichKonnteBisherNoch2024,
title = {„{{Konnte}} Bisher Noch Nie Gehackt Werden“: {{Die}} Elektronische {{Patientenakte}} Kommt - Jetzt Für Alle!},
shorttitle = {„{{Konnte}} Bisher Noch Nie Gehackt Werden“},
author = {Tschirsich, Martin and Kastl, Bianca},
year = {00:00:00 +0100},
date = {2024-12-27},
url = {https://media.ccc.de/v/38c3-konnte-bisher-noch-nie-gehackt-werden-die-elektronische-patientenakte-kommt-jetzt-fr-alle},
urldate = {2025-05-15},
abstract = {In wenigen Wochen werden die Gesundheitsdaten von rund 73 Millionen in Deutschland Krankenversicherten ohne deren Zutun über Praxis- und ...},
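Review bot: Both entries keep `langid = {english}` although their titles and abstracts are German; set `langid = {german}` (or `ngerman`) so the titles hyphenate correctly and biblatex does not apply English casing rules to them. The author fields still carry academic titles ("Dr med Christian", "Dr André") while the droege entry in this same commit strips "Dipl Ing" from its authors; treat titles consistently. The straight quotes in `"{{Hacker}} Hin Oder Her"` are left as is although the Huang entry in this commit switches to ``...''; apply the same change here, or `\enquote{}` if csquotes is loaded. As with the nsaHistory rename, the key change from 0100 to 2019/2024 needs the corresponding `\cite` calls updated.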
@ -7768,7 +7766,7 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
@patent{weidnerHardwareschutzFormHalbschalen2007,
type = {patent},
title = {Hardwareschutz in form von zu halbschalen tiefgezogenen leiterplatten},
title = {Hardwareschutz in Form von zu Halbschalen tiefgezogenen Leiterplatten},
author = {Weidner, Karl and Wimmer, Anton},
holder = {{Siemens Aktiengesellschaft}},
date = {2007-01-11},
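Review bot: Good fix, restoring German noun capitalisation; the droege entry earlier in this commit still carries the title-cased `Sicherheitsmodul Mit Einteiliger {{Sicherheitsfolie}}`, which by the same rule should read `Sicherheitsmodul mit einteiliger Sicherheitsfolie`. The `type = {patent}` here versus `type = {patentde}` in the droege entry also looks inconsistent; if this is likewise a German patent, `patentde` gives the "German patent" label in the bibliography.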