Finish the rest of leo's annotations

jaseg 2025-11-28 18:10:56 +01:00
parent 75c0da19d8
commit 18956ffe75
5 changed files with 223 additions and 177 deletions


@ -14,7 +14,7 @@ being used in the late 19\textsuperscript{th} century, around the widespread com
active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs.
In this chapter, we will start with a brief history of tamper sensing meshes. Complementing our historical analysis, we
will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will analyze
will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will examine
their implementation. We will analyze the gaps left by the current state of the art in commercial practice, and evaluate
how Inertial HSMs could close these gaps to make secure hardware accessible to a wider range of applications. The
contributions in this chapter are as follows:
@ -27,8 +27,8 @@ contributions in this chapter are as follows:
illustrating them.
\item From our sample, we extract several design patterns that can be applied to increase the security of a design.
\item We note security flaws in several of our samples.
\item We provide the results of CT measurements of multiple samples, and we evaluate their impact on tamper sensing
mesh security.
\item We provide the results of Computed Tomography (CT) imaging of multiple samples, and we evaluate their impact
on tamper sensing mesh security.
\end{itemize}
\section{The History of Tamper Sensing Meshes}
@ -70,9 +70,9 @@ the widespread adoption of cryptography in commercial applications~\cite{
One early practical uses of tamper sensing meshes for information security as opposed to the security of some physical
good is documented in notes on a series of lectures given by Dr.~David~G. Boak, a specialist in communications security
and signal intelligence at the US National Security
Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
Agency~\cite{boakHistoryUSCommunications1981,boakHistoryUSCommunications1973}. In this lecture series, Boak mentions
that around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time
were large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
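Review bot: The first context line of this hunk reads "One early practical uses of tamper sensing meshes", which mixes singular and plural; since the paragraph is being touched anyway, change it to "One early practical use" or "One of the earliest practical uses". In the updated \cite, the 1981 key is now listed before the 1973 key; if the bibliography style does not sort citations, put boakHistoryUSCommunications1973 first so the references appear chronologically. The renamed keys also need matching entries in the .bib file, which are not visible in this hunk.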
@ -111,24 +111,29 @@ history of nuclear material passing through these facilities.
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a metal enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.
extensive use of tamper-indicating enclosures and of seals\footnote{
Note that in IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper
indication''. The IAEA distinguishes between active tamper indication, which we conventionally call tamper
detection, and passive tamper indication, which we conventionally call tamper evidence. Tamper indicating devices
include seals, but also the aforementioned uniquely characterizable enclosures, which IAEA terminology calls
intrinsically tamper-indicating. An example for an active tamper indicating device would be a seismic sensor at the
bottom of a borehole that has been back-filled with concrete such that any attempt to reach the sensor would be
well-visible in the sensor's own readings~\cite{simmonsHowInsureThat1988}.
}. In both systems, the approach taken is that the enclosure or seal is treated similarly to what these days, in
computing we call a Physically Unclonable Function (PUF). The concept of a PUF centers on electronic component
manufactured such that random manufacturing variations can later be measured by the finished circuit. The core idea is
that since these manufacturing variations are random, they can be used as a source for cryptographic entropy.
Furthermore, the concept is based on the assumption that these manufacturing variations cannot be controlled, hence
making the device \emph{unclonable}.
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}.
Similar to a PUF, in the IAEA's application an enclosure or seal is manufactured in a process that leaves an
unpredictable and uncontrollable pattern of manufacturing variations such as surface imperfections. A process used in
the IAEA is to package devices in aluminium enclosures passivated in a bright color, which leaves a random, microscopic
pattern of pits in the surface from the etching step. Before such a device is deployed in the field, it is precisely
measured from all sides. Later on, after field deployment, its integrity can then be checked by comparing its current
state to these initial measurements. The underlying assumption is that drilling or cutting into something like a metal
enclosure will leave detectable traces, and that perfectly replicating an object including features such as minute
surface imperfections is infeasible even to a nation state~\cite{iaea2011}.
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
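Review bot: In the new footnote, "the aforementioned uniquely characterizable enclosures" no longer has anything to refer back to: the footnote mark sits after "seals", while the enclosures and their surface measurements are only described later ("Similar to a PUF, in the IAEA's application ..."). Either move the footnote to the end of that later passage or drop "aforementioned". In the added PUF definition, "centers on electronic component manufactured such that" is missing a determiner ("an electronic component" or "electronic components"), "what these days, in computing we call" needs a second comma after "computing", and the footnote mixes "tamper indicating" with the hyphenated "tamper-indicating". The footnote mark would also conventionally go after the sentence's period rather than before it.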
@ -148,12 +153,12 @@ and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right
of card payment terminals.
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. These applications include key management in the TLS certificate infrastructure. In this
chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
Other applications include mail franking machines, where they are used to protect the credit counter and franking data,
with one such unit analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany
are mounted externally on public buildings to provide keys to emergency services, and which include tamper sensing
meshes on their door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
hampered by their high cost. In this chapter, we will analyze a commercial HSM that was used in the key management
infrastructure of a premium TV provider as one example of such uses. Examples of other applications include mail
franking machines, where they are used to protect the credit counter and franking data, with one such unit analyzed in
this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted externally on
public buildings to provide keys to emergency services, and which include tamper sensing meshes on their door and
interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series
of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.
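Review bot: The rewrite drops the sentence naming key management in the TLS certificate infrastructure, so the opening claim that HSMs are used "even outside of the financial industry" is now supported only by this chapter's own specimens; consider keeping that example or citing another deployment. In "mail franking machines, where they are used to protect the credit counter", "they" reads as the franking machines rather than HSMs; "where HSMs protect the credit counter and franking data" is unambiguous. "In this chapter" also now appears in two consecutive sentences.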
@ -213,7 +218,7 @@ To achieve low power consumption, a popular technique known since at least
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Bridge circuits were already used
mesh trace's resistance with a reference resistor, or using a Wheatstone bridge. Bridge circuits were already used
in early tamper sensing mesh implementations~\cite{
ElektrischeSicherheitseinrichtungSchutze1932,
hamPrintedcircuitTypeSecurity1971,
@ -228,10 +233,7 @@ within its nominal operating environment, tampering can be made less convenient.
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other
sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation
sensors such as X-ray sensors have been proposed. While the implementation cost of most sensor types is low, each
additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors
being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like
custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside
light.
additional environmental sensor comes with an increased false alarm rate.
% FIXME citations?
\section{A Survey of Meshes in the Wild}
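Review bot: With the light-sensor anecdote removed, "each additional environmental sensor comes with an increased false alarm rate" is left as an unsupported claim, and the "% FIXME citations?" comment right after it is still open; add a reference or qualify the statement. The context sentence above it also repeats itself: "A multitude of other sensors have been proposed, including ... X-ray sensors have been proposed" should lose the second "have been proposed".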
@ -250,9 +252,9 @@ terminals, which represent the most varied class of device incorporating such me
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 30 total devices including 23 different models of card payment terminals, and 7 other devices.
Some devices were procured by dumpster diving, while most were sourced from ebay. The majority of these were sold by
electronic waste recycling companies. A complete list of our specimens can be found in
Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Some devices were procured by intercepting electronic waste, while most were sourced from ebay in Februrary and March
2025. The majority of these were sold by electronic waste recycling companies. A complete list of our specimens can be
found in Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Figure~\ref{fig_hsm_survey_sample_pics} and internal photos are shown in
Figure~\ref{fig_hsm_survey_sample_internal_pics}. In the following sections, we will go into detail on the classes of
devices we selected for this study.
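Review bot: Typo in the added text: "Februrary" should be "February", and "ebay" is normally written "eBay". "Intercepting electronic waste" is also vaguer than the "dumpster diving" it replaces; a short clause saying where in the waste stream the devices were picked up would make the sample's provenance clearer.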
@ -353,12 +355,11 @@ skimming that aim to exfiltrate card data and PINs entered by the customer. The
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
of security than one might expect from an industry association.
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well.
One reason for the high level of physical security standards in card payment applications both on the client side
(payment terminals) and on the server side (HSM appliances) is that the finance industry has been reluctant to adopt
modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
modern cryptography. Not only are modern cryptographic protocols like secure Multiparty Computation (MPC) or
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
ancient ciphers such as Triple DES are still commonly referenced in industry
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is
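Review bot: "secure Multiparty Computation (MPC)" is capitalized inconsistently: either lowercase the whole term or capitalize it fully, as is done for "Zero-Knowledge Proofs (ZKPs)" in the same sentence. The context sentence "Not only are modern cryptographic protocols ... not commonly used." is a fragment; joining it to the next one ("..., but even asymmetric cryptography has only been adopted reluctantly") would fix that. After the cut, "its security standards are thought out well" stands without support, so a pointer to the requirements this chapter relies on would help.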
@ -376,8 +377,8 @@ and are used across application domains. Depending on the application, these HSM
can be used as coprocessors through an API. In practice, the standalone appliances are just low-end computers in a
rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we obtained two
devices labelled as HSMs. We were only able to procure two such devices since they are expensive, and even used
specimens of older models are usually listed for several hundreds to several thousands of EUR. Unfortunately, one of the
devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection
specimens of older models are usually listed for several hundreds to several thousands of Euro. Unfortunately, one of
the devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection
against advanced attacks. The other specimen we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a
white-label variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce
cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on
@ -607,6 +608,7 @@ list, we will address several common structural features that we observed across
\label{hsm_fig_materials}
\end{figure}
\todo{FIXME: Add scale / structure size to photos?}
Regular Printed Circuit Boards are frequently used to implement tamper sensing meshes as shown in
Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are
inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and
@ -700,11 +702,11 @@ across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but t
soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow
soldering.
FPCs are suitable for use with standard Zero Insertion Force (ZIF) FPC connectors as shown in
Figure~\ref{hsm_fig_connector_fpc} that directly mate to a contact area, called \emph{gold fingers} in industry terms,
on the FPC. Both FPCs and rigid PCBs can be used with standard board-to-board stacking connectors such as the one
visible in the center of Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's
back side to ensure the solder joints don't break from mechanical stress when connecting or disconnecting.
FPCs are suitable for use with standard FPC connectors as shown in Figure~\ref{hsm_fig_connector_fpc}. These connectors
mate directly to a contact area on the FPC, called \emph{gold fingers} in industry terms. Both FPCs and rigid PCBs can
be used with standard board-to-board stacking connectors such as the one visible in the center of
Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's back side to ensure the
solder joints don't break from mechanical stress when connecting or disconnecting.
In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper sensing mesh
assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are
@ -802,7 +804,7 @@ Thermoforming is a cheap industry standard process, but applied to flexible circ
only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet
cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all
sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited,
with no sample in our survey exceeding \qty{2}{\milli\meter}\todo{Get proper number}. Higher depths would require
with no sample in our survey exceeding \qty{2}{\milli\meter}.\todo{Get proper number} Higher depths would require
extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the
particle-based conductive inks used for screen-printed electronics are inelastic. Among our samples, we saw two
instances of thermoformed meshes. First, all recent Ingenico terminals (\sampleno{H06,H13,H23,H24}) integrated an ink
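Review bot: Moving \todo{Get proper number} behind the period fixes the spacing, but the \qty{2}{\milli\meter} depth limit it flags is still a placeholder; measure the deepest thermoformed sample and replace the value before this sentence is used to argue about achievable forming depth.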
@ -840,7 +842,7 @@ access by probes.
\label{fig_ingenico_forming}
\end{figure}
specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
Specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a
PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the
PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry.
@ -928,15 +930,69 @@ terminal. While a similar result could also be achieved by milling a slot into t
PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs
on top of one another instead.
Figure~\ref{hsm_fig_3d_sandwich_lid} finally shows an advanced construction technique that uses a custom PCB with a
large indent milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base
PCB. This PCB lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A
ground plane filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the
cavity. Below this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_lid} shows an advanced construction technique that uses a custom PCB with a large indent
milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base PCB. This PCB
lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A ground plane
filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the cavity. Below
this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below these two
via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB.
\subsubsection{Tabular results}
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\subsubsection{Results summary}
Below is a table representing which features discussed in the sections above we found in which of our samples. Overall,
we commonly found a combination of a rigid PCB mesh in the specimen's main PCB and and flexible meshes formed into a lid
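Review bot: In the rewritten paragraph on Figure~\ref{hsm_fig_3d_sandwich_lid}, "Below this standard mesh stackup are two that are used to create a via fence structure" is missing its noun; it should read "are two layers that are used", which also makes the six-layer count easy to follow. In the moved CT text, the conclusion that a probe could pass "right through one of the mesh's traces" without breaking it is drawn from the \qty{1.0}{\milli\meter} pitch alone; it needs the measured trace width as well, since pitch only gives the trace-to-trace distance. The context line after the new "Results summary" heading contains a doubled word ("and and flexible meshes"), and the three 0.45\textwidth subfigures joined by \quad will not fit on one row, so the break before the third should be made explicit.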
@ -969,7 +1025,7 @@ reverse engineering.
\newcolumntype{M}{>{\centering\arraybackslash}p{4mm}}
\setlength{\tabcolsep}{0pt}
\begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM}
&&\multicolumn{29}{c}{\textbf{Mesh}}\\
&&\multicolumn{29}{c}{\textbf{Specimen}}\\
\textbf{Feature} & \textbf{Figures} &
1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32
\\\hline
@ -1135,64 +1191,12 @@ Integrated contact pads & \ref{hsm_fig_connector_fpc}
& & & \\ % 30 - 32
\end{tabular}
\caption{Feature matrix of all specimens analyzed.}
\caption[Feature matrix of all specimens analyzed.]{Feature matrix of all specimens analyzed. Dots indicate presence
of a feature. The figures column lists which figures above contain examples of a particular feature.}
\label{tab_hsm_survey_sample_results}
\end{table}
\end{landscape}
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\section{Discussion}
In our survey, we have seen the technological state of the art to which tamper-sensing meshes have evolved since the
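Review bot: The new short caption "[Feature matrix of all specimens analyzed.]" ends with a period, while the other short caption visible in this commit, "[Potted module CT images]", does not; drop the period so the list of tables and list of figures are consistent. The long caption says dots mark the presence of a feature; it would help to state explicitly that an empty cell means the feature was not observed in that specimen.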