From 6c461a27110965b28944112d588cd500e15ff65c Mon Sep 17 00:00:00 2001 From: jaseg Date: Mon, 23 Mar 2026 20:57:08 +0100 Subject: [PATCH] Add harris presentation --- chapter-hsms/pres-harris.tex | 488 +++++++++++++++++++++++++++++++++++ 1 file changed, 488 insertions(+) create mode 100644 chapter-hsms/pres-harris.tex diff --git a/chapter-hsms/pres-harris.tex b/chapter-hsms/pres-harris.tex new file mode 100644 index 0000000..9087622 --- /dev/null +++ b/chapter-hsms/pres-harris.tex @@ -0,0 +1,488 @@ +\documentclass[aspectratio=169]{beamer} +\usetheme{default} +\usepackage[T1]{fontenc} +\usepackage{textcomp} +\usepackage{graphicx} +\usepackage{subcaption} +\usepackage{siunitx} +\usepackage{booktabs} +\usepackage{array} +\usepackage{ragged2e} +\usepackage{colortbl} +\usepackage{pdflscape} +\usepackage[percent]{overpic} + +\graphicspath{{figures}} + +% Define custom commands if not already defined +\newcommand{\surveypic}[2]{ + \begingroup + \setlength{\fboxsep}{0.2mm} + \begin{overpic}[percent,height=10mm]{#2} + \put(100,85){\makebox[0pt][r]{\colorbox{white}{\footnotesize H#1}}} + \end{overpic} + \endgroup + } +\newcommand{\sampleno}[1]{#1} + +\title{Tamper-Sensing Meshes in the Wild} +\author{Jan Sebastian Götte, TU Darmstadt} +\date{2026-03-24} + +\begin{document} + +\begin{frame} +\titlepage +\end{frame} + +\begin{frame}{What is a Tamper Sensing Mesh?} +\begin{itemize} +\item Embedded looped conductor covering a surface +\item Detects physical intrusion + \begin{itemize} + \item Drills, saws, lasers etc. + \end{itemize} +\item Triggers some tamper response + \begin{itemize} + \item Deleting keys + \item Raising alarms + \item Explosions? + \end{itemize} +\item Widely used in HSMs, payment terminals, ATMs, nuclear weapons +\end{itemize} +\end{frame} + +\begin{frame}{The History of Tamper-Sensing Meshes} +\begin{itemize} +\item \textbf{1870}: First patents using literal wire meshes to protect bank vaults +\item \textbf{1902}: Multi-layer, orthogonal meshes documented +\item \textbf{1971}: Printed circuit technology adopted +\item \textbf{1990s}: Widespread commercial adoption with cryptographic applications +\end{itemize} + +Other, hard to date examples: NSA use for protecting ciphering machines (earlier than 1973), US use in nuclear weapons +\end{frame} + +\begin{frame}{Commercial Applications Today} +\begin{itemize} +\item Datacenter HSMs (Key management, payment processing) +\item Card Payment Terminals (PIN encryption) +\item ATM Encrypting Pin Pads (PIN encryption) +\item Key Safes for Emergency services access (Germany only?) +\item Mail Franking Machines (credit counter) +\item Slot Machines (likely for DRM) +\end{itemize} +\end{frame} + + +\begin{frame}{Our Survey} +\textbf{Sample Size}: 30 devices + +\textbf{Device Types}: +\begin{itemize} + \item 23 Card payment terminals (Verifone, Ingenico, SumUp, etc.) + \item 3 ATM Encrypting Pin Pads (NCR, Sagem) + \item 2 HSM modules (SafeNet, Utimaco) + \item 1 Franking machine + \item 1 German slot machine CPU +\end{itemize} +\end{frame} + +\begin{frame}{Mesh Materials and Structure Sizes Observed} +\begin{itemize} + \item \textbf{Rigid PCB (FR-4):} Photolithographic etching, \SIrange{100}{200}{\micro\meter} + \item \textbf{Polyimide/Copper FPC:} Photolithographic etching, \SIrange{100}{200}{\micro\meter} + \item \textbf{Silver ink FPC:} Screen printing, \SIrange{500}{3000}{\micro\meter} + \item \textbf{Carbon ink FPC:} Screen printing, \SIrange{500}{3000}{\micro\meter} + \item \textbf{Gold laser direct structuring:} Laser Direct Structuring, \SIrange{50}{200}{\micro\meter} + \item \textbf{IBM/Gore mesh:} Printed, \SIrange{200}{1500}{\micro\meter} +\end{itemize} +\end{frame} + +\begin{frame}{Survey Specimens - External Photos} +\begin{figure} + \centering + \footnotesize + \begin{tabular}[c]{cccccc} + \surveypic{02}{survey_diag_S02.jpg}& + \surveypic{03}{survey_diag_S03.jpg}& + \surveypic{04}{survey_diag_S04.jpg}& + \surveypic{05}{survey_diag_S05.jpg}& + \surveypic{06}{survey_diag_S06.jpg}& + \surveypic{08}{survey_diag_S08.jpg}\\ + \surveypic{09}{survey_diag_S09.jpg}& + \surveypic{10}{survey_diag_S10.jpg}& + \surveypic{11}{survey_diag_S11.jpg}& + \surveypic{12}{survey_diag_S12.jpg}& + \surveypic{13}{survey_diag_S13.jpg}& + \surveypic{14}{survey_diag_S14.jpg}\\ + \surveypic{15}{survey_diag_S15.jpg}& + \surveypic{16}{survey_diag_S16.jpg}& + \surveypic{17}{survey_diag_S17.jpg}& + \surveypic{18}{survey_diag_S18.jpg}& + \surveypic{19}{survey_diag_S19.jpg}& + \surveypic{20}{survey_diag_S20.jpg}\\ + \surveypic{21}{survey_diag_S21.jpg}& + \surveypic{22}{survey_diag_S22.jpg}& + \surveypic{23}{survey_diag_S23.jpg}& + \surveypic{24}{survey_diag_S24.jpg}& + \surveypic{25}{survey_diag_S25.jpg}& + \surveypic{27}{survey_diag_S27.jpg}\\ + \surveypic{28}{survey_diag_S28.jpg}& + \surveypic{29}{survey_diag_S29.jpg}& + \surveypic{30}{survey_diag_S30.jpg}& + \surveypic{31}{survey_diag_S31.jpg}& + \surveypic{32}{survey_diag_S32.jpg}& + \\ + \end{tabular} +\end{figure} +\end{frame} + +\begin{frame}{Survey Specimens - Internal Photos} +\begin{figure} + \centering + \footnotesize + \begin{tabular}[c]{cccccc} + \surveypic{01}{survey_internal_09_S01.jpg}& + \surveypic{02}{survey_internal_20_S02.jpg}& + \surveypic{03}{survey_internal_11_S03.jpg}& + \surveypic{04}{survey_internal_03_S04.jpg}& + \surveypic{05}{survey_internal_10_S05.jpg}& + \surveypic{06}{survey_internal_08_S06.jpg}\\ + \surveypic{08}{survey_internal_24_S08.jpg}& + \surveypic{09}{survey_internal_13_S09.jpg}& + \surveypic{10}{survey_internal_23_S10.jpg}& + \surveypic{11}{survey_internal_17_S11.jpg}& + \surveypic{12}{survey_internal_19_S12.jpg}& + \surveypic{13}{survey_internal_02_S13.jpg}\\ + \surveypic{14}{survey_internal_00_S14.jpg}& + \surveypic{15}{survey_internal_04_S15.jpg}& + \surveypic{16}{survey_internal_05_S16.jpg}& + \surveypic{17}{survey_internal_22_S17.jpg}& + \surveypic{18}{survey_internal_21_S18.jpg}& + \surveypic{19}{survey_internal_26_S19.jpg}\\ + \surveypic{20}{survey_internal_12_S20.jpg}& + \surveypic{21}{survey_internal_15_S21.jpg}& + \surveypic{22}{survey_internal_16_S22.jpg}& + \surveypic{23}{survey_internal_07_S23.jpg}& + \surveypic{24}{survey_internal_06_S24.jpg}& + \surveypic{25}{survey_internal_25_S25.jpg}\\ + \surveypic{27}{survey_internal_18_S27.jpg}& + \surveypic{28}{survey_internal_14_S28.jpg}& + \surveypic{30}{survey_internal_29_S30.jpg}& + \surveypic{31}{survey_internal_27_S31.jpg}& + \surveypic{32}{survey_internal_28_S32.jpg}& + \\ + \end{tabular} +\end{figure} +\end{frame} + +\begin{frame}{Mesh Trace Layouts} +\begin{columns}[T] +\begin{column}{0.5\textwidth} + \centering + \begin{overpic}[width=.45\textwidth]{hsm_mesh_offset.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries A}} + \end{overpic} + \hspace{1mm} + \begin{overpic}[width=.45\textwidth]{hsm_mesh_orthogonal.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries B}} + \end{overpic} + + \vspace{5mm} + + \begin{overpic}[width=.45\textwidth]{hsm_utimaco_mesh_gore.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries C}} + \end{overpic} + \hspace{1mm} + \begin{overpic}[width=.45\textwidth]{hsm_mesh_stack_epp.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries D}} + \end{overpic} +\end{column} +\begin{column}{0.45\textwidth} + \raggedright + \textbf{A:} Offset layers (H12) + + \textbf{B:} Orthogonal patterns (H14) + + \textbf{C:} Orthogonal + area pattern (H30) + + \textbf{D:} Spaced layers (H28) +\end{column} +\end{columns} +\end{frame} + +\begin{frame}{Mesh Materials and Manufacturing} +\centering +\begin{tabular}{lll} + \begin{overpic}[width=.22\textwidth]{trace_material_copper_pcb.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries A}} + \end{overpic} + & + \begin{overpic}[width=.22\textwidth]{trace_material_copper_flex.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries B}} + \end{overpic} + & + \begin{overpic}[width=.22\textwidth]{trace_material_silver.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries C}} + \end{overpic} + \\[3mm] + \begin{overpic}[width=.22\textwidth]{trace_material_contact_gold_lds.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries D}} + \end{overpic} + & + \begin{overpic}[width=.22\textwidth]{trace_material_carbon.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries E}} + \end{overpic} + & + \begin{tabular}[b]{@{}l@{}} + \textbf{A:} Rigid PCB (H10) \\ + \textbf{B:} Flexible PCB (H15) \\ + \textbf{C:} Silver ink (H14) \\ + \textbf{D:} Laser Direct Structuring (H32) \\ + \textbf{E:} Carbon ink (H30) + \end{tabular} +\end{tabular} +\end{frame} + +\begin{frame}{Mesh Connection Methods} +\centering +\begin{tabular}{ccc} + \begin{overpic}[width=.20\textwidth]{connector_castellated_edge.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries A}} + \end{overpic} + & + \begin{overpic}[width=.20\textwidth]{connector_elastomeric.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries B}} + \end{overpic} + & + \begin{overpic}[width=.20\textwidth]{connector_rf_gasket.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries C}} + \end{overpic} + \\[2mm] + \begin{overpic}[width=.20\textwidth]{connector_zif_fpc_2.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries D}} + \end{overpic} + & + \begin{overpic}[width=.20\textwidth]{connector_stacking.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries E}} + \end{overpic} + & + \begin{overpic}[width=.20\textwidth]{connector_metal_dome.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries F}} + \end{overpic} +\end{tabular} + +\vspace{3mm} + +\small +\textbf{A:} Direct soldering (H05) \quad +\textbf{B:} Elastomeric connector (H31) \quad +\textbf{C:} EMI gasket (H14) \\ +\textbf{D:} FPC connector (H20) \quad +\textbf{E:} Stacking connector (H17) \quad +\textbf{F:} Tactile dome (H06) +\end{frame} + +\begin{frame}{3D Mesh Construction Styles} +\centering +\begin{tabular}{lll} + \begin{overpic}[width=.22\textwidth]{hsm_3d_style_fold_overlap.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries A}} + \end{overpic} + & + \begin{overpic}[width=.22\textwidth]{hsm_3d_style_fold_no_overlap.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries B}} + \end{overpic} + & + \begin{overpic}[width=.22\textwidth]{3d_construction_lds_top.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries C}} + \end{overpic} + \\[3mm] + \begin{overpic}[width=.22\textwidth]{hsm_3d_style_vacform.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries D}} + \end{overpic} + & + \begin{overpic}[width=.22\textwidth]{3d_construction_cards_standalone.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries E}} + \end{overpic} + & + \begin{tabular}[b]{@{}l@{}} + \textbf{A:} Folded with overlap (H03) \\ + \textbf{B:} Folded without overlap (H14) \\ + \textbf{C:} Laser Direct Structuring (H32) \\ + \textbf{D:} Thermoformed (H12) \\ + \textbf{E:} House-of-Cards (H08) + \end{tabular} +\end{tabular} +\end{frame} + +\begin{frame}{Thermoforming Example} +\begin{columns}[T] +\begin{column}{0.32\textwidth} + \centering + \includegraphics[width=.6\textwidth]{survey_formed_mesh_before.jpg}\\ + \small Before removing lacquer +\end{column} +\begin{column}{0.32\textwidth} + \centering + \includegraphics[width=.6\textwidth]{survey_formed_mesh_after.jpg}\\ + \small After removing lacquer +\end{column} +\end{columns} +\vspace{3mm} +\small Formed cavities in printed foil mesh specimen H24 +\end{frame} + +\begin{frame}{Sandwich-Style Construction} +\begin{columns}[T] +\begin{column}{0.5\textwidth} + \centering + \begin{overpic}[width=.45\textwidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries A}} + \end{overpic} + \hspace{1mm} + \begin{overpic}[width=.45\textwidth]{3d_construction_via_stitch_mesh_delayer_2.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries B}} + \end{overpic} + + \vspace{3mm} + + \begin{overpic}[width=.45\textwidth]{3d_construction_planar_stack.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries C}} + \end{overpic} + \hspace{1mm} + \begin{overpic}[width=.45\textwidth]{3d_construction_cavity_2.jpg} + \put(5,92){\colorbox{white}{\footnotesize\bfseries D}} + \end{overpic} +\end{column} +\begin{column}{0.45\textwidth} + \raggedright + \textbf{A:} Obstacle mesh coupons (H17) + + \textbf{B:} Via-fence meshes (H24) + + \textbf{C:} Planar sandwich stack (H24) + + \textbf{D:} PCB lid with cavity (H14) +\end{column} +\end{columns} +\end{frame} + +\begin{frame}{Security Issues Observed} +\textbf{Design Defects:} +\begin{itemize} + \item Meshes not overlapping at edges leaving gaps for probe insertion + \item Gaps at mesh-PCB interfaces + \item Thermoformed cavities with enlarged structure size at corners +\end{itemize} + +\textbf{Obscurity Failures:} +\begin{itemize} + \item In one case, an opaque lacquer was easily removed with acetone (without damaging the mesh!) + \item Trace patterns visible through cover layers due to surface unevenness +\end{itemize} +\end{frame} + +\begin{frame}{Design Recommendations (1/2)} + \begin{itemize} + \item Commodity PCB manufacturing process design rules in the \SIrange{100}{200}{\micro\meter} range are better than the state of the art in mesh structure size + \item Avoid ink printing processes or thermoforming because of their large structure size + \item Carefully think about your literal corner cases (and edges)! + \begin{itemize} + \item Overlap meshes where possible. + \end{itemize} + \item Use potting and cover layers, but verify that they work + \begin{itemize} + \item Check that you \emph{actually} can't see what's below + \item Test their chemical resistance (and that of your mesh) + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame}{Design Recommendations (2/2)} + \begin{itemize} + \item Mixing tough potting or enclosure materials and fragile mesh materials makes life harder for an attacker + \begin{itemize} + \item Consider using steel instead of plastic (also helps against X-ray inspection!) + \item Use thin substrates and thin conductive layers for the mesh + \item Balance adhesion so removing potting / cover layers tears away traces below + \end{itemize} + \item Overlap mesh layers at a 50\% structure size offset + \item Space (some) mesh layers apart in Z direction to constrain attack tools + \item Use a pressure-sensitive connection method like tactile domes or elastomeric conncetors + \end{itemize} +\end{frame} + +\begin{frame} +\centering +\Huge Thank you! + +\vspace{1cm} + +\Large Questions? +\end{frame} + +\begin{frame} +\centering +Long-form version of this presentation in my thesis: + +\url{https://jaseg.de/thesis-final-web.pdf} + +\includegraphics{thesis_qr.png} +\end{frame} + +\begin{frame}{Specimen List (1/2)} +\footnotesize +\begin{tabular}{c>{\RaggedRight\arraybackslash}p{25mm}>{\RaggedRight\arraybackslash}p{35mm}ll} +\toprule +\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type} & \textbf{Year} \\ +\midrule +H01 & PED & Verifone & VX 570 & ca. 2010 \\ +H02 & Slot machine & Merkur / ADP & Sam 12 EC2 & ca. 2012 \\ +H03 & EPP & Sagem & USA1315-4240 & 2014 \\ +H04 & EPP & Sagem & USA1316-5120 & 2007 \\ +H05 & PED & Xac & xAPT-103 & 2014 \\ +H06 & PED & Ingenico & iCT250-11T1860A & 2016-17 \\ +H08 & PED & Sagem & NOR4100-4220 & 2012 \\ +H09 & PED & Hypercom & M4230 & 2010 \\ +H10 & PED & Worldline & YOMANI XR & 2016 \\ +H11 & PED & Banksys & C-ZAM Smash & 2004 \\ +H12 & PED & Hypercom & Optimum P2100 & 2010 \\ +H13 & PED & Ingenico & iCT 220-11T2938A & 2016 \\ +H14 & PED & Verifone & H5000 & 2016 \\ +H15 & PED & Verifone & MX 925 & 2018 \\ +H16 & PED & Verifone & V200c CTLS & 2021 \\ +H17 & PED & Verifone & VX 680 & 2014 \\ +\bottomrule +\end{tabular} +\end{frame} + +\begin{frame}{Specimen List (2/2)} +\footnotesize +\begin{tabular}{c>{\RaggedRight\arraybackslash}p{25mm}>{\RaggedRight\arraybackslash}p{35mm}ll} +\toprule +\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type} & \textbf{Year} \\ +\midrule +H18 & PED & Ingenico & i7910 & 2010 \\ +H19 & PED & Banksys & XENTA & 2004-2011 \\ +H20 & PED & Verifone & VX 520 3G & 2017 \\ +H21 & PED & Verifone & V400m Plus 4G & 2018 \\ +H22 & PED & Ingenico & Move 3500 & 2020 \\ +H23 & PED & Ingenico & iPP 350-11T1718A & 2015 \\ +H24 & PED & Ingenico & iWL255-01T2117A & 2016 \\ +H25 & Franking Mach. & Neopost & IJ-25 & ca. 2001 \\ +H27 & PED & Sumup & AIR1E205 & 2021 \\ +H28 & EPP & NCR & 5814 UEPP & 2019 \\ +H29 & HSM & SafeNet & VBD-05 & 2018 \\ +H30 & HSM & Irdeto & Mayflower & 2011 \\ +H31 & PED & SumUp & SumUp 3G & 2019 \\ +H32 & PED & SumUp & SumUp Air & 2022 \\ +\bottomrule +\end{tabular} +\vspace{3mm} + +\tiny PED: Pin Entry Device; EPP: Encrypting Pin Pad; HSM: Hardware Security Module +\end{frame} + +\end{document}