diff --git a/chapter-hsms/chapter.tex b/chapter-hsms/chapter.tex index 0eb19ce..577bd20 100644 --- a/chapter-hsms/chapter.tex +++ b/chapter-hsms/chapter.tex @@ -671,7 +671,7 @@ In our survey, we found a wide variety of connecting methods used to connect tam base PCBs with a selection shown in Figure~\ref{hsm_fig_connector}. Both rigid PCBs and FPCs can be soldered directly to a PCB using either a Land Grid Array (LGA) technique where pads on both PCBs are soldered facing each other, or using \emph{castellated} edges, where pads on the base PCB are soldered sideways to holes on the top PCB that have been milled -in half as shown in Figure~\ref{hsm_fig_connector_castellations}. FPCs can also be soldered by draggin a solder blob +in half as shown in Figure~\ref{hsm_fig_connector_castellations}. FPCs can also be soldered by dragging a blob of solder across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but this technique is only suitable for hand soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow soldering. @@ -914,77 +914,184 @@ via fence layers, at the bottom of the PCB is one more layer containing the pads \subsubsection{Tabular results} +\begin{landscape} \begin{table} - \footnotesize - \rowcolors{2}{gray!15}{white} - \begin{tabular}[c]{c>{\RaggedRight\arraybackslash}p{20mm}>{\RaggedRight\arraybackslash}p{30mm}lccccc} - \textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type code} & - \textbf{Mesh Contacts} & \textbf{Mesh Material} & \textbf{3D Construction} & - \textbf{Obscurity Features} & \textbf{Others} \\ - \hline - H01 & PED & Verifone & VX 570 & & & & & \\ - H02 & Slot machine CPU module & Merkur / ADP Gauselmann & Sam 12 EC2 & & & & & \\ - H03 & EPP & Sagem & USA1315-4240 & & & & & \\ - H04 & EPP & Sagem & USA1316-5120 & & & & & \\ - H05 & PED & Xac & xAPT-103 & & & & & \\ - H06 & PED & Ingenico & iCT250 & & & & & \\ - H08 & PED & Sagem & NOR4100 & & & & & \\ - H09 & PED & Hypercom & M4230 & & & & & \\ - H10 & PED & Worldline & YOMANI XR & & & & & \\ - H11 & PED & Banksys & C-ZAM Smash Portable & & & & & \\ - H12 & PED & Hypercom & P2100 & & & & & \\ - H13 & PED & Ingenico & iCT 220 & & & & & \\ - H14 & PED & Verifone & H5000 & & & & & \\ - H15 & PED & Verifone & MX 925 & & & & & \\ - H16 & PED & Verifone & V200c CTLS & & & & & \\ - H17 & PED & Verifone & VX 680 & & & & & \\ - H18 & PED & Ingenico & i7910 & & & & & \\ - H19 & PED & Banksys & XENTA & & & & & \\ - H20 & PED & Verifone & VX 520 3G & & & & & \\ - H21 & PED & Verifone & V400m Plus 4G & & & & & \\ - H22 & PED & Ingenico & Move 3500 & & & & & \\ - H23 & PED & Ingenico & iPP 350 & & & & & \\ - H24 & PED & Ingenico & iWL255 & & & & & \\ - H25 & Franking Machine & Neopost & IJ-25 & & & & & \\ - H27 & PED & Sumup & AIR1E205 & & & & & \\ - H28 & EPP & NCR & 5814 & & & & & \\ - H29 & HSM & SafeNet & VBD-05 & & & & & \\ - H30 & HSM & Irdeto & C201 & & & & & \\ - H31 & PED & SumUp & SumUp 3G & & & & & \\ - H32 & PED & SumUp & SumUp Air & & & & & \\ +\footnotesize +\centering +\newcolumntype{M}{>{\centering\arraybackslash}p{4mm}} +\setlength{\tabcolsep}{0pt} + \begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM} + &&\multicolumn{29}{c}{\textbf{Mesh}}\\ +\textbf{Feature} & \textbf{Figures} & +1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32 + \\\hline + +\multicolumn{31}{l}{\textbf{Mesh Contacts.}} \\\hline +Elastomeric & \ref{hsm_fig_connector_elastomeric}, \ref{hsm_fig_connector_stack} + % 0 1 2 3 4 5 6 7 8 9 + & ⬤ & ⬤ & ⬤ & ⬤ & & & ⬤ & % 0 - 9 + & ⬤ & & ⬤ & & ⬤ & ⬤ & ⬤ & ⬤ & & % 10 - 19 + & ⬤ & ⬤ & ⬤ & & & & ⬤ & ⬤ % 20 - 29 + & & ⬤ & ⬤\\ % 30 - 32 +Soldered & \ref{hsm_fig_connector_castellations} + % 0 1 2 3 4 5 6 7 8 9 + & ⬤ & & & ⬤ & ⬤ & ⬤ & ⬤ & % 0 - 9 + & & & ⬤ & & & & ⬤ & ⬤ & ⬤ & % 10 - 19 + & & & ⬤ & ⬤ & ⬤ & & & % 20 - 29 + & & ⬤ & \\ % 30 - 32 +Stacking & \ref{hsm_fig_connector_stack} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & & & ⬤ & % 0 - 9 + & & & & & & & & ⬤ & & % 10 - 19 + & & & & & & & & % 20 - 29 + & & & \\ % 30 - 32 +\hline +Tactile Dome & \ref{hsm_fig_connector_dome}, \ref{hsm_fig_connector_fpc} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & & ⬤ & & % 0 - 9 + & & & & ⬤ & & & & & & % 10 - 19 + & & ⬤ & & ⬤ & ⬤ & & & % 20 - 29 + & & & \\ % 30 - 32 +FPC Connector & \ref{hsm_fig_connector_fpc} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & ⬤ & & & ⬤ % 0 - 9 + & ⬤ & & & & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & % 10 - 19 + & & ⬤ & & & & & & % 20 - 29 + & ⬤ & & \\ % 30 - 32 +Mesh EMI Gasket & \ref{hsm_fig_connector_gasket} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & & & & % 0 - 9 + & & & & & ⬤ & & & & & % 10 - 19 + & & & & & & & & % 20 - 29 + & & & \\ % 30 - 32 + +\hline +\multicolumn{31}{l}{\textbf{Mesh Material}} \\ +\hline +Rigid PCB & \ref{hsm_fig_materials_pcb_rigid} + % 0 1 2 3 4 5 6 7 8 9 + & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ % 0 - 9 + & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & % 10 - 19 + & & ⬤ & ⬤ & ⬤ & ⬤ & & ⬤ & ⬤ % 20 - 29 + & & ⬤ & ⬤\\ % 30 - 32 +Copper FPC & \ref{hsm_fig_materials_pcb_flex} + % 0 1 2 3 4 5 6 7 8 9 + & & & ⬤ & ⬤ & & ⬤ & ⬤ & % 0 - 9 + & & & ⬤ & ⬤ & & & ⬤ & ⬤ & & % 10 - 19 + & ⬤ & ⬤ & & ⬤ & ⬤ & & ⬤ & ⬤ % 20 - 29 + & & ⬤ & \\ % 30 - 32 +Printed silver ink & \ref{hsm_fig_materials_silver_ink} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & ⬤ & ⬤ & & % 0 - 9 + & ⬤ & & ⬤ & ⬤ & ⬤ & & & ⬤ & ⬤ & % 10 - 19 + & & ⬤ & & ⬤ & ⬤ & & & % 20 - 29 + & & & \\ % 30 - 32 +\hline +Printed carbon ink & \ref{hsm_fig_materials_carbon_ink} + % 0 1 2 3 4 5 6 7 8 9 + & ⬤ & & & & & & & ⬤ % 0 - 9 + & & & & & & & & & & % 10 - 19 + & & & & & & & & % 20 - 29 + & ⬤ & & \\ % 30 - 32 +Gold (Laser Direct Structuring) & \ref{hsm_fig_materials_gold_lds} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & & & & % 0 - 9 + & & & & & & & & & & % 10 - 19 + & & & & & & & & % 20 - 29 + & & & ⬤\\ % 30 - 32 + +\hline +\multicolumn{31}{l}{\textbf{3D Construction}} \\ +\hline +Folded mesh & \ref{hsm_fig_3d_struct_folded_overlap}, \ref{hsm_fig_3d_struct_folded_no_overlap} + % 0 1 2 3 4 5 6 7 8 9 + & ⬤ & & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ & ⬤ % 0 - 9 + & ⬤ & & ⬤ & ⬤ & & & ⬤ & ⬤ & ⬤ & % 10 - 19 + & ⬤ & ⬤ & & ⬤ & ⬤ & & ⬤ & % 20 - 29 + & ⬤ & ⬤ & \\ % 30 - 32 +House of cards & \ref{hsm_fig_3d_struct_house_of_cards} + % 0 1 2 3 4 5 6 7 8 9 + & ⬤ & & & & & & ⬤ & % 0 - 9 + & ⬤ & & & & & & & & ⬤ & % 10 - 19 + & & & & & & & & % 20 - 29 + & & & \\ % 30 - 32 +Laser Direct Structuring & \ref{hsm_fig_3d_struct_lds} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & & & & % 0 - 9 + & & & & & & & & & & % 10 - 19 + & & & & & & & & % 20 - 29 + & & & ⬤\\ % 30 - 32 +\hline +Thermoformed & \ref{hsm_fig_3d_struct_vacuum_form}, \ref{fig_ingenico_forming} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & & ⬤ & & % 0 - 9 + & & & ⬤ & & & & & & & % 10 - 19 + & & & & ⬤ & ⬤ & & & % 20 - 29 + & & & \\ % 30 - 32 +Planar obstacle & \ref{hsm_fig_3d_sandwich_obstacle}, \ref{hsm_fig_3d_sandwich_via_fence} + % 0 1 2 3 4 5 6 7 8 9 + & ⬤ & & & ⬤ & ⬤ & & & % 0 - 9 + & & & & ⬤ & ⬤ & & ⬤ & ⬤ & & % 10 - 19 + & & & & ⬤ & & & & % 20 - 29 + & & & \\ % 30 - 32 +Complex planar & \ref{hsm_fig_3d_sandwich_stack}, \ref{hsm_fig_3d_sandwich_lid} + % 0 1 2 3 4 5 6 7 8 9 + & & & & ⬤ & & & & % 0 - 9 + & & & & & ⬤ & & & & & % 10 - 19 + & & & & & & & & % 20 - 29 + & & & \\ % 30 - 32 + +\hline +\multicolumn{31}{l}{\textbf{Obscurity Features}} \\ +\hline +Metal enclosure & \ref{hsm_fig_3d_struct_folded_overlap} + % 0 1 2 3 4 5 6 7 8 9 + & & ⬤ & ⬤ & ⬤ & & & ⬤ & % 0 - 9 + & & & & & & & ⬤ & & & % 10 - 19 + & & ⬤ & & & & & ⬤ & % 20 - 29 + & ⬤ & & \\ % 30 - 32 +Potting & \ref{hsm_fig_ingenico_potted_seated} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & ⬤ & & & % 0 - 9 + & & & & & & & & & ⬤ & % 10 - 19 + & & & & & & & & % 20 - 29 + & ⬤ & & \\ % 30 - 32 +\hline +Opaque foil & \ref{hsm_fig_connector_dome} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & ⬤ & ⬤ & & ⬤ % 0 - 9 + & ⬤ & & & ⬤ & & & & ⬤ & & % 10 - 19 + & ⬤ & ⬤ & & ⬤ & & & & % 20 - 29 + & ⬤ & & \\ % 30 - 32 +Opaque lacquer & \ref{fig_ingenico_forming} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & ⬤ & ⬤ & & % 0 - 9 + & & & & ⬤ & & & & ⬤ & & % 10 - 19 + & ⬤ & & & ⬤ & & & & % 20 - 29 + & ⬤ & & ⬤\\ % 30 - 32 + +\hline +\multicolumn{31}{l}{\textbf{Other Features}} \\ +\hline +Integrated tactile domes & \ref{hsm_fig_connector_dome} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & ⬤ & ⬤ & & % 0 - 9 + & & & & ⬤ & & & & ⬤ & & % 10 - 19 + & & ⬤ & & ⬤ & ⬤ & & ⬤ & % 20 - 29 + & & ⬤ & \\ % 30 - 32 +Integrated contact pads & \ref{hsm_fig_connector_fpc} + % 0 1 2 3 4 5 6 7 8 9 + & & & & & & & & % 0 - 9 + & & & & & ⬤ & & ⬤ & & & % 10 - 19 + & & ⬤ & & & & & ⬤ & % 20 - 29 + & & & \\ % 30 - 32 + \end{tabular} - \caption{Features found in the samples we dissected. Column key: - \emph{Mesh contacts:} - Elastomeric (Figures~\ref{hsm_fig_connector_elastomeric}, \ref{hsm_fig_connector_stack}), - Soldered (Figure~\ref{hsm_fig_connector_castellations}), - Stacking (Figure~\ref{hsm_fig_connector_stack}), - Tactile Dome (Figures~\ref{hsm_fig_connector_dome}, \ref{hsm_fig_connector_fpc}), - FPC Connector (Figure~\ref{hsm_fig_connector_fpc}), - Mesh EMI Gasket (Figure~\ref{hsm_fig_connector_gasket}). - \emph{Mesh Material:} - Rigid PCB (Figure~\ref{hsm_fig_materials_pcb_rigid}), - Copper FPC (Figure~\ref{hsm_fig_materials_pcb_flex}), - Printed silver ink (Figure~\ref{hsm_fig_materials_silver_ink}), - Printed carbon ink (Figure~\ref{hsm_fig_materials_carbon_ink}), - Gold Laser Direct Structuring (Figure~\ref{hsm_fig_materials_lds}). - \emph{3D Construction:} - Folded mesh (Figures~\ref{hsm_fig_3d_struct_folded_overlap} and \ref{hsm_fig_3d_struct_folded_no_overlap}), - House of cards (Figure~\ref{hsm_fig_3d_struct_house_of_cards}), - Laser Direct Structuring (Figure~\ref{hsm_fig_3d_struct_lds}), - Thermoformed (Figures~\ref{hsm_fig_3d_struct_vacuum_form} and \ref{fig_ingenico_forming}), - Planar obstacle (Figures~\ref{hsm_fig_3d_sandwich_obstacle} and \ref{hsm_fig_3d_sandwich_via_fence}), - Complex planar (Figures~\ref{hsm_fig_3d_sandwich_stack} and \ref{hsm_fig_3d_sandwich_lid}), - \emph{Obscurity Features:} - Metal enclosure (Figure~\ref{hsm_fig_3d_struct_folded_overlap}), - Potting (Figure~\ref{hsm_fig_ingenico_potted_seated}), - Opaque foil (Figure~\ref{hsm_fig_connector_dome}), - Opaque lacquer (Figure~\ref{fig_ingenico_forming}). - \emph{Other Features:} - Integrated tactile domes (Figure~\ref{hsm_fig_connector_dome}), - -Integrated tactile Dome landing pad (Figure~\ref{hsm_fig_connector_fpc}). - } + \caption{Feature matrix of all specimens analyzed.} \label{tab_hsm_survey_sample_results} \end{table} +\end{landscape} + \subsubsection{CT Imaging} \begin{figure} @@ -1021,14 +1128,15 @@ Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\r burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}). \todo{Pictures/refs of opaque materials, mention sample numbers} To circumvent such attempts, an obvious attack vector is to use radiographical imaging techniques such as X-ray or CT -imaging. To evaluate CT imaging as an attack method, we experimentally imaged the potted HSM module of an Ingenico -payment terminal using an industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two -images exported from the resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut -across part of the module. In this cut, we can clearly identify a mesh layer with multiple traces, four solid metal -contacts crimped to the mesh foil, and two unused contact pads and mesh traces in the lower part of the picture. An -attacker would be able to use this information to target the metal contacts with a tool like a needle probe. From the CT -scan we were able to measure that the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a -thin needle probe right through one of the mesh's traces should be possible without breaking the trace. +imaging. To evaluate CT imaging as an attack method, we experimentally imaged the potted HSM module of +sample~\sampleno{H18}, an Ingenico payment terminal, using an industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows +the module we analyzed and two images exported from the resulting CT scan data. +Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In this cut, we can +clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil, and two unused +contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this information to +target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that the mesh of the +device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through one of the mesh's +traces should be possible without breaking the trace. Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the diff --git a/common-defs.tex b/common-defs.tex index e866f52..f263fac 100644 --- a/common-defs.tex +++ b/common-defs.tex @@ -174,6 +174,7 @@ \setstretch{1.3} +\DeclareUnicodeCharacter{2B24}{$\bullet$} \newcommand{\sampleno}[1]{\textsf{#1}} % Settings for tocloft as applied to minitoc %\setlength{\cftbeforesecskip}{-1pt} diff --git a/common-packages.tex b/common-packages.tex index 2cfe781..39f3ba7 100644 --- a/common-packages.tex +++ b/common-packages.tex @@ -23,6 +23,9 @@ \usepackage{commath} \usepackage{graphicx,color} \usepackage{ccicons} +\usepackage{rotating} +\usepackage{pdflscape} +\usepackage{afterpage} \usepackage{subcaption} \usepackage{float} \usepackage{footmisc}