jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

survey: Add giant table

Browse source
This commit is contained in:
jaseg 2025-11-03 17:05:22 +01:00
parent 9715bf6bd1
commit 91b4164cbd
3 changed files with 188 additions and 76 deletions
Download patch file Download diff file Expand all files Collapse all files

260
chapter-hsms/chapter.tex
View file

@ -671,7 +671,7 @@ In our survey, we found a wide variety of connecting methods used to connect tam
base PCBs with a selection shown in Figure~\ref{hsm_fig_connector}. Both rigid PCBs and FPCs can be soldered directly to
a PCB using either a Land Grid Array (LGA) technique where pads on both PCBs are soldered facing each other, or using
\emph{castellated} edges, where pads on the base PCB are soldered sideways to holes on the top PCB that have been milled
in half as shown in Figure~\ref{hsm_fig_connector_castellations}. FPCs can also be soldered by draggin a solder blob
in half as shown in Figure~\ref{hsm_fig_connector_castellations}. FPCs can also be soldered by dragging a blob of solder
across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but this technique is only suitable for hand
soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow
soldering.
@ -914,77 +914,184 @@ via fence layers, at the bottom of the PCB is one more layer containing the pads
\subsubsection{Tabular results}
\begin{landscape}
\begin{table}
\footnotesize
\rowcolors{2}{gray!15}{white}
\begin{tabular}[c]{c>{\RaggedRight\arraybackslash}p{20mm}>{\RaggedRight\arraybackslash}p{30mm}lccccc}
\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type code} &
\textbf{Mesh Contacts} & \textbf{Mesh Material} & \textbf{3D Construction} &
\textbf{Obscurity Features} & \textbf{Others} \\
\hline
H01 & PED & Verifone & VX 570 & & & & & \\
H02 & Slot machine CPU module & Merkur / ADP Gauselmann & Sam 12 EC2 & & & & & \\
H03 & EPP & Sagem & USA1315-4240 & & & & & \\
H04 & EPP & Sagem & USA1316-5120 & & & & & \\
H05 & PED & Xac & xAPT-103 & & & & & \\
H06 & PED & Ingenico & iCT250 & & & & & \\
H08 & PED & Sagem & NOR4100 & & & & & \\
H09 & PED & Hypercom & M4230 & & & & & \\
H10 & PED & Worldline & YOMANI XR & & & & & \\
H11 & PED & Banksys & C-ZAM Smash Portable & & & & & \\
H12 & PED & Hypercom & P2100 & & & & & \\
H13 & PED & Ingenico & iCT 220 & & & & & \\
H14 & PED & Verifone & H5000 & & & & & \\
H15 & PED & Verifone & MX 925 & & & & & \\
H16 & PED & Verifone & V200c CTLS & & & & & \\
H17 & PED & Verifone & VX 680 & & & & & \\
H18 & PED & Ingenico & i7910 & & & & & \\
H19 & PED & Banksys & XENTA & & & & & \\
H20 & PED & Verifone & VX 520 3G & & & & & \\
H21 & PED & Verifone & V400m Plus 4G & & & & & \\
H22 & PED & Ingenico & Move 3500 & & & & & \\
H23 & PED & Ingenico & iPP 350 & & & & & \\
H24 & PED & Ingenico & iWL255 & & & & & \\
H25 & Franking Machine & Neopost & IJ-25 & & & & & \\
H27 & PED & Sumup & AIR1E205 & & & & & \\
H28 & EPP & NCR & 5814 & & & & & \\
H29 & HSM & SafeNet & VBD-05 & & & & & \\
H30 & HSM & Irdeto & C201 & & & & & \\
H31 & PED & SumUp & SumUp 3G & & & & & \\
H32 & PED & SumUp & SumUp Air & & & & & \\
\footnotesize
\centering
\newcolumntype{M}{>{\centering\arraybackslash}p{4mm}}
\setlength{\tabcolsep}{0pt}
\begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM}
&&\multicolumn{29}{c}{\textbf{Mesh}}\\
\textbf{Feature} & \textbf{Figures} &
1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32
\\\hline
\multicolumn{31}{l}{\textbf{Mesh Contacts.}} \\\hline
Elastomeric & \ref{hsm_fig_connector_elastomeric}, \ref{hsm_fig_connector_stack}
% 0 1 2 3 4 5 6 7 8 9
&&&&& & && % 0 - 9
&& && &&&&& & % 10 - 19
&&&& & & &&% 20 - 29
& &&\\ % 30 - 32
Soldered & \ref{hsm_fig_connector_castellations}
% 0 1 2 3 4 5 6 7 8 9
&& & &&&&& % 0 - 9
& & && & & &&&& % 10 - 19
& & &&&& & & % 20 - 29
& && \\ % 30 - 32
Stacking & \ref{hsm_fig_connector_stack}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & && % 0 - 9
& & & & & & & && & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
Tactile Dome & \ref{hsm_fig_connector_dome}, \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & & && & % 0 - 9
& & & && & & & & & % 10 - 19
& && &&& & & % 20 - 29
& & & \\ % 30 - 32
FPC Connector & \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & && & &% 0 - 9
&& & & &&&&&& % 10 - 19
& && & & & & & % 20 - 29
&& & \\ % 30 - 32
Mesh EMI Gasket & \ref{hsm_fig_connector_gasket}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & && & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Mesh Material}} \\
\hline
Rigid PCB & \ref{hsm_fig_materials_pcb_rigid}
% 0 1 2 3 4 5 6 7 8 9
&&&&&&&&% 0 - 9
&&&&&&&&&& % 10 - 19
& &&&&& &&% 20 - 29
& &&\\ % 30 - 32
Copper FPC & \ref{hsm_fig_materials_pcb_flex}
% 0 1 2 3 4 5 6 7 8 9
& & &&& &&& % 0 - 9
& & &&& & &&& & % 10 - 19
&&& &&& &&% 20 - 29
& && \\ % 30 - 32
Printed silver ink & \ref{hsm_fig_materials_silver_ink}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
&& &&&& & &&& % 10 - 19
& && &&& & & % 20 - 29
& & & \\ % 30 - 32
\hline
Printed carbon ink & \ref{hsm_fig_materials_carbon_ink}
% 0 1 2 3 4 5 6 7 8 9
&& & & & & & &% 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
&& & \\ % 30 - 32
Gold (Laser Direct Structuring) & \ref{hsm_fig_materials_gold_lds}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & &\\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{3D Construction}} \\
\hline
Folded mesh & \ref{hsm_fig_3d_struct_folded_overlap}, \ref{hsm_fig_3d_struct_folded_no_overlap}
% 0 1 2 3 4 5 6 7 8 9
&& &&&&&&% 0 - 9
&& &&& & &&&& % 10 - 19
&&& &&& && % 20 - 29
&&& \\ % 30 - 32
House of cards & \ref{hsm_fig_3d_struct_house_of_cards}
% 0 1 2 3 4 5 6 7 8 9
&& & & & & && % 0 - 9
&& & & & & & & && % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
Laser Direct Structuring & \ref{hsm_fig_3d_struct_lds}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & &\\ % 30 - 32
\hline
Thermoformed & \ref{hsm_fig_3d_struct_vacuum_form}, \ref{fig_ingenico_forming}
% 0 1 2 3 4 5 6 7 8 9
& & & & & && & % 0 - 9
& & && & & & & & & % 10 - 19
& & & &&& & & % 20 - 29
& & & \\ % 30 - 32
Planar obstacle & \ref{hsm_fig_3d_sandwich_obstacle}, \ref{hsm_fig_3d_sandwich_via_fence}
% 0 1 2 3 4 5 6 7 8 9
&& & &&& & & % 0 - 9
& & & &&& &&& & % 10 - 19
& & & && & & & % 20 - 29
& & & \\ % 30 - 32
Complex planar & \ref{hsm_fig_3d_sandwich_stack}, \ref{hsm_fig_3d_sandwich_lid}
% 0 1 2 3 4 5 6 7 8 9
& & & && & & & % 0 - 9
& & & & && & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Obscurity Features}} \\
\hline
Metal enclosure & \ref{hsm_fig_3d_struct_folded_overlap}
% 0 1 2 3 4 5 6 7 8 9
& &&&& & && % 0 - 9
& & & & & & && & & % 10 - 19
& && & & & && % 20 - 29
&& & \\ % 30 - 32
Potting & \ref{hsm_fig_ingenico_potted_seated}
% 0 1 2 3 4 5 6 7 8 9
& & & & && & & % 0 - 9
& & & & & & & & && % 10 - 19
& & & & & & & & % 20 - 29
&& & \\ % 30 - 32
\hline
Opaque foil & \ref{hsm_fig_connector_dome}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& &% 0 - 9
&& & && & & && & % 10 - 19
&&& && & & & % 20 - 29
&& & \\ % 30 - 32
Opaque lacquer & \ref{fig_ingenico_forming}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
& & & && & & && & % 10 - 19
&& & && & & & % 20 - 29
&& &\\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Other Features}} \\
\hline
Integrated tactile domes & \ref{hsm_fig_connector_dome}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
& & & && & & && & % 10 - 19
& && &&& && % 20 - 29
& && \\ % 30 - 32
Integrated contact pads & \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & && && & & % 10 - 19
& && & & & && % 20 - 29
& & & \\ % 30 - 32
\end{tabular}
\caption{Features found in the samples we dissected. Column key:
\emph{Mesh contacts:}
Elastomeric (Figures~\ref{hsm_fig_connector_elastomeric}, \ref{hsm_fig_connector_stack}),
Soldered (Figure~\ref{hsm_fig_connector_castellations}),
Stacking (Figure~\ref{hsm_fig_connector_stack}),
Tactile Dome (Figures~\ref{hsm_fig_connector_dome}, \ref{hsm_fig_connector_fpc}),
FPC Connector (Figure~\ref{hsm_fig_connector_fpc}),
Mesh EMI Gasket (Figure~\ref{hsm_fig_connector_gasket}).
\emph{Mesh Material:}
Rigid PCB (Figure~\ref{hsm_fig_materials_pcb_rigid}),
Copper FPC (Figure~\ref{hsm_fig_materials_pcb_flex}),
Printed silver ink (Figure~\ref{hsm_fig_materials_silver_ink}),
Printed carbon ink (Figure~\ref{hsm_fig_materials_carbon_ink}),
Gold Laser Direct Structuring (Figure~\ref{hsm_fig_materials_lds}).
\emph{3D Construction:}
Folded mesh (Figures~\ref{hsm_fig_3d_struct_folded_overlap} and \ref{hsm_fig_3d_struct_folded_no_overlap}),
House of cards (Figure~\ref{hsm_fig_3d_struct_house_of_cards}),
Laser Direct Structuring (Figure~\ref{hsm_fig_3d_struct_lds}),
Thermoformed (Figures~\ref{hsm_fig_3d_struct_vacuum_form} and \ref{fig_ingenico_forming}),
Planar obstacle (Figures~\ref{hsm_fig_3d_sandwich_obstacle} and \ref{hsm_fig_3d_sandwich_via_fence}),
Complex planar (Figures~\ref{hsm_fig_3d_sandwich_stack} and \ref{hsm_fig_3d_sandwich_lid}),
\emph{Obscurity Features:}
Metal enclosure (Figure~\ref{hsm_fig_3d_struct_folded_overlap}),
Potting (Figure~\ref{hsm_fig_ingenico_potted_seated}),
Opaque foil (Figure~\ref{hsm_fig_connector_dome}),
Opaque lacquer (Figure~\ref{fig_ingenico_forming}).
\emph{Other Features:}
Integrated tactile domes (Figure~\ref{hsm_fig_connector_dome}),
-Integrated tactile Dome landing pad (Figure~\ref{hsm_fig_connector_fpc}).
}
\caption{Feature matrix of all specimens analyzed.}
\label{tab_hsm_survey_sample_results}
\end{table}
\end{landscape}
\subsubsection{CT Imaging}
\begin{figure}
@ -1021,14 +1128,15 @@ Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\r
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}).
\todo{Pictures/refs of opaque materials, mention sample numbers}
To circumvent such attempts, an obvious attack vector is to use radiographical imaging techniques such as X-ray or CT
imaging. To evaluate CT imaging as an attack method, we experimentally imaged the potted HSM module of an Ingenico
payment terminal using an industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two
images exported from the resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut
across part of the module. In this cut, we can clearly identify a mesh layer with multiple traces, four solid metal
contacts crimped to the mesh foil, and two unused contact pads and mesh traces in the lower part of the picture. An
attacker would be able to use this information to target the metal contacts with a tool like a needle probe. From the CT
scan we were able to measure that the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a
thin needle probe right through one of the mesh's traces should be possible without breaking the trace.
imaging. To evaluate CT imaging as an attack method, we experimentally imaged the potted HSM module of
sample~\sampleno{H18}, an Ingenico payment terminal, using an industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows
the module we analyzed and two images exported from the resulting CT scan data.
Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In this cut, we can
clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil, and two unused
contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this information to
target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that the mesh of the
device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through one of the mesh's
traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the

1
common-defs.tex
View file

@ -174,6 +174,7 @@
\setstretch{1.3}
\DeclareUnicodeCharacter{2B24}{$\bullet$}
\newcommand{\sampleno}[1]{\textsf{#1}}
% Settings for tocloft as applied to minitoc
%\setlength{\cftbeforesecskip}{-1pt}

3
common-packages.tex
View file

@ -23,6 +23,9 @@
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{rotating}
\usepackage{pdflscape}
\usepackage{afterpage}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}