\chapterquote{An unnamed atomic bomb designer~\cite{blechmanTechnologyLimitationInternational1989}}{ Bypassing a PAL [atomic bomb ignition code lock] should be about as complex as performing a tonsillectomy while entering the patient from the wrong end. } \chaptertitle{Hardware Security Modules in the Wild} In this chapter we will take a look at how Hardware Security Modules are built and what they are used for. We will analyze the gaps left by the current state of the industry, and evaluate how Inertial HSMs could close these gaps to make secure hardware accessible to everyone. We will start with a brief history of secure hardware with a particular focus on tamper-sensing meshes since the tamper-sensing mesh is the primary line of defense that delineates a hardware security module from other, weaker secure hardware primitives such as Smart Cards or Trusted Platform Modules (TPMs). % FIXME include stuff from EPA paper \section{The History of Tamper Sensing Meshes} \subsection{Use by the US Military} Electronic tamper sensing meshes are documented in literature beginning around World War \RN{2}. The earliest mention of such a system we are aware of is from notes on a series of lectures given by Dr.~David~G. Boak, a specialist in communications security and signal intelligence at the US National Security Agency\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak does note several other ways to penalize an intrusion attempt, including raising a remote alarm or--even more exciting--exploding the device. \subsection{Use in Nuclear Weapons} Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional tampering aiming to circumvent the PAL, as well as against accidential detonation under extreme environmental conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation when triggered in just the right way. While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control. \subsection{Use in Nuclear Safeguards} Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the history of nuclear material passing through these facilities. When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a brigh color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly replicating an object including features such as minute surface imperfections is infeasible even to a nation state~\cite{iaea2011}. In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own readings~\cite{simmonsHowInsureThat1988} With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is used in contemporary hardware security modules to detect attempts at drilling or cutting into the system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of the tamper sensing mesh such as materials used or structure sizes are publically available. \subsection{Commercial Use} Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially in then-new HSMs, cryptographic coprocessors primarily aimed at the financial industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right at the source, as well as in all kinds of card payment terminals. We will analyze two such ATM pin pads later in this paper. HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this paper, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider. Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit analyzed in this paper. Furthermore, we have identified at least one model of key safe that in Germany is mounted externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or cloning. This device will also be analyzed later in this chapter. \section{The Principles of Tamper-Sensing Mesh Construction and Monitoring} \subsection{Tamper-sensing Mesh Manufacturing} The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications, meshes manufactured from off-the-shelf processes such as Flexible Printed Circuit (FPC) processes are used, these processes tend to be optimzed to maximize the robustness of the produced circuits to mechanical stress. In contrast, the ideal tamper-sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke manufacturing processes. % FIXME cite Immler et al One more widely cited tamper-sensing mesh implementation is a commercial product developed by IBM in collaboration with chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020. % FIXME mention that Immler et al. cite them This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces are printed. The flexible circuit layers are joined with a opaque black, stretchy glue and after installation embedded in an elastic opaque resin. The plastic substrate foil is thinner and significantly less resistant to tearing than plastic substrates commonly used in the electronics industry for applications like key pads and circuit boards, which improves its security against tampering. Furthermore, both the glue fusing the foil layers together and the resin the mesh is embedded inside after installation are clearly co-designed with the carbon trace material such that the trace material adheres well to both, leading to the traces being destroyed when either are peeled off. The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name. % FIXME list actual patents as citations or table. \subsection{Tamper-sensing Mesh Monitoring} Tamper-sensing meshes are most effective when they are continuously monitored using a backup power supply when the larger system is powered off. In practice, the main challenge with continuous monitoring of tamper-sensing meshes is in the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of operation from a battery. Commonly, one or two cylindrical or large coin cell Lithium primary batteries are used, providing in the order of \qtyrange{10}{20}{\watt\hour} over their lifetime. Broken down to an unpowered storage life of e.g.\ 5 years, this corresponds to a maximum average power consumption of \qty{450}{\micro\watt}. % FIXME cite patent US20010056542A1, maybe others? % relevant categories: (H01L23/576), (G06K19/07372) % keyword: wire covering % FIXME US10251260B1, US9730315B1 (both square) mention wheatstone bridge % FIXME DE2656349A1 mentions bridge circuit but applied to a fence(!) To achieve low power consumption, a popular technique known since at least 1902 % FIXME cite US708093A and still used today % FIXME cite section on utimaco / gore mesh, cite US20010056542A1 (ibm), US10251260B1, US9730315B1 (square) is to measure the mesh's deviation from its baseline value. This measurement can be implemented either by directly comparing a mesh trace's resistance with a reference resistor, or using a wheatstone bridge. % FIXME cite DE559905C This technique, known since at least 1929, is still used in modern HSMs for its simple implementation: Comparators do no need a lot of power, and similar to the layout of a strain gauge, the wheatstone bridge circuit can be implemented using the mesh's traces. When all traces are interleaved, this also provides some degree of intrinsic temperature compensation. % FIXME US10321589B2 cites comparators % US587931A (1897) describes overlapping structure % FIXME US7345497B2 uses balanced transmission lines / fast pulses % FIXME NCR Group patent US4593384A mentioned tamper traces in 1984 % FIXME NCR Group patent US3594770A mentions meshes in 1968 % FIXME US110362A from 1870 may be oldes mention of mesh I found % FIXME US708093A from 1902 shows literal meshes like we do them today, just with wires not PCBs, and also describes % bridge-like comparator circuit using counter-wound coils % FIXME Hughes Aircraft patent US5568124A mentions mesh-like panels in 1993 % NOTE: US3882324A mentions exploding the device as tamper response \subsection{Other Tamper Sensing Techniques} Besides tamper-sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a secondary line of defence in HSMs and similar devices. By placing such sensors in the device and verifying the device is within its nominal operating environment, tampering can be made less convenient. Modern security standards often mandate the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation sensors such as X-ray sensors have been proposed. While the implementation cost of most sensor types is low, each additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside light. % FIXME citations? \subsection{The Patent Landscape} Tamper-sensing meshes can be implemented in many different ways. Their design offers various degrees of freedom from the precise conductor layout, through the manufacturing technology of the mesh and how it is wrapped around the payload during manufacturing up to its monitoring circuitry. As a result, manufacturers across application domains from datacenter appliance HSMs through card payment terminals and including niche applications like mail franking machines have historically used patents on parts of their tamper-sensing mesh implementations as a means to prevent copying of their designs. While most original tamper sensing mesh implementations are covered by at least one patent, we want to highlight IBM for dwarfing the efforts of most other companies and fielding industry's widest portfolio of related patents. While the patent history of HSM-like devices is rather shallow and begins in the 1990ies % FIXME cite with scarce prior examples, % FIXME cite tamper-sensing meshes have a much longer history dating back to at least 1870. % FIXME cite Tamper-sensing meshes were often called \emph{wire coverings} in earlier patent literature from before the widespread adoption of printed circuits. Beginning in the late 1800s, there is an abundance of patents claiming such meshes for the protection of safes and vault rooms. A 1969 NCR patent % FIXME cite US10321589B2 is the earliest mention we were able to find of such a tamper-sensing mesh being implemented in a printed circuit process instead of by laying out a physical wire. \section{A Survey of Meshes in the Wild} Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive, high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that include tamper-sensing meshes to gain an understanding of how they are implemented, and what security level they are targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial devices with a focus on card payment terminals, which represent the most varied class of device incorporating such meshes. \subsection{Sample Selection} Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For this survey, we chose 21 different models of card payment terminals, and 6 other devices. All devices were procured from ebay, and the majority were sold by electronic waste recycling companies. \subsubsection{Card Payment Terminals} Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto standardization organization in the card payment space. Due to the international scale of the large credit card networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level of security than one might expect from an industry association. Physical security standards in card payment applications both on the client side -- payment terminals -- and on the server side -- HSM appliances -- are more stringent than one might expect since the finance industry has been reluctant to adopt modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and ancient ciphers such as Triple DES are still commonly referenced in industry standards~\cite{pci_security_standards_council_payment_2025}. As a result, increased hardware security is necessary to safeguard weak symmetric keys, compensating for the systems' modest cryptographic security. Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each manufacturer tends to have their own, patented tamper-sensing implementation. Being manufactured at scale, card payment terminals are cost-sensitive devices, which is reflected in the construction of their tamper-sensing implementations. \subsubsection{HSM Appliances} For datacenter applications, HSMs are sold both as add-in cards and as standalone rackmount appliances with a network interface. In practice, the standalone appliances are just low-end computers in a rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we were only able to procure a single such HSM since these devices are expensive, and even used specimens of older models are usually listed for several hundreds to several thousands of EUR. The one sample we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a white-label variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on datacenter components. The device was sold with any HDDs removed. The device consisted of an older mainboard for embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM, which was connected to the HSM add-in card through PCI. The device contained a small Lithium backup battery on the add-in card, and another, larger battery in an enclosure at the front of the device that was connected to the card through a cable. The device did not contain any obvious case intrusion sensors. \subsubsection{ATM Encrypting Pin Pads} ATMs are built in a modular construction approach. Physically, the enclosure of an ATM is not its only security barrier. Besides the enclosure, there are two security barriers worthy of note. First, the bank notes in the machine are stored in an automatic cash dispenser that is built into a traditional vault inside the machine. This vault primarily acts as a mechanical barrier to discourage theft, but it also often includes tamper sensors that activate an Intelligent Banknote Neutralisation System (IBNS). The IBNS is designed to spread hard-to-remove ink over the bank notes inside the vault when tampered. The permanently stained bank notes are not accepted by banks or retailers anymore. % FIXME cite https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf % archive: https://web.archive.org/web/20250822134238/https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf % FIXME cite https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html % FIXME cite https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html Besides the vault, the other secondary security barrier is located inside the ATM's pin pad. While all communication with the customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's smartcard IC, the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the PIN is encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption. Often, both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a tamper-sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and transmit the plaintex PIN. We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front cases. \subsubsection{Other miscellaneous devices} Sometimes, tamper-sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a conventional postage stamp. \subsection{Methodology} We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After disassembly, we photographed each major component. After photos were taken, we proceeded with destructive techniques where necessary to obtain microscope photos of each tamper-sensing mesh component. PCBs were sectioned using a sanding drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling, cutting and prying, applying heat from a heat gun as necessary to soften polymer compounds and to break glue joints. \subsection{Results} \subsubsection{Mesh materials.} We found meshes constructed from rigid PCBs as well as a number of Flexible Printed Circuit (FPC) processes. Tamper-sensing meshes constructed from PCBs sometimes used parts of an existing PCB, and sometimes additional PCBs only containing a mesh were added. Sometimes, multiple rigid PCB meshes were assembled in a house of cards fashion to enclose part of a device. For flexible meshes, with the exception of the Utimaco HSM appliance's HSM card that used an off-the-shelf Gore tamper sensing mesh foil were all clearly manufactured either entirely or mostly in standard processes. We found silkscreened silver ink and silkscreened carbon ink-based foils similar to those used for membrane keyboards, as well as conventional photolithographically etched copper/polyimide Flexible Printed Circuits (FPCs). Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for both rigid and flexible etched PCB meshes was generally in the order of \qtyrange{100}{200}{\micro\meter}, while feature size for printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}. \subsubsection{Mesh layout.} \begin{figure} \centering \begin{subfigure}[t]{0.45\textwidth} \centering\includegraphics[width=\linewidth]{hsm_mesh_offset.jpg} \caption{Offset layers for more complete coverage} \label{hsm_fig_mesh_layout_offset} \end{subfigure} \quad \begin{subfigure}[t]{0.45\textwidth} \centering\includegraphics[width=\linewidth]{hsm_mesh_orthogonal.jpg} \caption{Orthogonal patterns on subsequent layers} \label{hsm_fig_mesh_layout_orthogonal} \end{subfigure} \quad \begin{subfigure}[t]{0.45\textwidth} \centering\includegraphics[width=\linewidth]{hsm_utimaco_mesh_gore.jpg} \caption{Combining orthogonal layers with area-covering pattern} \label{hsm_fig_mesh_layout_utimaco} \end{subfigure} \quad \begin{subfigure}[t]{0.45\textwidth} \centering\includegraphics[width=\linewidth]{hsm_mesh_stack_epp.jpg} \caption{Spacing mesh layers apart to constrict angular freedom of an attack tool} \label{hsm_fig_mesh_layout_epp} \end{subfigure} \caption{Mesh trace layout approaches for multi-layer meshes.} \label{hsm_fig_mesh_layout} \end{figure} A key goal in tamper-sensing mesh design is to avoid any gaps in coverage. In single-layer meshes, gaps between adjacent mesh traces cannot be avoided, and provide an easy approach for an attack. In multi-layer meshes, these structure size-dependent gaps can be mitigated in multiple ways as shown in Figure~\ref{hsm_fig_mesh_layout}. \paragraph{Offset patterns.} In a two-sided foil mesh, most of the gaps between adjacent traces can be covered by simply offsetting the pattern by one structure size in both axes between the foil's top and bottom layers as shown in Figure~\ref{hsm_fig_mesh_layout_offset}. Depending on the mesh layout, only a small number of point-shaped gaps remain at corners in mesh traces on one of the layers. The number of these gaps can be reduced by reducing the number of misaligned corners between both layers for instance by choosing a systematic serpentine or spiral trace layout. \paragraph{Orthogonal patterns.} In some other specimens, the manufacturer chose the opposite approach of keeping the mesh pattern mostly orthogonal on the mesh's two layers as shown in Figure~\ref{hsm_fig_mesh_layout_orthogonal}. While this leads to a larger amount of gaps compared to offset patterns as described above, it also reduces the largest gap size to about one structure size by one structure size. \paragraph{Combined approaches.} Figure~\ref{hsm_fig_mesh_layout_utimaco} shows the layout of a Gore tamper-sensing mesh foil used in an Utimaco HSM. This mesh consists of two foil layers bonded to each other. The outer foil is patterned on both sides with a sparse pattern of thin serpentine traces with the patterns on both layers being orthogonal to each other. Both patterns are oriented at a \qty{45}{\degree} angle relative to the sides of the rectangular enclosed volume. The inner foil is only patterned on one side, and contains a thicker serpentine trace laid out in a zigzag pattern. The two foil layers are aligned such that no gaps remain between the layers. \paragraph{Using layer spacing.} Figure~\ref{hsm_fig_mesh_layout_epp} shows how an ATM Encrypting Pin Pad (EPP) implemented the mesh on its keypad. Off-the-shelf metal snap dome contacts were used on the surface of a conventional rigid PCB to create the keys. On top of the rigid PCB and contact domes, a two-layer copper/polyimide FPC with an additional polyimide cover layer was glued down. Meshes were placed on both layers of the FPC, as well as on one internal layer of the rigid PCB. The resulting structure had the FPC mesh layers separated from the rigid PCB mesh layer by several hundred micrometers of the rigid PCB's substrate. The meshes on both the FPC and the rigid PCB used a structure size of \qty{150}{\micro\meter}. The vertical separation between the two meshes was several times that structure size, which limits the possible angles an attack tool could be inserted through both mesh layers. \subsubsection{3D construction.} \begin{figure} \centering \begin{subfigure}[t]{0.3\textwidth} \centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_overlap.jpg} \caption{Folded with overlap} \label{hsm_fig_3d_struct_folded_overlap} \end{subfigure} \quad \begin{subfigure}[t]{0.3\textwidth} \centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_no_overlap.jpg} \caption{Folded without overlap} \label{hsm_fig_3d_struct_folded_no_overlap} \end{subfigure} \quad \begin{subfigure}[t]{0.3\textwidth} \centering\includegraphics[width=\linewidth]{hsm_3d_style_vacform.jpg} \caption{Thermoformed} \label{hsm_fig_3d_struct_vacuum_form} \end{subfigure} \quad \begin{subfigure}[t]{0.3\textwidth} \centering\includegraphics[width=\linewidth]{example-image-1x1.pdf} \caption{House-of-Cards construction} \label{hsm_fig_3d_struct_house_of_cards} \end{subfigure} \quad \begin{subfigure}[t]{0.3\textwidth} \centering\includegraphics[width=\linewidth]{hsm_3d_style_lds.jpg} \caption{Laser Direct Structuring, Image from \cite{mahungORWLPCMost2016}} \label{hsm_fig_3d_struct_lds} \end{subfigure} \caption[3D mesh construction styles]{Construction styles used to fit tamper sensing meshes into 3D envelopes.} \label{hsm_fig_3d_struct} \end{figure} In practice, meshes are almost always manufactured in planar processes first, and then transformed into a three-dimensional shape. Figure~\ref{hsm_fig_3d_struct} \subref{hsm_fig_3d_struct_folded_overlap}-\subref{hsm_fig_3d_struct_house_of_cards} show the construction styles we saw among our samples that shape a planar mesh into a three-dimensional structure. Figure~\ref{hsm_fig_3d_struct_folded_overlap} and Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} have meshes produced as flexible printed circuits, in Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard photolithographic copper/polyimide FPC process usually used for flexible PCBs, and in Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard silver ink screenprinting process. The choice in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} not to overlap the mesh in the corner is likely caused by manufacturing considerations, since it might be difficult to ensure proper folding of a small foil tab with adhesive pre-applied. Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows a sample of a flexible circuit manufactured in a screenprinted silver-ink process thermoformed into a three-dimensional shape. The flexible circuit mesh is first produced in a standard planar printing process. After printing and curing, the resulting foil is then heated to soften it, and forced into a three-dimensional shape using a mold. Depending on the process, one or two molds, and vacuum or pressured air can be used to shape the foil. The process requires a screenprinted flexible circuit, and would not work with copper/polyimide flexible PCBs since their copper layer is too thick to plastically deform without tearing, and because polyimide is not sufficiently thermoplastic at low temperatures. Thermoforming is a cheap industry standard process, but applied to flexible circuits it has some limitations. First, only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited, with no sample in our survey exceeding \qty{2}{\milli\meter}\todo{Get proper number}. Higher depths would require extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the particle-based conductive inks used for screen-printed electronics are inelastic. The specimen in Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows one further design defect. The mesh shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry. \todoplaceholder{take pic of sample H08 card slot cover} Figure~\ref{house of cards pcb construction} shows a card slot being protected by several rigid PCBs assembled into a three-dimensional structure. Solder connections between large pads are used to mechanically and electrically join the boards. While the rigid PCBs used in such as structure can be produced in a highly inexpensive, standard process, this style of construction requires manual assembly leading to increased labor cost. Furthermore, the construction leaves large gaps at edges and corners, which is not a problem for card slot protection in payment applications but which would be a flaw in a more standard HSM application. Figure~\ref{hsm_fig_3d_struct_lds} shows the resutl of Laser Direct Structuring (LDS), a process that avoids some of the limitations of thermoformed planar meshes. In LDS, a plastic part is covered in a conductive pattern in a combination of selective laser erosion of its surface and a series of preparation and electroless metal plating steps. LDS allows covering complex three-dimensional shapes, with the main limitation being that all patterned areas must have a direct line of sight to the outside for the scanning laser to reach it. Thus, the outside of complex parts can be covered, but internal cavities cannot. LDS is commonly used to create complex antenna shapes on the surface of internal structural plastic parts for smartphones, but is more costly compared to screenprinting processes due to its complexity. A further disadvantage of LDS is that it is only suitable for single-layer patterns, while two layers are easily achievable in silkscreen and photolithographic PCB processes by patterning both sides of the substrate. More layers can be achived in these processes by simply stacking multiple foil layers and adding vias (through contacts), or by folding. \subsubsection{Contact construction.} \subsubsection{Payment Terminal Construction} \begin{figure} \centering \includegraphics[width=0.7\textwidth]{mesh_fold_screenshot.pdf} \caption[HSM appliance CT scan]{Computed Tomography (CT) scan of a corner of the PCIe HSM module from an Utimaco rackmount HSM appliance. Visible are several capacitors, the edge of a large IC, and a large Flat Flexible Cable (FFC) connector. Two layers of metal enclosures with resin potting in between are visible, and the security mesh can be seen folded between layers of the folded FFC cable connecting to the outside.} \label{hsm_fig_utimaco_ct} \end{figure} \begin{figure} \centering \includegraphics[width=\textwidth]{cut_chip_scene.pdf} \caption[Ingenico Payment Terminal HSM CT Section Cut]{CT Section cut across the Ingenico potted module sample. The fold pattern of the mesh foil can be seen clearly. The mesh traces can be seen on both sides of the foil. The two-layer PCB and the lead frame and bond wires of a chip soldered on its top side are visible.} \label{fig_ingenico_cut} \end{figure} \begin{figure} \centering \includegraphics[width=\textwidth]{mesh_pitch.pdf} \caption[Ingenico Payment Terminal HSM Mesh Pitch]{A horizontal cut through the Ingenico potted module with millimeter scale next to the mesh foil. As is visible, the mesh has a trace pitch of \qty{1.0}{\milli\meter} and traces are offset between the two mesh layers to reduce the amount of gaps between traces.} \label{fig_ingenico_pitch} \end{figure} \begin{figure} \centering \includegraphics[width=\textwidth]{mesh_contact_joint.pdf} \caption[Ingenico Payment Terminal HSM Mesh Contacts]{Mesh contact joints in the Ingenico potted module sample. The mesh is a foil that is attached to the PCB through bent stamped metal contacts. The contacts are riveted into large contact pads patterend onto the mesh foil, and are soldered to the PCB. Next to the contacts, the mesh layout is visble clearly.} \label{fig_ingenico_contacts} \end{figure} \begin{figure} \centering \includegraphics[width=\textwidth]{open_end_detail.pdf} \caption[Ingenico Payment Terminal HSM End Closure]{Connector end of the Ingenico potted module sample. This cut shows that the mesh only encloses the PCB on three sides, and the connector side is left unprotected.} \label{fig_ingenico_end} \end{figure} \begin{figure} \centering \includegraphics[width=\textwidth]{mesh_geom.pdf} \caption[Ingenico Payment Terminal HSM Mesh 3D]{3D reconstruction of the mesh from the Ingenico potted module sample. The mesh layout can clearly be seen. From this 3D view, the mesh construction is evident: A T-shaped mesh foil is wrapped around the PCB on three sides, with PCB tabs at two corners acting as locating and fixturing features. In the corners, cylindrical components are visible that likely serve as an attempt at sensing intrusion through the corners.} \label{fig_ingenico_3d} \end{figure} \section{Discussion} % FIXME intro here \subsection{Tamper-sensing meshes then and now} Concluding both our patent research and our experimental survey, we find that tamper-sensing meshes have been a commonplace technology throughout the past 150 years. While mesh manufacturing technology has experienced some advancements from historical wire-wound meshes to modern meshes always being constructed in printed circuit processes, mesh monitoring approaches have received surprisingly little attention through the centuries and even in recent, state-of-the-art systems, a simple comparator monitoring a mesh arranged in a wheatstone bridge configuration is still considered sufficient by manufacturers. % FIXME todo above: show wheatstone bridge schematic \subsection{Mesh construction techniques} We found that in almost all cases, practical tamper-sensing meshes are constructed using standard manufacturing processes. In some card payment terminals, we found meshes that used slightly customized standard processes and e.g. integrated a mesh layer produced in a carbon printing process into a membrane keypad, but customizations were minimal. We only found one mesh manufactured in a bespoke process in the datacenter HSM appliance we examined, and that bespoke process turns out to be a turnkey solution used by at least two HSM vendors. \subsection{Mesh monitoring circuits} We observed that in general, academic research leads before patent literature, which is ahead of actual implementations in the field. Practical monitoring circuitry seems basic. Particularly the datacenter HSM appliance we examined showed a contrast between a mesh manufactured in a bespoke process combined with a unsophisticated, discrete monitoring circuit based around a number of voltage comparators. \subsection{Computed Tomography Imaging} CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance, the Gore tamper-sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias are lasered into a specially preparte area on the mesh foil to randomize the connection pattern of the mesh on a unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used to provide sub-millimeter accurate positioning for an attack, even if the sample to be attacked has large production tolerances. We found that CT imaging can be made more difficult using three complementary techniques. \paragraph{Low-contrast trace materials.} CT imaging can be made more difficult by manufacturing the mesh with very thin conductive traces, and using a trace material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh sample used a carbon-based ink that judging by structure size was screen-printed, which leads to an economical yet relatively secure solution. \paragraph{Use of X-ray attenuating materials.} We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult since it makes using higher-energy X-rays necessary, which lead to poorer contrast on X-ray-transparent features like polymers. The result of this difference can be seen in the difference in image fidelity between the Utimaco HSM appliance and Ingenico potted module samples. The Ingenico sample was easy to image since it consisted of a PCB wrapped with a mesh foil and encased in resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray energy and we were able to easily reconstruct detail on both the mesh's layout and the PCB's circuitry. In contrast, the Utimaco HSM module was potted inside a metal shell open on one side and had a second, spot-welded metal shell enclosing the PCB right underneath the mesh foil. While the outer metal shell could have been removed through e.g.\ milling, this inner metal shell was inaccessible. The Utimaco CT scans look worse because we chose a higher X-ray energy due to the large amount of metal, leading to poorer image contrast. In a practical application, a sheed made from elementary tin or a tin alloy would be a suitable choice for such an X-ray absorbing feature since tin is cheap, non-hazardous and absorbs X-rays almost as well as lead. Alternatively to a sheet-metal enclosure, an X-ray absorbing material could also be incorporated into a potting compound as a powder. \paragraph{Size.} Finally, we found that a larger module size makes CT imaging more difficult simply due to the thickness of material that the X-rays need to penetrate. Ideally, a HSM should aim for a cuboid form factor, as the common flat construction style is easily penetrated by X-rays along at least one axis. \section{Conclusion} In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push the boundaries of achievable structure size for a given process. The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's traces. Silver printed circuits like they are normally used for keyboard matrices performed particularly well in this regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and can even be forcibly separated from some potting compounds without destroying their traces. The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices marketed as hardware secuirty modules. Given the inexpensive nature of tamper sensing meshes and the high price point of such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper sensing meshes. We conclude from this observation that the term ``HSM'' does not imply state-of-the-art physical tamper sensing. From an academic point of view, the core finding of our survey is that tamper sensing meshes manufactured in a number of commercial manufacturing processes would yield acceptable surrogates for real devices found in the wild. With the exception of a single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range, none of the devices we examined utilized particularly non-obvious construction techniques. Form an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic construction techniques. Implementing such a system that matches the security of other systems seen in the wild should be achievable to most engineers.