jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
phd-thesis/chapter-hsms/chapter.tex
jaseg 6fd1d985d4 Include last of Olga's comments
2025-12-01 16:26:07 +01:00

1324 lines
92 KiB
TeX
Raw Permalink Blame History

\chapterquote{An unnamed atomic bomb designer~\cite{blechmanTechnologyLimitationInternational1989}}{
Bypassing a PAL [atomic bomb ignition code lock] should be about as complex as performing a tonsillectomy while
entering the patient from the wrong end.
}
\chaptertitle{Active Tamper Sensing in the Wild}
\label{chapter-survey}
Inertial Hardware Security Modules are the latest link in a series of developments bringing hardware security primitives
from niche military cipher machines to mass-market applications. The tamper sensing technology that forms the primary
line of defense in such physical security systems goes back more than a century, with the earliest tamper sensing meshes
being used in the late 19\textsuperscript{th} century, around the widespread commercialization of electricity. Today,
active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs.
In this chapter, we will start with a brief history of tamper sensing meshes. Complementing our historical analysis, we
will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will examine
their implementation. We will analyze the gaps left by the current state of the art in commercial practice, and evaluate
how Inertial HSMs could close these gaps to make secure hardware accessible to a wider range of applications. The
contributions in this chapter are as follows:
\begin{itemize}
\item We provide a historical overview of uses of tamper sensing meshes.
\item We provide the first large-scale analysis of real devices incorporating tamper sensing meshes in the academic
record.
\item We create a taxonomy of practical construction techniques and provide both detailed analyis and photos
illustrating them.
\item From our sample, we extract several design patterns that can be applied to increase the security of a design.
\item We note security flaws in several of our samples.
\item We provide the results of Computed Tomography (CT) imaging of multiple samples, and we evaluate their impact
on tamper sensing mesh security.
\end{itemize}
\section{The History of Tamper Sensing Meshes}
Tamper sensing meshes offer many degrees of freedom in their design ranging from the precise conductor layout, through
the manufacturing technology of the mesh and how it is wrapped around the payload during manufacturing up to their
monitoring circuitry. As a result, manufacturers across application domains from datacenter appliance HSMs to card
payment terminals have historically used patents on parts of their tamper sensing mesh implementations as a means to
prevent copying of their designs~\cite{
razaghiCircuitBoardHold2019,
heitmannTamperBarrierElectronic2005,
clarkTamperDetectionSystem2005,
heitmannMethodMakingTamper2009,
perreaultSystemMethodInstalling2005,
}. The basic principle of modern tamper sensing meshes is to reliably detect physical intrusion using an embedded looped
conductor to cover a surface. This concept traces back at least as far as 1870~\cite{
ImprovementProtectingSafes1870,
ImprovementElectromagneticEnvelopes1870}, when it was applied to the protection of bank vaults from robbers
attempting to dig, drill and saw through the vault's floor and walls. Even multi-layer, orthogonal tamper sensing meshes
are documented as far back as 1902~\cite{suttonElectricallyprotectedStructure1902}. Using printed circuits instead of
wires for this purpose occurs in literature as soon as printed circuit technology finds widespread commercial adoption
in the 1960ies~\cite{hamPrintedcircuitTypeSecurity1971}. The history of more HSM-like devices begins in the 1990ies with
the widespread adoption of cryptography in commercial applications~\cite{
kleijneSecurityDeviceSecure1986,
joyceMethodDetectPenetration1996,
droegeSicherheitsmodulMitEinteiliger1997,
cesanaTamperResistantCard2001,
cesanaSecurityClothDesign2006,
elbertSecureCircuitAssembly2006,
cookTamperDetectionCircuit2020,
brodskyCircuitLayoutsTamperrespondent2018,
cobianuLargeAreaDistributed2008,
phamAntitamperMesh2011,
} when instead of protecting an entire device it became feasible to create a protected cryptographic coprocessor.
\subsection{Use by the US Military}
One early practical uses of tamper sensing meshes for information security as opposed to the security of some physical
good is documented in notes on a series of lectures given by Dr.~David~G. Boak, a specialist in communications security
and signal intelligence at the US National Security
Agency~\cite{boakHistoryUSCommunications1981,boakHistoryUSCommunications1973}. In this lecture series, Boak mentions
that around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time
were large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or--even more
exciting--exploding the device.
\subsection{Use in Nuclear Weapons}
Communications security was not the earliest use of tamper sensing membranes in the US military, with Boak mentioning
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
tampering aiming to circumvent the PAL, as well as against accidential detonation under extreme environmental
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
when triggered in just the right way.
While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper sensing
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.
\subsection{Use in Nuclear Safeguards}
Besides being used in nuclear weapons, tamper sensing systems have another, more peaceful application in the nuclear
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
history of nuclear material passing through these facilities.
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals\footnote{
Note that in IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper
indication''. The IAEA distinguishes between active tamper indication, which we conventionally call tamper
detection, and passive tamper indication, which we conventionally call tamper evidence. Tamper indicating devices
include seals, but also the aforementioned uniquely characterizable enclosures, which IAEA terminology calls
intrinsically tamper-indicating. An example for an active tamper indicating device would be a seismic sensor at the
bottom of a borehole that has been back-filled with concrete such that any attempt to reach the sensor would be
well-visible in the sensor's own readings~\cite{simmonsHowInsureThat1988}.
}. In both systems, the approach taken is that the enclosure or seal is treated similarly to what these days, in
computing we call a Physical Unclonable Function (PUF). The concept of a PUF centers on electronic component
manufactured such that random manufacturing variations can later be measured by the finished circuit. The core idea is
that since these manufacturing variations are random, they can be used as a source for cryptographic entropy.
Furthermore, the concept is based on the assumption that these manufacturing variations cannot be controlled, hence
making the device \emph{unclonable}.
Similar to a PUF, in the IAEA's application an enclosure or seal is manufactured in a process that leaves an
unpredictable and uncontrollable pattern of manufacturing variations such as surface imperfections. A process used in
the IAEA is to package devices in aluminium enclosures passivated in a bright color, which leaves a random, microscopic
pattern of pits in the surface from the etching step. Before such a device is deployed in the field, it is precisely
measured from all sides. Later on, after field deployment, its integrity can then be checked by comparing its current
state to these initial measurements. The underlying assumption is that drilling or cutting into something like a metal
enclosure will leave detectable traces, and that perfectly replicating an object including features such as minute
surface imperfections is infeasible even to a nation state~\cite{iaea2011}.
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is
used in contemporary hardware security modules to detect attempts at drilling or cutting into the
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
the tamper sensing mesh such as materials used or structure sizes are publically available.
\subsection{Commercial Use}
Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right at the source, as well as in all kinds
of card payment terminals.
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. In this chapter, we will analyze a commercial HSM that was used in the key management
infrastructure of a premium TV provider as one example of such uses. Examples of other applications include mail
franking machines, where they are used to protect the credit counter and franking data, with one such unit analyzed in
this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted externally on
public buildings to provide keys to emergency services, and which include tamper sensing meshes on their door and
interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series
of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.
\section{Tamper Sensing Mesh Design Principles}
%\subsection{tamper sensing Mesh Manufacturing}
The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications,
meshes manufactured from off-the-shelf processes such as Flexible Printed Circuit (FPC) processes are used, these
processes tend to be optimzed to maximize the robustness of the produced circuits to mechanical stress. In contrast, the
ideal tamper sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal
handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke
manufacturing processes~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
immlerSecurePhysicalEnclosures2018,
ImprovementProtectingSafes1870,
hennigApparatusMethodComprising2020,
obermaierPUFfilmMethodProducing2023,
vasileProtectingSecretsAdvanced2019,
smithBuildingHighperformanceProgrammable1999}.
One more widely cited tamper sensing mesh implementation is a commercial product developed by IBM in collaboration with
chemical company W.\ L.\ Gore \& Asscociates Inc. This product is used in IBM's datacenter HSM products up to
approximately 2020~\cite{
obermaier2018,
andersonSecurityEngineeringGuide2020,
smithBuildingHighperformanceProgrammable1999}.
It uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are printed.
Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces are
printed. The flexible circuit layers are joined with a opaque black, stretchy glue and are embedded in an elastic opaque
resin after installation. The plastic substrate foil is thinner and significantly less resistant to tearing than plastic
substrates commonly used in the electronics industry for applications like key pads and circuit boards, which improves
its security against tampering. It is clear that both the glue fusing the foil layers together and the resin that the
mesh is embedded inside are co-designed with the carbon trace material such that the trace material adheres well to
both, leading to the traces being destroyed when either are peeled off.
The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name. Its
basic construction and layout has not changed much since the early 1990ies~\cite{
macphersonImprovementsSecurityEnclosures1993,
macphersonTamperRespondentEnclosure1999}.
Concluding this brief history of tamper sensing meshes, we find that they were initially developed for sensitive
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
adoption of PCB and FPC production processes enabled their use as inexpensive, high-resolution substrates for such
meshes.
\subsection{Monitoring Circuit Approaches}
Tamper sensing meshes are most effective when they are continuously monitored using a backup power supply while the rest
of the system is powered off. In practice, the main challenge with continuous monitoring of tamper sensing meshes is in
the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power
monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of
operation from a battery. Commonly, one or two cylindrical or large coin cell Lithium primary batteries are used,
providing in the order of \qty{10}{\watt\hour} over their lifetime\cite{horowitzArtElectronics2024}. Broken down to an
unpowered storage life of e.g.\ 5 years, this corresponds to a maximum average power consumption of less than
\qty{230}{\micro\watt}.
% relevant categories: (H01L23/576), (G06K19/07372)
% keyword: wire covering
To achieve low power consumption, a popular technique known since at least
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
mesh trace's resistance with a reference resistor, or using a Wheatstone bridge. Bridge circuits were already used
in early tamper sensing mesh implementations~\cite{
ElektrischeSicherheitseinrichtungSchutze1932,
hamPrintedcircuitTypeSecurity1971,
dalphinEnceinteProtegeeAvec1987,
} since they make it possible to detect small changes in the mesh's resistance with little complexity.
\subsection{Other Tamper Sensing Techniques}
Besides tamper sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a
secondary line of defence in HSMs and similar devices. By placing such sensors in the device and verifying the device is
within its nominal operating environment, tampering can be made less convenient. Modern security standards often mandate
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device~\cite{
usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019,
ISOIEC19790}.
A multitude of other sensors have been proposed, including vibration sensors, light sensors,
magnetometers, and radiation sensors such as X-ray sensors have been proposed. While the implementation cost of most
sensor types is low, each additional environmental sensor comes with an increased false alarm
rate~\cite{andersonSecurityEngineeringGuide2020}.
\section{A Survey of Meshes in the Wild}
In this section, we will examine a large sample of recent devices that include tamper sensing meshes to gain an
understanding of how they are implemented, and what security level they are targeted towards. Since we were unable to
acquire a nuclear weapon for our research, we limited our survey to commercial devices. While we analyzed devices across
a broad spectrum of applications, our survey includes a large variety of card payment terminals, which represent the
most varied class of device incorporating such meshes.
\subsection{Specimen Selection}
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 30 total devices including 23 different models of card payment terminals, and 7 other devices.
Some devices were procured by intercepting electronic waste, while most were sourced from ebay in Februrary and March
2025. The majority of these were sold by electronic waste recycling companies. A complete list of our specimens can be
found in Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Figure~\ref{fig_hsm_survey_sample_pics} and internal photos are shown in
Figure~\ref{fig_hsm_survey_sample_internal_pics}. In the following sections, we will go into detail on the classes of
devices we selected for this study.
\begin{table}
\footnotesize
\rowcolors{2}{gray!15}{white}
\begin{tabular}[c]{c>{\RaggedRight\arraybackslash}p{20mm}>{\RaggedRight\arraybackslash}p{30mm}llc}
\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type code} & \textbf{Year} \\
\hline
H01 & PED & Verifone & VX 570 & ca. 2010 \\
H02 & Slot machine CPU module & Merkur / ADP Gauselmann & Sam 12 EC2 & ca. 2012 \\
H03 & EPP & Sagem & USA1315-4240 R1A & 2014 \\
H04 & EPP & Sagem & USA1316-5120 R1A & 2007 \\
H05 & PED & Xac & xAPT-103 & 2014 \\
H06 & PED & Ingenico & iCT250-11T1860A & 2016-17 \\
H08 & PED & Sagem & NOR4100-4220 R1A & 2012 \\
H09 & PED & Hypercom & M4230 & 2010 \\
H10 & PED & Worldline & YOMANI XR & 2016 \\
H11 & PED & Banksys & C-ZAM Smash Portable & 2004 \\
H12 & PED & Hypercom & Optimum P2100 & 2010 \\
H13 & PED & Ingenico & iCT 220-11T2938A & 2016 \\
H14 & PED & Verifone & H5000 & 2016 \\
H15 & PED & Verifone & MX 925 & 2018 \\
H16 & PED & Verifone & V200c CTLS & 2021 \\
H17 & PED & Verifone & VX 680 & 2014 \\
H18 & PED & Ingenico & i7910 & 2010 \\
H19 & PED & Banksys & XENTA & 2004-2011 \\
H20 & PED & Verifone & VX 520 3G & 2017 \\
H21 & PED & Verifone & V400m Plus 4G & 2018 \\
H22 & PED & Ingenico & Move 3500 & 2020 \\
H23 & PED & Ingenico & iPP 350-11T1718A & 2015 \\
H24 & PED & Ingenico & iWL255-01T2117A & 2016 \\
H25 & Franking Machine & Neopost & IJ-25 & ca. 2001 \\
H27 & PED & Sumup & AIR1E205 & 2021 \\
H28 & EPP & NCR & 5814 UEPP & 2019 \\
H29 & HSM & SafeNet & VBD-05 & 2018 \\
H30 & HSM & Irdeto & Mayflower-IDX/C201 & 2011 \\
H31 & PED & SumUp & SumUp 3G & 2019 \\
H32 & PED & SumUp & SumUp Air & 2022 \\
\end{tabular}
\caption[Tamper sensing mesh survey specimen list]{The specimens we dissected in our survey. PED stands for
\emph{Pin Entry Device}, the industry term for card payment terminals that have sufficient security to handle
credit card PINs. EPP stands for \emph{Encrypting Pin Pad}, the type of keypad used for pin entry on ATMs. HSM
stands for Hardware Security Module.}
\label{tab_hsm_survey_sample_list}
\end{table}
\newcommand{\surveypic}[2]{
\begingroup
\setlength{\fboxsep}{0.2mm}
\begin{overpic}[percent,width=25mm]{#2}
\put(100,85){\makebox[0pt][r]{\colorbox{white}{\large H#1}}}
\end{overpic}
\endgroup
}
\begin{figure}
\begin{tabular}[c]{cccc}
\surveypic{02}{survey_diag_S02.jpg}&
\surveypic{03}{survey_diag_S03.jpg}&
\surveypic{04}{survey_diag_S04.jpg}&
\surveypic{05}{survey_diag_S05.jpg}\\
\surveypic{06}{survey_diag_S06.jpg}&
\surveypic{08}{survey_diag_S08.jpg}&
\surveypic{09}{survey_diag_S09.jpg}&
\surveypic{10}{survey_diag_S10.jpg}\\
\surveypic{11}{survey_diag_S11.jpg}&
\surveypic{12}{survey_diag_S12.jpg}&
\surveypic{13}{survey_diag_S13.jpg}&
\surveypic{14}{survey_diag_S14.jpg}\\
\surveypic{15}{survey_diag_S15.jpg}&
\surveypic{16}{survey_diag_S16.jpg}&
\surveypic{17}{survey_diag_S17.jpg}&
\surveypic{18}{survey_diag_S18.jpg}\\
\surveypic{19}{survey_diag_S19.jpg}&
\surveypic{20}{survey_diag_S20.jpg}&
\surveypic{21}{survey_diag_S21.jpg}&
\surveypic{22}{survey_diag_S22.jpg}\\
\surveypic{23}{survey_diag_S23.jpg}&
\surveypic{24}{survey_diag_S24.jpg}&
\surveypic{25}{survey_diag_S25.jpg}&
\surveypic{27}{survey_diag_S27.jpg}\\
\surveypic{28}{survey_diag_S28.jpg}&
\surveypic{29}{survey_diag_S29.jpg}&
\surveypic{30}{survey_diag_S30.jpg}&
\surveypic{31}{survey_diag_S31.jpg}\\
\surveypic{32}{survey_diag_S32.jpg}&
\end{tabular}
\caption[Tamper sensing mesh survey specimen external photos]{External photos of all survey specimens.}
\label{fig_hsm_survey_sample_pics}
\end{figure}
\subsubsection{Card Payment Terminals}
Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as
skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well.
One reason for the high level of physical security standards in card payment applications both on the client side
(payment terminals) and on the server side (HSM appliances) is that the finance industry has been reluctant to adopt
modern cryptography. Not only are modern cryptographic protocols like secure Multiparty Computation (MPC) or
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
ancient ciphers such as Triple DES are still commonly referenced in industry
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is
necessary to safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.
Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each
manufacturer tends to have their own, patented tamper sensing implementation. Being manufactured at scale, card payment
terminals are cost-sensitive devices, which is reflected in the construction of their tamper sensing implementations.
\subsubsection{HSM Appliances}
When credit card payments are handled on the web as opposed to in a physical store, HSMs are used in data centers to
handle plaintext payment data such as credit card numbers. Such HSM appliances are usually standalone rackmount devices
and are used across application domains. Depending on the application, these HSMs can be programmed with custom code, or
can be used as coprocessors through an API~\cite{LunaNetworkHSM}. In practice, the standalone appliances are just
low-end computers in a rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this
survey, we obtained two devices labelled as HSMs. We were only able to procure two such devices since they are
expensive, and we found that even used specimens of older models are usually listed for several hundreds to several
thousands of Euro. Unfortunately, one of the devices we obtained did not contain any security meshes in its case, and
thus would not provide adequate protection against advanced attacks. The other specimen we procured was a 2011 model
Utimaco CryptoServer LAN. Our unit was a white-label variant procured by premium TV encryption technology provider
Irdeto, presumably used in Germany to produce cryptographic key streams for TV signal encryption. We bought the device
from a recycling company specialized on datacenter components. The device was sold with any HDDs removed. The device
consisted of an older mainboard for embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of
DDR2 RAM, which was connected to the HSM add-in card through PCI. The device contained a small Lithium backup battery on
the add-in card, and another, larger battery in an enclosure at the front of the device that was connected to the card
through a cable. The device did not contain any obvious case intrusion sensors.
\subsubsection{ATM Encrypting Pin Pads}
ATMs are built in a modular construction approach. Physically, the enclosure of an ATM is not its only security
barrier. Besides the enclosure, there are two security barriers worthy of note. First, the bank notes in the machine are
stored in an automatic cash dispenser that is built into a traditional vault inside the machine. This vault primarily
acts as a mechanical barrier to discourage theft, but it also often includes tamper sensors that activate an Intelligent
Banknote Neutralisation System (IBNS)~\cite{
banquecentraleduluxembourgInkstainedBanknotes,
europeancentralbankDamagedInkstainedBanknotes2023,
oberthurcashprotectionIntroductionCashProtection2019}.
The IBNS is designed to spread hard-to-remove ink over the bank notes inside the vault when tampered. The permanently
stained bank notes are not accepted by banks or retailers anymore.
Besides the vault, the another security barrier is located inside the ATM's pin pad. While all communication with the
customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's smartcard IC,
the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the PIN is
encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the
encryption~\cite{andersonSecurityEngineeringGuide2020}. Often, both the circuit board containing the PIN pad's keyboard
matrix and this microcontroller are shielded by a tamper sensing mesh to prevent physical attacks such as the
installation of a skimming device that would record and transmit the plaintex PIN.
We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by
Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front
cases, and are built in a sandwich construction of several layers of steel sheets and PCBs.
\subsubsection{Other miscellaneous devices}
Sometimes, tamper sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a
Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a
conventional postage stamp. Since in businesses handling large volumes of mail these devices were routinely charged with
large sums of money in postage, such devices have security features ranging from physical seals on their enclosure to
full security meshes encasing their CPU modules. In case of Neopost, we are aware of one online source showing a
security mesh inside one such device~\cite{mikeselectricstuffNeopostPostalFranking2023}, but we found that our older
specimen only contained a sturdy cast zinc case that was welded shut with a spring-loaded lid switch inside. The other
miscellaneous device we found is a broken CPU module from a German slot machine manufacturer. While it would be
reasonable to assume this type of device might include active tamper sensing features to enforce state gambling
regulations, other slot machine manufacturers seem not to use tamper sensing in their systems so the more likely reason
is DRM. Our specimen included both a tamper sensing mesh as well as a semiconductor junction light sensor inside of a
sealed sheet metal enclosure.
\subsection{Methodology}
In this survey, we aim to create a comprehensive taxonomy of tamper sensing mesh construction methods across a range of
devices. To this purpose, we proceeded by first photographing every test specimen from multiple angles, then
disassembling them. After disassembly, we photographed each major component.
Figure~\ref{fig_hsm_survey_sample_internal_pics} shows a selection of these photos showing the major internal components
of the devices. After photos were taken, we proceeded with destructive techniques where necessary to understand the
devices' use of tamper-sensing meshes. We took microscope photos where we found interesting small structures. PCBs were
sectioned using a sanding drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling,
cutting and prying, and applying heat from a heat gun as necessary to soften polymer compounds and to break glue joints.
\begin{figure}
\begin{tabular}[c]{cccc}
\surveypic{01}{survey_internal_09_S01.jpg}&
\surveypic{02}{survey_internal_20_S02.jpg}&
\surveypic{03}{survey_internal_11_S03.jpg}&
\surveypic{04}{survey_internal_03_S04.jpg}\\
\surveypic{05}{survey_internal_10_S05.jpg}&
\surveypic{06}{survey_internal_08_S06.jpg}&
\surveypic{08}{survey_internal_24_S08.jpg}&
\surveypic{09}{survey_internal_13_S09.jpg}\\
\surveypic{10}{survey_internal_23_S10.jpg}&
\surveypic{11}{survey_internal_17_S11.jpg}&
\surveypic{12}{survey_internal_19_S12.jpg}&
\surveypic{13}{survey_internal_02_S13.jpg}\\
\surveypic{14}{survey_internal_00_S14.jpg}&
\surveypic{14}{survey_internal_01_S14.jpg}&
\surveypic{15}{survey_internal_04_S15.jpg}&
\surveypic{16}{survey_internal_05_S16.jpg}\\
\surveypic{17}{survey_internal_22_S17.jpg}&
\surveypic{18}{survey_internal_21_S18.jpg}&
\surveypic{19}{survey_internal_26_S19.jpg}&
\surveypic{20}{survey_internal_12_S20.jpg}\\
\surveypic{21}{survey_internal_15_S21.jpg}&
\surveypic{22}{survey_internal_16_S22.jpg}&
\surveypic{23}{survey_internal_07_S23.jpg}&
\surveypic{24}{survey_internal_06_S24.jpg}\\
\surveypic{25}{survey_internal_25_S25.jpg}&
\surveypic{27}{survey_internal_18_S27.jpg}&
\surveypic{28}{survey_internal_14_S28.jpg}&
\surveypic{30}{survey_internal_29_S30.jpg}\\
\surveypic{31}{survey_internal_27_S31.jpg}&
\surveypic{32}{survey_internal_28_S32.jpg}&
% make sure the last row with a single dangling landscape picture is full height to avoid the last row's label
% overlapping the previous row
\rule{0pt}{25mm}
\end{tabular}
\caption[Tamper sensing mesh survey specimen internal photos]{Internal overview photos of the survey specimens.}
\label{fig_hsm_survey_sample_internal_pics}
\end{figure}
\subsection{Results}
In the following sections, we will list some observations we made while dissecting our specimens. A complete set of
internal pictures and micrographs of selected components that goes beyond the following description is available in the
supplementary material to this thesis.
\todo{Actually assemble the supplementary material and include all photos}
\subsubsection{Mesh materials.}
We found meshes constructed from rigid PCBs (e.g.\ specimens~\sampleno{H02}, \sampleno{H03} and \sampleno{H08}) as well
as a number of FPC processes. Tamper sensing meshes constructed from PCBs sometimes used parts of an existing PCB (e.g.\
specimens~\sampleno{H03} and \sampleno{H10}), and sometimes additional PCBs only containing a mesh were added (e.g.\
specimen~\sampleno{H02} and \sampleno{H08}). In some samples (e.g.\ specimens~\sampleno{H08} and \sampleno{H18}),
multiple rigid PCB meshes were assembled in a house of cards fashion to enclose a card slot. All flexible meshes that we
found with the exception of the Utimaco HSM appliance's HSM card (specimen~\sampleno{H30}) were clearly manufactured
either entirely or mostly in standard processes. We found printed silver ink (e.g.\ specimen~\sampleno{H12}) and printed
carbon ink-based foils (e.g.\ specimen~\sampleno{H09}) similar to those used for membrane keyboards, as well as
conventional photolithographically etched copper/polyimide FPCs (e.g.\ specimens~\sampleno{H03}, \sampleno{H04} and
\sampleno{H08}). Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for
both rigid and flexible etched PCB meshes was generally in the order of \qtyrange{100}{200}{\micro\meter}, while feature
size for screen printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}. In contrast to these
standard processes, the Utimaco HSM used a mesh foil that is manufactured in a proprietary, bespoke process by Gore.
\subsubsection{Mesh layout.}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_offset.jpg}
\caption{Offset layers for more complete coverage (specimen~\sampleno{H12}).}
\label{hsm_fig_mesh_layout_offset}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_orthogonal.jpg}
\caption{Orthogonal patterns on subsequent layers (specimen~\sampleno{H14}).}
\label{hsm_fig_mesh_layout_orthogonal}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_utimaco_mesh_gore.jpg}
\caption{Combining orthogonal layers with area-covering pattern (specimen~\sampleno{H30}).}
\label{hsm_fig_mesh_layout_utimaco}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_stack_epp.jpg}
\caption{Spacing mesh layers apart to constrict angular freedom of an attack tool (specimen~\sampleno{H28}).}
\label{hsm_fig_mesh_layout_epp}
\end{subfigure}
\caption{Mesh trace layout approaches for multi-layer meshes.}
\label{hsm_fig_mesh_layout}
\end{figure}
A key goal in tamper sensing mesh design is to avoid any gaps in coverage. In single-layer meshes, gaps between adjacent
mesh traces cannot be avoided, and provide an easy approach for an attack. In multi-layer meshes, these structure
size-dependent gaps can be mitigated in multiple ways as shown in Figure~\ref{hsm_fig_mesh_layout}. In the following
list, we will address several common structural features that we observed across samples.
\begin{enumerate}
\item\textbf{Offset patterns.} In a two-sided foil mesh, most of the gaps between adjacent traces can be covered by
simply offsetting the pattern by one structure size in both axes between the foil's top and bottom layers as
shown in Figure~\ref{hsm_fig_mesh_layout_offset}. Depending on the mesh layout, only a small number of
point-shaped gaps remain at corners in mesh traces on one of the layers. The number of these gaps can be reduced
by reducing the number of misaligned corners between both layers for instance by choosing a systematic
serpentine or spiral trace layout.
\item \textbf{Orthogonal patterns.} In some other specimens, the manufacturer chose the opposite approach of keeping
the mesh pattern mostly orthogonal on the mesh's two layers as shown in
Figure~\ref{hsm_fig_mesh_layout_orthogonal}. While this leads to a larger amount of gaps compared to offset
patterns as described above, it also reduces the largest gap size to about one structure size by one structure
size.
\item \textbf{Combined approaches.} Figure~\ref{hsm_fig_mesh_layout_utimaco} shows the layout of a Gore tamper
sensing mesh foil used in an Utimaco HSM. This mesh consists of two foil layers bonded to each other. The outer
foil is patterned on both sides with a sparse pattern of thin serpentine traces with the patterns on both layers
being orthogonal to each other. Both patterns are oriented at a \qty{45}{\degree} angle relative to the sides of
the rectangular enclosed volume. The inner foil is only patterned on one side, and contains a thicker serpentine
trace laid out in a zigzag pattern. The two foil layers are aligned such that no gaps remain between the
layers.\todo{sample number here and below (ingenico)}
\item \textbf{Using layer spacing.} Figure~\ref{hsm_fig_mesh_layout_epp} shows how an ATM Encrypting Pin Pad (EPP)
implemented the mesh on its keypad. Off-the-shelf metal snap dome contacts were used on the surface of a
conventional rigid PCB to create the keys. On top of the rigid PCB and contact domes, a two-layer
copper/polyimide FPC with an additional polyimide cover layer was glued down. Meshes were placed on both layers
of the FPC, as well as on one internal layer of the rigid PCB. The resulting structure had the FPC mesh layers
separated from the rigid PCB mesh layer by several hundred micrometers of the rigid PCB's substrate. The meshes
on both the FPC and the rigid PCB used a structure size of \qty{150}{\micro\meter}. The vertical separation
between the two meshes was several times that structure size, which limits the possible angles an attack tool
could be inserted through both mesh layers.
\end{enumerate}
\subsubsection{Contact and trace construction.}
\begin{figure}
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_copper_pcb.jpg}
\caption{Standard photolithographic copper PCB process on rigid FR-4 fiberglass substrate
(specimen~\sampleno{H10}).}
\label{hsm_fig_materials_pcb_rigid}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_copper_flex.jpg}
\caption{Standard photolithographic copper PCB process on flexible polyimide substrate (specimen~\sampleno{H15}).}
\label{hsm_fig_materials_pcb_flex}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_silver.jpg}
\caption{Screen printing process using silver ink with some carbon ink contact pads for embedded buttons
(specimen~\sampleno{H14}).}
\label{hsm_fig_materials_silver_ink}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_contact_gold_lds.jpg}
\caption{Laser direct structuring using electroless gold plating (specimen~\sampleno{H32}).}
\label{hsm_fig_materials_gold_lds}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_carbon.jpg}
\caption{Screen printing process using carbon ink (specimen~\sampleno{H30}).}
\label{hsm_fig_materials_carbon_ink}
\end{subfigure}
\caption[Mesh materials and manufacturing processes]{Materials and manufacturing processes used for mesh traces and
contacts.}
\label{hsm_fig_materials}
\end{figure}
\todo{FIXME: Add scale / structure size to photos?}
Regular Printed Circuit Boards are frequently used to implement tamper sensing meshes as shown in
Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are
inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and
offer small structure sizes enabling the creation of fine features down to approximately \qty{100}{\micro\meter} even on
commodity processes. The primary disadvantage of using PCBs to implement tamper sensing meshes is that PCBs are
fundamentally designed to be as robust as possible. The traces on the top of a PCB are etched from a thick (usually
\qty{35}{\micro\meter} on the outer layers) copper foil adhered to the PCB substrate. As a result, the PCB and the
traces on its surface are easy to manipulate by hand using tools like knives and techniques like soldering. For a
tamper sensing mesh, trace patterns manufactured to be more fragile might be advantageous. Additionally, standard PCBs
are made using a rigid FR-4 fiberglass/epoxy substrate. Since a tamper sensing mesh must often enclose all sides of a
payload, flexible foils offer benefits over rigid PCBs.
Figure~\ref{hsm_fig_materials_pcb_flex} shows an FPCs produced in a standard commercial process similar to PCB
production. In FPCs, a copper foil adhered to a substrate is etched, but the substrate here usually is a thin foil made
from polyimide, an orange, temperature-resistant polymer that survives common reflow (hot air) soldering temperatures.
In contrast to rigid PCBs, FPCs are usually limited to no more than four layers before losing flexibility. Flexible PCBs
are often used for tamper sensing meshes that wrap around a payload, but they come with the same limitation as standard
PCBs: Due to their robust substrate and thick copper layers, they are easily manipulated by hand.
Figure~\ref{hsm_fig_materials_silver_ink} shows an FPC created in a different process. Here, instead of
photolithographically etching a continuous copper foil adhered to a flexible substrate, the substrate is instead printed
using a conductive ink. A variety of printing processes are suitable for this technique. The conductive ink is based on
small conductive particles suspended in a hardening binder. Common conductive ink materials are silver and carbon.
Silver-based inks offer lower resistance compared to carbon-based inks, but are prone to surface oxitation and as such
are not suitable for contacts. As such, they are often combined with a carbon ink used in contact areas. Carbon-based
inks have high resistance, and can be used to create embedded resistors. The circuit shown in
Figure~\ref{hsm_fig_materials_silver_ink} contains a tamper sensing mesh on a lower layer, and a keypad matrix with
carbon contacts on its surface.
Figure~\ref{hsm_fig_materials_gold_lds} shows part of a mesh and a contact created using Laser Direct Structuring, an
industrial technique combining selective activation of a plastic surface using a scanning laser and electroless gold
plating~\cite{lpkflaser&electronicsagLPKFLDSLaser2014}. Where in electroplating electrical current is used to deposit
metal atoms on a surface, in electroless plating a series of chemical reactions is used. Electroplating requires all
traces to be electrically connected to form a single electrode, while electroless plating can be used on the finished
circuit. Laser Direct Structuring allows patterning complex surfaces with fine structures made from metal deposited in a
thin layer. In Figure~\ref{hsm_fig_materials_gold_lds}, it is visible how the trace was created using three parallel
passes by the laser. The micrograph also shows the rather coarse edge structure created by LDS, which is caused by the
rough surface left after pulsed laser ablation. The uneven, thin layer of metallization created by LDS results in
mechanically fragile contacts that must be contacted using a soft material, usually an elastomeric connector.
\subsubsection{Connection methods}
\begin{figure}
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_castellated_edge.jpg}
\caption{Direct soldering (specimen~\sampleno{H05}).}
\label{hsm_fig_connector_castellations}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_elastomeric.jpg}
\caption{Direct soldering of an FPC and an elastomeric connector (specimen~\sampleno{H31}).}
\label{hsm_fig_connector_elastomeric}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_zif_fpc_2.jpg}
\caption{Landing pads for tactile contact domes as well as FPC connector (specimen~\sampleno{H20}).}
\label{hsm_fig_connector_fpc}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_stacking.jpg}
\caption{Elastomeric connector landing pattern as well as stacking board-to-board connector
(specimen~\sampleno{H17}).}
\label{hsm_fig_connector_stack}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_rf_gasket.jpg}
\caption{Soft, conductive EM shielding gaskets used as connectors (specimen~\sampleno{H14}).}
\label{hsm_fig_connector_gasket}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_metal_dome.jpg}
\caption{Tactile dome (specimen~\sampleno{H06}).}
\label{hsm_fig_connector_dome}
\end{subfigure}
\caption[Mesh connecting methods]{Connecting methods used between tamper sensing mesh assemblies and their base PCBs}
\label{hsm_fig_connector}
\end{figure}
In our survey, we found a wide variety of connecting methods used to connect tamper sensing mesh assemblies with their
base PCBs with a selection shown in Figure~\ref{hsm_fig_connector}. Both rigid PCBs and FPCs can be soldered directly to
a PCB using either a Land Grid Array (LGA) technique where pads on both PCBs are soldered facing each other, or using
\emph{castellated} edges, where pads on the base PCB are soldered sideways to holes on the top PCB that have been milled
in half as shown in Figure~\ref{hsm_fig_connector_castellations}. FPCs can also be soldered by dragging a blob of solder
across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but this technique is only suitable for hand
soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow
soldering.
FPCs are suitable for use with standard FPC connectors as shown in Figure~\ref{hsm_fig_connector_fpc}. These connectors
mate directly to a contact area on the FPC, called \emph{gold fingers} in industry terms. Both FPCs and rigid PCBs can
be used with standard board-to-board stacking connectors such as the one visible in the center of
Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's back side to ensure the
solder joints don't break from mechanical stress when connecting or disconnecting.
In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper sensing mesh
assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are
usually used in LCD construction to contact a PCB to the LCD's Indium Tin Oxide (ITO)-coated conductive glass, but they
can be used between any two parallel, conductive surfaces~\cite{andreaElectronicConnectorBook2022}. Elastomeric
connectors consist of two insulating elastic polymer layers on the outside, with a thin strip of fine, alternating
conductive and insulating elastic polymer layers sandwiched in between. In Figure~\ref{hsm_fig_connector_elastomeric}
the outer insulating layers are the blue polymer, and the alternating pattern can be seen embedded in their middle. The
fine alternating pattern mates to much larger pads on the two contact surfaces, ensuring that adjacent contacts are
electrically insulated. In tamper sensing mesh applications, elastomeric connectors provide an intrinsic disassembly
detection since they require continuous pressure to maintain electrical contact. In the top part of
Figure~\ref{hsm_fig_connector_stack}, a land pattern for an elastomeric connector is visible.
Elastomeric connectors are elegant and allow for multiple contacts to be made in a small area using a single elastomeric
connector strip, but they are not off-the-shelf components and are always custom made to order. We found several
instances where other, off-the-shelf technologies were used instead to create a pressure-sensitive connection.
Figure~\ref{hsm_fig_connector_gasket} shows a connection made using conductive gaskets intended for creating gapless
connections between PCBs and enclosures to shield Electromagnetic Emissions (EMI). Unlike elastomeric connectors, they
are not anisotropic and thus they must be cut into pieces to maintain isolation between adjacent pads. This results in a
much larger contact pitch compared to other solutions.
Figure~\ref{hsm_fig_connector_dome} shows another technique, here used to connect the mesh layer embedded into a key pad
to a base PCB. Here, a tactile metal dome intended to be used for creating buttons in low-profile keypads is used to
connect the mesh to the base PCB.
An alternative to soldering and elastomeric connectors that we did not observe during our survey but that deserves
mention here is Anisotropic Conductive Film (ACF)~\cite{huangHardwareHackerAdventures2019}. Similar to elastomeric
connectors, ACF is industrially used to contact flexible PCBs to ITO-coated glass in TFT displays. ACF comes as a
double-sided tape that is bonded using pressure and sometimes high temperatures, and creates a connection between
conductive surfaces on both sides of the tape. This connection has an anisotropic nature, meaning that the tape only
electrically conducts from one face to the other, and not laterally. Technically, this is achieved by embedding a large
number of tiny conductive spheres inside the tape that when the tape is mounted get squished between the two contact
surfaces. During ACF manufacturing, the distribution of these spheres is carefully controlled to provide a reliable
connection while guaranteeing adjacent spheres never touch each other.
\subsubsection{3D construction.}
\begin{figure}
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_overlap.jpg}
\caption{Folded with overlap (specimen~\sampleno{H03})}
\label{hsm_fig_3d_struct_folded_overlap}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_no_overlap.jpg}
\caption{Folded without overlap (specimen~\sampleno{H14})}
\label{hsm_fig_3d_struct_folded_no_overlap}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_vacform.jpg}
\caption{Thermoformed (specimen~\sampleno{H12})}
\label{hsm_fig_3d_struct_vacuum_form}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_cards_standalone.jpg}
\caption{House-of-Cards construction (specimen~\sampleno{H08})}
\label{hsm_fig_3d_struct_house_of_cards}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_lds_top.jpg}
\caption{Laser Direct Structuring (specimen~\sampleno{H32})}
\label{hsm_fig_3d_struct_lds}
\end{subfigure}
\caption[3D mesh construction styles]{Construction styles used to fit tamper sensing meshes into 3D envelopes. Grids
in the background are \qty{10}{\milli\meter}, subdivisions are \qty{5}{\milli\meter}.}
\label{hsm_fig_3d_struct}
\end{figure}
While practical meshes are almost always manufactured in planar processes first, their applications usually require at
least partially covering a three-dimensional volume. In our survey, we saw a number of methods being used to create
three-dimensional structures from planar meshes. Figure~\ref{hsm_fig_3d_struct}
\subref{hsm_fig_3d_struct_folded_overlap}-\subref{hsm_fig_3d_struct_house_of_cards} show the major construction styles
we saw among our samples. Figure~\ref{hsm_fig_3d_struct_folded_overlap} and
Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} have meshes produced as flexible printed circuits, in
Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard photolithographic copper/polyimide FPC process usually
used for flexible PCBs, and in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} using a standard silver ink
screenprinting process. The choice in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} not to overlap the mesh in the
corner is likely caused by manufacturing considerations, since it might be difficult to ensure proper folding of a small
foil tab with adhesive pre-applied.
Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows a sample of a flexible circuit manufactured in a screenprinted
silver-ink process thermoformed into a three-dimensional shape~\cite{weidnerHardwareschutzFormHalbschalen2007}. The
flexible circuit mesh is first produced in a standard planar printing process. After printing and curing, the resulting
foil is then heated to soften it, and forced into a three-dimensional shape using a mold. Depending on the process, one
or two molds, and vacuum or pressured air can be used to shape the foil. The process requires a screenprinted flexible
circuit, and would not work with copper/polyimide flexible PCBs since their copper layer is too thick to plastically
deform without tearing, and because polyimide is not sufficiently thermoplastic at low temperatures.
Thermoforming is a cheap industry standard process, but applied to flexible circuits it has some limitations. First,
only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet
cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all
sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited,
with no sample in our survey exceeding \qty{2}{\milli\meter}.\todo{Get proper number} Higher depths would require
extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the
particle-based conductive inks used for screen-printed electronics are inelastic. Among our samples, we saw two
instances of thermoformed meshes. First, all recent Ingenico terminals (\sampleno{H06,H13,H23,H24}) integrated an ink
printed mesh with thermoformed cavities into their key pad overlay. These terminals implement their key pad using
tactile domes with contacts patterned on their main PCBs' surface. These domes are commonly placed on an adhesive sheet
that is die cut to size so that the whole sheet can be placed on the PCB in one assembly step, instead of individually
placing each dome. In these samples, a mesh was integrated into this adhesive sheet using a silver ink printing process,
and two additional domes were used to provide contact between this integrated mesh and the main PCB. Cavities were
formed into this mesh to enclose the upper side of the main cryptographic processor and associated components.
Figure~\ref{fig_ingenico_forming} shows the mesh of specimen~\sampleno{H24} both before and after removing the black
opaque cover lacquer used on the bottom side of these meshes to obscure their features. The lacquer was removed by
gently rubbing it with a cotton swap soaked with acetone. In Figure~\ref{fig_ingenico_forming_after}, we see how the
mesh's structure was adapted around the formed cavities to reduce the risk of a break during the forming process: The
mesh's traces were kept parallel to the direction the foil was stretched, and the feature size of the mesh was increased
by a large factor in these areas. In the corners of the formed cavity, where the foil experiences stretching in both
directions, the features were scaled even larger than along the cavity's edges. This increase in structure size
compromises the mesh's security level, especially given that the edges of the cavity are at a convenient direction for
access by probes.
\begin{figure}
\begin{center}
\begin{subfigure}[t]{0.4\textwidth}
\includegraphics[width=\linewidth]{survey_formed_mesh_before.jpg}
\caption{Before removing opaque cover lacquer.}
\label{fig_ingenico_forming_before}
\end{subfigure}
\begin{subfigure}[t]{0.4\textwidth}
\includegraphics[width=\linewidth]{survey_formed_mesh_after.jpg}
\caption{After removing opaque cover lacquer.}
\label{fig_ingenico_forming_after}
\end{subfigure}
\end{center}
\caption{Formed cavities in printed foil mesh in specimen~\sampleno{H24}.}
\label{fig_ingenico_forming}
\end{figure}
Specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a
PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the
PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry.
A similar design defect was mitigated in the specimens manufactured by Banksys, card payment terminal \sampleno{H08} and
ATM encrypting pin pads \sampleno{H03} and \sampleno{H04}. These specimens all have a polyimide/copper FPC mesh glued to
the inside of a casted zinc lid form five sides of a cuboid. These meshes sit atop their base PCBs, and a possible
vulnerability would be the interface between the mesh and the PCB, where there will be an unavoidable gap of at least
several hundred micrometers. In specimen~\sampleno{H03}, this was mitigated by milling a slot into the base PCB for the
mesh to sit inside, thereby placing the top layer of the base PCB as well as any internal mesh layers inside the cavity
of the mesh lid. In specimen~\sampleno{H04}, the payload circuit was instead placed on a daughterboard sitting inside
the lid using board-to-board stacking connectors (cf. Figure~\ref{hsm_fig_connector_stack}). Here, an additional rigid
mesh PCB was soldered flat on top of the base PCB to cover the open side of the mesh lid, creating an overlap at the
edges. In specimen~\sampleno{H08}, a card payment terminal, a simpler construction was used with a simple metal ring
soldered to the base PCB mechanically shielding the edge. We are unable to ascertain why this purely mechanical
shielding technique was used instead of the more secure overlapping technique seen in sample~\sampleno{H03}, which
should have a similar, low manufacturing cost.
Figure~\ref{hsm_fig_3d_struct_lds} shows the result of Laser Direct Structuring (LDS), a process that avoids some of the
limitations of thermoformed planar meshes. In LDS, a plastic part is covered in a conductive pattern in a combination of
selective laser erosion of its surface and a series of preparation and electroless metal plating steps. LDS allows
covering complex three-dimensional shapes, with the main limitation being that all patterned areas must have a direct
line of sight to the outside for the scanning laser to reach it. Thus, the outside of complex parts can be covered, but
internal cavities cannot. LDS is commonly used to create complex antenna shapes on the surface of internal structural
plastic parts for smartphones, but is more costly compared to screenprinting processes due to its complexity. A further
disadvantage of LDS is that it is only suitable for single-layer patterns, while two layers are easily achievable in
silkscreen and photolithographic PCB processes by patterning both sides of the substrate. More layers can be achived in
these processes by simply stacking multiple foil layers and adding vias (through contacts), or by folding.
Figure~\ref{hsm_fig_3d_struct_house_of_cards} shows an assembly of several rigid PCBs assembled into a three-dimensional
structure to protect a card slot. Solder connections between large pads are used to mechanically and electrically join
the boards. While the rigid PCBs used in such as structure can be produced in a highly inexpensive, standard process,
this style of construction requires manual assembly leading to increased labor cost. Furthermore, the construction
leaves large gaps at edges and corners, which is not a problem for card slot protection in payment applications but
which would be a flaw in a more standard HSM application.
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg}
\caption{Small obstacle mesh coupons (specimen~\sampleno{H17}).}
\label{hsm_fig_3d_sandwich_obstacle}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_via_stitch_mesh_delayer_2.jpg}
\caption{Via-fence meshes (specimen~\sampleno{H24}).}
\label{hsm_fig_3d_sandwich_via_fence}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_planar_stack.jpg}
\caption{Planar sandwich stack protecting the back of a connector (specimen~\sampleno{H24}).}
\label{hsm_fig_3d_sandwich_stack}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_cavity_2.jpg}
\caption{PCB lid with routed cavity and embedded planar and via-fence meshes (specimen~\sampleno{H14}).}
\label{hsm_fig_3d_sandwich_lid}
\end{subfigure}
\caption[Sandwich mesh construction styles]{Construction styles used to cover 3D volumes using sandwich-style
construction.}
\label{hsm_fig_3d_sandwich}
\end{figure}
Besides the house of cards construction style shown in Figure~\ref{hsm_fig_3d_struct_house_of_cards} where PCBs are
hand-assembled into a 3D shape, rigid PCBs are also often soldered planar on top of other PCBs to serve as meshes.
Figure~\ref{hsm_fig_3d_sandwich} shows examples of such sandwich-style constructions.
Figure~\ref{hsm_fig_3d_sandwich_obstacle} and Figure~\ref{hsm_fig_3d_sandwich_via_fence} show a widely used construction
technique where a small mesh PCB coupon is soldered using a Land Grid Array (LGA)-technique on top of a larger base PCB
containing circuitry. The goal in this technique is to project a small part of the mesh into the space above the base
PCB. While this does not prevent targeted drilling as the small coupon is easy to avoid, it does prevent an attacker
from sawing or laser-cutting into the side of the device parallel to the base PCB. In the implementation shown in
Figure~\ref{hsm_fig_3d_sandwich_obstacle}, the coupon simply contains a small mesh embedded in an inner layer.
Figure~\ref{hsm_fig_3d_sandwich_via_fence} shows a different technique, where the mesh inside the coupon is not
primarily laid out in the PCB plane, but instead a large number of vias is used to create a three-dimensional zig-zag
trace structure. While due to structure size limitations this via structure is much coarser than a planar mesh like that
in Figure~\ref{hsm_fig_3d_sandwich_obstacle} would be, it increases the fraction of the vertical space inside the coupon
that is covered by the mesh.
Figure~\ref{hsm_fig_3d_sandwich_stack} shows a variation of this coupon technique where two such coupons are stacked to
create a small overhang, here attempting to protect the back side of a magnetic stripe reader contact in a payment
terminal. While a similar result could also be achieved by milling a slot into the side of a single custom-thickness
PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs
on top of one another instead.
Figure~\ref{hsm_fig_3d_sandwich_lid} shows an advanced construction technique that uses a custom PCB with a large indent
milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base PCB. This PCB
lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A ground plane
filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the cavity. Below
this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below these two
via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB.
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\subsubsection{Results summary}
Below is a table representing which features discussed in the sections above we found in which of our samples. Overall,
we commonly found a combination of a rigid PCB mesh in the specimen's main PCB and and flexible meshes formed into a lid
structure above its main PCB. The mesh inside the rigid PCB would protect the payload components soldered to the top
surface of the PCB such as pin pad buttons or crytographic coprocessors from probing from underneath, while the flexible
mesh lid would protect them from attacks from above or from the side. We only found two specimens that wrapped an entire
payload PCB inside of a mesh, the Utimaco datacenter HSM appliance (\sampleno{H30}) and an older Ingenico payment
terminal (\sampleno{H18}). Only the datacenter HSM followed this approach through, its manufacturer going to some length
to carefully fold the mesh around corners and the entry point of its Flat Flex Cable (FFC) connections to the outside
world to avoid possible weak points there. The payment terminal module had weak points at the corners of the wrapped
mesh, and its wrapping pattern only covered five of the six sides of a cuboid, with the remaining side left open to
allow for the payload PCB to pass out of the mesh for its external connections.
We found an approximately even split between copper/polyimide FPCs and silver ink printing processes being used for
flexible meshes. Printed carbon ink processes were less popular, presumably because they offer no significant cost
savings but the resulting mesh has a much higher electrical resistance, limiting possible mesh length.
We found potting was only infrequently used across our sample, presumably because of the limited protection it provides.
We found conductive ink printed meshes commonly used opaque base foils and opaque lacquer cover layers to obscure their
features, but when dissecting these specimens we noticed that usually these opaque lacquers are easily removed without
damaging the underlying printed mesh traces using a cotton swab soaked in acetone. Additionally, in almost all instances
the trace structure was easily recognizable from the mesh traces' thickness showing through to the surface of the
opaque cover lacquer. In practice it served as electrical insulation, but did not convey meaningful protection against
reverse engineering.
\begin{landscape}
\begin{table}
\footnotesize
\centering
\newcolumntype{M}{>{\centering\arraybackslash}p{4mm}}
\setlength{\tabcolsep}{0pt}
\begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM}
&&\multicolumn{29}{c}{\textbf{Specimen}}\\
\textbf{Feature} & \textbf{Figures} &
1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32
\\\hline
\multicolumn{31}{l}{\textbf{Mesh Contacts.}} \\\hline
Elastomeric & \ref{hsm_fig_connector_elastomeric}, \ref{hsm_fig_connector_stack}
% 0 1 2 3 4 5 6 7 8 9
&&&&& & && % 0 - 9
&& && &&&&& & % 10 - 19
&&&& & & &&% 20 - 29
& &&\\ % 30 - 32
Soldered & \ref{hsm_fig_connector_castellations}
% 0 1 2 3 4 5 6 7 8 9
&& & &&&&& % 0 - 9
& & && & & &&&& % 10 - 19
& & &&&& & & % 20 - 29
& && \\ % 30 - 32
Stacking & \ref{hsm_fig_connector_stack}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & && % 0 - 9
& & & & & & & && & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
Tactile Dome & \ref{hsm_fig_connector_dome}, \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & & && & % 0 - 9
& & & && & & & & & % 10 - 19
& && &&& & & % 20 - 29
& & & \\ % 30 - 32
FPC Connector & \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & && & &% 0 - 9
&& & & &&&&&& % 10 - 19
& && & & & & & % 20 - 29
&& & \\ % 30 - 32
Mesh EMI Gasket & \ref{hsm_fig_connector_gasket}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & && & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Mesh Material}} \\
\hline
Rigid PCB & \ref{hsm_fig_materials_pcb_rigid}
% 0 1 2 3 4 5 6 7 8 9
&&&&&&&&% 0 - 9
&&&&&&&&&& % 10 - 19
& &&&&& &&% 20 - 29
& &&\\ % 30 - 32
Copper FPC & \ref{hsm_fig_materials_pcb_flex}
% 0 1 2 3 4 5 6 7 8 9
& & &&& &&& % 0 - 9
& & &&& & &&& & % 10 - 19
&&& &&& &&% 20 - 29
& && \\ % 30 - 32
Printed silver ink & \ref{hsm_fig_materials_silver_ink}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
&& &&&& & &&& % 10 - 19
& && &&& & & % 20 - 29
& & & \\ % 30 - 32
\hline
Printed carbon ink & \ref{hsm_fig_materials_carbon_ink}
% 0 1 2 3 4 5 6 7 8 9
&& & & & & & &% 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
&& & \\ % 30 - 32
Gold (Laser Direct Structuring) & \ref{hsm_fig_materials_gold_lds}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & &\\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{3D Construction}} \\
\hline
Folded mesh & \ref{hsm_fig_3d_struct_folded_overlap}, \ref{hsm_fig_3d_struct_folded_no_overlap}
% 0 1 2 3 4 5 6 7 8 9
&& &&&&&&% 0 - 9
&& &&& & &&&& % 10 - 19
&&& &&& && % 20 - 29
&&& \\ % 30 - 32
House of cards & \ref{hsm_fig_3d_struct_house_of_cards}
% 0 1 2 3 4 5 6 7 8 9
&& & & & & && % 0 - 9
&& & & & & & & && % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
Laser Direct Structuring & \ref{hsm_fig_3d_struct_lds}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & &\\ % 30 - 32
\hline
Thermoformed & \ref{hsm_fig_3d_struct_vacuum_form}, \ref{fig_ingenico_forming}
% 0 1 2 3 4 5 6 7 8 9
& & & & & && & % 0 - 9
& & && & & & & & & % 10 - 19
& & & &&& & & % 20 - 29
& & & \\ % 30 - 32
Planar obstacle & \ref{hsm_fig_3d_sandwich_obstacle}, \ref{hsm_fig_3d_sandwich_via_fence}
% 0 1 2 3 4 5 6 7 8 9
&& & &&& & & % 0 - 9
& & & &&& &&& & % 10 - 19
& & & && & & & % 20 - 29
& & & \\ % 30 - 32
Complex planar & \ref{hsm_fig_3d_sandwich_stack}, \ref{hsm_fig_3d_sandwich_lid}
% 0 1 2 3 4 5 6 7 8 9
& & & && & & & % 0 - 9
& & & & && & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Obscurity Features}} \\
\hline
Metal enclosure & \ref{hsm_fig_3d_struct_folded_overlap}
% 0 1 2 3 4 5 6 7 8 9
& &&&& & && % 0 - 9
& & & & & & && & & % 10 - 19
& && & & & && % 20 - 29
&& & \\ % 30 - 32
Potting & \ref{hsm_fig_ingenico_potted_seated}
% 0 1 2 3 4 5 6 7 8 9
& & & & && & & % 0 - 9
& & & & & & & & && % 10 - 19
& & & & & & & & % 20 - 29
&& & \\ % 30 - 32
\hline
Opaque foil & \ref{hsm_fig_connector_dome}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& &% 0 - 9
&& & && & & && & % 10 - 19
&&& && & & & % 20 - 29
&& & \\ % 30 - 32
Opaque lacquer & \ref{fig_ingenico_forming}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
& & & && & & && & % 10 - 19
&& & && & & & % 20 - 29
&& &\\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Other Features}} \\
\hline
Integrated tactile domes & \ref{hsm_fig_connector_dome}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
& & & && & & && & % 10 - 19
& && &&& && % 20 - 29
& && \\ % 30 - 32
Integrated contact pads & \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & && && & & % 10 - 19
& && & & & && % 20 - 29
& & & \\ % 30 - 32
\end{tabular}
\caption[Feature matrix of all specimens analyzed.]{Feature matrix of all specimens analyzed. Dots indicate presence
of a feature. The figures column lists which figures above contain examples of a particular feature.}
\label{tab_hsm_survey_sample_results}
\end{table}
\end{landscape}
\section{Discussion}
In our survey, we have seen the technological state of the art to which tamper-sensing meshes have evolved since the
earliest designs evidenced in patents from 150 years ago. While mesh manufacturing technology has experienced some
advancements from historical wire-wound meshes to modern meshes always being constructed in printed circuit processes,
mesh monitoring approaches have received surprisingly little attention through the centuries and even in recent,
state-of-the-art systems, a simple comparator monitoring a mesh arranged in a bridge configuration is still considered
sufficient in high-security applications~\cite{obermaier2018}.
\subsection{Mesh construction techniques}
We found that in almost all cases, practical tamper sensing meshes are constructed using standard manufacturing
processes. In some card payment terminals, we found meshes that used slightly customized standard processes and e.g.
integrated a mesh layer produced in a carbon printing process into a membrane keypad, but customizations were minimal.
We only found one mesh manufactured in a bespoke process in the datacenter HSM appliance we examined, and that bespoke
process turns out to be a turnkey solution used by at least two HSM vendors. Underscoring stagnating development in the
field, this particular mesh manufacturing process seems to have seen only minimal changes since the first patents
covering it were published in the late
1990ies~\cite{macphersonTamperRespondentEnclosure1999,macphersonImprovementsSecurityEnclosures1993,obermaier2018}.
\subsection{Mesh monitoring circuits}
We observed that in general, academic research leads before patent literature, which is ahead of actual implementations
in the field. Practical monitoring circuitry seems basic. Particularly the datacenter HSM appliance we examined
(specimen~\sampleno{H30}) showed a contrast between a mesh manufactured in a bespoke process combined with an
unsophisticated, discrete monitoring circuit based around a number of voltage comparators~\cite{obermaier2018}. We will
go into more detail on improved monitoring methods as well as the academic state of the art in this field in
Chapter~\ref{chapter_sampling_mesh_mon}.
\subsection{Computed Tomography Imaging}
CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance,
the Gore tamper sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
are lasered into a specially prepared area on the mesh foil to randomize the connection pattern of the mesh on a
unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
to provide sub-millimeter accurate positioning for an attack, even if the specimen to be attacked has large production
tolerances. We found that CT imaging can be made more difficult using three complementary techniques.
\begin{figure}
\centering
\includegraphics[width=0.7\textwidth]{mesh_fold_screenshot.pdf}
\caption[HSM appliance CT scan]{Computed Tomography (CT) scan of a corner of the PCIe HSM module from an Utimaco
rackmount HSM appliance. Visible are several capacitors, the edge of a large IC, and a large Flat Flexible Cable
(FFC) connector. Two layers of metal enclosures with resin potting in between are visible, and the security mesh
can be seen folded between layers of the folded FFC cable connecting to the outside.}
\label{hsm_fig_utimaco_ct}
\end{figure}
\paragraph{Low-contrast trace materials.}
CT imaging can be made more difficult by manufacturing the mesh with very thin conductive traces, and using a trace
material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh specimen used a
carbon-based ink that judging by structure size was screen-printed, which leads to an economical yet relatively secure
solution~\cite{andersonSecurityEngineeringGuide2020,smithBuildingHighperformanceProgrammable1999}.
\paragraph{Use of X-ray attenuating materials.}
We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult.
Figure~\ref{hsm_fig_utimaco_ct} shows a CT image taken from an Utimaco HSM. The device has two thick metal layers with a
potting resin and the tamper sensing mesh in between, so high-energy X-rays were necessary to penetrate both metal
layers and image the device. As a result, the contrast on X-ray-transparent features like polymers is low. In
comparison, the Ingenico specimen was easy to image since it consisted of a PCB wrapped with a mesh foil and encased in
resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray energy and we were
able to easily reconstruct detail on both the mesh's layout and the PCB's circuitry. To apply X-ray dense materials for
defense in a practical design, a sheet made from elementary tin or a tin alloy would be a suitable choice for such an
X-ray absorbing feature since tin is cheap, non-hazardous and absorbs X-rays almost as well as lead. Alternatively to a
sheet-metal enclosure, an X-ray absorbing material could also be incorporated into a potting compound as a powder.
\paragraph{Size.}
Finally, we found that a larger module size makes CT imaging more difficult simply due to the thickness of material that
the X-rays need to penetrate. Ideally, a HSM should aim for a cuboid form factor, as the common flat construction style
is easily penetrated by X-rays along at least one axis.
\paragraph{Radiation sensors.}
Besides engineering techniques making CT imaging harder, in battery-powered devices with active tamper sensing, CT
imaging can be actively detected to trigger a tamper alarm. During CT imaging, a large amount of high-energy X-ray
images are taken. X-ray radiation can be reliably detected using off-the-shelf sensors that usually consist of a
large-area photodiode coupled to a scintillator crystal converting X-ray photons to visible light.
\section{Conclusion}
In this survey, we have analyzed a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
the boundaries of achievable structure size for a given process.
The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
traces. Silver or carbon ink printed circuits like they are normally used for keyboard matrices performed particularly
well in this regard since such inks adheres better to some potting compounds than to its plastic carrier substrate. We
found copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust
and can even be forcibly separated from some potting compounds without destroying their traces.
The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
marketed as hardware security modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
sensing meshes despite their low cost. The primary security standard that is most often cited for the certification of
HSMs is the US government's FIPS-140, now in its third
version~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}. A peculiarity of this
standard is that it only requires active tamper sensing meshes in the highest of the four security levels it defines.
Overall, we can conclude that the term ``HSM'' does not imply state-of-the-art physical tamper sensing.
From an academic point of view, the core finding of our survey is that for academic research on mesh manufacturing,
monitoring or attacks on meshese, realistic tamper sensing mesh samples can easily be created. A number of commercial
manufacturing processes would yield acceptable standins for real devices found in the wild. With the exception of a
single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range approaching the limit of
inexpensive PCB manufacturing processes, none of the devices we examined utilized particularly non-obvious construction
techniques.
From an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
construction techniques for both the mesh itself and for its monitoring circuit. Implementing such a system that matches
the security of devices seen in the wild should be achievable to most engineers.
We find that the IHSM approach is a natural extension of the state of the art that we saw reflected in tamper sensing
mesh implementations in the field, and that the construction techniques that have been applied to improve their security
can be carried over to IHSM implementations. The three-dimensional layout of a mesh becomes easier in an IHSM
implementation since features like corners between mesh panels or gaps between mesh layers in most layouts are protected
by the mesh's motion. An unintended advantage that results in IHSM implementations over conventional meshes is that they
would provide a level of intrinsic resistance to X-ray and CT imaging. In contrast to optical cameras in the visible
spectrum, X-ray image sensors need integration times in the hundreds of milliseconds or longer, which makes them
unsuitable to image a quickly moving target.
Reference in a new issue View git blame Copy permalink