jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
phd-thesis/chapter-hsms/chapter.tex
jaseg 91b4164cbd survey: Add giant table
2025-11-03 17:05:22 +01:00

1277 lines
88 KiB
TeX
Raw Blame History

\chapterquote{An unnamed atomic bomb designer~\cite{blechmanTechnologyLimitationInternational1989}}{
Bypassing a PAL [atomic bomb ignition code lock] should be about as complex as performing a tonsillectomy while
entering the patient from the wrong end.
}
\chaptertitle{Active Tamper Sensing in the Wild}
Inertial Hardware Security Modules are the latest link in a series of developments bringing hardware security primitives
from niche military cipher machines to mass-market applications. The tamper sensing technology that forms the primary
line of defense in such physical security systems goes back more than a century, with the earliest tamper sensing meshes
being used in the late 19\textsuperscript{th} century, around the widespread commercialization of electricity. Today,
active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs.
In this chapter, we will start with a brief history of secure hardware with a particular focus on tamper sensing meshes.
Complementing our historical analysis, we will present the results of a survey of a range of real-world devices that use
tamper sensing meshes and analyze their implementation. We will analyze the gaps left by the current state of the art in
commercial practice, and evaluate how Inertial HSMs could close these gaps to make secure hardware accessible to a wider
range of applications.
\section{The History of Tamper Sensing Meshes}
tamper sensing meshes offer many degrees of freedom in their design ranging from the precise conductor layout, through
the manufacturing technology of the mesh and how it is wrapped around the payload during manufacturing up to their
monitoring circuitry. As a result, manufacturers across application domains from datacenter appliance HSMs to card
payment terminals have historically used patents on parts of their tamper sensing mesh implementations as a means to
prevent copying of their designs~\cite{
razaghiCircuitBoardHold2019,
heitmannTamperBarrierElectronic2005,
clarkTamperDetectionSystem2005,
heitmannMethodMakingTamper2009,
perreaultSystemMethodInstalling2005,
}. The basic principle of modern tamper sensing meshes, preventing physical intrusion using an embedded looped conductor
to cover a surface, traces back at least as far as 1870~\cite{
ImprovementProtectingSafes1870,
ImprovementElectromagneticEnvelopes1870}, when it was applied to the protection of bank vaults from robbers
attempting to dig, drill and saw through the vault's floor and walls. Even multi-layer, orthogonal tamper sensing meshes
are documented as far back as 1902~\cite{suttonElectricallyprotectedStructure1902}. Using printed circuits instead of
wires for this purpose occurs in literature as soon as printed circuit technology finds widespread commercial adoption
in the 1960ies~\cite{hamPrintedcircuitTypeSecurity1971}. The history of more HSM-like devices begins in the 1990ies with
the widespread adoption of cryptography in commercial applications~\cite{
kleijneSecurityDeviceSecure1986,
joyceMethodDetectPenetration1996,
droegeSicherheitsmodulMitEinteiliger1997,
cesanaTamperResistantCard2001,
cesanaSecurityClothDesign2006,
elbertSecureCircuitAssembly2006,
cookTamperDetectionCircuit2020,
brodskyCircuitLayoutsTamperrespondent2018,
cobianuLargeAreaDistributed2008,
phamAntitamperMesh2011,
} when instead of protecting an entire device it became feasible to create a protected cryptographic coprocessor.
\subsection{Use by the US Military}
One of the earliest practical uses of tamper sensing meshes is documented in notes on a series of lectures given by
Dr.~David~G. Boak, a specialist in communications security and signal intelligence at the US National Security
Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or--even more
exciting--exploding the device.
\subsection{Use in Nuclear Weapons}
Communications security was not the earliest use of tamper sensing membranes in the US military, with Boak mentioning
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
tampering aiming to circumvent the PAL, as well as against accidential detonation under extreme environmental
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
when triggered in just the right way.
While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper sensing
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.
\subsection{Use in Nuclear Safeguards}
Besides being used in nuclear weapons, tamper sensing systems have another, more peaceful application in the nuclear
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
history of nuclear material passing through these facilities.
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a metal enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}.
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is
used in contemporary hardware security modules to detect attempts at drilling or cutting into the
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
the tamper sensing mesh such as materials used or structure sizes are publically available.
\subsection{Commercial Use}
Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right at the source, as well as in all kinds
of card payment terminals. We will analyze two such ATM pin pads later in this chapter.
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
Beyond finance, tamper sensing meshes have found applications in a variety of other use cases as well. For instance, we
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted
externally on public buildings to provide keys to emergency services, and which include tamper sensing meshes on their
door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series
of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.
\section{tamper sensing Mesh Design Principles}
%\subsection{tamper sensing Mesh Manufacturing}
The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications,
meshes manufactured from off-the-shelf processes such as Flexible Printed Circuit (FPC) processes are used, these
processes tend to be optimzed to maximize the robustness of the produced circuits to mechanical stress. In contrast, the
ideal tamper sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal
handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke
manufacturing processes~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
immlerSecurePhysicalEnclosures2018,
ImprovementProtectingSafes1870}.
% TODO cite hennigApparatusMethodComprising2020 and obermaierPUFfilmMethodProducing2023 on immler et al PUF tech
One more widely cited tamper sensing mesh implementation is a commercial product developed by IBM in collaboration with
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020.
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces
are printed. The flexible circuit layers are joined with a opaque black, stretchy glue and after installation embedded
in an elastic opaque resin. The plastic substrate foil is thinner and significantly less resistant to tearing than
plastic substrates commonly used in the electronics industry for applications like key pads and circuit boards, which
improves its security against tampering. Furthermore, both the glue fusing the foil layers together and the resin the
mesh is embedded inside after installation are clearly co-designed with the carbon trace material such that the trace
material adheres well to both, leading to the traces being destroyed when either are peeled off.
The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name. Its
basic construction and layout has not changed much since the early 1990ies~\cite{
macphersonImprovementsSecurityEnclosures1993,
macphersonTamperRespondentEnclosure1999}.
\subsection{Monitoring Circuit Approaches}
tamper sensing meshes are most effective when they are continuously monitored using a backup power supply while the rest
of the system is powered off. In practice, the main challenge with continuous monitoring of tamper sensing meshes is in
the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power
monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of
operation from a battery. Commonly, one or two cylindrical or large coin cell Lithium primary batteries are used,
providing in the order of \qtyrange{10}{20}{\watt\hour} over their lifetime. Broken down to an unpowered storage life of
e.g.\ 5 years, this corresponds to a maximum average power consumption of \qty{450}{\micro\watt}.
% relevant categories: (H01L23/576), (G06K19/07372)
% keyword: wire covering
To achieve low power consumption, a popular technique known since at least
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Using a bridge circuit was already used
in early tamper sensing mesh implementations~\cite{
ElektrischeSicherheitseinrichtungSchutze1932,
hamPrintedcircuitTypeSecurity1971,
dalphinEnceinteProtegeeAvec1987,
} and makes it possible to detect small changes in the mesh's resistance with little complexity.
\subsection{Other Tamper Sensing Techniques}
Besides tamper sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a
secondary line of defence in HSMs and similar devices. By placing such sensors in the device and verifying the device is
within its nominal operating environment, tampering can be made less convenient. Modern security standards often mandate
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other
sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation
sensors such as X-ray sensors have been proposed. While the implementation cost of most sensor types is low, each
additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors
being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like
custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside
light.
% FIXME citations?
\section{A Survey of Meshes in the Wild}
Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
include tamper sensing meshes to gain an understanding of how they are implemented, and what security level they are
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
meshes.
\subsection{Sample Selection}
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 30 total devices including 23 different models of card payment terminals, and 7 other devices.
Some devices were procured by dumpster diving, while most were sourced from ebay. The majority of these were sold by
electronic waste recycling companies. A complete list of our samples can be found in
Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Figure~\ref{fig_hsm_survey_sample_pics} and internal photos are shown in
Figure~\ref{fig_hsm_survey_sample_internal_pics}. In the following sections, we will go into detail on the classes of
devices we selected for this study.
\begin{table}
\footnotesize
\rowcolors{2}{gray!15}{white}
\begin{tabular}[c]{c>{\RaggedRight\arraybackslash}p{20mm}>{\RaggedRight\arraybackslash}p{30mm}llc}
\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type code} & \textbf{Year} \\
\hline
H01 & PED & Verifone & VX 570 & ca. 2010 \\
H02 & Slot machine CPU module & Merkur / ADP Gauselmann & Sam 12 EC2 & ca. 2012 \\
H03 & EPP & Sagem & USA1315-4240 R1A & 2014 \\
H04 & EPP & Sagem & USA1316-5120 R1A & 2007 \\
H05 & PED & Xac & xAPT-103 & 2014 \\
H06 & PED & Ingenico & iCT250-11T1860A & 2016-17 \\
H08 & PED & Sagem & NOR4100-4220 R1A & 2012 \\
H09 & PED & Hypercom & M4230 & 2010 \\
H10 & PED & Worldline & YOMANI XR & 2016 \\
H11 & PED & Banksys & C-ZAM Smash Portable & 2004 \\
H12 & PED & Hypercom & Optimum P2100 & 2010 \\
H13 & PED & Ingenico & iCT 220-11T2938A & 2016 \\
H14 & PED & Verifone & H5000 & 2016 \\
H15 & PED & Verifone & MX 925 & 2018 \\
H16 & PED & Verifone & V200c CTLS & 2021 \\
H17 & PED & Verifone & VX 680 & 2014 \\
H18 & PED & Ingenico & i7910 & 2010 \\
H19 & PED & Banksys & XENTA & 2004-2011 \\
H20 & PED & Verifone & VX 520 3G & 2017 \\
H21 & PED & Verifone & V400m Plus 4G & 2018 \\
H22 & PED & Ingenico & Move 3500 & 2020 \\
H23 & PED & Ingenico & iPP 350-11T1718A & 2015 \\
H24 & PED & Ingenico & iWL255-01T2117A & 2016 \\
H25 & Franking Machine & Neopost & IJ-25 & ca. 2001 \\
H27 & PED & Sumup & AIR1E205 & 2021 \\
H28 & EPP & NCR & 5814 UEPP & 2019 \\
H29 & HSM & SafeNet & VBD-05 & 2018 \\
H30 & HSM & Irdeto & Mayflower-IDX/C201 & 2011 \\
H31 & PED & SumUp & SumUp 3G & 2019 \\
H32 & PED & SumUp & SumUp Air & 2022 \\
\end{tabular}
\caption{The samples we dissected in our survey. PED stands for \emph{Pin Entry Device}, the industry term for card
payment terminals that have sufficient security to handle credit card PINs. EPP stands for \emph{Encrypting Pin
Pad}, the type of keypad used for pin entry on ATMs. HSM stands for Hardware Security Module.}
\label{tab_hsm_survey_sample_list}
\end{table}
\newcommand{\surveypic}[2]{
\begingroup
\setlength{\fboxsep}{0.2mm}
\begin{overpic}[percent,width=25mm]{#2}
\put(100,85){\makebox[0pt][r]{\colorbox{white}{\large H#1}}}
\end{overpic}
\endgroup
}
\begin{figure}
\begin{tabular}[c]{cccc}
\surveypic{02}{survey_diag_S02.jpg}&
\surveypic{03}{survey_diag_S03.jpg}&
\surveypic{04}{survey_diag_S04.jpg}&
\surveypic{05}{survey_diag_S05.jpg}\\
\surveypic{06}{survey_diag_S06.jpg}&
\surveypic{08}{survey_diag_S08.jpg}&
\surveypic{09}{survey_diag_S09.jpg}&
\surveypic{10}{survey_diag_S10.jpg}\\
\surveypic{11}{survey_diag_S11.jpg}&
\surveypic{12}{survey_diag_S12.jpg}&
\surveypic{13}{survey_diag_S13.jpg}&
\surveypic{14}{survey_diag_S14.jpg}\\
\surveypic{15}{survey_diag_S15.jpg}&
\surveypic{16}{survey_diag_S16.jpg}&
\surveypic{17}{survey_diag_S17.jpg}&
\surveypic{18}{survey_diag_S18.jpg}\\
\surveypic{19}{survey_diag_S19.jpg}&
\surveypic{20}{survey_diag_S20.jpg}&
\surveypic{21}{survey_diag_S21.jpg}&
\surveypic{22}{survey_diag_S22.jpg}\\
\surveypic{23}{survey_diag_S23.jpg}&
\surveypic{24}{survey_diag_S24.jpg}&
\surveypic{25}{survey_diag_S25.jpg}&
\surveypic{27}{survey_diag_S27.jpg}\\
\surveypic{28}{survey_diag_S28.jpg}&
\surveypic{29}{survey_diag_S29.jpg}&
\surveypic{30}{survey_diag_S30.jpg}&
\surveypic{31}{survey_diag_S31.jpg}\\
\surveypic{32}{survey_diag_S32.jpg}&
\end{tabular}
\caption{External photos of all survey samples.}
\label{fig_hsm_survey_sample_pics}
\end{figure}
\subsubsection{Card Payment Terminals}
Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as
skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
of security than one might expect from an industry association.
Physical security standards in card payment applications both on the client side (payment terminals) and on the server
side (HSM appliances) are more stringent than one might expect since the finance industry has been reluctant to adopt
modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
ancient ciphers such as Triple DES are still commonly referenced in industry
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is necessary to
safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.
Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each
manufacturer tends to have their own, patented tamper sensing implementation. Being manufactured at scale, card payment
terminals are cost-sensitive devices, which is reflected in the construction of their tamper sensing implementations.
\subsubsection{HSM Appliances}
When credit card payments are handled on the web as opposed to in a physical store, HSMs are used in data centers to
handle plaintext payment data such as credit card numbers. Such HSM appliances are usually standalone rackmount devices
and are used across application domains. Depending on the application, these HSMs can be programmed with custom code, or
can be used as coprocessors through an API. In practice, the standalone appliances are just low-end computers in a
rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we were only able
to procure a single such HSM since these devices are expensive, and even used specimens of older models are usually
listed for several hundreds to several thousands of EUR. The one sample we procured was a 2011 model Utimaco
CryptoServer LAN. Our unit was a white-label variant procured by premium TV encryption technology provider Irdeto,
presumably used in Germany to produce cryptographic key streams for TV signal encryption. We bought the device from a
recycling company specialized on datacenter components. The device was sold with any HDDs removed. The device consisted
of an older mainboard for embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM,
which was connected to the HSM add-in card through PCI. The device contained a small Lithium backup battery on the
add-in card, and another, larger battery in an enclosure at the front of the device that was connected to the card
through a cable. The device did not contain any obvious case intrusion sensors.
\subsubsection{ATM Encrypting Pin Pads}
ATMs are built in a modular construction approach. Physically, the enclosure of an ATM is not its only security
barrier. Besides the enclosure, there are two security barriers worthy of note. First, the bank notes in the machine are
stored in an automatic cash dispenser that is built into a traditional vault inside the machine. This vault primarily
acts as a mechanical barrier to discourage theft, but it also often includes tamper sensors that activate an Intelligent
Banknote Neutralisation System (IBNS). The IBNS is designed to spread hard-to-remove ink over the bank notes inside the
vault when tampered. The permanently stained bank notes are not accepted by banks or retailers anymore.
% FIXME cite https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% archive: https://web.archive.org/web/20250822134238/https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% FIXME cite https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html
% FIXME cite https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html
Besides the vault, the other secondary security barrier is located inside the ATM's pin pad. While all communication
with the customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's
smartcard IC, the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the
PIN is encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption.
Often, both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a
tamper sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and
transmit the plaintex PIN.
We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by
Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front
cases, and are built in a sandwich construction of several layers of steel sheets and PCBs.
\subsubsection{Other miscellaneous devices}
Sometimes, tamper sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a
Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a
conventional postage stamp. Since in businesses handling large volumes of mail these devices were routinely charged with
large sums of money in postage, such devices have security features ranging from physical seals on their enclosure to
full security meshes encasing their CPU modules. In case of Neopost, we are aware of one online source showing a
security mesh inside one such device~\cite{mikeselectricstuffNeopostPostalFranking2023}, but we found that our older
specimen only contained a sturdy cast zinc case that was welded shut with a spring-loaded lid switch inside. The other
miscellaneous device we found is a broken CPU module from a German slot machine manufacturer. While it would be
reasonable to assume this type of device might include active tamper sensing features to enforce state gambling
regulations, other slot machine manufacturers seem not to use tamper sensing in their systems so the more likely reason
is DRM. Our specimen included both a tamper sensing mesh as well as a semiconductor junction light sensor inside of a
sealed sheet metal enclosure.
\subsection{Methodology}
We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After
disassembly, we photographed each major component. Figure~\ref{fig_hsm_survey_sample_internal_pics} shows a selection of
these photos showing the major internal components of the devices. After photos were taken, we proceeded with
destructive techniques where necessary to obtain microscope photos of each tamper sensing mesh component. PCBs were
sectioned using a sanding drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling,
cutting and prying, and applying heat from a heat gun as necessary to soften polymer compounds and to break glue joints.
\begin{figure}
\begin{tabular}[c]{cccc}
\surveypic{01}{survey_internal_09_S01.jpg}&
\surveypic{02}{survey_internal_20_S02.jpg}&
\surveypic{03}{survey_internal_11_S03.jpg}&
\surveypic{04}{survey_internal_03_S04.jpg}\\
\surveypic{05}{survey_internal_10_S05.jpg}&
\surveypic{06}{survey_internal_08_S06.jpg}&
\surveypic{08}{survey_internal_24_S08.jpg}&
\surveypic{09}{survey_internal_13_S09.jpg}\\
\surveypic{10}{survey_internal_23_S10.jpg}&
\surveypic{11}{survey_internal_17_S11.jpg}&
\surveypic{12}{survey_internal_19_S12.jpg}&
\surveypic{13}{survey_internal_02_S13.jpg}\\
\surveypic{14}{survey_internal_00_S14.jpg}&
\surveypic{14}{survey_internal_01_S14.jpg}&
\surveypic{15}{survey_internal_04_S15.jpg}&
\surveypic{16}{survey_internal_05_S16.jpg}\\
\surveypic{17}{survey_internal_22_S17.jpg}&
\surveypic{18}{survey_internal_21_S18.jpg}&
\surveypic{19}{survey_internal_26_S19.jpg}&
\surveypic{20}{survey_internal_12_S20.jpg}\\
\surveypic{21}{survey_internal_15_S21.jpg}&
\surveypic{22}{survey_internal_16_S22.jpg}&
\surveypic{23}{survey_internal_07_S23.jpg}&
\surveypic{24}{survey_internal_06_S24.jpg}\\
\surveypic{25}{survey_internal_25_S25.jpg}&
\surveypic{27}{survey_internal_18_S27.jpg}&
\surveypic{28}{survey_internal_14_S28.jpg}&
\surveypic{30}{survey_internal_29_S30.jpg}\\
\surveypic{31}{survey_internal_27_S31.jpg}&
\surveypic{32}{survey_internal_28_S32.jpg}&
% make sure the last row with a single dangling landscape picture is full height to avoid the last row's label
% overlapping the previous row
\rule{0pt}{25mm}
\end{tabular}
\caption{Internal overview photos of the survey samples.}
\label{fig_hsm_survey_sample_internal_pics}
\end{figure}
\subsection{Results}
In the following sections, we will list some observations we made while dissecting our specimens. A complete set of
internal pictures and micrographs of selected components that goes beyond the following description is available in the
supplementary material to this thesis.
\todo{Actually assemble the supplementary material and include all photos}
\subsubsection{Mesh materials.}
We found meshes constructed from rigid PCBs (e.g.\ samples~\sampleno{H02}, \sampleno{H03} and \sampleno{H08}) as well as
a number of Flexible Printed Circuit (FPC) processes. Tamper sensing meshes constructed from PCBs sometimes used parts
of an existing PCB (e.g.\ samples~\sampleno{H03} and \sampleno{H10}), and sometimes additional PCBs only containing a
mesh were added (e.g.\ sample~\sampleno{H02} and \sampleno{H08}). In some samples (e.g.\ samples~\sampleno{H08} and
\sampleno{H18}), multiple rigid PCB meshes were assembled in a house of cards fashion to enclose a card slot. For
flexible meshes, with the exception of the Utimaco HSM appliance's HSM card (sample~\sampleno{H30}) that used an
off-the-shelf Gore tamper sensing mesh foil, all were clearly manufactured either entirely or mostly in standard
processes. We found printed silver ink (e.g.\ sample~\sampleno{H12}) and printed carbon ink-based foils (e.g.\
sample~\sampleno{H09}) similar to those used for membrane keyboards, as well as conventional photolithographically
etched copper/polyimide Flexible Printed Circuits (FPCs) (e.g.\ samples~\sampleno{H03}, \sampleno{H04} and
\sampleno{H08}). Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for
both rigid and flexible etched PCB meshes was generally in the order of \qtyrange{100}{200}{\micro\meter}, while feature
size for screen printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}.
\subsubsection{Mesh layout.}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_offset.jpg}
\caption{Offset layers for more complete coverage (sample~\sampleno{H12}).}
\label{hsm_fig_mesh_layout_offset}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_orthogonal.jpg}
\caption{Orthogonal patterns on subsequent layers (sample~\sampleno{H14}).}
\label{hsm_fig_mesh_layout_orthogonal}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_utimaco_mesh_gore.jpg}
\caption{Combining orthogonal layers with area-covering pattern (sample~\sampleno{H30}).}
\label{hsm_fig_mesh_layout_utimaco}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_mesh_stack_epp.jpg}
\caption{Spacing mesh layers apart to constrict angular freedom of an attack tool (sample~\sampleno{H28}).}
\label{hsm_fig_mesh_layout_epp}
\end{subfigure}
\caption{Mesh trace layout approaches for multi-layer meshes.}
\label{hsm_fig_mesh_layout}
\end{figure}
A key goal in tamper sensing mesh design is to avoid any gaps in coverage. In single-layer meshes, gaps between adjacent
mesh traces cannot be avoided, and provide an easy approach for an attack. In multi-layer meshes, these structure
size-dependent gaps can be mitigated in multiple ways as shown in Figure~\ref{hsm_fig_mesh_layout}. In the following
list, we will address several common structural features that we observed across samples.
\begin{enumerate}
\item\textbf{Offset patterns.} In a two-sided foil mesh, most of the gaps between adjacent traces can be covered by
simply offsetting the pattern by one structure size in both axes between the foil's top and bottom layers as
shown in Figure~\ref{hsm_fig_mesh_layout_offset}. Depending on the mesh layout, only a small number of
point-shaped gaps remain at corners in mesh traces on one of the layers. The number of these gaps can be reduced
by reducing the number of misaligned corners between both layers for instance by choosing a systematic
serpentine or spiral trace layout.
\item \textbf{Orthogonal patterns.} In some other specimens, the manufacturer chose the opposite approach of keeping
the mesh pattern mostly orthogonal on the mesh's two layers as shown in
Figure~\ref{hsm_fig_mesh_layout_orthogonal}. While this leads to a larger amount of gaps compared to offset
patterns as described above, it also reduces the largest gap size to about one structure size by one structure
size.
\item \textbf{Combined approaches.} Figure~\ref{hsm_fig_mesh_layout_utimaco} shows the layout of a Gore tamper
sensing mesh foil used in an Utimaco HSM. This mesh consists of two foil layers bonded to each other. The outer
foil is patterned on both sides with a sparse pattern of thin serpentine traces with the patterns on both layers
being orthogonal to each other. Both patterns are oriented at a \qty{45}{\degree} angle relative to the sides of
the rectangular enclosed volume. The inner foil is only patterned on one side, and contains a thicker serpentine
trace laid out in a zigzag pattern. The two foil layers are aligned such that no gaps remain between the
layers.\todo{sample number here and below (ingenico)}
\item \textbf{Using layer spacing.} Figure~\ref{hsm_fig_mesh_layout_epp} shows how an ATM Encrypting Pin Pad (EPP)
implemented the mesh on its keypad. Off-the-shelf metal snap dome contacts were used on the surface of a
conventional rigid PCB to create the keys. On top of the rigid PCB and contact domes, a two-layer
copper/polyimide FPC with an additional polyimide cover layer was glued down. Meshes were placed on both layers
of the FPC, as well as on one internal layer of the rigid PCB. The resulting structure had the FPC mesh layers
separated from the rigid PCB mesh layer by several hundred micrometers of the rigid PCB's substrate. The meshes
on both the FPC and the rigid PCB used a structure size of \qty{150}{\micro\meter}. The vertical separation
between the two meshes was several times that structure size, which limits the possible angles an attack tool
could be inserted through both mesh layers.
\end{enumerate}
\subsubsection{Contact and trace construction.}
\begin{figure}
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_copper_pcb.jpg}
\caption{Standard photolithographic copper PCB process on rigid FR-4 fiberglass substrate
(sample~\sampleno{H10}).}
\label{hsm_fig_materials_pcb_rigid}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_copper_flex.jpg}
\caption{Standard photolithographic copper PCB process on flexible polyimide substrate (sample~\sampleno{H15}).}
\label{hsm_fig_materials_pcb_flex}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_silver.jpg}
\caption{Screen printing process using silver ink with some carbon ink contact pads for embedded buttons
(sample~\sampleno{H14}).}
\label{hsm_fig_materials_silver_ink}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_contact_gold_lds.jpg}
\caption{Laser direct structuring using electroless gold plating (sample~\sampleno{H32}).}
\label{hsm_fig_materials_gold_lds}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{trace_material_carbon.jpg}
\caption{Screen printing process using carbon ink (sample~\sampleno{H30}).}
\label{hsm_fig_materials_carbon_ink}
\end{subfigure}
\caption[Mesh materials]{Materials and manufacturing processes used for mesh traces and contacts.}
\label{hsm_fig_materials}
\end{figure}
Regular Printed Circuit Boards are frequently used to implement tamper sensing meshes as shown in
Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are
inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and
offer small structure sizes enabling the creation of fine features down to approximately \qty{100}{\micro\meter} even on
commodity processes. The primary disadvantage of using PCBs to implement tamper sensing meshes is that PCBs are
fundamentally designed to be as robust as possible. The traces on the top of a PCB are etched from a thick (usually
\qty{35}{\micro\meter} on the outer layers) copper foil adhered to the PCB substrate. As a result, the PCB and the
traces on its surface are easy to manipulate by hand using tools like knives and techniques like soldering. For a
tamper sensing mesh, trace patterns manufactured to be more fragile might be advantageous. Additionally, standard PCBs
are made using a rigid FR-4 fiberglass/epoxy substrate. Since a tamper sensing mesh must often enclose all sides of a
payload, flexible foils offer benefits over rigid PCBs.
Figure~\ref{hsm_fig_materials_pcb_flex} shows a Flexible Printed Circuits (FPCs) produced in a standard commercial
process similar to PCB production. In FPCs, a copper foil adhered to a substrate is etched, but the substrate here
usually is a thin foil made from polyimide, an orange, temperature-resistant polymer that survives common reflow (hot
air) soldering temperatures. In contrast to rigid PCBs, FPCs are usually limited to no more than four layers before
losing flexibility. Flexible PCBs are often used for tamper sensing meshes that wrap around a payload, but they come
with the same limitation as standard PCBs: Due to their robust substrate and thick copper layers, they are easily
manipulated by hand.
Figure~\ref{hsm_fig_materials_silver_ink} shows an FPC created in a different process. Here, instead of
photolithographically etching a continuous copper foil adhered to a flexible substrate, the substrate is instead printed
using a conductive ink. A variety of printing processes are suitable for this technique. The conductive ink is based on
small conductive particles suspended in a hardening binder. Common conductive ink materials are silver and carbon.
Silver-based inks offer lower resistance compared to carbon-based inks, but are prone to surface oxitation and as such
are not suitable for contacts. As such, they are often combined with a carbon ink used in contact areas. Carbon-based
inks have high resistance, and can be used to create embedded resistors. The circuit shown in
Figure~\ref{hsm_fig_materials_silver_ink} contains a tamper sensing mesh on a lower layer, and a keypad matrix with
carbon contacts on its surface.
Figure~\ref{hsm_fig_materials_gold_lds} shows part of a mesh and a contact created using Laser Direct Structuring, a
technique combining selective activation of a plastic surface using a scanning laser and electroless gold plating. Where
in electroplating electrical current is used to deposit metal atoms on a surface, in electroless plating a series of
chemical reactions is used. Electroplating requires all traces to be electrically connected to form a single electrode,
while electroless plating can be used on the finished circuit. Laser Direct Structuring allows patterning complex
surfaces with fine structures made from metal deposited in a thin layer. In Figure~\ref{hsm_fig_materials_gold_lds}, it
is visible how the trace was created using three parallel passes by the laser. The micrograph also shows the rather
coarse edge structure created by LDS, which is caused by the rough surface left after pulsed laser ablation. The uneven,
thin layer of metallization created by LDS results in mechanically fragile contacts that must be contacted using a soft
material, usually an elastomeric connector.
\subsubsection{Connection methods}
\begin{figure}
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_castellated_edge.jpg}
\caption{Direct soldering (sample~\sampleno{H05}).}
\label{hsm_fig_connector_castellations}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_stacking.jpg}
\caption{Elastomeric connector landing pattern as well as stacking board-to-board connector
(sample~\sampleno{H17}).}
\label{hsm_fig_connector_stack}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_zif_fpc_2.jpg}
\caption{Landing pads for tactile contact domes as well as FPC connector (sample~\sampleno{H20}).}
\label{hsm_fig_connector_fpc}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_elastomeric.jpg}
\caption{Direct soldering of an FPC and an elastomeric connector (sample~\sampleno{H31}).}
\label{hsm_fig_connector_elastomeric}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_rf_gasket.jpg}
\caption{Soft, conductive EM shielding gaskets used as connectors (sample~\sampleno{H14}).}
\label{hsm_fig_connector_gasket}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{connector_metal_dome.jpg}
\caption{Tactile dome (sample~\sampleno{H06}).}
\label{hsm_fig_connector_dome}
\end{subfigure}
\caption[Mesh connecting methods]{Connecting methods used between tamper sensing mesh assemblies and their base PCBs}
\label{hsm_fig_connector}
\end{figure}
In our survey, we found a wide variety of connecting methods used to connect tamper sensing mesh assemblies with their
base PCBs with a selection shown in Figure~\ref{hsm_fig_connector}. Both rigid PCBs and FPCs can be soldered directly to
a PCB using either a Land Grid Array (LGA) technique where pads on both PCBs are soldered facing each other, or using
\emph{castellated} edges, where pads on the base PCB are soldered sideways to holes on the top PCB that have been milled
in half as shown in Figure~\ref{hsm_fig_connector_castellations}. FPCs can also be soldered by dragging a blob of solder
across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but this technique is only suitable for hand
soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow
soldering.
FPCs are suitable for use with standard Zero Insertion Force (ZIF) FPC connectors as shown in
Figure~\ref{hsm_fig_connector_fpc} that directly mate to a contact area, called \emph{gold fingers} in industry terms,
on the FPC. Both FPCs and rigid PCBs can be used with standard board-to-board stacking connectors such as the one
visible in the center of Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's
back side to ensure the solder joints don't break from mechanical stress when connecting or disconnecting.
In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper sensing mesh
assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are
usually used in LCD construction to contact a PCB to the LCD's Indium Tin Oxide (ITO)-coated conductive glass, but they
can be used between any two parallel, conductive surfaces~\cite{andreaElectronicConnectorBook2022}. Elastomeric
connectors consist of two insulating elastic polymer layers on the outside, with a thin strip of fine, alternating
conductive and insulating elastic polymer layers sandwiched in between. In Figure~\ref{hsm_fig_connector_elastomeric}
the outer insulating layers are the blue polymer, and the alternating pattern can be seen embedded in their middle. The
fine alternating pattern mates to much larger pads on the two contact surfaces, ensuring that adjacent contacts are
electrically insulated. In tamper sensing mesh applications, elastomeric connectors provide an intrinsic disassembly
detection since they require continuous pressure to maintain electrical contact. In the top part of
Figure~\ref{hsm_fig_connector_stack}, a land pattern for an elastomeric connector is visible.
Elastomeric connectors are elegant and allow for multiple contacts to be made in a small area using a single elastomeric
connector strip, but they are not off-the-shelf components and are always custom made to order. We found several
instances where other, off-the-shelf technologies were used instead to create a pressure-sensitive connection.
Figure~\ref{hsm_fig_connector_gasket} shows a connection made using conductive gaskets intended for creating gapless
connections between PCBs and enclosures to shield Electromagnetic Emissions (EMI). Unlike elastomeric connectors, they
are not anisotropic and thus they must be cut into pieces to maintain isolation between adjacent pads. This results in a
much larger contact pitch compared to other solutions.
Figure~\ref{hsm_fig_connector_dome} shows another technique, here used to connect the mesh layer embedded into a key pad
to a base PCB. Here, a tactile metal dome intended to be used for creating buttons in low-profile keypads is used to
connect the mesh to the base PCB.
An alternative to soldering and elastomeric connectors that we did not observe during our survey but that deserves
mention here is Anisotropic Conductive Film (ACF)~\cite{huangHardwareHackerAdventures2019}. Similar to elastomeric
connectors, ACF is industrially used to contact flexible PCBs to ITO-coated glass in TFT displays. ACF comes as a
double-sided tape that is bonded using pressure and sometimes high temperatures, and creates a connection between
conductive surfaces on both sides of the tape. This connection has an anisotropic nature, meaning that the tape only
electrically conducts from one face to the other, and not laterally. Technically, this is achieved by embedding a large
number of tiny conductive spheres inside the tape that when the tape is mounted get squished between the two contact
surfaces. During ACF manufacturing, the distribution of these spheres is carefully controlled to provide a reliable
connection while guaranteeing adjacent spheres never touch each other.
\subsubsection{3D construction.}
\begin{figure}
\centering
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_overlap.jpg}
\caption{Folded with overlap (sample~\sampleno{H03})}
\label{hsm_fig_3d_struct_folded_overlap}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_no_overlap.jpg}
\caption{Folded without overlap (sample~\sampleno{H14})}
\label{hsm_fig_3d_struct_folded_no_overlap}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{hsm_3d_style_vacform.jpg}
\caption{Thermoformed (sample~\sampleno{H12})}
\label{hsm_fig_3d_struct_vacuum_form}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_cards_standalone.jpg}
\caption{House-of-Cards construction (sample~\sampleno{H08})}
\label{hsm_fig_3d_struct_house_of_cards}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.3\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_lds_top.jpg}
\caption{Laser Direct Structuring (sample~\sampleno{H32})}
\label{hsm_fig_3d_struct_lds}
\end{subfigure}
\caption[3D mesh construction styles]{Construction styles used to fit tamper sensing meshes into 3D envelopes. Grids
in the background are \qty{10}{\milli\meter}, subdivisions are \qty{5}{\milli\meter}.}
\label{hsm_fig_3d_struct}
\end{figure}
While practical meshes are almost always manufactured in planar processes first, their applications usually require at
least partially covering a three-dimensional volume. In our survey, we saw a number of methods being used to create
three-dimensional structures from planar meshes. Figure~\ref{hsm_fig_3d_struct}
\subref{hsm_fig_3d_struct_folded_overlap}-\subref{hsm_fig_3d_struct_house_of_cards} show the major construction styles
we saw among our samples. Figure~\ref{hsm_fig_3d_struct_folded_overlap} and
Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} have meshes produced as flexible printed circuits, in
Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard photolithographic copper/polyimide FPC process usually
used for flexible PCBs, and in Figure~\ref{hsm_fig_3d_struct_folded_nooverlap} using a standard silver ink
screenprinting process. The choice in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} not to overlap the mesh in the
corner is likely caused by manufacturing considerations, since it might be difficult to ensure proper folding of a small
foil tab with adhesive pre-applied.
Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows a sample of a flexible circuit manufactured in a screenprinted
silver-ink process thermoformed into a three-dimensional shape~\cite{weidnerHardwareschutzFormHalbschalen2007}. The
flexible circuit mesh is first produced in a standard planar printing process. After printing and curing, the resulting
foil is then heated to soften it, and forced into a three-dimensional shape using a mold. Depending on the process, one
or two molds, and vacuum or pressured air can be used to shape the foil. The process requires a screenprinted flexible
circuit, and would not work with copper/polyimide flexible PCBs since their copper layer is too thick to plastically
deform without tearing, and because polyimide is not sufficiently thermoplastic at low temperatures.
Thermoforming is a cheap industry standard process, but applied to flexible circuits it has some limitations. First,
only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet
cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all
sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited,
with no sample in our survey exceeding \qty{2}{\milli\meter}\todo{Get proper number}. Higher depths would require
extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the
particle-based conductive inks used for screen-printed electronics are inelastic. Among our samples, we saw two
instances of thermoformed meshes. First, all recent Ingenico terminals (\sampleno{H06,H13,H23,H24}) integrated an ink
printed mesh with thermoformed cavities into their key pad overlay. These terminals implement their key pad using
tactile domes with contacts patterned on their main PCBs' surface. These domes are commonly placed on an adhesive sheet
that is die cut to size so that the whole sheet can be placed on the PCB in one assembly step, instead of individually
placing each dome. In these samples, a mesh was integrated into this adhesive sheet using a silver ink printing process,
and two additional domes were used to provide contact between this integrated mesh and the main PCB. Cavities were
formed into this mesh to enclose the upper side of the main cryptographic processor and associated components.
Figure~\ref{fig_ingenico_forming} shows the mesh of sample~\sampleno{H24} both before and after removing the black
opaque cover lacquer used on the bottom side of these meshes to obscure their features. The lacquer was removed by
gently rubbing it with a cotton swap soaked with acetone. In Figure~\ref{fig_ingenico_forming_after}, we see how the
mesh's structure was adapted around the formed cavities to reduce the risk of a break during the forming process: The
mesh's traces were kept parallel to the direction the foil was stretched, and the feature size of the mesh was increased
by a large factor in these areas. In the corners of the formed cavity, where the foil experiences stretching in both
directions, the features were scaled even larger than along the cavity's edges. This increase in structure size
compromises the mesh's security level, especially given that the edges of the cavity are at a convenient direction for
access by probes.
\begin{figure}
\begin{center}
\begin{subfigure}[t]{0.4\textwidth}
\includegraphics[width=\linewidth]{survey_formed_mesh_before.jpg}
\caption{Before removing opaque cover lacquer.}
\label{fig_ingenico_forming_before}
\end{subfigure}
\begin{subfigure}[t]{0.4\textwidth}
\includegraphics[width=\linewidth]{survey_formed_mesh_after.jpg}
\caption{After removing opaque cover lacquer.}
\label{fig_ingenico_forming_after}
\end{subfigure}
\end{center}
\caption{Formed cavities in printed foil mesh in sample~\sampleno{H24}.}
\label{fig_ingenico_forming}
\end{figure}
Sample~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a
PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the
PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry.
A similar design defect was mitigated in the specimens manufactured by Banksys, card payment terminal \sampleno{H08} and
ATM encrypting pin pads \sampleno{H03} and \sampleno{H04}. These specimens all have a polyimide/copper FPC mesh glued to
the inside of a casted zinc lid form five sides of a cuboid. These meshes sit atop their base PCBs, and a possible
vulnerability would be the interface between the mesh and the PCB, where there will be an unavoidable gap of at least
several hundred micrometers. In sample~\sampleno{H03}, this was mitigated by milling a slot into the base PCB for the
mesh to sit inside, thereby placing the top layer of the base PCB as well as any internal mesh layers inside the cavity
of the mesh lid. In sample~\sampleno{H04}, the payload circuit was instead placed on a daughterboard sitting inside
the lid using board-to-board stacking connectors (cf. Figure~\ref{hsm_fig_connector_stack}). Here, an additional rigid
mesh PCB was soldered flat on top of the base PCB to cover the open side of the mesh lid, creating an overlap at the
edges. In sample~\sampleno{H08}, a card payment terminal, a simpler construction was used with a simple metal ring
soldered to the base PCB mechanically shielding the edge. We are unable to ascertain why this purely mechanical
shielding technique was used instead of the more secure overlapping technique seen in sample~\ref{H03}, which should
have a similar, low manufacturing cost.
Figure~\ref{hsm_fig_3d_struct_lds} shows the result of Laser Direct Structuring (LDS), a process that avoids some of the
limitations of thermoformed planar meshes. In LDS, a plastic part is covered in a conductive pattern in a combination of
selective laser erosion of its surface and a series of preparation and electroless metal plating steps. LDS allows
covering complex three-dimensional shapes, with the main limitation being that all patterned areas must have a direct
line of sight to the outside for the scanning laser to reach it. Thus, the outside of complex parts can be covered, but
internal cavities cannot. LDS is commonly used to create complex antenna shapes on the surface of internal structural
plastic parts for smartphones, but is more costly compared to screenprinting processes due to its complexity. A further
disadvantage of LDS is that it is only suitable for single-layer patterns, while two layers are easily achievable in
silkscreen and photolithographic PCB processes by patterning both sides of the substrate. More layers can be achived in
these processes by simply stacking multiple foil layers and adding vias (through contacts), or by folding.
Figure~\ref{hsm_fig_3d_struct_house_of_cards} shows an assembly of several rigid PCBs assembled into a three-dimensional
structure to protect a card slot. Solder connections between large pads are used to mechanically and electrically join
the boards. While the rigid PCBs used in such as structure can be produced in a highly inexpensive, standard process,
this style of construction requires manual assembly leading to increased labor cost. Furthermore, the construction
leaves large gaps at edges and corners, which is not a problem for card slot protection in payment applications but
which would be a flaw in a more standard HSM application.
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg}
\caption{Small obstacle mesh coupons (sample~\sampleno{H17}).}
\label{hsm_fig_3d_sandwich_obstacle}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_via_stitch_mesh_delayer_2.jpg}
\caption{Via-fence meshes (sample~\sampleno{H24}).}
\label{hsm_fig_3d_sandwich_via_fence}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_planar_stack.jpg}
\caption{Planar sandwich stack protecting the back of a connector (sample~\sampleno{H24}).}
\label{hsm_fig_3d_sandwich_stack}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering\includegraphics[width=\linewidth]{3d_construction_cavity_2.jpg}
\caption{PCB lid with routed cavity and embedded planar and via-fence meshes (sample~\sampleno{H14}).}
\label{hsm_fig_3d_sandwich_lid}
\end{subfigure}
\caption[Sandwich mesh construction styles]{Construction styles used to cover 3D volumes using sandwich-style
construction.}
\label{hsm_fig_3d_sandwich}
\end{figure}
Besides the house of cards construction style shown in Figure~\ref{hsm_fig_3d_struct_house_of_cards} where PCBs are
hand-assembled into a 3D shape, rigid PCBs are also often soldered planar on top of other PCBs to serve as meshes.
Figure~\ref{hsm_fig_3d_sandwich} shows examples of such sandwich-style constructions.
Figure~\ref{hsm_fig_3d_sandwich_obstacle} and Figure~\ref{hsm_fig_3d_sandwich_via_fence} show a widely used construction
technique where a small mesh PCB coupon is soldered using a Land Grid Array (LGA)-technique on top of a larger base PCB
containing circuitry. The goal in this technique is to project a small part of the mesh into the space above the base
PCB. While this does not prevent targeted drilling as the small coupon is easy to avoid, it does prevent an attacker
from sawing or laser-cutting into the side of the device parallel to the base PCB. In the implementation shown in
Figure~\ref{hsm_fig_3d_sandwich_obstacle}, the coupon simply contains a small mesh embedded in an inner layer.
Figure~\ref{hsm_fig_3d_sandwich_via_fence} shows a different technique, where the mesh inside the coupon is not
primarily laid out in the PCB plane, but instead a large number of vias is used to create a three-dimensional zig-zag
trace structure. While due to structure size limitations this via structure is much coarser than a planar mesh like that
in Figure~\ref{hsm_fig_3d_sandwich_obstacle} would be, it increases the fraction of the vertical space inside the coupon
that is covered by the mesh.
Figure~\ref{hsm_fig_3d_sandwich_stack} shows a variation of this coupon technique where two such coupons are stacked to
create a small overhang, here attempting to protect the back side of a magnetic stripe reader contact in a payment
terminal. While a similar result could also be achieved by milling a slot into the side of a single custom-thickness
PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs
on top of one another instead.
Figure~\ref{hsm_fig_3d_sandwich_lid} finally shows an advanced construction technique that uses a custom PCB with a
large indent milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base
PCB. This PCB lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A
ground plane filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the
cavity. Below this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below these two
via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB.
\subsubsection{Tabular results}
\begin{landscape}
\begin{table}
\footnotesize
\centering
\newcolumntype{M}{>{\centering\arraybackslash}p{4mm}}
\setlength{\tabcolsep}{0pt}
\begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM}
&&\multicolumn{29}{c}{\textbf{Mesh}}\\
\textbf{Feature} & \textbf{Figures} &
1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32
\\\hline
\multicolumn{31}{l}{\textbf{Mesh Contacts.}} \\\hline
Elastomeric & \ref{hsm_fig_connector_elastomeric}, \ref{hsm_fig_connector_stack}
% 0 1 2 3 4 5 6 7 8 9
&&&&& & && % 0 - 9
&& && &&&&& & % 10 - 19
&&&& & & &&% 20 - 29
& &&\\ % 30 - 32
Soldered & \ref{hsm_fig_connector_castellations}
% 0 1 2 3 4 5 6 7 8 9
&& & &&&&& % 0 - 9
& & && & & &&&& % 10 - 19
& & &&&& & & % 20 - 29
& && \\ % 30 - 32
Stacking & \ref{hsm_fig_connector_stack}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & && % 0 - 9
& & & & & & & && & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
Tactile Dome & \ref{hsm_fig_connector_dome}, \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & & && & % 0 - 9
& & & && & & & & & % 10 - 19
& && &&& & & % 20 - 29
& & & \\ % 30 - 32
FPC Connector & \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & && & &% 0 - 9
&& & & &&&&&& % 10 - 19
& && & & & & & % 20 - 29
&& & \\ % 30 - 32
Mesh EMI Gasket & \ref{hsm_fig_connector_gasket}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & && & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Mesh Material}} \\
\hline
Rigid PCB & \ref{hsm_fig_materials_pcb_rigid}
% 0 1 2 3 4 5 6 7 8 9
&&&&&&&&% 0 - 9
&&&&&&&&&& % 10 - 19
& &&&&& &&% 20 - 29
& &&\\ % 30 - 32
Copper FPC & \ref{hsm_fig_materials_pcb_flex}
% 0 1 2 3 4 5 6 7 8 9
& & &&& &&& % 0 - 9
& & &&& & &&& & % 10 - 19
&&& &&& &&% 20 - 29
& && \\ % 30 - 32
Printed silver ink & \ref{hsm_fig_materials_silver_ink}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
&& &&&& & &&& % 10 - 19
& && &&& & & % 20 - 29
& & & \\ % 30 - 32
\hline
Printed carbon ink & \ref{hsm_fig_materials_carbon_ink}
% 0 1 2 3 4 5 6 7 8 9
&& & & & & & &% 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
&& & \\ % 30 - 32
Gold (Laser Direct Structuring) & \ref{hsm_fig_materials_gold_lds}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & &\\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{3D Construction}} \\
\hline
Folded mesh & \ref{hsm_fig_3d_struct_folded_overlap}, \ref{hsm_fig_3d_struct_folded_no_overlap}
% 0 1 2 3 4 5 6 7 8 9
&& &&&&&&% 0 - 9
&& &&& & &&&& % 10 - 19
&&& &&& && % 20 - 29
&&& \\ % 30 - 32
House of cards & \ref{hsm_fig_3d_struct_house_of_cards}
% 0 1 2 3 4 5 6 7 8 9
&& & & & & && % 0 - 9
&& & & & & & & && % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
Laser Direct Structuring & \ref{hsm_fig_3d_struct_lds}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & & & & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & &\\ % 30 - 32
\hline
Thermoformed & \ref{hsm_fig_3d_struct_vacuum_form}, \ref{fig_ingenico_forming}
% 0 1 2 3 4 5 6 7 8 9
& & & & & && & % 0 - 9
& & && & & & & & & % 10 - 19
& & & &&& & & % 20 - 29
& & & \\ % 30 - 32
Planar obstacle & \ref{hsm_fig_3d_sandwich_obstacle}, \ref{hsm_fig_3d_sandwich_via_fence}
% 0 1 2 3 4 5 6 7 8 9
&& & &&& & & % 0 - 9
& & & &&& &&& & % 10 - 19
& & & && & & & % 20 - 29
& & & \\ % 30 - 32
Complex planar & \ref{hsm_fig_3d_sandwich_stack}, \ref{hsm_fig_3d_sandwich_lid}
% 0 1 2 3 4 5 6 7 8 9
& & & && & & & % 0 - 9
& & & & && & & & & % 10 - 19
& & & & & & & & % 20 - 29
& & & \\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Obscurity Features}} \\
\hline
Metal enclosure & \ref{hsm_fig_3d_struct_folded_overlap}
% 0 1 2 3 4 5 6 7 8 9
& &&&& & && % 0 - 9
& & & & & & && & & % 10 - 19
& && & & & && % 20 - 29
&& & \\ % 30 - 32
Potting & \ref{hsm_fig_ingenico_potted_seated}
% 0 1 2 3 4 5 6 7 8 9
& & & & && & & % 0 - 9
& & & & & & & & && % 10 - 19
& & & & & & & & % 20 - 29
&& & \\ % 30 - 32
\hline
Opaque foil & \ref{hsm_fig_connector_dome}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& &% 0 - 9
&& & && & & && & % 10 - 19
&&& && & & & % 20 - 29
&& & \\ % 30 - 32
Opaque lacquer & \ref{fig_ingenico_forming}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
& & & && & & && & % 10 - 19
&& & && & & & % 20 - 29
&& &\\ % 30 - 32
\hline
\multicolumn{31}{l}{\textbf{Other Features}} \\
\hline
Integrated tactile domes & \ref{hsm_fig_connector_dome}
% 0 1 2 3 4 5 6 7 8 9
& & & & &&& & % 0 - 9
& & & && & & && & % 10 - 19
& && &&& && % 20 - 29
& && \\ % 30 - 32
Integrated contact pads & \ref{hsm_fig_connector_fpc}
% 0 1 2 3 4 5 6 7 8 9
& & & & & & & & % 0 - 9
& & & & && && & & % 10 - 19
& && & & & && % 20 - 29
& & & \\ % 30 - 32
\end{tabular}
\caption{Feature matrix of all specimens analyzed.}
\label{tab_hsm_survey_sample_results}
\end{table}
\end{landscape}
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(sample~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}).
\todo{Pictures/refs of opaque materials, mention sample numbers}
To circumvent such attempts, an obvious attack vector is to use radiographical imaging techniques such as X-ray or CT
imaging. To evaluate CT imaging as an attack method, we experimentally imaged the potted HSM module of
sample~\sampleno{H18}, an Ingenico payment terminal, using an industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows
the module we analyzed and two images exported from the resulting CT scan data.
Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In this cut, we can
clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil, and two unused
contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this information to
target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that the mesh of the
device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through one of the mesh's
traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\section{Discussion}
% FIXME intro here
%\subsection{tamper sensing meshes then and now}
Concluding both our patent research and our experimental survey, we find that tamper sensing meshes have been a
commonplace technology throughout the past 150 years. While mesh manufacturing technology has experienced some
advancements from historical wire-wound meshes to modern meshes always being constructed in printed circuit processes,
mesh monitoring approaches have received surprisingly little attention through the centuries and even in recent,
state-of-the-art systems, a simple comparator monitoring a mesh arranged in a bridge configuration is still considered
sufficient by manufacturers.
% FIXME todo above: show wheatstone bridge schematic
\subsection{Mesh construction techniques}
We found that in almost all cases, practical tamper sensing meshes are constructed using standard manufacturing
processes. In some card payment terminals, we found meshes that used slightly customized standard processes and e.g.
integrated a mesh layer produced in a carbon printing process into a membrane keypad, but customizations were minimal.
We only found one mesh manufactured in a bespoke process in the datacenter HSM appliance we examined, and that bespoke
process turns out to be a turnkey solution used by at least two HSM vendors. Underscoring stagnating development in the
field, this particular mesh manufacturing process seems to have seen only minimal changes since the first patents
covering it were published in the late 1990ies.\todo{source}
\subsection{Mesh monitoring circuits}
We observed that in general, academic research leads before patent literature, which is ahead of actual implementations
in the field. Practical monitoring circuitry seems basic. Particularly the datacenter HSM appliance we examined showed a
contrast between a mesh manufactured in a bespoke process combined with an unsophisticated, discrete monitoring circuit
based around a number of voltage comparators.\todo{refer sample number}
\subsection{Computed Tomography Imaging}
CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance,
the Gore tamper sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
are lasered into a specially preparte area on the mesh foil to randomize the connection pattern of the mesh on a
unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
to provide sub-millimeter accurate positioning for an attack, even if the sample to be attacked has large production
tolerances. We found that CT imaging can be made more difficult using three complementary techniques.
\begin{figure}
\centering
\includegraphics[width=0.7\textwidth]{mesh_fold_screenshot.pdf}
\caption[HSM appliance CT scan]{Computed Tomography (CT) scan of a corner of the PCIe HSM module from an Utimaco
rackmount HSM appliance. Visible are several capacitors, the edge of a large IC, and a large Flat Flexible Cable
(FFC) connector. Two layers of metal enclosures with resin potting in between are visible, and the security mesh
can be seen folded between layers of the folded FFC cable connecting to the outside.}
\label{hsm_fig_utimaco_ct}
\end{figure}
\paragraph{Low-contrast trace materials.}
CT imaging can be made more difficult by manufacturing the mesh with very thin conductive traces, and using a trace
material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh sample used a
carbon-based ink that judging by structure size was screen-printed, which leads to an economical yet relatively secure
solution.
\paragraph{Use of X-ray attenuating materials.}
We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult.
Figure~\ref{hsm_fig_utimaco_ct} shows a CT image taken from an Utimaco HSM. The device has two thick metal layers with a
potting resin and the tamper sensing mesh in between, so high-energy X-rays were necessary to penetrate both metal
layers and image the device. As a result, the contrast on X-ray-transparent features like polymers is low. In
comparison, the Ingenico sample was easy to image since it consisted of a PCB wrapped with a mesh foil and encased in
resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray energy and we were
able to easily reconstruct detail on both the mesh's layout and the PCB's circuitry. To apply X-ray dense materials for
defense in a practical design, a sheet made from elementary tin or a tin alloy would be a suitable choice for such an
X-ray absorbing feature since tin is cheap, non-hazardous and absorbs X-rays almost as well as lead. Alternatively to a
sheet-metal enclosure, an X-ray absorbing material could also be incorporated into a potting compound as a powder.
\paragraph{Size.}
Finally, we found that a larger module size makes CT imaging more difficult simply due to the thickness of material that
the X-rays need to penetrate. Ideally, a HSM should aim for a cuboid form factor, as the common flat construction style
is easily penetrated by X-rays along at least one axis.
\paragraph{Radiation sensors.}
Besides engineering techniques making CT imaging harder, in battery-powered devices with active tamper sensing, CT
imaging can be actively detected to trigger a tamper alarm. During CT imaging, a large amount of high-energy X-ray
images are taken. X-ray radiation can be reliably detected using off-the-shelf sensors that usually consist of a
large-area photodiode coupled to a scintillator crystal converting X-ray photons to visible light.
\subsection{Application of Inertial HSM technology}
The widespread use of inexpensive but low-security commodity processes shows that in practical applications, cost is
often prioritized over security. The IHSM approach naturally complements such a system that uses a low-security mesh
material and increases its security without needing a more advanced mesh material. The beneficial construction
techniques that we identified above such as the use of multiple, spaced layers and low-contrast trace materials
complement IHSM technology naturally. The three-dimensional layout of a mesh becomes easier in an IHSM implementation
since features like corners between mesh panels or gaps between mesh layers in most layouts are protected by the mesh's
motion. An unintended advantage that results in IHSM implementations over conventional meshes is that they would provide
a level of intrinsic resistance to X-ray and CT imaging. In contrast to optical cameras in the visible spectrum, X-ray
image sensors need integration times in the hundreds of milliseconds or longer, which makes them unsuitable to image a
quickly moving target.
\section{Conclusion}
In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
the boundaries of achievable structure size for a given process.
The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
traces. Silver printed circuits like they are normally used for keyboard matrices performed particularly well in this
regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found
copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and
can even be forcibly separated from some potting compounds without destroying their traces.
The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
marketed as hardware security modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
sensing meshes despite their low cost. The primary security standard that is most often cited for the certification of
HSMs is the US government's FIPS-140\todo{cite}, now in its third version. A peculiarity of this standard is that it
only requires active tamper sensing meshes in the highest of the four security levels it defeies. Overall, we can
conclude that the term ``HSM'' does not imply state-of-the-art physical tamper sensing.
From an academic point of view, the core finding of our survey is that for academic research on mesh manufacturing,
monitoring or attacks on meshese, realistic tamper sensing mesh samples can easily be created. A number of commercial
manufacturing processes would yield acceptable standins for real devices found in the wild. With the exception of a
single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range approaching the limit of
inexpensive PCB manufacturing processes, none of the devices we examined utilized particularly non-obvious construction
techniques.
From an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
be achievable to most engineers.
We find that the IHSM approach is a natural extension of the state of the art that we saw reflected in tamper sensing
mesh implementations in the field, and that the construction techniques that have been applied to improve their security
can be carried over to IHSM implementations.
Reference in a new issue View git blame Copy permalink