phd-thesis/chapter-hsms/chapter.tex

\chapterquote{An unnamed atomic bomb designer~\cite{blechmanTechnologyLimitationInternational1989}}{
    Bypassing a PAL [atomic bomb ignition code lock] should be about as complex as performing a tonsillectomy while
    entering the patient from the wrong end.
}

\chaptertitle{Hardware Security Modules in the Wild}

In this chapter we will take a look at how Hardware Security Modules are built and what they are used for. We will
analyze the gaps left by the current state of the industry, and evaluate how Inertial HSMs could close these gaps to
make secure hardware accessible to everyone. We will start with a brief history of secure hardware with a particular
focus on tamper-sensing meshes since the tamper-sensing mesh is the primary line of defense that delineates a hardware
security module from other, weaker secure hardware primitives such as Smart Cards or Trusted Platform Modules (TPMs).

% FIXME include stuff from hsm survey paper
% FIXME include stuff from EPA paper

\section{The History of Tamper Sensing Meshes}

\subsection{Use by the US Military}

Electronic tamper sensing meshes are documented in literature beginning around World War \RN{2}. The earliest mention of
such a system we are aware of is from notes on a series of lectures given by Dr.~David~G. Boak, a specialist in
communications security and signal intelligence at the US National Security
Agency\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or--even more
exciting--exploding the device.

\subsection{Use in Nuclear Weapons}

Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
tampering aiming to circumvent the PAL, as well as against accidential detonation under extreme environmental
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
when triggered in just the right way.

While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.

\subsection{Use in Nuclear Safeguards}

Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
history of nuclear material passing through these facilities.

When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
brigh color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.

In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}

With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is
used in contemporary hardware security modules to detect attempts at drilling or cutting into the
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
the tamper sensing mesh such as materials used or structure sizes are publically available.

\subsection{Commercial Use}

Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right at the source, as well as in all kinds
of card payment terminals. We will analyze two such ATM pin pads later in this paper.

HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
paper, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.

Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
analyzed in this paper. Furthermore, we have identified at least one model of key safe that in Germany is mounted
externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its
outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of
mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.

\section{The Principles of Tamper-Sensing Mesh Construction and Monitoring}

\subsection{Tamper-sensing Mesh Manufacturing}

The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications,
meshes manufactured from off-the-shelf processes such as Flexible Printed Circuit (FPC) processes are used, these
processes tend to be optimzed to maximize the robustness of the produced circuits to mechanical stress. In contrast, the
ideal tamper-sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal
handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke
manufacturing processes.
% FIXME cite Immler et al

One more widely cited tamper-sensing mesh implementation is a commercial product developed by IBM in collaboration with
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020.
% FIXME mention that Immler et al. cite them
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces
are printed. The flexible circuit layers are joined with a opaque black, stretchy glue and after installation embedded
in an elastic opaque resin. The plastic substrate foil is thinner and significantly less resistant to tearing than
plastic substrates commonly used in the electronics industry for applications like key pads and circuit boards, which
improves its security against tampering. Furthermore, both the glue fusing the foil layers together and the resin the
mesh is embedded inside after installation are clearly co-designed with the carbon trace material such that the trace
material adheres well to both, leading to the traces being destroyed when either are peeled off.

The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name.
% FIXME list actual patents as citations or table.

\subsection{Tamper-sensing Mesh Monitoring}

\subsection{Other Tamper Sensing Techniques}

\subsection{Hardware Security Module Applications}

\subsection{The Patent Landscape}

Tamper-sensing meshes can be implemented in many different ways. Their design offers various degrees of freedom from the
precise conductor layout, through the manufacturing technology of the mesh and how it is wrapped around the payload
during manufacturing up to its monitoring circuitry. As a result, manufacturers across application domains from
datacenter appliance HSMs through card payment terminals and including niche applications like mail franking machines
have historically used patents on parts of their tamper-sensing mesh implementations as a means to prevent copying of
their designs. While most original tamper sensing mesh implementations are covered by at least one patent, we want to
highlight IBM for dwarfing the efforts of most other companies and fielding industry's widest portfolio of related
patents.

\section{A Survey of Meshes in the Wild}

Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
include tamper-sensing meshes to gain an understanding of how they are implemented, and what security level they are
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
meshes.

\subsection{Sample Selection}

Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 21 different models of card payment terminals, and 6 other devices. All devices were procured from
ebay, and the majority were sold by electronic waste recycling companies.

\subsubsection{Card Payment Terminals}

Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as
skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
of security than one might expect from an industry association.

Physical security standards in card payment applications both on the client side -- payment terminals -- and on the
server side -- HSM appliances -- are more stringent than one might expect since the finance industry has been reluctant
to adopt modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
ancient ciphers such as Triple DES are still commonly referenced in industry
standards~\cite{pci_security_standards_council_payment_2025}. As a result, increased hardware security is necessary to
safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.

Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each
manufacturer tends to have their own, patented tamper-sensing implementation. Being manufactured at scale, card payment
terminals are cost-sensitive devices, which is reflected in the construction of their tamper-sensing implementations.

\subsubsection{HSM Appliances}

For datacenter applications, HSMs are sold both as add-in cards and as standalone rackmount appliances with a network
interface. In practice, the standalone appliances are just low-end computers in a rackmount enclosure that expose the
API of an internal HSM add-in card to the network. In this survey, we were only able to procure a single such HSM since
these devices are expensive, and even used specimens of older models are usually listed for several hundreds to several
thousands of EUR. The one sample we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a white-label
variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce
cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on
datacenter components. The device was sold with any HDDs removed. The device consisted of an older mainboard for
embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM, which was connected to the
HSM add-in card through PCI. The device contained a small Lithium backup battery on the add-in card, and another, larger
battery in an enclosure at the front of the device that was connected to the card through a cable. The device did not
contain any obvious case intrusion sensors.

\subsubsection{ATM Encrypting Pin Pads}

ATMs are built in a modular construction approach. Physically, the enclosure of an ATM is not its only security
barrier. Besides the enclosure, there are two security barriers worthy of note. First, the bank notes in the machine are
stored in an automatic cash dispenser that is built into a traditional vault inside the machine. This vault primarily
acts as a mechanical barrier to discourage theft, but it also often includes tamper sensors that activate an Intelligent
Banknote Neutralisation System (IBNS). The IBNS is designed to spread hard-to-remove ink over the bank notes inside the
vault when tampered. The permanently stained bank notes are not accepted by banks or retailers anymore.
% FIXME cite https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% archive: https://web.archive.org/web/20250822134238/https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% FIXME cite https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html
% FIXME cite https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html

Besides the vault, the other secondary security barrier is located inside the ATM's pin pad. While all communication
with the customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's
smartcard IC, the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the
PIN is encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption.
Often, both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a
tamper-sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and
transmit the plaintex PIN.

We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by
Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front
cases.

\subsubsection{Other miscellaneous devices}

Sometimes, tamper-sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a
Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a
conventional postage stamp.

\section{Conclusion}

In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
the boundaries of achievable structure size for a given process.

The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
traces. Silver printed circuits like they are normally used for keyboard matrices performed particularly well in this
regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found
copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and
can even be forcibly separated from some potting compounds without destroying their traces.

The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
marketed as hardware secuirty modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
sensing meshes. We conclude from this observation that the term ``HSM'' does not imply state-of-the-art physical tamper
sensing.

From an academic point of view, the core finding of our survey is that tamper sensing meshes manufactured in a number of
commercial manufacturing processes would yield acceptable surrogates for real devices found in the wild. With the
exception of a single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range, none of
the devices we examined utilized particularly non-obvious construction techniques.

Form an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
be achievable to most engineers.