\chapterquote{An unnamed atomic bomb designer~\cite{blechmanTechnologyLimitationInternational1989}}{
Bypassing a PAL [atomic bomb ignition code lock] should be about as complex as performing a tonsillectomy while
entering the patient from the wrong end.
}

\chaptertitle{Active Tamper Sensing in the Wild}

% FIXME introduction

\section{The History of Tamper Sensing Meshes}

Tamper-sensing meshes are highly effective at preventing a large array of physical attacks and provide the core of the
tamper-response system of a Hardware Security Module. In this chapter we will take a look at a range of real-world
devices using tamper-sensing meshes and analyze their implementation. We will analyze the gaps left by the current state
of the industry, and evaluate how Inertial HSMs could close these gaps to make secure hardware accessible to a wider
range of applications. We will start with a brief history of secure hardware with a particular focus on tamper-sensing
meshes.

Tamper-sensing meshes offer many degrees of freedom in their design, ranging from the precise conductor layout, through
the manufacturing technology of the mesh and how it is wrapped around the payload during manufacturing, up to their
monitoring circuitry. As a result, manufacturers across application domains from datacenter appliance HSMs through card
payment terminals have historically used patents on parts of their tamper-sensing mesh implementations as a means to
prevent copying of their designs~\cite{
razaghiCircuitBoardHold2019,
heitmannTamperBarrierElectronic2005,
clarkTamperDetectionSystem2005,
heitmannMethodMakingTamper2009,
perreaultSystemMethodInstalling2005,
}. The basic principle of modern tamper-sensing meshes, preventing physical intrusion using an embedded looped conductor
to cover a surface, traces back at least as far as 1870~\cite{
ImprovementProtectingSafes1870,
ImprovementElectromagneticEnvelopes1870}, when it was applied to the protection of bank vaults from robbers
attempting to dig, drill and saw through the vault's floor and walls. Even multi-layer, orthogonal tamper-sensing meshes
are documented as far back as 1902~\cite{suttonElectricallyprotectedStructure1902}. Using printed circuits instead of
wires for this purpose occurs in literature as soon as printed circuit technology finds widespread commercial adoption
in the 1960s~\cite{hamPrintedcircuitTypeSecurity1971}. The history of more HSM-like devices begins in the 1990s with
the widespread adoption of cryptography in commercial applications~\cite{
kleijneSecurityDeviceSecure1986,
joyceMethodDetectPenetration1996,
droegeSicherheitsmodulMitEinteiliger1997,
cesanaTamperResistantCard2001,
cesanaSecurityClothDesign2006,
elbertSecureCircuitAssembly2006,
cookTamperDetectionCircuit2020,
brodskyCircuitLayoutsTamperrespondent2018,
cobianuLargeAreaDistributed2008,
phamAntitamperMesh2011,
}, when instead of protecting an entire device, it became feasible to create a protected cryptographic coprocessor.

\subsection{Use by the US Military}

One of the earliest practical uses of tamper sensing meshes is documented in notes on a series of lectures given by
Dr.~David~G. Boak, a specialist in communications security and signal intelligence at the US National Security
Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or---even more
exciting---exploding the device.

\subsection{Use in Nuclear Weapons}

Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the Cold War. The
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
tampering aiming to circumvent the PAL, as well as against accidental detonation under extreme environmental
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
when triggered in just the right way.

While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.

\subsection{Use in Nuclear Safeguards}

Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
history of nuclear material passing through these facilities.

When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what these days, in computing, we call a Physically Unclonable Function. The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.

In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example of an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be clearly visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}.

With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is
used in contemporary hardware security modules to detect attempts at drilling or cutting into the
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
the tamper sensing mesh such as materials used or structure sizes is publicly available.

\subsection{Commercial Use}

Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
and ATMs to the ATM PIN pads themselves, which encrypt the customer's PIN right at the source, as well as in all kinds
of card payment terminals. We will analyze two such ATM PIN pads later in this chapter.

HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.

Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
analyzed in this chapter. Furthermore, we have identified at least one model of key safe that in Germany is mounted
externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its
outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of
mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.

\section{The Principles of Tamper-Sensing Mesh Construction and Monitoring}

%\subsection{Tamper-sensing Mesh Manufacturing}

The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications,
meshes manufactured from off-the-shelf processes such as Flexible Printed Circuit (FPC) processes are used, these
processes tend to be optimized to maximize the robustness of the produced circuits to mechanical stress. In contrast, the
ideal tamper-sensing mesh is exactly as robust as it needs to be not to be destroyed accidentally during normal
handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke
manufacturing processes~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
immlerSecurePhysicalEnclosures2018,
ImprovementProtectingSafes1870}.
% TODO cite hennigApparatusMethodComprising2020 and obermaierPUFfilmMethodProducing2023 on immler et al PUF tech

One more widely cited tamper-sensing mesh implementation is a commercial product developed by IBM in collaboration with
chemical company W.\ L.\ Gore \& Associates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020.
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
printed. Vias, i.e.\ contacts between layers, are made by laser cutting small holes into the substrate before the traces
are printed. The flexible circuit layers are joined with an opaque black, stretchy glue and after installation embedded
in an elastic opaque resin. The plastic substrate foil is thinner and significantly less resistant to tearing than
plastic substrates commonly used in the electronics industry for applications like key pads and circuit boards, which
improves its security against tampering. Furthermore, both the glue fusing the foil layers together and the resin the
mesh is embedded inside after installation are clearly co-designed with the carbon trace material such that the trace
material adheres well to both, leading to the traces being destroyed when either is peeled off.

The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name. Its
basic construction and layout has not changed much since the early 1990s~\cite{
macphersonImprovementsSecurityEnclosures1993,
macphersonTamperRespondentEnclosure1999}.

\subsection{Tamper-sensing Mesh Monitoring}

Tamper-sensing meshes are most effective when they are continuously monitored using a backup power supply when the
larger system is powered off. In practice, the main challenge with continuous monitoring of tamper-sensing meshes is in
the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power
monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of
operation from a battery. Commonly, one or two cylindrical or large coin cell Lithium primary batteries are used,
providing on the order of \qtyrange{10}{20}{\watt\hour} over their lifetime. Broken down to an unpowered storage life of
e.g.\ 5 years, this corresponds to a maximum average power consumption of \qty{450}{\micro\watt}.

% relevant categories: (H01L23/576), (G06K19/07372)
% keyword: wire covering
To achieve low power consumption, a popular technique known since at least
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
mesh trace's resistance with a reference resistor, or using a Wheatstone bridge. Bridge circuits were already used
in early tamper-sensing mesh implementations~\cite{
ElektrischeSicherheitseinrichtungSchutze1932,
hamPrintedcircuitTypeSecurity1971,
dalphinEnceinteProtegeeAvec1987,
} and make it possible to detect small changes in the mesh's resistance with little complexity.

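The resistance comparison and the battery budget described in this subsection, modelled as an added example that is not part of the original chapter: a four-arm Wheatstone bridge with the mesh as one arm, a window comparator on the bridge voltage, and the bridge's continuous power draw checked against the budget that follows from battery capacity and storage life. The supply voltage, mesh resistance, comparator window and sample readings are assumed values, not measurements from any surveyed device.

```python
"""Model of a Wheatstone-bridge mesh monitor checked against a battery power budget."""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


def power_budget_uw(battery_wh, years):
    """Maximum average power in microwatts that drains battery_wh over the given years."""
    return battery_wh / (years * HOURS_PER_YEAR) * 1e6


@dataclass
class BridgeMonitor:
    v_supply: float   # bridge excitation voltage in volts (assumed value)
    r_nominal: float  # baseline mesh resistance in ohms; the three fixed arms match it
    window_v: float   # comparator threshold on |differential voltage| in volts

    def differential_voltage(self, r_mesh):
        """Voltage between the two bridge midpoints; 0 V when the mesh is at baseline."""
        v_reference = self.v_supply / 2.0   # divider made of two fixed arms
        if math.isinf(r_mesh):              # severed trace: the mesh arm is an open circuit
            v_mesh = self.v_supply
        else:                               # fixed arm on top, mesh as the lower arm
            v_mesh = self.v_supply * r_mesh / (self.r_nominal + r_mesh)
        return v_mesh - v_reference

    def tampered(self, r_mesh):
        """True when the bridge voltage leaves the comparator window."""
        return abs(self.differential_voltage(r_mesh)) > self.window_v

    def power_uw(self, r_mesh):
        """Continuous power drawn by both bridge branches in microwatts.

        Only the resistive bridge is counted; comparator and logic are not modelled.
        """
        p_reference = self.v_supply ** 2 / (2.0 * self.r_nominal)
        p_mesh = 0.0 if math.isinf(r_mesh) else self.v_supply ** 2 / (self.r_nominal + r_mesh)
        return (p_reference + p_mesh) * 1e6

    def detection_limits(self):
        """Relative resistance change (decrease, increase) at which the window is reached."""
        low = -4.0 * self.window_v / (self.v_supply + 2.0 * self.window_v)
        high = 4.0 * self.window_v / (self.v_supply - 2.0 * self.window_v)
        return low, high


# Assumed operating point: 3 V lithium cell, 100 kOhm mesh, 30 mV comparator window.
MONITOR = BridgeMonitor(v_supply=3.0, r_nominal=100e3, window_v=0.030)

# Constructed sample readings of the mesh resistance in ohms.
SAMPLES = {
    "baseline": 100e3,
    "+1% drift": 101e3,
    "-10% resistance": 90e3,
    "open circuit": math.inf,
}


def evaluate(monitor=MONITOR, samples=SAMPLES):
    """Map each sample name to the monitor's tamper decision."""
    return {name: monitor.tampered(r) for name, r in samples.items()}


if __name__ == "__main__":
    for wh in (10, 20):
        print(f"{wh} Wh over 5 years: {power_budget_uw(wh, 5):.0f} uW budget")
    print(f"bridge draw at baseline: {MONITOR.power_uw(MONITOR.r_nominal):.0f} uW")
    low, high = MONITOR.detection_limits()
    print(f"window reached at {low:+.1%} / {high:+.1%} resistance change")
    for name, alarm in evaluate().items():
        print(f"{name:>16}: {'TAMPER' if alarm else 'ok'}")
```
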
\subsection{Other Tamper Sensing Techniques}

Besides tamper-sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a
secondary line of defence in HSMs and similar devices. By placing such sensors in the device and verifying the device is
within its nominal operating environment, tampering can be made less convenient. Modern security standards often mandate
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other
sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation
sensors such as X-ray sensors. While the implementation cost of most sensor types is low, each
additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors
being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like
custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside
light.
% FIXME citations?

\section{A Survey of Meshes in the Wild}

Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
became less expensive and more integrated, reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
include tamper-sensing meshes to gain an understanding of how they are implemented, and what security level they are
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
meshes.

\subsection{Sample Selection}

Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 21 different models of card payment terminals, and 6 other devices. All devices were procured from
eBay, and the majority were sold by electronic waste recycling companies.

\subsubsection{Card Payment Terminals}

Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as
skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards
Council (PCI SSC), an association of all major western credit card network operators, assumes the role of the de facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
standards. Adding on to PCI's ecosystem impact, its security standards are well thought out and provide a higher level
of security than one might expect from an industry association.

Physical security standards in card payment applications both on the client side -- payment terminals -- and on the
server side -- HSM appliances -- are more stringent than one might expect since the finance industry has been reluctant
to adopt modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
Zero-Knowledge Proofs (ZKPs) not commonly used; even asymmetric cryptography has only been adopted reluctantly, and
ancient ciphers such as Triple DES are still commonly referenced in industry
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is necessary to
safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.

Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each
manufacturer tends to have their own, patented tamper-sensing implementation. Being manufactured at scale, card payment
terminals are cost-sensitive devices, which is reflected in the construction of their tamper-sensing implementations.

\subsubsection{HSM Appliances}

For datacenter applications, HSMs are sold both as add-in cards and as standalone rackmount appliances with a network
interface. In practice, the standalone appliances are just low-end computers in a rackmount enclosure that expose the
API of an internal HSM add-in card to the network. In this survey, we were only able to procure a single such HSM since
these devices are expensive, and even used specimens of older models are usually listed for several hundreds to several
thousands of EUR. The one sample we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a white-label
variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce
cryptographic key streams for TV signal encryption. We bought the device from a recycling company specializing in
datacenter components. The device was sold with any HDDs removed. The device consisted of an older mainboard for
embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM, which was connected to the
HSM add-in card through PCI. The device contained a small Lithium backup battery on the add-in card, and another, larger
battery in an enclosure at the front of the device that was connected to the card through a cable. The device did not
contain any obvious case intrusion sensors.

\subsubsection{ATM Encrypting PIN Pads}

ATMs are built in a modular construction approach. Physically, the enclosure of an ATM is not its only security
barrier. Besides the enclosure, there are two security barriers worthy of note. First, the bank notes in the machine are
stored in an automatic cash dispenser that is built into a traditional vault inside the machine. This vault primarily
acts as a mechanical barrier to discourage theft, but it also often includes tamper sensors that activate an Intelligent
Banknote Neutralisation System (IBNS). The IBNS is designed to spread hard-to-remove ink over the bank notes inside the
vault when tampered with. The permanently stained bank notes are not accepted by banks or retailers anymore.
% FIXME cite https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% archive: https://web.archive.org/web/20250822134238/https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% FIXME cite https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html
% FIXME cite https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html

Besides the vault, the other secondary security barrier is located inside the ATM's PIN pad. While all communication
with the customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's
smartcard IC, the customer must necessarily enter their PIN in plain text. To prevent leakage of the plaintext PIN, the
PIN is encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption.
Often, both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a
tamper-sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and
transmit the plaintext PIN.

We acquired three different EPPs for analysis: two designed by Sagem and apparently re-sold as a white-label product by
Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front
cases.

\subsubsection{Other miscellaneous devices}

Sometimes, tamper-sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a
Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a
conventional postage stamp.

\subsection{Methodology}

We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After
disassembly, we photographed each major component. After photos were taken, we proceeded with destructive techniques
where necessary to obtain microscope photos of each tamper-sensing mesh component. PCBs were sectioned using a sanding
drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling, cutting and prying, applying
heat from a heat gun as necessary to soften polymer compounds and to break glue joints.

\subsection{Results}

\subsubsection{Mesh materials.}
We found meshes constructed from rigid PCBs as well as a number of Flexible Printed Circuit (FPC) processes.
Tamper-sensing meshes constructed from PCBs sometimes used parts of an existing PCB, and sometimes additional PCBs only
containing a mesh were added. Sometimes, multiple rigid PCB meshes were assembled in a house of cards fashion to enclose
part of a device. Flexible meshes, with the exception of the Utimaco HSM appliance's HSM card, which used an
off-the-shelf Gore tamper sensing mesh foil, were all clearly manufactured either entirely or mostly in standard
processes. We found silkscreened silver ink and silkscreened carbon ink-based foils similar to those used for membrane
keyboards, as well as conventional photolithographically etched copper/polyimide Flexible Printed Circuits (FPCs).
Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for both rigid and
flexible etched PCB meshes was generally on the order of \qtyrange{100}{200}{\micro\meter}, while feature size for
printed foil meshes was coarser at \qtyrange{500}{3000}{\micro\meter}.

\subsubsection{Mesh layout.}

\begin{figure}
    \centering
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{hsm_mesh_offset.jpg}
        \caption{Offset layers for more complete coverage}
        \label{hsm_fig_mesh_layout_offset}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{hsm_mesh_orthogonal.jpg}
        \caption{Orthogonal patterns on subsequent layers}
        \label{hsm_fig_mesh_layout_orthogonal}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{hsm_utimaco_mesh_gore.jpg}
        \caption{Combining orthogonal layers with area-covering pattern}
        \label{hsm_fig_mesh_layout_utimaco}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{hsm_mesh_stack_epp.jpg}
        \caption{Spacing mesh layers apart to constrict angular freedom of an attack tool}
        \label{hsm_fig_mesh_layout_epp}
    \end{subfigure}
    \caption{Mesh trace layout approaches for multi-layer meshes.}
    \label{hsm_fig_mesh_layout}
\end{figure}

A key goal in tamper-sensing mesh design is to avoid any gaps in coverage. In single-layer meshes, gaps between adjacent
mesh traces cannot be avoided, and provide an easy approach for an attack. In multi-layer meshes, these structure
size-dependent gaps can be mitigated in multiple ways as shown in Figure~\ref{hsm_fig_mesh_layout}.

\paragraph{Offset patterns.} In a two-sided foil mesh, most of the gaps between adjacent traces can be covered by simply
offsetting the pattern by one structure size in both axes between the foil's top and bottom layers as shown in
Figure~\ref{hsm_fig_mesh_layout_offset}. Depending on the mesh layout, only a small number of point-shaped gaps remain
at corners in mesh traces on one of the layers. The number of these gaps can be reduced by reducing the number of
misaligned corners between both layers, for instance by choosing a systematic serpentine or spiral trace layout.

\paragraph{Orthogonal patterns.} In some other specimens, the manufacturer chose the opposite approach of keeping the
mesh pattern mostly orthogonal on the mesh's two layers as shown in Figure~\ref{hsm_fig_mesh_layout_orthogonal}. While
this leads to a larger number of gaps compared to offset patterns as described above, it also reduces the largest gap
size to about one structure size by one structure size.

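The offset and orthogonal layouts compared above, rasterised as an added example (not code from the original chapter) that reports the uncovered area fraction and the largest uncovered region for a single layer and for both two-layer arrangements. It assumes straight trace runs whose width and spacing both equal one structure size; serpentine turns are not modelled, so the point-shaped corner gaps of the offset layout do not appear.

```python
"""Coverage check for one- and two-layer mesh layouts on a boolean raster."""
from collections import deque

CELLS = 4  # raster cells per structure size (assumed resolution)
SIZE = 8   # edge length of the modelled patch, in structure sizes


def layer(axis, shift=0, n=SIZE * CELLS, s=CELLS):
    """Raster of one mesh layer: True where a trace covers the cell.

    Traces are straight, one structure size wide and one structure size apart.
    axis "h" gives horizontal traces, "v" vertical ones; shift is in cells.
    """
    def covered(x, y):
        coord = y if axis == "h" else x
        return ((coord - shift) // s) % 2 == 0
    return [[covered(x, y) for x in range(n)] for y in range(n)]


def gaps(*layers):
    """Raster of cells that no layer covers when looking straight through the stack."""
    n = len(layers[0])
    return [[not any(l[y][x] for l in layers) for x in range(n)] for y in range(n)]


def open_fraction(gap):
    """Share of the patch area that is left uncovered."""
    cells = [c for row in gap for c in row]
    return sum(cells) / len(cells)


def largest_gap(gap, s=CELLS):
    """Bounding box (width, height), in structure sizes, of the largest uncovered region.

    Regions are 4-connected; (0.0, 0.0) means the stack has no gap at all.
    """
    n = len(gap)
    seen = [[False] * n for _ in range(n)]
    best_area, best_box = 0, (0.0, 0.0)
    for y0 in range(n):
        for x0 in range(n):
            if not gap[y0][x0] or seen[y0][x0]:
                continue
            queue = deque([(x0, y0)])
            seen[y0][x0] = True
            area, x_min, x_max, y_min, y_max = 0, x0, x0, y0, y0
            while queue:  # flood fill one uncovered region
                x, y = queue.popleft()
                area += 1
                x_min, x_max = min(x_min, x), max(x_max, x)
                y_min, y_max = min(y_min, y), max(y_max, y)
                for nx, ny in ((x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)):
                    if 0 <= nx < n and 0 <= ny < n and gap[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        queue.append((nx, ny))
            if area > best_area:
                best_area = area
                best_box = ((x_max - x_min + 1) / s, (y_max - y_min + 1) / s)
    return best_box


def compare():
    """Uncovered fraction and largest gap for each layout discussed in the text."""
    top = layer("h")
    stacks = {
        "single layer": gaps(top),
        "offset": gaps(top, layer("h", shift=CELLS)),  # shifted by one structure size
        "orthogonal": gaps(top, layer("v")),
    }
    return {name: (open_fraction(g), largest_gap(g)) for name, g in stacks.items()}


if __name__ == "__main__":
    for name, (fraction, box) in compare().items():
        print(f"{name:>12}: {fraction:.0%} uncovered, largest gap {box[0]} x {box[1]}")
```
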
\paragraph{Combined approaches.} Figure~\ref{hsm_fig_mesh_layout_utimaco} shows the layout of a Gore tamper-sensing mesh
foil used in a Utimaco HSM. This mesh consists of two foil layers bonded to each other. The outer foil is patterned on
both sides with a sparse pattern of thin serpentine traces with the patterns on both layers being orthogonal to each
other. Both patterns are oriented at a \qty{45}{\degree} angle relative to the sides of the rectangular enclosed volume.
The inner foil is only patterned on one side, and contains a thicker serpentine trace laid out in a zigzag pattern. The
two foil layers are aligned such that no gaps remain between the layers.

\paragraph{Using layer spacing.} Figure~\ref{hsm_fig_mesh_layout_epp} shows how an ATM Encrypting PIN Pad (EPP)
implemented the mesh on its keypad. Off-the-shelf metal snap dome contacts were used on the surface of a conventional
rigid PCB to create the keys. On top of the rigid PCB and contact domes, a two-layer copper/polyimide FPC with an
additional polyimide cover layer was glued down. Meshes were placed on both layers of the FPC, as well as on one
internal layer of the rigid PCB. The resulting structure had the FPC mesh layers separated from the rigid PCB mesh layer
by several hundred micrometers of the rigid PCB's substrate. The meshes on both the FPC and the rigid PCB used a
structure size of \qty{150}{\micro\meter}. The vertical separation between the two meshes was several times that
structure size, which limits the possible angles at which an attack tool could be inserted through both mesh layers.

\subsubsection{Contact and trace construction.}

\begin{figure}
    \centering
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{trace_material_copper_pcb.jpg}
        \caption{Standard photolithographic copper PCB process on rigid FR-4 fiberglass substrate}
        \label{hsm_fig_materials_pcb_rigid}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{trace_material_copper_flex.jpg}
        \caption{Standard photolithographic copper PCB process on flexible polyimide substrate}
        \label{hsm_fig_materials_pcb_flex}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{trace_material_silver.jpg}
        \caption{Screen printing process using silver ink with some carbon ink contact pads for embedded buttons}
        \label{hsm_fig_materials_silver_ink}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{trace_material_contact_gold_lds.jpg}
        \caption{Laser direct structuring using electroless gold plating}
        \label{hsm_fig_materials_gold_lds}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{trace_material_carbon.jpg}
        \caption{Screen printing process using carbon ink}
        \label{hsm_fig_materials_carbon_ink}
    \end{subfigure}
    \caption[Mesh materials]{Materials and manufacturing processes used for mesh traces and contacts.}
    \label{hsm_fig_materials}
\end{figure}
Regular Printed Circuit Boards are frequently used to implement tamper-sensing meshes as shown in
Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are
inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and
offer small structure sizes enabling the creation of fine features down to approximately \qty{100}{\micro\meter} even on
commodity processes. The primary disadvantage of using PCBs to implement tamper-sensing meshes is that PCBs are
fundamentally designed to be as robust as possible. The traces on the top of a PCB are etched from a thick (usually
\qty{35}{\micro\meter} on the outer layers) copper foil adhered to the PCB substrate. As a result, the PCB and the
traces on its surface are easy to manipulate by hand using tools like knives and techniques like soldering. For a
tamper-sensing mesh, trace patterns manufactured to be more fragile might be advantageous. Additionally, standard PCBs
are made using a rigid FR-4 fiberglass/epoxy substrate. Since a tamper-sensing mesh must often enclose all sides of a
payload, flexible foils offer benefits over rigid PCBs.

Figure~\ref{hsm_fig_materials_pcb_flex} shows a Flexible Printed Circuit (FPC) produced in a standard commercial
process similar to PCB production. In FPCs, a copper foil adhered to a substrate is etched, but the substrate here
usually is a thin foil made from polyimide, an orange, temperature-resistant polymer that survives common reflow (hot
air) soldering temperatures. In contrast to rigid PCBs, FPCs are usually limited to no more than four layers before
losing flexibility. Flexible PCBs are often used for tamper-sensing meshes that wrap around a payload, but they come
with the same limitation as standard PCBs: Due to their robust substrate and thick copper layers, they are easily
manipulated by hand.

Figure~\ref{hsm_fig_materials_silver_ink} shows an FPC created in a different process. Here, instead of
photolithographically etching a continuous copper foil adhered to a flexible substrate, the substrate is printed
using a conductive ink. A variety of printing processes are suitable for this technique. The conductive ink is based on
small conductive particles suspended in a hardening binder. Common conductive ink materials are silver and carbon.
Silver-based inks offer lower resistance compared to carbon-based inks, but are prone to surface oxidation and as such
are not suitable for contacts. Therefore, they are often combined with a carbon ink used in contact areas. Carbon-based
inks have high resistance, and can be used to create embedded resistors. The circuit shown in
Figure~\ref{hsm_fig_materials_silver_ink} contains a tamper-sensing mesh on a lower layer, and a keypad matrix with
carbon contacts on its surface.

Figure~\ref{hsm_fig_materials_gold_lds} shows part of a mesh and a contact created using Laser Direct Structuring and
electroless gold plating. Where in electroplating electrical current is used to deposit metal atoms on a surface, in
electroless plating a series of chemical reactions is used. Electroplating requires all traces to be electrically
connected to form a single electrode, while electroless plating can be used on the finished circuit. In
Figure~\ref{hsm_fig_materials_gold_lds}, it is visible how the trace was created using three parallel passes by the
laser. The micrograph also shows the rather coarse edge structure created by LDS, which is caused by the rough surface
left after pulsed laser ablation. The uneven, thin layer of metallization created by LDS results in mechanically fragile
contacts. They must be contacted using a soft material, usually an elastomeric connector.
\subsubsection{Connection methods}

\begin{figure}
    \centering
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{connector_castellated_edge.jpg}
        \caption{}
        \label{hsm_fig_connector_castellations}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{connector_stacking.jpg}
        \caption{}
        \label{hsm_fig_connector_stack}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{connector_zif_fpc_2.jpg}
        \caption{}
        \label{hsm_fig_connector_fpc}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{connector_elastomeric.jpg}
        \caption{}
        \label{hsm_fig_connector_elastomeric}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{connector_rf_gasket.jpg}
        \caption{}
        \label{hsm_fig_connector_gasket}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{connector_metal_dome.jpg}
        \caption{}
        \label{hsm_fig_connector_dome}
    \end{subfigure}
    \caption[Mesh connecting methods]{Connecting methods used between tamper-sensing mesh assemblies and their base PCBs}
    \label{hsm_fig_connector}
\end{figure}
In our survey, we found a wide variety of connecting methods used to connect tamper-sensing mesh assemblies with their
base PCBs, with a selection shown in Figure~\ref{hsm_fig_connector}. Both rigid PCBs and FPCs can be soldered directly to
a PCB using either a Land Grid Array (LGA) technique where pads on both PCBs are soldered facing each other, or using
\emph{castellated} edges, where pads on the base PCB are soldered sideways to holes on the top PCB that have been milled
in half as shown in Figure~\ref{hsm_fig_connector_castellations}. FPCs can also be soldered by dragging a solder blob
across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but this technique is only suitable for hand
soldering.

FPCs are suitable for use with standard Zero Insertion Force (ZIF) FPC connectors as shown in
Figure~\ref{hsm_fig_connector_fpc} that directly mate to a contact area, called \emph{gold fingers} in industry terms,
on the FPC. Both FPCs and rigid PCBs can be used with standard board-to-board stacking connectors such as the one
visible in the center of Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's
back side to ensure the solder joints don't break from mechanical stress when connecting or disconnecting.

In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper-sensing mesh
assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are
usually used in LCD construction to contact a PCB to the LCD's Indium Tin Oxide (ITO)-coated conductive glass, but they
can be used between any two parallel, conductive surfaces~\cite{andreaElectronicConnectorBook2022}. Elastomeric
connectors consist of two insulating elastic polymer layers on the outside, with a thin strip of fine, alternating
conductive and insulating elastic polymer layers sandwiched in between. In Figure~\ref{hsm_fig_connector_elastomeric}
the outer insulating layers are the blue polymer, and the alternating pattern can be seen embedded in their middle. The
fine alternating pattern mates to much larger pads on the two contact surfaces, ensuring that adjacent contacts are
electrically insulated. In tamper-sensing mesh applications, elastomeric connectors provide an intrinsic disassembly
detection since they require continuous pressure to maintain electrical contact. In the top part of
Figure~\ref{hsm_fig_connector_stack}, a land pattern for an elastomeric connector is visible.

Elastomeric connectors are elegant and allow for multiple contacts to be made in a small area using a single elastomeric
connector strip, but they are not off-the-shelf components and are always custom made to order. We found several
instances where other, off-the-shelf technologies were used instead to create a pressure-sensitive connection.
Figure~\ref{hsm_fig_connector_gasket} shows a connection made using conductive gaskets intended for creating gapless
connections between PCBs and enclosures to shield against Electromagnetic Interference (EMI). Unlike elastomeric
connectors, they are not anisotropic and thus they must be cut into pieces to maintain isolation between adjacent pads.
This results in a much larger contact pitch compared to other solutions.

Figure~\ref{hsm_fig_connector_dome} shows another technique, here used to connect the mesh layer embedded into a keypad
to a base PCB. Here, a tactile metal dome intended to be used for creating buttons in low-profile keypads is used to
connect the mesh to the base PCB.

An alternative to soldering and elastomeric connectors that we did not observe during our survey but that deserves
mention here is Anisotropic Conductive Film (ACF)~\cite{huangHardwareHackerAdventures2019}. Similar to elastomeric
connectors, ACF is industrially used to contact flexible PCBs to ITO-coated glass in TFT displays. ACF comes as a
double-sided tape that is bonded using pressure and sometimes high temperatures, and creates a connection between
conductive surfaces on both sides of the tape. This connection has an anisotropic nature, meaning that the tape only
electrically conducts from one face to the other, and not laterally. Technically, this is achieved by embedding a large
number of tiny conductive spheres inside the tape that, when the tape is mounted, get squished between the two contact
surfaces. During ACF manufacturing, the distribution of these spheres is carefully controlled to provide a reliable
connection while guaranteeing adjacent spheres never touch each other.
\subsubsection{3D construction.}

\begin{figure}
    \centering
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_overlap.jpg}
        \caption{Folded with overlap}
        \label{hsm_fig_3d_struct_folded_overlap}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{hsm_3d_style_fold_no_overlap.jpg}
        \caption{Folded without overlap}
        \label{hsm_fig_3d_struct_folded_no_overlap}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{hsm_3d_style_vacform.jpg}
        \caption{Thermoformed}
        \label{hsm_fig_3d_struct_vacuum_form}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{3d_construction_cards_standalone.jpg}
        \caption{House-of-Cards construction}
        \label{hsm_fig_3d_struct_house_of_cards}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.3\textwidth}
        \centering\includegraphics[width=\linewidth]{3d_construction_lds_top.jpg}
        \caption{Laser Direct Structuring}
        \label{hsm_fig_3d_struct_lds}
    \end{subfigure}
    \caption[3D mesh construction styles]{Construction styles used to fit tamper sensing meshes into 3D envelopes. Grids
    in the background are \qty{10}{\milli\meter}, subdivisions are \qty{5}{\milli\meter}.}
    \label{hsm_fig_3d_struct}
\end{figure}
In practice, meshes are almost always manufactured in planar processes first, and then transformed into a
three-dimensional shape. Figure~\ref{hsm_fig_3d_struct}
\subref{hsm_fig_3d_struct_folded_overlap}--\subref{hsm_fig_3d_struct_house_of_cards} shows the construction styles we saw
among our samples that shape a planar mesh into a three-dimensional structure.
Figure~\ref{hsm_fig_3d_struct_folded_overlap} and Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} have meshes produced
as flexible printed circuits, in Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard photolithographic
copper/polyimide FPC process usually used for flexible PCBs, and in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} using
a standard silver ink screenprinting process. The choice in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} not to
overlap the mesh in the corner is likely caused by manufacturing considerations, since it might be difficult to ensure
proper folding of a small foil tab with adhesive pre-applied.

Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows a sample of a flexible circuit manufactured in a screenprinted
silver-ink process thermoformed into a three-dimensional shape~\cite{weidnerHardwareschutzFormHalbschalen2007}. The
flexible circuit mesh is first produced in a standard planar printing process. After printing and curing, the resulting
foil is then heated to soften it, and forced into a three-dimensional shape using a mold. Depending on the process, one
or two molds, and vacuum or pressurized air can be used to shape the foil. The process requires a screenprinted flexible
circuit, and would not work with copper/polyimide flexible PCBs since their copper layer is too thick to plastically
deform without tearing, and because polyimide is not sufficiently thermoplastic at low temperatures.

Thermoforming is a cheap industry standard process, but applied to flexible circuits it has some limitations. First,
only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet
cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all
sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited,
with no sample in our survey exceeding \qty{2}{\milli\meter}\todo{Get proper number}. Higher depths would require
extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the
particle-based conductive inks used for screen-printed electronics are inelastic.

The specimen in Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows one further design defect. The mesh shown does not
extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a PCB to protect
components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the PCB surface,
through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry.
\todoplaceholder{take pic of sample H08 card slot cover}

Figure~\ref{hsm_fig_3d_struct_lds} shows the result of Laser Direct Structuring (LDS), a process that avoids some of the
limitations of thermoformed planar meshes. In LDS, a plastic part is covered in a conductive pattern in a combination of
selective laser erosion of its surface and a series of preparation and electroless metal plating steps. LDS allows
covering complex three-dimensional shapes, with the main limitation being that all patterned areas must have a direct
line of sight to the outside for the scanning laser to reach them. Thus, the outside of complex parts can be covered, but
internal cavities cannot. LDS is commonly used to create complex antenna shapes on the surface of internal structural
plastic parts for smartphones, but is more costly compared to screenprinting processes due to its complexity. A further
disadvantage of LDS is that it is only suitable for single-layer patterns, while two layers are easily achievable in
silkscreen and photolithographic PCB processes by patterning both sides of the substrate. More layers can be achieved in
these processes by simply stacking multiple foil layers and adding vias (through contacts), or by folding.

Figure~\ref{hsm_fig_3d_struct_house_of_cards} shows an assembly of several rigid PCBs assembled into a three-dimensional
structure to protect a card slot. Solder connections between large pads are used to mechanically and electrically join
the boards. While the rigid PCBs used in such a structure can be produced in a highly inexpensive, standard process,
this style of construction requires manual assembly leading to increased labor cost. Furthermore, the construction
leaves large gaps at edges and corners, which is not a problem for card slot protection in payment applications but
which would be a flaw in a more standard HSM application.
\begin{figure}
    \centering
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg}
        \caption{Small obstacle mesh coupons}
        \label{hsm_fig_3d_sandwich_obstacle}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{3d_construction_via_stitch_mesh_delayer_2.jpg}
        \caption{Via-fence meshes}
        \label{hsm_fig_3d_sandwich_via_fence}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{3d_construction_planar_stack.jpg}
        \caption{Planar sandwich stack protecting the back of a connector}
        \label{hsm_fig_3d_sandwich_stack}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering\includegraphics[width=\linewidth]{3d_construction_cavity_2.jpg}
        \caption{PCB lid with routed cavity and embedded planar and via-fence meshes}
        \label{hsm_fig_3d_sandwich_lid}
    \end{subfigure}
    \caption[Sandwich mesh construction styles]{Construction styles used to cover 3D volumes using sandwich-style
    construction.}
    \label{hsm_fig_3d_sandwich}
\end{figure}
Besides the house of cards construction style shown in Figure~\ref{hsm_fig_3d_struct_house_of_cards} where PCBs are
hand-assembled into a 3D shape, rigid PCBs are also often soldered planar on top of other PCBs to serve as meshes.
Figure~\ref{hsm_fig_3d_sandwich} shows examples of such sandwich-style constructions.
Figure~\ref{hsm_fig_3d_sandwich_obstacle} and Figure~\ref{hsm_fig_3d_sandwich_via_fence} show a popular construction
technique where a small mesh PCB coupon is soldered using a Land Grid Array (LGA) technique on top of a larger base PCB
containing circuitry. The goal in this technique is to project a small part of the mesh into the space above the base
PCB. While this does not prevent targeted drilling, as the small coupon is easy to avoid, it does prevent an attacker
from sawing or laser-cutting into the side of the device parallel to the base PCB. In the implementation shown in
Figure~\ref{hsm_fig_3d_sandwich_obstacle}, the coupon simply contains a small mesh embedded in an inner layer.
Figure~\ref{hsm_fig_3d_sandwich_via_fence} shows a different technique, where the mesh inside the coupon is not
primarily laid out in the PCB plane, but instead a large number of vias is used to create a three-dimensional zig-zag
trace structure. While due to structure size limitations this via structure is much coarser than a planar mesh like that
in Figure~\ref{hsm_fig_3d_sandwich_obstacle} would be, it increases the fraction of the vertical space inside the coupon
that is covered by the mesh.

Figure~\ref{hsm_fig_3d_sandwich_stack} shows a variation of this coupon technique where two such coupons are stacked to
create a small overhang, here attempting to protect the back side of a magnetic stripe reader contact in a payment
terminal. While a similar result could also be achieved by milling a slot into the side of a single custom-thickness
PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs
on top of one another instead.

Figure~\ref{hsm_fig_3d_sandwich_lid} finally shows an advanced construction technique that uses a custom PCB with a
large indent milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base
PCB. This PCB lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A
ground plane filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the
cavity. Below this standard mesh stackup are two layers that are used to create a via fence structure similar to that
shown in Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below
these two via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB.
\subsubsection{CT Imaging}

\begin{figure}
    \centering
    \begin{subfigure}[t]{0.45\textwidth}
        \centering
        \includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
        \caption{CT section cut with part of a mesh layer and the riveted metal mesh contacts visible.}
        \label{hsm_fig_ingenico_potted_ct_cut}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering
        \includegraphics[width=\linewidth]{mesh_geom.pdf}
        \caption{CT 3D reconstruction of the mesh's trace geometry.}
        \label{hsm_fig_ingenico_potted_ct_3d}
    \end{subfigure}
    \quad
    \begin{subfigure}[t]{0.45\textwidth}
        \centering
        \includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
        \caption{Photo of the HSM module seated on the payment terminal's main PCB.}
        \label{hsm_fig_ingenico_potted_seated}
    \end{subfigure}
    \caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module.}
    \label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
To evaluate CT imaging as an attack method, we performed CT imaging of the potted HSM module of an Ingenico payment
terminal. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the resulting
CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In this cut,
we can clearly identify a mesh layer with multiple traces, four solid metal contacts riveted to the mesh foil, and two
unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this information
to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that the mesh of
the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through one of the
mesh's traces should be possible without breaking the trace.

Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\section{Discussion}

% FIXME intro here

\subsection{Tamper-sensing meshes then and now}

Concluding both our patent research and our experimental survey, we find that tamper-sensing meshes have been a
commonplace technology throughout the past 150 years. While mesh manufacturing technology has experienced some
advancements from historical wire-wound meshes to modern meshes always being constructed in printed circuit processes,
mesh monitoring approaches have received surprisingly little attention through the centuries, and even in recent,
state-of-the-art systems, a simple comparator monitoring a mesh arranged in a Wheatstone bridge configuration is still
considered sufficient by manufacturers.
% FIXME todo above: show wheatstone bridge schematic
\subsection{Mesh construction techniques}

We found that in almost all cases, practical tamper-sensing meshes are constructed using standard manufacturing
processes. In some card payment terminals, we found meshes that used slightly customized standard processes and e.g.
integrated a mesh layer produced in a carbon printing process into a membrane keypad, but customizations were minimal.
We only found one mesh manufactured in a bespoke process in the datacenter HSM appliance we examined, and that bespoke
process turns out to be a turnkey solution used by at least two HSM vendors.
\subsection{Mesh monitoring circuits}

We observed that in general, academic research leads before patent literature, which is ahead of actual implementations
in the field. Practical monitoring circuitry seems basic. Particularly the datacenter HSM appliance we examined showed a
contrast between a mesh manufactured in a bespoke process combined with an unsophisticated, discrete monitoring circuit
based around a number of voltage comparators.
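The comparator-based monitoring described above and in the preceding subsection, as an added example that is not part of the original text and not taken from any surveyed device: a model of a Wheatstone bridge with a window comparator, showing how the manufacturing tolerance the window has to absorb sets the smallest resistance change the monitor can resolve. The four-trace bridge topology, supply voltage, trace resistance and tolerance are assumptions.

```python
"""Window-comparator monitor on a Wheatstone bridge built from four mesh traces.

The topology and all component values are assumptions for illustration.
"""
import math

V_SUPPLY = 3.0         # volts (assumed backup-battery rail)
R_NOMINAL = 10_000.0   # ohms per mesh trace (constructed value)
OPEN = math.inf        # resistance of a cut trace


def divider(v, r_top, r_bottom):
    """Midpoint voltage of a two-resistor divider, or None if it is undefined."""
    if r_top == OPEN and r_bottom == OPEN:
        return None                    # both traces cut: node floats
    if r_top == OPEN:
        return 0.0
    if r_bottom == OPEN:
        return v
    if r_top + r_bottom == 0:
        return None                    # both traces shorted
    return v * r_bottom / (r_top + r_bottom)


def bridge_diff(arms, v=V_SUPPLY):
    """Differential voltage between the two half-bridge midpoints.

    arms = (r1, r2, r3, r4): r1 over r2 forms one half, r3 over r4 the other.
    """
    r1, r2, r3, r4 = arms
    a = divider(v, r1, r2)
    b = divider(v, r3, r4)
    return None if a is None or b is None else a - b


def tamper_alarm(arms, window, v=V_SUPPLY):
    """Window comparator: alarm when |diff| leaves the window or a node floats."""
    diff = bridge_diff(arms, v)
    return diff is None or abs(diff) > window


def window_for_tolerance(tol, r=R_NOMINAL, v=V_SUPPLY):
    """Smallest window half-width that never false-alarms on an untouched mesh
    whose traces each lie within +/- tol of nominal (worst-case corner)."""
    lo, hi = r * (1 - tol), r * (1 + tol)
    return abs(bridge_diff((lo, hi, hi, lo), v))


def min_detectable_change(window, r=R_NOMINAL, v=V_SUPPLY):
    """Resistance change on one arm of a balanced bridge that just reaches the
    window: v*d / (2*(2r + d)) = window, solved for d."""
    if not 0 < window < v / 2:
        raise ValueError("window must lie between 0 and v/2")
    return 4 * r * window / (v - 2 * window)


if __name__ == "__main__":
    window = window_for_tolerance(0.05)
    d = min_detectable_change(window)
    print(f"window for 5% tolerance: +/-{window * 1000:.0f} mV")
    print(f"smallest detectable single-trace change: {d:.0f} ohm "
          f"({100 * d / R_NOMINAL:.0f}% of nominal)")
    scenarios = {
        "untouched": (R_NOMINAL,) * 4,
        "all traces +20% (temperature drift)": (1.2 * R_NOMINAL,) * 4,
        "one trace cut": (R_NOMINAL, OPEN, R_NOMINAL, R_NOMINAL),
        "one trace shorted": (0.0, R_NOMINAL, R_NOMINAL, R_NOMINAL),
        "one trace +10%": (R_NOMINAL, 1.1 * R_NOMINAL, R_NOMINAL, R_NOMINAL),
    }
    for name, arms in scenarios.items():
        print(f"{name:38s} alarm={tamper_alarm(arms, window)}")
```

With these constructed values, a window sized for 5 percent trace tolerance only trips once a single trace changes by about 22 percent, while a cut or shorted trace trips it immediately and drift common to all traces cancels out.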
\subsection{Computed Tomography Imaging}

CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance,
the Gore tamper-sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
are lasered into a specially prepared area on the mesh foil to randomize the connection pattern of the mesh on a
unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
to provide sub-millimeter accurate positioning for an attack, even if the sample to be attacked has large production
tolerances. We found that CT imaging can be made more difficult using three complementary techniques.
\begin{figure}
    \centering
    \includegraphics[width=0.7\textwidth]{mesh_fold_screenshot.pdf}
    \caption[HSM appliance CT scan]{Computed Tomography (CT) scan of a corner of the PCIe HSM module from an Utimaco
    rackmount HSM appliance. Visible are several capacitors, the edge of a large IC, and a large Flat Flexible Cable
    (FFC) connector. Two layers of metal enclosures with resin potting in between are visible, and the security mesh
    can be seen folded between layers of the folded FFC cable connecting to the outside.}
    \label{hsm_fig_utimaco_ct}
\end{figure}
\paragraph{Low-contrast trace materials.}
CT imaging can be made more difficult by manufacturing the mesh with very thin conductive traces, and using a trace
material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh sample used a
carbon-based ink that judging by structure size was screen-printed, which leads to an economical yet relatively secure
solution.

\paragraph{Use of X-ray attenuating materials.}
We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult.
Figure~\ref{hsm_fig_utimaco_ct} shows a CT image taken from an Utimaco HSM. The device has two thick metal layers with a
potting resin and the tamper-sensing mesh in between, so high-energy X-rays were necessary to penetrate both metal
layers and image the device. As a result, the contrast on X-ray-transparent features like polymers is low. In
comparison, the Ingenico sample was easy to image since it consisted of a PCB wrapped with a mesh foil and encased in
resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray energy and we were
able to easily reconstruct detail on both the mesh's layout and the PCB's circuitry. To apply X-ray dense materials for
defense in a practical design, a sheet made from elemental tin or a tin alloy would be a suitable choice for such an
X-ray absorbing feature since tin is cheap, non-hazardous and absorbs X-rays almost as well as lead. As an alternative
to a sheet-metal enclosure, an X-ray absorbing material could also be incorporated into a potting compound as a powder.

\paragraph{Size.}
Finally, we found that a larger module size makes CT imaging more difficult simply due to the thickness of material that
the X-rays need to penetrate. Ideally, an HSM should aim for a cuboid form factor, as the common flat construction style
is easily penetrated by X-rays along at least one axis.

\paragraph{Radiation sensors.}
Besides engineering techniques making CT imaging harder, in battery-powered devices with active tamper sensing, CT
imaging can be actively detected to trigger a tamper alarm. During CT imaging, a large number of high-energy X-ray
images are taken. X-ray radiation can be reliably detected using off-the-shelf sensors that usually consist of a
large-area photodiode coupled to a scintillator crystal converting X-ray photons to visible light.
\section{Conclusion}

In our survey, we have found a wide variety of tamper sensing mesh construction techniques. Meshes are commonly
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
the boundaries of achievable structure size for a given process.

The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
traces. Silver printed circuits such as those normally used for keyboard matrices performed particularly well in this
regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found
copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and
can even be forcibly separated from some potting compounds without destroying their traces.

The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
marketed as hardware security modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
sensing meshes. We conclude from this observation that the term ``HSM'' does not imply state-of-the-art physical tamper
sensing.

From an academic point of view, the core finding of our survey is that tamper sensing meshes manufactured in a number of
commercial manufacturing processes would yield acceptable surrogates for real devices found in the wild. With the
exception of a single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range, none of
the devices we examined utilized particularly non-obvious construction techniques.

From an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
be achievable for most engineers.