Tamperproofing, conceptually, is a methodology used to hinder, deter or detect unauthorised access to a device or circumvention of a security system. Since any device or system can be foiled by a person with sufficient knowledge, equipment, and time, the term "tamperproof" is a misnomer unless some limitations on the tampering party's resources are explicit or assumed.
''Tamper resistance'' is resistance to tampering (intentional malfunction or sabotage) by either the normal users of a product, package, or system or others with physical access to it.
Tamper resistance ranges from simple features like screws with special drives, through more complex devices that render themselves inoperable or encrypt all data transmissions between individual chips, to the use of materials needing special tools and knowledge. Tamper-resistant devices or features are common on packages to deter package or product tampering.
Anti-tamper devices have one or more components: tamper resistance, tamper detection, tamper response, and tamper evidence.
In some applications, devices are only tamper-evident rather than tamper-resistant.
Tampering
Tampering involves the deliberate altering or adulteration of a product, package, or system. Solutions may involve all phases of product production, packaging, distribution, logistics, sale, and use. No single solution can be considered as "tamper-proof". Often multiple levels of security need to be addressed to reduce the risk of tampering.
Some considerations might include:
* Identify who a potential tamperer might be: average user, child, person under medical care, misguided joker, prisoner, saboteur, organized criminals, terrorists, corrupt government. What level of knowledge, materials, tools, etc. might they have?
* Identify all feasible methods of unauthorized access into a product, package, or system. In addition to the primary means of entry, also consider secondary or "back door" methods.
* Control or limit access to products or systems of interest.
* Improve the tamper resistance to make tampering more difficult, time-consuming, etc.
* Add tamper-evident features to help indicate the existence of tampering.
* Educate people to watch for evidence of tampering.
Methods
Mechanical
Some devices contain non-standard screws or bolts in an attempt to deter access. Examples are telephone switching cabinets (which have triangular bolt heads that a hex socket fits), or bolts with 5-sided heads used to secure doors to outdoor electrical distribution transformers. A standard Torx screw head can be made in a tamper-resistant form with a pin in the center, which excludes standard Torx drivers. Various other security screw heads have been devised to discourage casual access to the interior of such devices as consumer electronics.
Electrical
This style of tamper resistance is most commonly found in burglar alarms. Most trip devices (e.g. pressure pads, passive infrared sensors (motion detectors), door switches) use two signal wires that, depending on configuration, are normally open or normally closed. The sensors sometimes need power, so to simplify cable runs, multi-core cable is used. While four cores are normally enough for devices that require power (leaving two spare for those that don't), cable with additional cores can be used. These additional cores can be wired into a special so-called "tamper circuit" in the alarm system. Tamper circuits are monitored by the system to give an alarm if a disturbance to devices or wiring is detected. Enclosures for devices and control panels may be fitted with anti-tamper switches. Would-be intruders run the risk of triggering the alarm by attempting to circumvent a given device.
Sensors such as movement detectors, tilt detectors, air-pressure sensors, light sensors, etc., which might be employed in some burglar alarms, might also be used in a bomb to hinder defusing.
Safety
Nearly all appliances and accessories can only be opened with the use of a tool. This is intended to prevent casual or accidental access to energized or hot parts, or damage to the equipment. Manufacturers may use tamper-resistant screws, which cannot be unfastened with common tools. Tamper-resistant screws are used on electrical fittings in many public buildings to reduce tampering or vandalism that may cause a danger to others.
Warranties and support
A user who breaks equipment by modifying it in a way not intended by the manufacturer might deny they did it, in order to claim the warranty or (mainly in the case of PCs) call the helpdesk for help in fixing it.
Tamper-evident seals may be enough to deal with this. However, they cannot easily be checked remotely, and many countries have statutory warranty terms that mean manufacturers may still have to service the equipment. Tamper-proof screws will stop most casual users from tampering in the first place. In the US, the Magnuson-Moss Warranty Act prevents manufacturers from voiding warranties solely due to tampering. A warranty may be dishonored only if the tampering actually affected the part that has failed, and could have caused the failure.
Chips
Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.
Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.
It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:
* physical attack of various forms (microprobing, drills, files, solvents, etc.)
* freezing the device
* applying out-of-spec voltages or power surges
* applying unusual clock signals
* inducing software errors using radiation (e.g., microwaves or ionising radiation)
* measuring the precise time and power requirements of certain operations (see power analysis)
Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled. In addition, the custom-made encapsulation methods used for chips used in some cryptographic products may be designed in such a manner that they are internally pre-stressed, so the chip will fracture if interfered with.
Nevertheless, the fact that an attacker may have the device in their possession for as long as they like, and perhaps obtain numerous other samples for testing and practice, means that it is impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost more than the expected return from compromising a single device. Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.
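The two design points above, zeroisation on detected tampering and "failing gracefully" so that one compromised device does not expose the rest, as an added model that is not from the article or any vendor's firmware; the sensor names, limits, serials and master key are constructed for the example.

```python
# Added example, not from the article or any vendor's firmware: a model of
# two design points described above. (1) A tamper-response check that
# zeroises key material when the encapsulation mesh is broken or a sensed
# parameter leaves its specified envelope. (2) "Failing gracefully": each
# device holds only a key diversified from a master key and its own serial,
# so extracting one device's key does not expose the rest of the fleet.
# The sensor names, limits, serials and master key are constructed values.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Assumed operating envelope; a real part specifies its own limits.
SPEC = {"vcc_volts": (2.7, 3.6), "temp_c": (-20.0, 85.0), "clock_mhz": (1.0, 40.0)}

def out_of_spec(sensors: Dict[str, float]) -> List[str]:
    """Names of parameters outside the envelope; an unknown sensor also counts."""
    bad = []
    for name, value in sensors.items():
        lo, hi = SPEC.get(name, (None, None))
        if lo is None or not (lo <= value <= hi):
            bad.append(name)
    return bad

def derive_device_key(master: bytes, serial: str) -> bytearray:
    """Issuer-side key diversification: one master, a distinct key per device."""
    info = b"device-key|" + serial.encode()
    return bytearray(hmac.new(master, info, hashlib.sha256).digest())

@dataclass
class SecureElement:
    serial: str
    key: bytearray          # the only secret the device holds
    zeroised: bool = False

    def check(self, mesh_intact: bool, sensors: Dict[str, float]) -> str:
        """Tamper response: wipe the key on penetration or out-of-spec conditions."""
        reasons = out_of_spec(sensors)
        if not mesh_intact:
            reasons.append("mesh")
        if reasons:
            self.zeroise()
            return "zeroised: " + ",".join(reasons)
        return "ok"

    def zeroise(self) -> None:
        self.key[:] = bytes(len(self.key))  # overwrite in place, not just drop the reference
        self.zeroised = True

    def mac(self, msg: bytes) -> bytes:
        """The device's only job here: authenticate a message under its key."""
        if self.zeroised:
            raise RuntimeError("key material destroyed")
        return hmac.new(bytes(self.key), msg, hashlib.sha256).digest()

def provision(master: bytes, serial: str) -> SecureElement:
    """Personalise one device; the master key never leaves the issuer."""
    return SecureElement(serial, derive_device_key(master, serial))

def verify_device_mac(master: bytes, serial: str, msg: bytes, tag: bytes) -> bool:
    """Back end re-derives the device key from the serial and checks the tag."""
    key = bytes(derive_device_key(master, serial))
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)

if __name__ == "__main__":
    master = b"constructed-issuer-master-key"
    dev = provision(master, "SN-0001")
    print(dev.check(True, {"vcc_volts": 3.3, "temp_c": 25.0, "clock_mhz": 20.0}))   # ok
    print(dev.check(True, {"vcc_volts": 3.3, "temp_c": -40.0, "clock_mhz": 20.0}))  # zeroised: temp_c
```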
In the United States, purchasing specifications require anti-tamper (AT) features on military electronic systems (Altera, "Anti-Tamper Capabilities in FPGA Designs", p. 1).
DRM
Tamper resistance finds application in smart cards, set-top boxes and other devices that use digital rights management (DRM). In this case, the issue is not about stopping the user from breaking the equipment or hurting themselves, but about either stopping them from extracting codes, or acquiring and saving the decoded bitstream. This is usually done by having many subsystem features buried within each chip (so that internal signals and states are inaccessible) and by making sure the buses between chips are encrypted.
DRM mechanisms also use certificates and asymmetric key cryptography in many cases. In all such cases, tamper resistance means not allowing the device user access to the valid device certificates or public-private keys of the device. The process of making software robust against tampering attacks is referred to as "software anti-tamper".
Packaging
Tamper resistance is sometimes needed in packaging, for example:
* Regulations for some pharmaceuticals require it.
* High value products may be subject to theft.
* Evidence needs to remain unaltered for possible legal proceedings.
Resistance to tampering can be built in or added to packaging.
Examples include:
* Extra layers of packaging (no single layer or component is "tamper-proof")
* Packaging that requires tools to enter
* Extra-strong and secure packaging
* Packages that cannot be resealed
* Tamper-evident seals, security tapes, and features
Software
Software is also said to be tamper-resistant when it contains measures to make reverse engineering harder, or to prevent a user from modifying it against the manufacturer's wishes (removing a restriction on how it can be used, for example). One commonly used method is code obfuscation.
However, effective tamper resistance in software is much harder than in hardware, as the software environment can be manipulated to near-arbitrary extent by the use of emulation.
If implemented, trusted computing would make software tampering of protected programs at least as difficult as hardware tampering, as the user would have to hack the trust chip to give false certifications in order to bypass remote attestation and sealed storage. However, the current specification makes it clear that the chip is not expected to be tamper-proof against any reasonably sophisticated physical attack ("TPM 1_2 Changes final.doc"); that is, it is not intended to be as secure as a tamper-resistant device.
A side effect of this is that software maintenance gets more complex, because software updates need to be validated and errors in the upgrade process may lead to a false-positive triggering of the protection mechanism.
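Sealed storage and remote attestation as described above, together with the update side effect, as an added toy model that is not from the article or any TPM implementation; it assumes a single hash-chained measurement register, a symmetric attestation key in place of a quote signature, and constructed component contents and chip secret.

```python
# Added example, not from the article or any TPM implementation: a toy of
# the two trusted computing mechanisms named above, sealed storage and
# remote attestation, built on one hash-chained measurement register. It
# also shows the maintenance effect described above: a legitimate update
# changes the measurement and the old seal stops opening. Component
# contents, the chip secret and the attestation key are constructed; a
# real TPM has many PCRs, asymmetric quote signatures and real encryption.
import hashlib
import hmac
from typing import List, Optional

def measure(components: List[bytes]) -> bytes:
    """PCR-style extend: pcr = H(pcr || H(component)), starting from zeros."""
    pcr = bytes(32)
    for blob in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()
    return pcr

def _seal_key(chip_secret: bytes, pcr: bytes) -> bytes:
    # The key exists only inside the chip and only for this measured state.
    return hmac.new(chip_secret, b"seal|" + pcr, hashlib.sha256).digest()

def seal(secret: bytes, pcr: bytes, chip_secret: bytes) -> dict:
    """Bind a secret (at most 32 bytes) to the measured state at sealing time."""
    assert len(secret) <= 32, "toy seal covers at most one hash output"
    key = _seal_key(chip_secret, pcr)
    ct = bytes(a ^ b for a, b in zip(secret, key))  # stand-in for authenticated encryption
    return {"pcr": pcr, "ct": ct}

def unseal(blob: dict, current_pcr: bytes, chip_secret: bytes) -> Optional[bytes]:
    """Release the secret only if the current measurement matches the sealed one."""
    if not hmac.compare_digest(blob["pcr"], current_pcr):
        return None  # modified software, or an update not yet resealed: refuse
    key = _seal_key(chip_secret, current_pcr)
    return bytes(a ^ b for a, b in zip(blob["ct"], key))

def quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Attestation: a keyed statement of the current measurement, fresh per nonce."""
    return hmac.new(attestation_key, nonce + pcr, hashlib.sha256).digest()

def verify_quote(expected_pcr: bytes, nonce: bytes, q: bytes, attestation_key: bytes) -> bool:
    """Remote verifier compares against the measurement it expects for this nonce."""
    return hmac.compare_digest(quote(expected_pcr, nonce, attestation_key), q)

# Constructed boot chains.
GOOD_BOOT = [b"bootloader v1", b"kernel v1", b"player v1"]
PATCHED = [b"bootloader v1", b"kernel v1", b"player v1 patched"]  # tampered binary
UPDATED = [b"bootloader v1", b"kernel v2", b"player v1"]          # legitimate update
CHIP_SECRET = b"constructed-chip-secret"

if __name__ == "__main__":
    blob = seal(b"content-key", measure(GOOD_BOOT), CHIP_SECRET)
    print(unseal(blob, measure(GOOD_BOOT), CHIP_SECRET))  # b'content-key'
    print(unseal(blob, measure(PATCHED), CHIP_SECRET))    # None
    print(unseal(blob, measure(UPDATED), CHIP_SECRET))    # None: reseal after each update
```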
See also
* Chicago Tylenol murders
* Child-resistant packaging
* FIPS 140-2
* Ink tag
* Packaging and labelling
* Package pilferage
* Tamper-resistant switch
* Tamper-evident technology
* Wrap rage
External links
Tamper Resistance – a Cautionary Note
Design Principles for Tamper-Resistant Smartcard Processors
Low cost attacks on tamper resistant devices