Tamperproofing

Tamperproofing, conceptually, is a methodology used to hinder, deter or detect unauthorised access to a device or circumvention of a security system. Since any device or system can be foiled by a person with sufficient knowledge, equipment, and time, the term "tamperproof" is a misnomer unless some limitations on the tampering party's resources are explicit or assumed.

An item secured with special screw heads may be considered tamperproof by casual passers-by, but can be removed by someone equipped with particular tools.

Tamper resistance is resistance to tampering (intentional malfunction or sabotage) by either the normal users of a product, package, or system or others with physical access to it.

Tamper resistance ranges from simple features like screws with special drives, through more complex devices that render themselves inoperable or encrypt all data transmissions between individual chips, to the use of materials needing special tools and knowledge. Tamper-resistant devices or features are common on packages to deter package or product tampering.

Anti-tamper devices have one or more components: tamper resistance, tamper detection, tamper response, and tamper evidence. [1] In some applications, devices are only tamper-evident rather than tamper-resistant.

Tampering

Tampering involves the deliberate altering or adulteration of a product, package, or system. Solutions may involve all phases of product production, packaging, distribution, logistics, sale, and use. No single solution can be considered as "tamper-proof". Often multiple levels of security need to be addressed to reduce the risk of tampering. [2]

A tamper-evident label with a perforated tape that permanently displays a visual 'OPENED' message after being opened.

Some considerations might include:

Methods

Mechanical

Some devices contain non-standard screws or bolts in an attempt to deter access. Examples are telephone switching cabinets (which have triangular bolt heads that a hex socket fits), or bolts with 5-sided heads used to secure doors to outdoor electrical distribution transformers. A standard Torx screw head can be made in a tamper-resistant form with a pin in the center, which excludes standard Torx drivers. Various other security screw heads have been devised to discourage casual access to the interior of such devices as consumer electronics.

Electrical

This style of tamper resistance is most commonly found in burglar alarms. Most trip devices (e.g. pressure pads, passive infrared sensors (motion detectors), door switches) use two signal wires that, depending on configuration, are normally open or normally closed. The sensors sometimes need power, so to simplify cable runs, multi-core cable is used. While four cores are normally enough for devices that require power (leaving two spare for those that don't), cable with additional cores can be used. These additional cores can be wired into a special so-called "tamper circuit" in the alarm system. Tamper circuits are monitored by the system to give an alarm if a disturbance to devices or wiring is detected. Enclosures for devices and control panels may be fitted with anti-tamper switches. Would-be intruders run the risk of triggering the alarm by attempting to circumvent a given device.

Sensors such as movement detectors, tilt detectors, air-pressure sensors, light sensors, etc., which might be employed in some burglar alarms, might also be used in a bomb to hinder defusing.

Safety

Nearly all appliances and accessories can only be opened with the use of a tool. This is intended to prevent casual or accidental access to energized or hot parts, or damage to the equipment. Manufacturers may use tamper-resistant screws, which cannot be unfastened with common tools. Tamper-resistant screws are used on electrical fittings in many public buildings to reduce tampering or vandalism that may cause a danger to others.

Warranties and support

Warranty label on top of a hard disk.
Warranty label lifted: the word "VOID" is shown multiple times.

A user who breaks equipment by modifying it in a way not intended by the manufacturer might deny they did it, in order to claim the warranty or (mainly in the case of PCs) call the helpdesk for help in fixing it. Tamper-evident seals may be enough to deal with this. However, they cannot easily be checked remotely, and many countries have statutory warranty terms that mean manufacturers may still have to service the equipment. Tamper-proof screws will stop most casual users from tampering in the first place. In the US, the Magnuson-Moss Warranty Act prevents manufacturers from voiding warranties solely due to tampering. A warranty may be dishonored only if the tampering actually affected the part that has failed, and could have caused the failure.

Chips

Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.

It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled. In addition, the custom-made encapsulation methods used for chips in some cryptographic products may be designed so that they are internally pre-stressed, so the chip will fracture if interfered with.
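The zeroise-on-detection response described above, as an added firmware-style model that is not from the article or from any particular product: the mesh-penetration flag, the supply-voltage and temperature envelope, and the key layout are constructed for the example, and the zeroisation writes go through a volatile pointer so the compiler cannot drop them as dead stores.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_BYTES 32

/* Specified operating envelope (constructed values for the example). */
#define VDD_MIN_MV 2700
#define VDD_MAX_MV 3600
#define TEMP_MIN_C  -40
#define TEMP_MAX_C   85

typedef struct {
    uint8_t key[KEY_BYTES];   /* sensitive material to protect */
    volatile int zeroised;     /* latched: once set, the key is gone for good */
} secure_store_t;

typedef struct {
    int mesh_broken;  /* encapsulation / active-mesh penetration sensor tripped */
    int vdd_mv;       /* supply voltage in millivolts */
    int temp_c;       /* die temperature in degrees Celsius */
} tamper_sensors_t;

/* Overwrite through a volatile pointer so the stores survive optimisation. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Tamper detection: any penetration or out-of-spec reading counts. */
int tamper_detected(const tamper_sensors_t *s) {
    if (s->mesh_broken) return 1;
    if (s->vdd_mv < VDD_MIN_MV || s->vdd_mv > VDD_MAX_MV) return 1;
    if (s->temp_c < TEMP_MIN_C || s->temp_c > TEMP_MAX_C) return 1;
    return 0;
}

/* Tamper response: zeroise and latch. Returns 1 if zeroisation ran now. */
int tamper_respond(secure_store_t *st, const tamper_sensors_t *s) {
    if (!tamper_detected(s)) return 0;
    secure_zero(st->key, sizeof st->key);
    st->zeroised = 1;
    return 1;
}

/* Key release is refused once the store has been zeroised. 0 = success. */
int use_key(const secure_store_t *st, uint8_t out[KEY_BYTES]) {
    if (st->zeroised) return -1;
    memcpy(out, st->key, KEY_BYTES);
    return 0;
}

/* Counts key bytes still nonzero; lets a self-test confirm the wipe. */
size_t key_nonzero_bytes(const secure_store_t *st) {
    size_t c = 0;
    for (size_t i = 0; i < KEY_BYTES; i++) c += (st->key[i] != 0);
    return c;
}
```

A real part would run this check from a hardware interrupt or a battery-backed monitor so that it still fires when main power is removed, which is what "cold zeroisation" adds over a purely software check.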

Nevertheless, the fact that an attacker may have the device in their possession for as long as they like, and perhaps obtain numerous other samples for testing and practice, means that it is impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost more than the expected return from compromising a single device. Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.

In the United States, purchasing specifications require anti-tamper (AT) features on military electronic systems. [1]

Digital rights management

Tamper resistance finds application in smart cards, set-top boxes and other devices that use digital rights management (DRM). In this case, the issue is not about stopping the user from breaking the equipment or hurting themselves, but about either stopping them from extracting codes, or acquiring and saving the decoded bitstream. This is usually done by having many subsystem features buried within each chip (so that internal signals and states are inaccessible) and by making sure the buses between chips are encrypted.

DRM mechanisms also use certificates and asymmetric key cryptography in many cases. In all such cases, tamper resistance means not allowing the device user access to the valid device certificates or public-private keys of the device. The process of making software robust against tampering attacks is referred to as "software anti-tamper".

Packaging

Tamper resistance is sometimes needed in packaging, for example:

Tamper-evident seal ring on a drug package (eyedrop bottle).

Resistance to tampering can be built in or added to packaging. [3] Examples include:

Software

Software is also said to be tamper-resistant when it contains measures to make reverse engineering harder, or to prevent a user from modifying it against the manufacturer's wishes (such as removing a restriction on how it can be used). One commonly used method is code obfuscation.

However, effective tamper resistance in software is much harder than in hardware, as the software environment can be manipulated to near-arbitrary extent by the use of emulation.

If implemented, trusted computing would make software tampering of protected programs at least as difficult as hardware tampering, as the user would have to hack the trust chip to give false certifications in order to bypass remote attestation and sealed storage. However, the current specification makes it clear that the chip is not expected to be tamper-proof against any reasonably sophisticated physical attack; [4] that is, it is not intended to be as secure as a tamper-resistant device.

That has the side effect that software maintenance gets more complex because software updates need to be validated, and errors in the upgrade process may lead to a false-positive triggering of the protection mechanism.

References

  1. Altera. "Anti-Tamper Capabilities in FPGA Designs". p. 1.
  2. Johnston, R G (1997). "Physical Security and Tamper-Indicating Devices". LA-UR-96-3827. Vulnerability Assessment Team, Los Alamos National Laboratory. Retrieved 30 August 2019.
  3. Rosette, J L (2009), "Tamper-Evident Packaging", in Yam, K L (ed.), Encyclopedia of Packaging Technology, Wiley (published 2010), ISBN 978-0-470-08704-6.
  4. "TPM 1_2 Changes final.doc". Trusted Computing Group.