Blog: How Tos
Tamper proofing review: the iZettle card payment terminal
Tamper resistance is an increasingly important factor in smart devices. Together with secure hardware design and defensive coding, it can deliver a very secure device.
One of the most common areas the average consumer will encounter tamper resistant devices is in payment terminals, or Pin Entry Devices (PEDs)
Placing a hardware back door inside a PED was an excellent route for fraudsters to skim credit cards.
So, I spent some time examining the tamper resistance features of the iZettle, a popular smart card payment device
Why the iZettle?
As with most IoT projects, I started with the FCC documentation. https://fccid.io/YRWCRONE.
There was very little in the docs discussing tamper resistant features, so I thought I’d buy one and investigate.
So, £50 later here’s what I found one evening
It has plenty of tamper resistant features. It’s certainly in-line with bigger PEDs that I have opened in the past.
To open the device, there are 4 Torx screws on the back – two concealed under the label.
As soon as the outer two screws are removed, you detect a slight click and the unit detects a tamper.
To open, the back part slides down. This has the battery and contacts for power. The orange part on the right is a flex PCB tamper grid.
You can see the pseudo-random pattern of the grid here. On high end devices, this pattern will differ from unit to unit. It’s not clear how random this is on the iZettle.
Break the grid and the unit will detect a tamper. Sometimes, the grid can be shorted and bypassed, but this can take quite a lot of skill.
With a few more screws out, and we can see the mag stripe reader (3 track), Bluetooth module, USB power. This part is not protected by a grid, so it may be possible to intercept data, but bear in mind we have already tripped several anti-tampers at this point.
Now the whole thing is apart. Tamper grid covers the membrane keys. Two more screws and the tamper grid comes apart.
So the rear part of the grid connects using zebra strips. This is folded under the rear part of the grid so it is hard to get at.
This explains the slight click felt when removing the screws. The black plastic with the brass insert presses a small clicker button and triggers the anti-tamper.
This is a better way of dealing with screw removal than a simple break circuit, as one could simply cut the head off the screw, remove the case and potentially avoid triggering the anti-tamper detection
The zebra strip contacts with the main PCB and the other side of the tamper grid.
Notice this debug connector. Tamper behind PCB and above (but removed). One for another time!
A close up of the mag reader. Notice the flex PCB signal wire also has quirky routing, to prevent sniffing.
This is the Bluetooth module. I haven’t looked up anything about it.
What’s this hiding under the flex PCB to the mag reader?
Flash memory! Will be interesting to see if this has anything left on it after the tamper has been triggered. It’s almost certainly encrypted, with the keys stored inside the main microcontroller.
So this is the main processor. I don’t know what the strange white hexagon sticker is for – it removes very easily.
Ooh look! A MAX32250 DeepCover Cortex-M3 https://www.maximintegrated.com/en/products/microcontrollers/MAX32550.html
The MAX32550 doesn’t have fully open datasheets, so we can’t tell that much about it. What we do know is that it has a lot of security functionality: a hardware random number generator, battery backed key storage (so the second power is removed, keys are wiped), a die shield with tamper detection to mitigate decapping attacks, and more.
We can’t tell how much of this is used, but it is a much better starting point that a general purpose SoC or microcontroller.
A close up of the pin pad tamper grid. This is here because some previous tamper bypasses have gone through the front of the pin pad.
I don’t understand what the black layer is. It has a conductive (graphite) layer and is very friable. We’ll look at this another time.
So, as it stands, I believe the iZettle device has a comfortable level of tamper detection. Significant effort has been made to frustrate an attacker attempting to compromise it.
That’s not to say that it cannot be compromised, but the skill level of the attacker and effort/investment involved has to be much higher than if these protections were not present.
It also shows that tamper resistant features don’t necessarily incur huge cost (this was only £50), particularly for a device dealing with very sensitive data such as credit card transactions.