Invenco Group Ltd G7UPC Manuel D’Utilisation
CHAPTER
3
Tampers
3.1 Background – Tamper Types
Many Invenco products support two types of tamper protection; in increasing order of security they are:
• removal tamper
• destructive tamper, also known as “Destructive Secure Reset” (DSR).
3.1.1 Tamper Indications
A DSR is a dramatic response to what a unit interprets as an integrity violation: the device shuts down
instantly, wiping its security keys and other sensitive information. The device is not ruined but it is
“bricked”: it cannot operate in any capacity and can be disassembled, repaired and reinitialized only
by Invenco – a return-to-base procedure. Returning a destructive-tampered unit to Invenco requires an
auditable process with formal changes of custody, probably including packaging, transport and staging.
instantly, wiping its security keys and other sensitive information. The device is not ruined but it is
“bricked”: it cannot operate in any capacity and can be disassembled, repaired and reinitialized only
by Invenco – a return-to-base procedure. Returning a destructive-tampered unit to Invenco requires an
auditable process with formal changes of custody, probably including packaging, transport and staging.
The G7SDC will display a “DT event” screen; the G7UPC will display a fast (twice a second) red keypad
LED indication:
LED indication:
Fig. 3.1:
SDC Destructive Tamper (DT) event screen
In contrast, the removal tamper response is intentionally less drastic. Removal tamper sensors protect
a unit that is intact: it may have been removed – even maliciously – from a system in which it was
integrated, but the unit’s integrity has not been violated and it is still operational (albeit in a restricted
mode). Significantly its cryptographic keys have not been erased, although it remains incapable of
financial transactions until restored to normal operation from the removal-tampered state. If necessary
the unit can still perform a DSR.
a unit that is intact: it may have been removed – even maliciously – from a system in which it was
integrated, but the unit’s integrity has not been violated and it is still operational (albeit in a restricted
mode). Significantly its cryptographic keys have not been erased, although it remains incapable of
financial transactions until restored to normal operation from the removal-tampered state. If necessary
the unit can still perform a DSR.
DWI-00175 S1 R15
13