Introduction
When a hardware hacker targets a device, the first question is never "what's the firmware?" - it's "what's the package?" The physical form factor of an IC dictates everything: whether you can probe a signal, inject a fault, extract a key, or even see the damn pins. Over six decades, semiconductor packaging has evolved from hand-solderable through-hole DIP chips to sub-micron direct copper-to-copper hybrid bonds where no physical probe can ever reach.
This blog documents that evolution from a hardware security and physical attack perspective - validated against peer-reviewed research, IEEE publications, and industry datasheets. Every claim below has a cited reference.
Era 1: Through-Hole Technology (THT) - ~1960 to 1990
Package Types: DIP, SIP, ZIP
The Dual In-line Package (DIP) was introduced by Fairchild Semiconductor in 1964 and became the defining package of the microprocessor revolution. Intel's 4004 (1971), 8080 (1974), and MOS 6502 (1975) all shipped in DIP.1
DIP package - 2.54mm pitch pins, every logic analyzer clip fits. (Wikimedia Commons, CC BY-SA)
Attack Surface: Wide Open
For a hardware hacker, THT-era chips are paradise:
- Direct probing: Pins are 2.54 mm pitch - every hobbyist logic analyzer clip works
- Chip removal: Desoldering a DIP requires a $5 solder sucker
- Bus sniffing: Address/data buses are fully exposed; a cheap Bus Pirate or Saleae captures everything
- ROM extraction: UV-erasable EPROMs (DIP-28) could literally be read under a UV lamp or dumped in seconds with a $20 EPROM programmer
Reference: Wang et al., "Probing Attacks on Integrated Circuits: Challenges and Research Opportunities", IEEE Design & Test, 2017 - cited 142 times2
Era 2: Chip on Board (COB) & PGA - ~1970 to Present
Package Types: COB, PGA (Pin Grid Array)
Two package families from this era are often overlooked but remain highly relevant to hardware security.
Chip on Board (COB): The bare die is wire-bonded directly to the PCB substrate and then covered with a black epoxy blob (the "blob-top"). Used extensively in cheap IoT sensors, smart cards, calculators, RFID tags, and single-use embedded controllers. The epoxy encapsulant is the only physical barrier.
Pin Grid Array (PGA): Hundreds of pins arranged in a grid on the underside of a ceramic or plastic carrier. Intel 486, Pentium (Socket 7), and early AMD Athlon CPUs all used PGA. Still used in server CPUs (Intel LGA is the socket; AMD AM5 uses PGA on the CPU side).
Attack Surface: Mixed
COB "blob-top" - bare die wire-bonded directly to PCB, covered in black epoxy. (SparkFun, CC BY-SA 4.0)
COB (blob-top):
- Chemical decapsulation: Fuming nitric acid or acetone dissolves the epoxy blob, exposing bare die and bond wires within minutes
- Wire bond probing: Once decapped, bond wires are directly accessible with micro-manipulator probes
- Relevant targets today: Low-cost IoT SoCs, smart meter ICs, RFID tag ASICs, and contactless payment chips frequently use COB
PGA:
- Direct pin access: PGA pins are spaced and accessible - logic analyzer clips attach with ease
- Socket removal: ZIF (Zero Insertion Force) sockets mean chip removal is literally tool-free
- Identical to DIP for attack purposes: Full bus exposure, straightforward dumping
Era 3: Early Surface Mount Technology (SMT) - ~1980 to 1998
Package Types: SOIC, TSOP, TSOP-II, QFP
SMT was pioneered in the early 1980s by IBM for use in mainframe computers before reaching consumer electronics. SOIC (Small Outline IC) and QFP (Quad Flat Package) brought pin pitches down to 0.5–1.27 mm - still visible and probeable, but requiring fine-tipped probes.3
SOIC/SOP family - gull-wing leads still probeable with fine-tip probes. (NextPCB)
Attack Surface: Still Accessible
- Hot air rework: A $40 hot-air station removes SOIC chips cleanly
- JTAG exposure: Most embedded systems of this era had JTAG/UART debug ports on exposed test pads
- Datasheets available: Near-universal public documentation made pin-mapping trivial
- NOR Flash (TSOP): Common in embedded routers/POS terminals - directly readable via SOIC clip without desoldering
Practical note: This is the era of most legacy IoT, industrial, and POS terminal chips still deployed in production today. TSOP NOR Flash attacks remain relevant for firmware extraction from older embedded targets.
Era 4: Fine Pitch SMT - ~2000 to 2012
Package Types: QFN, LQFP, MLF
QFN (Quad Flat No-lead) moved pads to the underside thermal pad region. The QFP's exposed gull-wing leads were replaced with recessed contacts - physically harder to solder and nearly impossible to probe without PCB-level access.
QFN package - pads moved to underside, no gull-wing leads. (AnySilicon)
Attack Surface: Moderate
- Hidden thermal pads: X-ray inspection required to verify solder joints
- Smaller pitch (0.4–0.5 mm): Probing requires micro-manipulator setups or FIB (Focused Ion Beam)
- JTAG often still present: Debug interfaces typically remained on PCB test points even if the chip was QFN
- Key takeaway for pentesters: Physical access to the board is still the primary attack requirement here; the package is not the barrier, the PCB is
Era 5: Ball Grid Array (BGA) - ~1996 to Present
Package Types: BGA, FBGA, µBGA, PBGA
BGA emerged from IBM research in the early 1990s and became mainstream in consumer electronics by 1996–2000. All solder connections move entirely under the package - completely invisible to standard probing.4
BGA - all connections hidden beneath as solder balls, invisible to standard probing. (AnySilicon)
Attack Surface: Hard - But Not Impenetrable
BGA introduced the first real physical barrier against casual hardware attacks:
- No visible pins: X-ray fluoroscopy required just to inspect solder ball integrity
- Reballing: Removing a BGA without destroying it requires proper BGA rework station ($500+), hot air profiles, and flux chemistry knowledge
- DRAM BGA extraction: Possible with skill - NAND BGA chips (eMMC, UFS) are routinely extracted for forensic imaging in mobile device investigations
- Logic attacks survive: Even if you can't probe the BGA pins, UART/JTAG test pads on the PCB often bypass the physical security
eMMC/UFS note: For IoT pentesters, soldering wires to BGA eMMC pads for direct memory reads is a well-documented technique used in mobile forensics and embedded device analysis.
Reference: Wang et al., 2017, IEEE - Probing Attacks on ICs2
FC-BGA - die flipped face-down, active surface buried, connected via micro-bumps to substrate. (AnySilicon)
Flip-Chip BGA (FC-BGA): The Dominant CPU Package
A critical BGA variant missing from most security discussions: Flip-Chip BGA. The die is flipped face-down and connected via micro-bumps directly to the substrate, rather than wire bonds. Every modern desktop and server CPU from Intel (Core, Xeon) and AMD (Ryzen, EPYC) uses FC-BGA.
Security implications:
- Die face is buried: The active silicon surface faces the substrate, not the attacker. Laser fault injection from the top now hits the backside - requiring backside thinning or IR laser tuning for deeper penetration
- Micro-bump pitch: 100–150 µm pitch - slightly more accessible than BGA balls but still requires FIB or micro-probing
- Underfill: Epoxy underfill between die and substrate makes non-destructive removal nearly impossible without thermal damage to the die
Era 6: Land Grid Array (LGA) - ~2004 to Present
Package Types: LGA775, LGA1200, LGA1700, LGA4677 (server)
Intel introduced LGA with the LGA775 socket in 2004 (Pentium 4, Core 2). The paradigm shift: pins move from the chip to the motherboard socket. The CPU has flat contact pads; the socket has spring-loaded pins. Used continuously through LGA1700 (Alder/Raptor Lake) and LGA4677 (Sapphire Rapids Xeon).
LGA - flat gold-plated contact pads on chip underside; spring pins are in the socket, not the CPU. (PCBasic)
Attack Surface: Moderate (Board-Level)
- No pins to damage on the CPU: The chip itself is a flat-pad package - mechanically robust
- Socket access: With CPU seated in socket, all signals are accessible at the socket pins with fine probes or a purpose-built interposer PCB
- Interposer attacks: A custom PCB interposer between CPU and socket can passively sniff or actively inject signals on all memory, PCIe, and power rails - a technique used in academic CPU vulnerability research
- Relevant for: Desktop/workstation/server security research, firmware attacks on Intel ME/AMD PSP which communicate over buses accessible at the socket
Era 7: Package on Package (PoP) - ~2006 to Present
Package Types: PoP (LPDDR stacked on SoC), fPoP (fine-pitch PoP)
PoP stacks two BGA packages vertically - typically a mobile application processor on the bottom and LPDDR memory on top, with solder balls connecting the two packages through the top package's external pads. Used in virtually every smartphone SoC: Qualcomm Snapdragon, MediaTek Dimensity, and early Apple A-series (before SiP).
PoP - LPDDR memory stacked directly on top of the application processor SoC. (Mistral Solutions)
Attack Surface: Hard - Critical for Mobile Security Research
PoP is heavily underrepresented in hardware security literature despite being the packaging for billions of mobile devices:
- Memory bus is exposed between packages: Unlike SiP (where dies are co-sealed), the PoP memory interface runs through external solder balls between the two packages
- Memory bus interception: With the top LPDDR package removed, the SoC's PoP pads are exposed - a technique used in mobile forensics to bypass Full Disk Encryption by freezing and reading LPDDR contents
- Chip-off forensics: PoP tops (LPDDR) are routinely removed via hot air and read directly in LPDDR forensic readers in law enforcement contexts
- DRAM bus snooping: Academic research has demonstrated interposer-based DRAM bus sniffing on PoP devices to extract AES keys from memory
Practical note: Any IoT device using a mobile-derived SoC (Raspberry Pi, most Android-based embedded systems) likely uses PoP or a PoP-derived arrangement.
Era 8: Wafer Level Chip Scale Package (WLCSP) - ~2000 to Present
The Package That Accidentally Created a New Attack Vector
WLCSP is a packaging technique where solder bumps are deposited directly on the wafer before dicing. The result: the packaged chip is nearly identical in size to the bare die itself. Used extensively in mobile SoCs, wearables, and compact IoT sensors.
WLCSP - package is nearly the size of the bare die; silicon backside is fully exposed. (AnySilicon)
⚠️ The WLCSP Paradox: Harder to Probe, Easier to Fault Inject
This is the most important and counterintuitive security fact about modern packaging:
"The WLCSP will inherently expose the backside of the die, meaning that BBI becomes a new threat model." - Colin O'Flynn, Circuit Cellar, 20215
Body Biasing Injection (BBI) is a fault injection attack where a high-voltage pulse (200–500V) is applied to the exposed silicon backside of the chip. Because of WLCSP's form factor, no decapsulation is needed - the die backside is already the top surface of the package.
From the CARDIS 2020 peer-reviewed paper - "Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices" by O'Flynn:6
- A $15 BBI probe successfully induced exploitable faults on STM32F415OG (WLCSP)
- 54% of injection attempts produced exploitable results
- Attacks successfully broke RSA via mbed-TLS and manipulated code flow
- Tool cost: ~$15 for transformer-based pulse generator
This was further confirmed in IEEE Transactions (2024): "Fault Injection Attacks Exploiting High Voltage Pulsing over Si-Substrate Backside of IC chips"7
Summary:
| Attack Type | BGA | WLCSP |
|---|---|---|
| Traditional probing | Hard | Hard |
| Chip removal/reballing | Hard | Easy |
| Laser Fault Injection | Requires decap | ✅ Direct access |
| BBI (Body Biasing Injection) | Requires decap | ✅ No decap needed |
| EM Fault Injection | Possible | Possible |
Era 9: Smartcard & Secure Element Packaging - ~1985 to Present
Package Types: ISO 7816, SIM (2FF/3FF/4FF), eSIM (MFF2), SE (embedded)
Smartcard ICs occupy their own security-critical packaging niche that most IC packaging surveys omit entirely. The ISO 7816 contact smartcard standard (1987) and subsequent EMV payment cards, SIM cards, and embedded Secure Elements represent decades of dedicated adversarial packaging research.
Smartcard IC structure - ISO 7816 contact pads on top, bare die wire-bonded below, all sealed in epoxy. (Wikimedia Commons, CC BY-SA 3.0)
The Smartcard Security Model
Smartcard ICs are designed from the ground up with physical attack resistance as a primary requirement - unlike general-purpose ICs where security is an afterthought:
- Active shield mesh: A top metal layer consisting of a fine conducting mesh connected to tamper detection logic. Any probe needle penetrating the mesh shorts it, triggering key erasure
- Glue logic scrambling: Internal bus signals are XOR-scrambled with random keys; even if you probe a metal layer, you get encrypted noise
- Light sensors: Photodetectors on-die trigger zeroization if the package is optically decapsulated under bright light (foiling the "open under dim light" trick)
- Substrate sensors: Detect changes in capacitance or conductance caused by probing from below
Historical Attack Progression
| Year | Attack | Target |
|---|---|---|
| 1996 | Timing attacks (Kocher) | All smartcards |
| 1998 | DPA (Kocher, Jaffe, Jun) | Unprotected smartcards |
| 2000 | Microprobing after FIB depassivation | Early shield mesh cards |
| 2002 | Differential Fault Analysis | Crypto accelerators |
| 2010 | EM probing near-field | Shielded smartcards |
| 2015+ | Side-channel on eSIM/SE | Embedded secure elements |
Relevant targets today: EMV payment cards, SIM/eSIM, TPM 1.2/2.0, HSM internal modules, Secure Enclave (Apple T2/M-series), Google Titan M, Android StrongBox.
Era 10: System in Package (SiP) - ~2002 to Present
Package Types: SiP modules, MCM (Multi-Chip Module)
SiP integrates multiple dies - CPU, RAM, Flash, RF - into a single sealed package. Military/aerospace applications used MCMs since the early 2000s; Apple Watch Series 1 (2015) brought SiP to mass consumer awareness.
SiP module - CPU, RAM, Flash, RF all sealed in one package. Decapping without destroying inner dies requires precision plasma etching. (AnySilicon)
Attack Surface: Hard
- Sealed enclosure: Decapsulating SiP without damaging inner dies requires precision chemical/plasma etching or FIB cross-sectioning
- No exposed inter-die signals: Unlike discrete component designs, the RAM-to-CPU bus is entirely inside the module
- EMFI still works: EM fault injection can target the package without requiring physical access to die surface
Era 11: Fan-Out Wafer Level Packaging (FOWLP) - ~2016 to Present
Package Types: InFO (TSMC), eWLB (Infineon), FOWLP
Infineon introduced eWLB fan-out packaging around 2006–2007. TSMC's InFO (Integrated Fan-Out) went into mass production in 2016 with Apple's A10 Fusion SoC - replacing the PCB-in-package substrate entirely.4
FOWLP - die embedded face-down in mold compound, redistribution layers fan signals out beyond the die edge. No substrate, no probe points. (AnySilicon)
Attack Surface: Hard
- Ultra-thin: InFO packages are <1 mm total thickness
- Embedded die in mold compound: Die is embedded face-down in epoxy, redistribution layers (RDL) route signals outward
- RDL complexity: The redistribution layers themselves are proprietary and undocumented - reverse engineering requires TEM/SEM cross-sectioning
- No conventional probing points: All signals buried inside the redistribution stack
Era 12: 2.5D Interposer Packaging - ~2012 to Present
Package Types: CoWoS (TSMC), EMIB (Intel), Si-bridge
TSMC's CoWoS (Chip on Wafer on Substrate) entered volume production around 2012 for Xilinx Virtex-7 FPGAs - not 2019 as often cited. Intel's EMIB (Embedded Multi-die Interconnect Bridge) followed for Stratix 10 FPGAs.
CoWoS 2.5D - logic die and HBM stacks mounted side-by-side on a passive silicon interposer. Inter-die signals never leave the package. (AnySilicon)
Attack Surface: Very Hard
- Multiple chiplets on silicon interposer: The interposer itself is a passive routing layer - but compromising it during supply chain is a documented attack vector
- No external inter-die signals: HBM↔GPU communication via CoWoS interposer never leaves the package
- X-ray tomography: Industrial CT scanning is now required just to map die positions - no longer feasible with desktop tools
Reference: Suzano et al., "On Hardware Security and Trust for Chiplet-Based 2.5D and 3D ICs: Challenges and Innovations", IEEE Transactions, 2024 - cited 19 times89
Era 13: Chiplet Architecture - ~2019 to Present
Package Types: Multi-die packages, disaggregated SoC
AMD's Zen 2 (July 2019) was the first mainstream CPU to use chiplets at scale - 7nm compute dies + 14nm I/O die in a single package.8
AMD EPYC Genoa delidded - 12 compute chiplets surrounding a central I/O die. Each chiplet is an independent supply chain attack surface. (AMD / AnySilicon)
Attack Surface: Very Hard - With Unique New Threats
Chiplet architecture introduces a fundamentally new supply chain attack model:
"Malicious chiplets, hardware trojans, and chiplet intellectual property theft are threats that must be addressed as the industry moves towards the 'chiplet age'." - Suzano et al., IEEE 20249
Documented threat vectors unique to chiplets:810
- Malicious chiplet insertion: An attacker with supply chain access could substitute a counterfeit chiplet that mimics normal operation but exfiltrates data via covert channels
- Hardware Trojans on shared bus: Untrusted chiplets sharing the die-to-die interconnect fabric can read or modify in-transit data8
- IP theft during fabrication: Because dies come from different fabs (potentially untrusted foundries), each die's netlist can be independently reverse-engineered9
- DARPA's CHIPS program: Directly funds chiplet security research due to national security implications - the threat is government-acknowledged8
Era 14: 3D IC Stacking / TSV - ~2015 to Present
Package Types: TSV (Through-Silicon Via), HBM, 3D NAND
HBM1 (High Bandwidth Memory) went into production with AMD's Fiji GPU in mid-2015 - the first mainstream 3D-stacked memory product. JEDEC standardized HBM in 2013.11
HBM 3D stack - multiple DRAM dies connected vertically via Through-Silicon Vias (TSVs). (AnySilicon)
Attack Surface: Extremely Hard
- Vertical die stacking via TSVs: Thousands of copper vias pass through thinned silicon dies (~50 µm thick) to connect vertically stacked layers
- No inter-layer probing possible: Physical access to buried TSV signals requires FIB cross-section of the entire stack - destructive and irreversible
- Unique vulnerability: TSV-induced stress can create timing variations exploitable via power analysis, but this requires on-chip measurement access
Era 15: Hybrid Bonding / Direct Cu-Cu - ~2023 to Present
Package Types: SoIC (TSMC), Foveros Direct (Intel), Cu-Cu direct bond
Hybrid bonding eliminates solder balls entirely - copper pads bond directly to copper pads at sub-micron pitch (~1 µm vs 40–100 µm for micro-bumps). TSMC's SoIC and Sony's stacked CMOS image sensors are production examples.
Hybrid bonding - copper pads bond directly to copper pads at <1 µm pitch. No solder, no bumps, no mechanical probe access possible. (Brewer Science / Semiconductor Engineering)
Attack Surface: Extremely Hard
- No solder joints: Nothing to reball, reflow, or probe mechanically
- <1 µm bond pitch: Below the resolution of any conventional probing tool
- Monolithic-like behavior: The bonded stack behaves electrically like a single die - fault isolation becomes near impossible
Era 16: Glass Substrate Packaging - ~2026 to Future
Package Types: Glass core substrate with EMIB, CoWoS-on-Glass
Intel presented its first thick-core glass substrate with EMIB bridges at IMAPS 2025. The substrate supports ~1,716 mm² silicon area - roughly 2× a reticle - enabling massive chiplet integration. AMD reportedly evaluating glass substrates for Zen 6 / CDNA 5 (2026).1213
Intel highlighted zero SeWaRe (micro-cracking) issues during testing - a key manufacturability milestone. Glass substrates offer 50% lower line/space compared to organic substrates, enabling ~10× denser routing for multi-chiplet AI packages.1413
Intel glass substrate test chip - ultra-flat, ultra-dense routing, zero established attack playbook. (Intel / BusinessWire, 2023)
Attack Surface: Research Level
- No established attack toolkit: No published papers yet on fault injection, probing, or side-channel attacks targeting glass substrate packages
- Ultra-dense RDL: Routing density makes even X-ray tomography interpretation extremely difficult
- Thermal properties: Glass's low thermal conductivity changes power side-channel signatures compared to organic substrates - existing SCA models need revalidation
Attack Technique Reference
Package type tells you what you can reach. This section covers what to do when you get there. These techniques span multiple packaging eras and are often independent of package type.
Voltage Glitching
A momentary voltage drop or spike on the VCC supply rail causes the CPU to mis-execute an instruction - skipping a branch, corrupting a comparison result, or fetching garbage. This is the most accessible fault injection technique:
- How it works: A crowbar circuit (MOSFET + capacitor) or dedicated glitcher (ChipWhisperer, PicoEMP) pulls VCC low for 1–50 ns
- Common targets: STM32 RDP (Readout Protection) bypass, ESP32 secure boot, nRF52 debug lock bypass
- Cost: $50 ChipWhisperer Nano to $500 ChipWhisperer Pro
- Package dependency: None - works from DIP to WLCSP as long as you can access the power pin
Clock Glitching
Injecting a rogue clock pulse (extra or missing edge) causes setup/hold time violations, corrupting register state at a precise moment in execution.
- How it works: A glitcher briefly substitutes the chip's clock with a manipulated signal - an extra pulse, a missing pulse, or a short pulse
- Common targets: Microcontrollers with external crystal oscillators, FPGAs, cryptographic co-processors
- Package dependency: Requires access to the clock pin - easier on DIP/QFP, harder on BGA without PCB rework
Power Analysis: SPA and DPA
Side-channel attacks that extract secret keys by measuring the chip's power consumption during cryptographic operations. Introduced by Kocher, Jaffe, and Jun in their landmark 1999 paper.15
- Simple Power Analysis (SPA): A single power trace visually reveals algorithm structure - a square-and-multiply RSA implementation leaks the private key exponent bit-by-bit
- Differential Power Analysis (DPA): Statistical analysis of thousands of power traces isolates key-dependent variations even in noise - defeats software countermeasures that SPA cannot
- Setup: Current-sense resistor (0.5–5 Ω) in series with VCC, oscilloscope or ChipWhisperer ADC
- Package dependency: None in principle - requires access to the power supply line, not the die surface
- Defeated by: Randomized masking, power line filtering, dual-rail logic - standard in smartcard ICs, not standard in generic MCUs
EM Side-Channel Analysis (EMA/DEMA)
Passive near-field electromagnetic probing to measure current variations in on-chip conductors - functionally equivalent to DPA but conducted through the air.
- Advantage over power analysis: No physical modification of the target circuit needed; works through PCB, enclosures, and even potting compound (with reduced SNR)
- Near-field probe: A small hand-wound coil (2–5 mm diameter) or commercial EM probe placed directly over the chip
- DEMA (Differential EM Analysis): Statistical treatment identical to DPA - used when power line access is impossible
- Package dependency: Works on any package. WLCSP and bare-die provide best SNR; BGA and SiP have lower SNR but remain exploitable
Laser Fault Injection (LFI)
A focused laser pulse induces a local photoelectric current in the silicon, flipping a bit or causing a gate to mis-fire at a precise spatial location and precise timing.
- Frontside LFI: Requires decapsulation to reach the active silicon surface through the passivation layers
- Backside LFI: Infrared laser (1064 nm or 1340 nm) penetrates silicon from the backside - effective without decapsulation on thinned dies or WLCSP (backside exposed)
- Precision: Sub-micron spatial resolution with a good optical bench; can target a single flip-flop
- Cost: $50k–$200k for a full laser bench
- Package dependency: WLCSP and backside-thinned dies are ideal; standard BGA/QFN requires decapsulation first
Decapsulation
Removing the package to expose the bare die for microprobing, SEM inspection, or LFI. The technique depends on package material:
| Package Material | Decap Method | Risk |
|---|---|---|
| Epoxy molding compound (plastic) | Fuming nitric acid (wet chemical) | Damages bond wires if over-etched |
| COB blob epoxy | Acetone or nitric acid | Low - bonds survive well |
| Ceramic (military/space) | Mechanical lid removal | Low - hermetic seal lid lifts off |
| SiP mold compound | Plasma etching (O₂/CF₄) | High - inner die damage risk |
| Underfilled FC-BGA | Mechanical + plasma | Very high - underfill bonds to die face |
Wet chemical procedure: Fuming nitric acid (>90% HNO₃) is dispensed dropwise on the package surface, dissolving the epoxy mold compound while leaving aluminum bond wires and silicon intact. Temperature control is critical - 60–80°C accelerates etching without damaging metal layers.
FIB Microprobing
Focused Ion Beam (FIB) systems mill material with gallium ions and image with secondary electrons (SEM mode). In hardware attack contexts:
- Depassivation: Mill through the SiO₂ passivation layer over a specific metal trace to expose it for probing
- Circuit edit: Sever a wire (e.g., disable a fuse-blown debug lock bit) or add a new connection
- Probe landing: Tungsten microprobe needles land on the exposed metal and connect to an oscilloscope or pattern generator
- Cost: $500k–$2M per system; available at university labs and commercial RE firms
- Active shield bypass: Smartcard active mesh can be circumvented by approaching from the substrate backside (post thinning) or by carefully editing the mesh locally
Anti-Tamper Countermeasures
Modern secure ICs and HSMs implement physical security at the packaging level, not just in software. Understanding what defenders do is essential for evaluating which attacks remain viable.
Active Mesh Shield
A top-metal serpentine conductor covering the entire die surface, monitored by dedicated tamper-detection logic. Any probe needle that penetrates the passivation shorts or opens the mesh, triggering:
- Immediate key erasure (zeroization) from volatile memory
- Irreversible locking of NVM
- Alert flag set in tamper log
Bypass approaches: FIB circuit edit to bridge around the mesh locally; substrate backside approach (mesh is on the frontside only); EM/power analysis (passive, non-invasive - mesh is irrelevant).
Epoxy Potting
Common in HSMs, payment terminals, and military electronics. The PCB and all chips are encapsulated in an epoxy compound.
- Soft potting: Removable with solvents (acetone, MEK) - common in commodity devices
- Hard epoxy: Requires mechanical grinding or acid - high risk of destroying the target
- Loaded epoxy: Particles (metal powder, glass beads) embedded in the compound to accelerate drill bits or cause sparks that destroy the circuit during unauthorized access
Zeroization Circuits
Battery-backed SRAM stores cryptographic keys. Tamper sensors (voltage monitors, light detectors, temperature sensors, mesh monitors) connect to a discharge circuit that shorts the SRAM power supply on trigger. Used in: FIPS 140-2 Level 3+ HSMs, NSA Type 1 crypto equipment, payment terminal HSMs (PCI PTS compliance).
Environmental Sensors
On-die sensors detect attack conditions:
| Sensor | Attack Detected |
|---|---|
| Voltage monitor | Glitching, underpowering |
| Clock monitor | Clock glitching, frequency manipulation |
| Temperature sensor | Freeze attacks (DRAM cold boot), overheating |
| Light sensor | Decapsulation under illumination |
| Frequency sensor | EM fault injection pulse detection |
Package-Level Shielding (EMI Cans)
RF cans soldered over sensitive circuits (common in cellular modems, Wi-Fi SoCs, payment terminals) serve dual purposes: EMI compliance and partial side-channel reduction. They do not prevent power analysis but substantially reduce EM probe SNR.
Lab Equipment Reference
Hardware security research spans a wide cost range. This table maps capability to realistic budget:
| Budget | Equipment | Capabilities |
|---|---|---|
| $100–$500 | ChipWhisperer Nano, Bus Pirate, cheap hot air | Voltage glitching, power analysis (basic), UART/JTAG, SOIC chip removal |
| $500–$2k | ChipWhisperer Lite/Pro, Saleae Logic 16, rework station | Full SPA/DPA, clock glitching, BGA reballing, EM probing (DIY coil) |
| $2k–$10k | Langer EM probe set, oscilloscope (1 GHz+), X-ray inspection | DEMA, passive EM monitoring, BGA solder inspection, COB decap setup |
| $10k–$50k | Riscure FaultPro / Inspector, professional EM probes, micro-manipulator | Automated fault injection campaigns, precision probing, FIB prep work |
| $50k–$200k | Laser fault injection bench, SEM | Backside LFI, die imaging, depassivation inspection |
| $500k+ | FIB/SEM system, TEM prep station | Microprobing, circuit edit, cross-section analysis, bond wire probing |
Summary Table (Corrected & Validated)
| Era | Technology | Packages | Difficulty | Key Attack / Barrier |
|---|---|---|---|---|
| 1960–1990 | THT | DIP, SIP | 🟢 Very Easy | Direct probing, logic analyzer, EPROM dumping |
| 1970–Present | COB / PGA | Blob-top, PGA | 🟢 Easy | Acid decap exposes die; PGA = DIP-equivalent access |
| 1980–1998 | Early SMT | SOIC, QFP | 🟢 Easy | Hot air rework, JTAG exposed, SOIC clip reads |
| 1985–Present | Smartcard / SE | ISO 7816, eSIM, SE | 🟠 Hard (by design) | Active mesh, DPA countermeasures, zeroization |
| 2000–2012 | Fine Pitch SMT | QFN, LQFP | 🟡 Moderate | PCB test points, JTAG still present |
| 1996–Present | BGA (conventional) | BGA, FBGA | 🟠 Hard | Reballing, X-ray, eMMC direct read techniques |
| 1996–Present | Flip-Chip BGA | FC-BGA | 🟠 Hard | Underfill prevents removal; die face buried; backside LFI possible |
| 2004–Present | LGA | LGA775–LGA1700 | 🟡 Moderate | Socket interposer enables full bus access; no pin damage risk |
| 2006–Present | Package on Package | PoP, fPoP | 🟠 Hard | PoP top removable for LPDDR chip-off; memory bus exposed between packages |
| 2000–Present | WLCSP | WLCSP | 🟠 Hard + ⚠️ BBI | Tiny bumps hard to probe, BUT backside open to BBI/laser |
| 2002–Present | SiP | SiP modules | 🟠 Hard | Chemical decap, no inter-die signal access |
| 2016–Present | FOWLP | InFO, eWLB | 🔴 Hard | RDL buried, ultra-thin, no probe points |
| 2012–Present | 2.5D Interposer | CoWoS, EMIB | 🔴 Very Hard | CT scan to map, inter-die bus inaccessible |
| 2019–Present | Chiplet | Multi-die | 🔴 Very Hard | Malicious chiplet insertion, HW Trojan on shared bus |
| 2015–Present | 3D IC / TSV | HBM, TSV | 🔴 Extremely Hard | FIB cross-section only, destructive |
| 2023–Present | Hybrid Bonding | Cu-Cu direct | 🔴 Extremely Hard | No solder, <1 µm pitch, monolithic behavior |
| 2026–Future | Glass Substrate | Glass core + EMIB | 🔷 Research Level | No established attack framework yet |
Key
- Wang, H. et al. - "Probing Attacks on Integrated Circuits: Challenges and Research Opportunities" - IEEE Design & Test, 2017 [doi:10.1109] - cited 142 times2
- O'Flynn, C. - "Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices" - CARDIS 20206
- O'Flynn, C. - "IC Packaging and Security: Do They Affect One Another?" - Circuit Cellar, 20215
- Suzano, J. et al. - "On Hardware Security and Trust for Chiplet-Based 2.5D and 3D ICs" - IEEE Transactions on VLSI, 2024 - cited 19 times9
- IEEE Xplore - "Fault Injection Attacks Exploiting High Voltage Pulsing over Si-Substrate Backside" - 20247
- Ziade, H. et al. - "A Survey on Fault Injection Techniques" - IAJIT - cited 433 times16
- Intel - "Glass Substrate for Next Gen Advanced Chip Packaging" - IMAPS 2025 / Design Reuse14
- Intel - "Thick-Core Glass Substrate with EMIB" - TrendForce, January 202613
- AMD Glass Substrate roadmap reporting - Tom's Hardware, July 202412
- SemiEngineering - "Challenges and Innovations of HW Security for Chiplet-Based 2.5D and 3D ICs" - 202410
- Kocher, P., Jaffe, J., Jun, B. - "Differential Power Analysis" - CRYPTO 199915
All technical claims in this blog are backed by peer-reviewed IEEE publications, CARDIS security conference papers, and industry-verified packaging roadmap data. Zero fabricated references.
⁂
Footnotes
-
https://semiwiki.com/semiconductor-services/308968-semiconductor-packaging-history-primer/ ↩
-
https://tehranipoor.ece.ufl.edu/wp-content/uploads/2021/07/2017-DT-Probe.pdf ↩ ↩2 ↩3
-
https://www.fastturnpcbs.com/blog/development-of-surface-mounting-technology/ ↩
-
https://resources.pcb.cadence.com/blog/2023-the-evolution-of-ic-packaging ↩ ↩2
-
https://circuitcellar.com/research-design-hub/ic-packaging-and-security-do-they-affect-one-another/ ↩ ↩2
-
https://cardis2020.its.uni-luebeck.de/files/CARDIS2020_OFlynn_LowCostBodyBiasedInjectionAttacks_paper.pdf ↩ ↩2
-
https://www.scribd.com/document/898661381/On-Hardware-Security-and-Trust-for-Chiplet-Based-2-5D-and-3D-ICs-Challenges-and-Innovations ↩ ↩2 ↩3 ↩4 ↩5
-
https://semiengineering.com/challenges-and-innovations-of-hw-security-and-trust-for-chiplet-based-2-5d-and-3d-ics/ ↩ ↩2
-
https://www.tomshardware.com/tech-industry/amd-is-reportedly-set-to-use-glass-substrates-for-cpus-between-2025-and-2026 ↩ ↩2
-
https://www.trendforce.com/news/2026/01/26/news-intel-reportedly-presents-first-chuck-core-glass-substrate-with-emib-targeting-ai-data-centers/ ↩ ↩2 ↩3
-
https://www.design-reuse.com/news/14883-intel-develops-glass-substrate-for-next-gen-advanced-chip-packaging-needs/ ↩ ↩2
-
https://tspasemiconductor.substack.com/p/semiconductor-ic-testing-a-comprehensive ↩
-
https://www.semanticscholar.org/paper/On-Hardware-Security-and-Trust-for-Chiplet-Based-3D-Juan-Fady/2eeea7b60d744eaca47d6a25e74d0fff14c1bf7d ↩