Malicious high voltage protection

Hi,

A part client floated an RFQ by me for comments before sending it out for bid (I'm not interested in the job).

One aspect that caught my attention was the potential for malicious "subversion" of the device by manipulating the (unprotected) inputs. I.e., an "adversary" could (easily) gain physical access to the (digital) inputs and try to "confuse" the device (by presenting conditions that the device shouldn't encounter in normal operation).

I can advise him of this vulnerability and mechanisms to detect/protect against that subversion.

But, an adversary can also choose to destructively attack the device -- e.g., connecting a hand-held tesla coil to the digital I/O's (singly OR in groups!)

I've designed devices that deliberately "fail" under such assaults by leaving the input "nonfunctional". In my cases, I don't even care that the input is "dead" -- unless someone needs it to be "un-dead"!

But, in his case, he either needs the input to be robust/resilient (recovering when the assault is over) *or* an INDICATION that it has failed -- so he can decide whether or not it needs to be repaired, soon.

Assume each input is a pair of conductors that are shorted (or opened) to signal the events of interest. Assume they are low frequency (~10 Hz). Low power and low cost (always!) are the only other prerequisites.

What can I point him at? I.e., is this a reasonable criteria for him to include in the RFQ? Or, should he just see what bidders have to say (and hope some notice the vulnerability and offer good suggestions)?

Thanx!

--don

Don Y

If you only need to detect a closed contact, you may be able to put a high impedance between the user terminal and the sensitive circuitry. Perhaps a high value, high voltage resistor (3.5kV are fairly cheap), or a Y-capacitor if you sense the continuity with AC. Obviously after the resistor (near the sensitive circuitry) you want a clamp like a TVS etc. and another small resistor before the micro pins.

As well as putting a high impedance in series, you could put the thing in a metal box, and make sure the metal terminals are close enough to the box metalwork that the air gap will break down before the series resistors do. That way, if they do damage it with high voltage, it would have to be in the manner of melting the box with an arc welder. I expect there is limited pay-off in protecting it any more than that.

When I was young, the naughty kids would get piezo gas lighters (the big wand-shaped ones you'd use for a stove or BBQ) and expose the inner electrode to make a makeshift ESD gun. They would use these to zap the coin slots on arcade machines, to try to get free games.

Chris Jones

I had thought of transformer coupling the input (i.e., two "floating" conductors) and driving from the "inside" of the coil (sensing the reflected impedance of an open vs short). This would protect the return path, as well (adversary couldn't "bump ground"). I suppose that would still work with some large resistance in series -- depending on how finely he could resolve the excitation current.

This is "field" wiring; hard to imagine he'd be practically able to armor the entire runs. I.e., any protection would have to be at the device end of the run (assume the device itself is secured).

Yes, a friend used to call from abroad (Europe?) and his phone call was limited (in duration) to how long he could keep flicking his lighter (I guess it would crash the MCU in the phone? leaving the line intact).

Such attacks can be thwarted by simply denying the attacker ANYTHING. I.e., cause the arcade game to do a hard reset. Or, the phone to drop the connection (unless the MCU tells it to keep the connection alive -- which it can't do if it is crashing!)

Bottom line, it's not an unreasonable thing for me to suggest he add to his RFQ (as it represents a potential vulnerability). Just let their proposals suggest ways of meeting that goal...

Thanks!

--don

Don Y

If you are protecting with high resistance in series, no need to protect the ground with a transformer. That can also have a high resistance. But you need a separate ground for each switched input.

The other end of the resistor simply needs a zener or other voltage limiting device and you are done.

But a spark gap would be useful to protect the protection resistors. I think these can be bought as specified devices. I've seen them in monitors and small TVs.

No, it might be very useful.

--

Rick
rickman

Can the usual startup self test routine simply be repeated whenever the thing is idle - would that do it? Adding trs if necessary to toggle the inputs.

NT

tabbypurr

Late-model Simpson VOMs were equipped with an overload button; if one over-stressed the box, a (presumably magnetic) protection relay tripped and a yellow reset button popped up. Nothing worked until you manually reset (pushed the yellow button down). It's hard to generalize this to a fancy interface, but for two or four wires, it'd be an option. One still needs a few milliseconds of other protection components, but this would keep those from overheating.

whit3rd

Sounds like it should be in the RFQ as a *requirement*.

It should not be too difficult to protect against that kind of an attack- it's likely no worse than some conditions that happen naturally in process control (lightning strikes, RFI etc.) but I would expect it to cost somewhat more in parts and engineering, and it might take a bit more expertise than average.

--sp

--
Best regards,
Spehro Pefhany
Amazon link for AoE 3rd Edition: http://tinyurl.com/ntrpwu8
Spehro Pefhany

Yes, I have a couple of 260's with the reset button, lovely meters.

Jamie

M Philbrook

build a test mode in and run a periodic test forcing the input open and then closed.

eg use photo transistor opto isolators so you've got three phototransistors: one normally closed to pass the input signal inwards, one normally open to provide the test signal, and one feeding the signal through to the processor.

disconnect the input, check that it reads open; short the input, check that it reads closed; read the input; repeat at 10Hz or faster.

how often is the customer wrong?

feels like it would add a buck or two for each input plus a couple of hours coding time.

--
Jasen Betts
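The test-mode sequence Jasen describes (isolate the field loop, expect open; apply the test short, expect closed; then read the real contact), written out as an added example that is not code from the original thread. The three hook functions stand for the three opto-couplers and are assumptions, as is the simulated channel with injected damage used to show what a dead input looks like to the firmware.

```c
#include <stdbool.h>

typedef enum { INPUT_OK, INPUT_STUCK_OPEN, INPUT_STUCK_CLOSED } input_health_t; /* self-test verdict */
/* Hooks for the three opto-couplers per channel; real firmware would drive
 * GPIO pins here. The hook names are assumptions, not a real API. */
typedef struct {
    void (*connect_field)(void *hw, bool on); /* series opto: pass field loop inward */
    void (*force_short)(void *hw, bool on);   /* test opto: short the inner side */
    bool (*sense)(void *hw);                  /* sense opto: true = reads closed */
    void *hw;
} input_channel_t;
/* Isolate from the field, expect open; apply the test short, expect closed. */
input_health_t input_self_test(const input_channel_t *ch) {
    input_health_t h = INPUT_OK;
    ch->connect_field(ch->hw, false);
    ch->force_short(ch->hw, false);
    if (ch->sense(ch->hw)) h = INPUT_STUCK_CLOSED;
    else {
        ch->force_short(ch->hw, true);
        if (!ch->sense(ch->hw)) h = INPUT_STUCK_OPEN;
    }
    ch->force_short(ch->hw, false);  /* always restore normal wiring */
    ch->connect_field(ch->hw, true);
    return h;
}
/* One poll tick (10 Hz or faster): self-test first, then read the contact. */
typedef struct { input_health_t health; bool closed; } input_sample_t;
input_sample_t input_poll(const input_channel_t *ch) {
    input_sample_t s = { input_self_test(ch), false };
    if (s.health == INPUT_OK) s.closed = ch->sense(ch->hw);
    return s;
}

/* Constructed simulation of a channel with fault injection (not hardware). */
typedef struct {
    bool contact_closed, field_on, short_on; /* real contact and opto drive states */
    bool dead_open, dead_shorted;            /* injected damage to the sense path */
} sim_input_t;
static void sim_connect(void *p, bool on) { ((sim_input_t *)p)->field_on = on; }
static void sim_short(void *p, bool on) { ((sim_input_t *)p)->short_on = on; }
static bool sim_sense(void *p) {
    const sim_input_t *s = p;
    if (s->dead_open) return false;
    if (s->dead_shorted) return true;
    return s->short_on || (s->field_on && s->contact_closed);
}
input_channel_t sim_channel(sim_input_t *s) {
    input_channel_t ch = { sim_connect, sim_short, sim_sense, s };
    return ch;
}
```

A channel whose health is anything other than INPUT_OK is exactly the "indication that it has failed" the RFQ asks for; the reading is withheld rather than trusted.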

if the adversary cuts the conductors and connects a counterfeit input device how can that be detected?

if he can't be absolutely certain the input is correctly wired there's no need to be certain that it's working correctly.

one solution is tamper resistant sensors and encrypted signalling,

--
Jasen Betts
