Medical devices, utility meters and many other types of enclosed electronic systems require a robust means to detect unauthorized tampering, and to protect the system and its data if tampering occurs. In medical devices, impaired performance resulting from a tampering event could cause serious harm to patients. In utility meters, tampering could be a fraudulent act leading to a loss of revenue to the utility company. A robust, permanent means of detecting tampering is therefore of critical importance in some product designs.
In evaluating the possible methods for implementing tamper detection, there are, as always, multiple design considerations to take into account. These include:
- the assembly process
- non-destructive or destructive operation
- passive or active detection
- mechanical or solid-state technology
Inevitably some choices have to be traded off against others. In the past two years, however, the very widespread adoption of infrared (IR) proximity sensing in mobile phone handsets has led to greater availability of proximity sensing modules, along with valuable improvements in performance characteristics such as lower power consumption and rejection of optical cross-talk.
This has made an integrated IR sensor module a more attractive option for tamper detection than ever before. This article compares the attributes of an IR-based solution with those of older device types, and outlines the steps involved in implementing a tamper detection circuit using a commercial off-the-shelf IR sensor module.
Conventional methods of tamper detection
At its simplest, an anti-tampering solution may be constructed with a strip of conductive material which, when intact, completes an electrical circuit. Opening the cover of the device to be protected breaks the strip apart, creating an open circuit. Via an analog-to-digital converter (ADC) the host controller can detect the open circuit and register a tampering event.
This method is simple and inexpensive, but destructive. After the cover is replaced in position, the anti-tamper mechanism remains broken, so no further tampering events can be detected. In most products, such a one-time-only detection mechanism will be inadequate.
A non-destructive alternative might use an ordinary electro-mechanical switch. Here, the host controller would monitor a GPIO or ADC input connected to the switch. If the enclosure were opened then the controller would determine that the switch had toggled. An advantage of this system over the destructive method is that the enclosure could be reassembled after the cover was removed or tampered with, and the switch reset to the default state.
The main drawback of using a mechanical switch is its susceptibility to oxidation and corrosion in the presence of atmospheric oxygen and humidity. Over time, corrosion can cause metal switches to become stuck in one position, failing to switch when the cover is moved. Especially in products such as utility meters that are expected to have an operating lifetime lasting many years, the use of mechanical switches is therefore inadvisable.
The use of solid-state technology, however, enables the implementation of a tamper detection circuit which is both permanently immune to corrosion, and non-destructive. Figure 1 illustrates such a solution, based on an IR LED emitter and photodiode detector.
When the base and cover pieces are assembled in place, a reflective tab or other obstruction on the cover overlays the photodiode detector. The proximity sensor in the base will regularly light up to check if the cover is still in place. If the photodiode detects that the intensity of light reflected from the LED is above a certain threshold value, it indicates that the cover is in place.
When the cover is moved, the intensity of light incident on the photodiode will drop dramatically, enabling the sensor to register a potential tampering event. This method is non-destructive: the IR LED and photodiode are mounted in the base, and operate continuously provided they remain connected to the system’s power supply, whether the cover is in place or has been moved.
The mechanical design and assembly of this solution are simple, since it only requires circuitry in the base, and none in the cover. This is in contrast with an alternative non-contacting detection method using a magnetic switch, which requires a permanent magnet to be mounted in the cover, aligned with the switch in the base. Here, moving the cover weakens the magnetic field to which the switch is exposed, triggering an alert. This magnetic method is more complicated to assemble and is at risk of interference from stray magnetic fields.
In the IR sensor circuit, it is helpful to modulate the pulse emitted by the IR LED. The photodiode may be configured to recognize the LED’s special modulation scheme. This enables the photodiode to distinguish light emitted by the LED from ambient IR light sources such as sunlight, and thus avoid the risk of failing to detect a tampering event because of optical interference from ambient light. Such an active tamper detection mechanism also adds another layer of difficulty for any would-be tamperer, since the sensor cannot be defeated simply by illuminating it with light from a standard IR light source.
A non-destructive, active tamper detection system can be realised with an integrated proximity sensor module such as the TMD2620 from ams AG. This module combines both the IR diode emitter and the photodiode detector in a single package (see figure 2).
Similar proximity modules are used in the backlight dimming control circuits found in many smartphone displays. In smartphones, the proximity sensor enables the system to dim the display when the handset approaches the user’s face during voice calls, thereby saving power, preventing stray light from shining into the user’s eyes, and disabling the screen’s touch sensor. Because proximity modules are so widely used in the high-volume smartphone market, their cost has fallen markedly in recent years. The latest sensor modules also offer much lower average power consumption than earlier models.
The TMD2620 module measures 3.1 mm x 2 mm x 1 mm and includes an I2C interface for communication with almost any microcontroller. The LED’s pulse output may be configured with various polling and timing patterns and frequencies.
An advantage of using a module rather than a discrete LED and photodiode is that the ams package provides optimized optical pathways that keep crosstalk – due to internal reflection from the cover glass over the LED back to the photodiode – to very low levels. Figure 3 shows various optical reflections that can affect the operation of a proximity sensor.
The IR module-based design described above, then, has a long expected operating lifetime, and will be untroubled by the risk of corrosion and failure to which mechanical switches are liable. Ready-made proximity modules make for a quicker time-to-market and are simpler to implement than a discrete design.
Of course, one advantage of a mechanical switch-based circuit, or the strip of conductive material, is their ease of implementation. Can the same be said of an IR proximity sensing solution?
Shown below is pseudo-code that could be run by the system host microcontroller for configuring the TMD2620 module’s internal registers. This indicates the scope of the coding required to get a TMD2620-based tamper-detection system up and running.
Sample code for host microcontroller for a tamper-detection application Configuration via I2C interface Write 0x80 0x01 // turn on device // set proximity parameters Write 0x8e 0x00 // Use 4µs pulses with 1 pulse per pulse train Write 0x8f 0xc0 // set proximity gain=8x, LED drive current=6mA // set wait time to 8.65s Write 0x8d 0x84 // Set wait time cycle length Write 0x83 0xff // Set wait time to maximum number of cycles // (total wait time between readings = 8.65s) // configure interrupts Write 0xdd 0x20 // Enable proximity interrupt Write 0x88 0x8f // Set low threshold. Interrupt pin will be asserted when prox // reading goes below 0x8f in this example. Write 0x8a 0xff // proximity high interrupt threshold Write 0x8c 0xf0 // Proximity interrupt persistence: // interrupt will fire after 15 consecutive prox values outside the range // begin proximity operation Write 0x80 0x0d // enable wait, prox detection Inside the Interrupt Service Routine: Read 0x9c // gives proximity data ________________________
The first step is for the MCU to enable the proximity sensor by writing to the Enable register (0x80). Enabling the device means that the IR LED can begin to emit IR pulses in synchronization with the photodiode IR detector.
Light intensity measurements from the photodiode are converted to digital values by an ADC in the TMD2620. These readings are integrated over time. If the integrated values exceed certain thresholds over a given period, then the base and the cover of the housing are determined to be in close proximity to each other, indicating that there has been no tampering.
The system’s power consumption is proportional to the frequency with which the IR LED emits light. In the example code below, the wait time registers are set by the host microcontroller to 8.65s: a proximity reading is performed every 8.65s (the maximum possible interval), a frequency which will be adequate in many applications, since it assumes that no-one tampering with the product would remove the cover for a period shorter than 8.65s.
The TMD2620 includes a proximity interrupt bit which is asserted when an object in close proximity is detected. The lower and upper proximity thresholds are set by registers 0x88 and 0x8A respectively.
The persistence filtering register (0x8C) allows interrupts to be generated only after a certain number of successive reads above the desired thresholds have occurred. The Status register (0x93) contains the proximity interrupt (bit 5). This bit is asserted when an object in proximity to the module is sensed. The interrupt bit can be configured so it is automatically cleared whenever a reading of the Status register is performed.
The system MCU would typically run an interrupt service routine (ISR) whenever the proximity interrupt is asserted. The ISR would then check the Proximity Data register (0x9C) to see if the integration value is indicating a large value (meaning the base and cover are still attached). On the other hand, a small data value indicates that the base and cover have become separated from each other, in other words that a tampering event might have occurred.
The MCU could record the time stamp showing when the tampering event occurred, and measure its duration. The proximity interrupt is a convenient feature, since it relieves the MCU of the need to manage the process of polling the sensor. The proximity interrupt is another way that the TMD2620 simplifies the operation of the host controller.
In the configuration described, the LED will draw 6 mA for a period of 4 µs at intervals of 8.65s. This yields an average current draw of 2.77 nA for the IR LED. The module as a whole typically draws around 30 µA when Power On is asserted, and somewhat more when reading data.
Tamper detection using an IR LED proximity module is mechanically simple to implement, as it only affects one side of the end product’s housing. The IR LED proximity module also offers the benefits of non-destructive operation, immunity to corrosion, and support for active monitoring.
The modulation of the IR LED’s output removes the risk of interference from ambient light, and results in permanent, reliable and robust detection of all separations of the cover from the base.
About the Author
Jim Archibald manages a US-based team of Field Applications Engineers for ams AG. He has held development and engineering management positions in hardware design as well as digital signal processing, marketing, and sales. Jim holds a Masters Degree in Electrical Engineering from Purdue University and is a licensed professional engineer (PE). He holds eight US patents for technology inventions. You can contact him via email at [email protected].