We’ve been asked several times to highlight how we protect against the kind of in-transit modifying that have been performed on other products in the past.
Many of our security features are good mitigation to this kind of interference in a general sense. The security mesh, for example, prevents things such as physical replacement of SPI flash (where BIOS is stored) or any other component for that matter. The one component that could theoretically be replaced to get around the tamper protection is the secure microcontroller itself, so we’ve designed the following:
In this way, if the unit is intercepted mid-shipment, it cannot be replaced with a dummy unit that can emulate the same behavior as the attacker will not know either the PIN or the ORWL ID. Further, the keyfob is still unpaired at this point. The pairing mechanism makes use of proper banking encryption running in a JavaCard OS on the keyfob (from G & D). The pairing applet must be a signed genuine app from Design SHIFT in order for the pairing process to proceed. So replacing a keyfob during shipment will also not create an opening.