Background Art Security of electronic information is a paramount issue in many circumstances for reasons including preservation of privacy, security of confidential information and prevention of fraud. Thus, many electronic devices incorporate security measures to prevent unauthorised access to data processed, stored or communicated by electronic devices.

An example of a device that may require such security measures is one including a keypad for entering pin numbers. Typically a keypad will include a plurality of column conductors, with each conductor corresponding to a single column, and a plurality of row conductors, with each conductor corresponding to a single row. The action of depressing a key causes a connection in a row conductor and a column conductor. This combination of row and column allow a processor in the system to identify the key being pressed.

Unauthorised acquisition of data entered into these keypads is possible by various methods. One such method involves monitoring of the electromagnetic radiation emitted by keypads when a key is in the depressed state. In keypads relying on a combination of row and column conductors to identify which key has been actuated, the keypad produces radiation with unique characteristics depending on the key actuated. In this way the key being depressed may be monitored without a physical connection to any part of the keyboard.

A limitation of this technique is the need to establish a background pattern of radiation to compare the emission associated with a specific key press with.

Randomising the scanning of the keyboard can prevent meaningful background radiation readings from being taken. This approach is described in the specification of United States Patent No. 5,025,255. However, if physical access is gained to the keyboard then more direct methods may be used to record data entered through the keypad. A disadvantage of keypads having column and row conductors is that the act of scanning any single key also conveys information to attackers on the state of other keys, simplifying their task in identifying key actuation. Therefore precautions must be taken against successful physical access to the keypad hardware. These precautions typically require complex and expensive systems which substantially increase the cost of devices requiring this level of security.

Another form of attack on the security of information within an electronic device involves directly accessing the components that contain the confidential information.

Although some chips are available with security measures to prevent access to the information by attackers, these may be anticipated by an attacker and thus additional security measures may be required to increase the burden in obtaining this information to such an extent so as to not make the attempt to secure the information worthwhile.

However, in today's competitive markets, these security measures typically must not contribute greatly to the cost of the device.

It is thus an object of a preferred embodiment of the invention to provide a method and apparatus for securing electronic information stored within, communicated to or from, and/or entered into a device which will overcome or at least ameliorate problems with such apparatus and methods at present, by providing cost effective security measures to increase the burden on unauthorised persons to obtain access to electronic information. A further or alternative object of the present invention is to at least provide the public with a useful alternative.

Further objects of the present invention may become apparent from the following description.

Any discussion of the prior art throughout the specification should in no way be considered as an admission that such prior art is widely known or forms part of common general knowledge in the field.

Disclosure of the Invention According to one aspect of the present invention, there is provided security apparatus for one or more electronic devices that in use may contain or communicate information in electronic form, the apparatus including at least one conductor resiliently secured to a potential access site to the one or more devices by a fixing means so that it cannot be easily removed from the access site without being severed, a detection means to detect severance of the conductor or one or more of the conductors and a security means that is enabled upon detection of the severance of the conductor or one or more of the conductors if there is more than one.

Preferably, the security means may be enabled if any one of the conductors is severed.

Preferably, the or each conductor may be substantially randomly distributed throughout the potential access site.

Preferably, the at least one conductor may be located within a resilient plastics or resin material.

Preferably, the plastics or resin material may be opaque.

Preferably, the at least one conductor may be located and secured so as to overlay both the device and the detection means.

Preferably, at least one conductor may be secured to both sides of the device and the detection means.

Preferably, at least one conductor may be secured to an inside surface of a case containing the device.

Preferably, the security means may include the automatic erasure of an electrically erasable programmable device.

According to another aspect of the present invention, there is provided a method of preventing access to information contained within or communicated by an electronic device, the method including resiliently securing at least one conductor to a potential access site to the device, providing a detection means for detecting severing of the or one or more of the conductors and providing means for implementing a security means on detection of the severance of one or more of the conductors.

Preferably, the method may include providing means for implementing a security means that implements the security means if any one of the conductors is severed.

Preferably, the method may include distributing the one or more conductors substantially randomly throughout the access site.

Preferably, the method may include locating the one or more conductors within a resilient plastics or resin material.

Preferably, the method may include locating and securing the or each conductor so as to overlay the device and the detection means.

Preferably, the security means may include the automatic erasure of an electrically erasable programmable read only device.

According to another aspect of the present invention, there is provided apparatus for interrogating a plurality of inputs to determine whether any of the inputs have been actuated, the apparatus including: interrogation means in independent communication with each of a plurality of inputs, wherein the interrogation means communicates with each key through a separate communication channel and wherein the interrogation means detects an actuation signal indicative of an actuation of an input through its respective communication channel; signal generation means in independent communication with each communication channel, the signal generation means suitable for generating a simulation signal that simulates the actuation signal in each communication channel;

processing means programmed to randomly or quasi-randomly select a communication channel and to either control the interrogation means to interrogate the selected channel or control the signal generation means to generate the simulation signal in the selected channel, wherein the processing means is further programmed to select between the interrogation means and the signal generation means on a random or quasi-random basis.

Preferably, the interrogation means and signal generation means may be located within a single electronic device.

Preferably, the interrogation means and signal generation means may be located within a single chip, wherein each communication channel is connected to an input/output pin of the chip.

According to another aspect of the present invention, there is provided apparatus for interrogating a plurality of inputs to determine whether any of the inputs have been actuated, the apparatus including : interrogation means in independent communication with each of a plurality of inputs, wherein the interrogation means communicates with each input through a separate communication channel and wherein the interrogation means is adapted to detect an actuation signal indicative of actuation of an input through its respective communication channel ; signal generation means in independent communication with each communication channel, the signal generation means suitable for generating a simulation signal that simulates the actuation signal in each communication channel ; and processing means programmed to randomly or quasi-randomly select a communication channel and to either control the interrogation means to interrogate the selected channel or control the signal generation means to generate the simulation signal in the selected channel, wherein the processing means is further programmed to select between the interrogation means and the signal generation means oh a random or quasi-random basis;

wherein the processing means selects communication channels at a first rate following detection by the interrogation means of an actuation signal and at a second rate, faster than the first rate otherwise.

Preferably, upon detection of an actuation signal by the interrogation means, the processing means may be programmed to continue to select communication channels at the second rate for a predetermined period before changing to the first rate.

Preferably, during the predetermined period the processing means may be programmed to control the signal generation means to generate at least one simulation signal in all or substantially all of the communication channels.

Preferably, the predetermined period may be the time taken to generate a selected number of simulation signals in each of the communication channels.

Preferably, the processing means may be programmed to select communication channels on a quasi-random rotational basis when selecting at the first rate, with a random order of selection for each cycle of rotation.

Preferably, upon detection of the absence of the actuation signal, the processing means may be programmed to select communication channels at the first rate for a transition period before changing to the second rate.

Preferably, during at least the transition period, the processing means may select communication channels on a quasi-random rotational basis, wherein the duration of the transition period is determined by the time required to complete the current cycle of rotation or a selected number of cycles of rotation through the communication channels.

Preferably, the selected number of cycles may be varied randomly or quasi- randomly.

Preferably, the inputs may include a plurality of keys.

Preferably, the keys may be momentary SPST switches.

According to another aspect of the present invention, there is provided a method of interrogating a plurality of inputs to determine whether any of the inputs have been actuated, the method including connecting each input to an independent communication

? channel so as to generate an actuation signal in the corresponding communication channel upon actuation of the key and continuously cycling through the steps of: selecting a communication channel on a random or quasi random basis; and controlling a signal generation means to either generate a simulation signal that simulates the actuation signal, or cause an interrogation means to interrogate the selected communication channel to detect whether the actuation signal is present; wherein the method includes selecting between controlling the signal generation means to generate a simulation signal and controlling the interrogation means on a random or quasi-random basis.

Preferably, the method may further include selecting communication channels at a first rate following detection of an actuation signal by the interrogation means and until after the interrogation means detects the absence of the actuation signal and at a second rate, faster than the first rate otherwise.

Preferably, the method may include selecting communication channels at the second sampling rate for a predetermined period after detection of an actuation signal before changing to the first sampling rate.

Preferably, the method may further include generating simulation signals in all or substantially all of the communication channels during the predetermined period.

Preferably, the method may include selecting communication channels on a rotational basis with a quasi-random order of selection when sampling at the first sampling rate.

Preferably, the method may include detecting for the absence of the actuation signal and continuing to select communication channels at the first rate for a transitional period after the interrogation means detects an absence of the actuation signal before changing back to the second rate.

Preferably, the transition period may be determined by the time required to complete the current cycle or a selected number of cycles of rotation.

Preferably, the selected number of cycles may be varied randomly.

Preferably, the method may be applied to keys, wherein each key represents an input.

Preferably, the present invention may be applied to a telephone.

Further aspects of the present invention, which should be considered in all its novel aspects, may become apparent from the following description, given by way of example only and with reference to the accompanying drawings.

Brief Description of Drawings FIGURE 1: Shows diagrammatically a cross-sectional view through a circuit board surrounded by a wire embedded in epoxy according to one possible embodiment of one aspect the present invention.

FIGURE 2: Shows diagrammatically a plan view of a surface showing a wire randomly distributed about the top surface of a case accommodating a keypad according to one possible embodiment of one aspect of the present invention.

Modes for Carrying Out the Invention The present invention relates to security measures for electronically stored, communicated and or input information. Thus, the present invention may have application to the protection of information such as PIN numbers, passwords, or other sensitive information. Those skilled in the art will appreciate that the invention may be applied to any number of electronic devices.

Referring first to Figure 1, a diagrammatic representation of a circuit board 1, which includes electronic components to be protected from unauthorised access, is surrounded by a volume of opaque epoxy resin 2 inside which a wire 10 (partially shown), has been wound in a substantially random pattern. The wire is insulated to prevent short-circuiting with itself. Sufficient wire is used that any object penetrating the epoxy, for example a small drill bit will highly probably sever the wire at least once before reaching any component on the circuit board 1. The wire 10 is preferably thin

and highly malleable to allow a complex and dense pattern of wire to be included within the resin 2.

The ends of the wire 10 are attached to a detection circuit, represented in Figure 1 by component group A. The detection circuit A, in this case a switch circuit, monitors the status of an electrical circuit including the wire within the epoxy resin. If the circuit is broken by severance of the wire 10, the detection circuit A causes a positive signal to be applied to a security pin of an electrically erasable programmable read only device (EEPROM), represented as chip 3, causing the chip 3 to erase its contents. Of course any alternative or further security measure may be performed depending on the requirements to secure the information and/or notify of an attack.

To construct the circuit, the wire 10 is connected to the circuit board 1 and located within a corral 4. Next, the corral 4 is filled with the epoxy resin 2. In order to protect against access from either side of the circuit board 1, a second corral 5 is placed on the opposite side the circuit board 1. The wire 10 may be threaded through an aperture 6 and distributed randomly around the underside of the circuit board within corral 5. The epoxy resin 2 may fill corral 5 through aperture 6 or by reversing the circuit board 1.

It will be appreciated that more than one wire may be used, each having a detection circuit A or other suitable detection means to detect severing of the wire. A single wire with a single detection circuit A may be used to minimise cost.

It is important to increase security that the detection circuit A and any other component which is essential in controlling whether the chip 3 erases itself is also protected against access. Therefore, these components are placed within corral 4 or 5 and the wire and epoxy resin 2 mix is located and secured over both sides of these components, thereby preventing access to them. Although the description herein is given with particular example to a chip 3, which is an EEPROM, the wire 10 in combination with a detection circuit A may be used to protect any device storing or communicating sensitive electronic information.

In many devices users enter a PIN number to allow access to certain information or functionality. The PIN may be verified by the chip 3 to allow the user or users to access this information or use the protected functionality. Therefore, protection should

be provided against access to this PIN. The wire and detection circuit A may be used to protect the chip 3, but additional protection may be required for where the user enters the PIN. A common method of entering PIN numbers is through a keypad having a number of keys. Unauthorised persons attempting to find out a PIN number entered into a device using a keypad may place a monitor within the device to detect the key- presses.

Referring now to Figure 2, a representation of the rear side of a keypad 7 having nine keys 8 is shown. To protect the rear of the keypad from being accessed through the case, a wire 9 is run at random around the inside surface of the case around the keys 8 and secured to the case. Therefore if an object is passed through the casing around the keys 8, it is likely that it will sever the wire 9. The wire 9 and fixing means used to secure to the case are selected so that if an attempt is made to pull the wire 9 off the casing it will break before coming free. A suitable fixing means may be a resilient adhesive. The wire may alternatively be embedded in the material of the case of the keypad 7 or otherwise resiliently fixed in place. The wire may be covered with a label to substantially hide its presence. The wire 9 is connected to a detection circuit (not shown) similar to that of Figure 1 so that if the wire 9 is severed confidential information is automatically erased.

Although the following description is given by way of example to one implementation of the present invention in relation to a keypad, those skilled in the relevant arts will recognise that the present invention may be applied elsewhere. The invention may have application to any device receiving an input from another device, particularly where information inputted may be determined by accessing the internal lines or components of the devices or by monitoring emitted signals.

The wire 9 may be randomly located anywhere as required. For example, it may be located around other portions of the interior or exterior surface of the casing of the keypad 7 and electronic devices, within the material forming the casing or elsewhere.

The use of wire around a keypad 7 is given for the purposes of example only. However, it is important that direct access to the wire is limited as much as possible to prevent progressive short-circuiting.

In a preferred embodiment, the wire 9 and wire 10 form part of the same circuit, hereinafter the security circuit, thereby reducing cost and providing protection from access to the casing as well as to individual sensitive components. The wire 9 is embedded in the epoxy resin 2 with no slack so as to prevent easy access between the circuit board 1 and keypad 7.

In addition to the wire within the epoxy 2 and around the keypad 8, the security circuit may also include conductive pads on the base of the circuit board 1. The corresponding mounting points for the circuit board include conductive material such that when the circuit board 1 is mounted on the case an electrical circuit is completed.

Therefore, any action separating the circuit board 1 from the mounting points will break the electrical connection, which will then be detected by the detection circuit A.

Further security measures may also be added to the same circuit, for example a switch positioned so as to open upon separation of the casing from the circuit board 1.

Despite the above described security circuit, access may still foreseeably be obtained to the communication channels (typically electrical conductors) from the keys 8 to the circuit board 1. This would allow monitoring of the actuation of the keys 8 from inside a device by connecting to these communication channels. Another technique which may be used to determine the operation of a keypad having column and row conductors is to monitor the electromagnetic radiation emitted from the keypad.

To help prevent access to information entered through a keypad by these methods, each key of the keypad 7 has an individual connection to a separate I/0 pin of chip 3. This allows the chip 3 to interrogate keys 8 independently and thus the interrogation of one key 8 does not betray the status of any other keys to someone who may have connected to a row or column conductor of a conventional keypad.

Each key 8 may be a momentary SPST switch with one leg connected to the chip 3 and the other leg connected to ground. To sample the state of any key 8, the microprocessor holds the corresponding separate !/O pin high and then reads the current pin state. If the key 8 is actuated, the I/0 pin will read low (signal sent to ground by the switch). If the key 8 is not actuated the signal will read high.

The chip 3 starts in the idle state. In the idle state keys 8 are sampled or interrogated at random at a first, high sampling rate, which may be constant or varied within a predetermined range, until a key press is detected. A suitable sampling rate may be about one sample per millisecond. Alternatively, the chip 3 may sample the keys 8 on a quasi-random basis wherein the chip 3 continually cycles through all keys 8, with the order of selection being randomised. Other methods of selection of keys 8 for sampling may be used, although there should be at least a partially random selection process.

While the chip 3 is in the idle state, it randomly replaces selected interrogations with a simulated key actuation. For keys which connect the line to ground on actuation, a simulated key actuation is the bringing of the conductor between the chip 3 and key 8 low. Alternatively, in order to regulate the number of simulated key presses, the replacement of interrogation signals with simulated key actuation signals may be performed on a quasi-random basis wherein for example, a predetermined percentage of interrogation signals are replaced. After detection of a key 8 being depressed the chip 3 enters the held state.

Immediately following detection of a key actuation and before the chip 3 enters the held state, the chip 3 may optionally continue to sample all other keys 8 at least once at the high sample rate for a predetermined period. During this period, the number of simulated key presses is controlled by the chip 3 to be high so as to prevent easy and reliable identification of which key caused the chip 3 to enter into the held state and slow its sampling.

In the held state, all keys 8 on the keyboard are sampled at random, at a lower sampling rate than during the idle state. In an alternative and preferred embodiment, the keys 8 are sampled on a quasi-random basis while sampling at the lower sampling rate wherein the sampling of keys is performed on a rotational basis, with the order of sampling in each rotation being chosen randomly. An object of sampling at a slower rate is to minimise the number of consecutive samples which show the key 8 as being actuated. The rate of sampling may therefore be chosen having regard to this objective and based on the average time a key is actuated.

After the chip 3 detects the actuated key 8 as being released, the chip 3 returns to the idle state. The chip 3 preferably remains in the held state until the current cycle or a predetermined or a selected number, which may be selected randomly or quasi- randomly, of sampling cycles has been completed. Therefore, each key 8 will have been sampled the same number of times before the chip 3 changed back to the idle state and if the number of cycles performed after the key is detected is released is varied on a random basis the change in state of the key causing the change is further obfuscated. Although separate chips or circuits may be used to interrogate the keys and create signals that simulate key actuations, it is preferable that the same chip or circuit is used.

The obfuscation technique for detecting information communicated to the chip 3 may be applied to input methods other than a keypad. For example, the technique may be used for communication between two electronic devices, where the interrogation means and simulation signal generation means have sufficiently high clock speed in comparison to the sending device. Also, some additional protection for the communication channel may be required, especially if the channel is long.

The chip 3 may be any processing means suitable for selecting and controlling the interrogation and simulation of signals within the communication channels to the keys. The chip 3 may thus include a clock to enable regulation of the sampling rate and an input/output port for each communication channel to enable interrogation of the channel and simulation of actuation signals in the channel. The interrogation method and type of simulation signal produced may vary depending on the relationship between the keys 8 and the chip 3. For example, the keys 8 may actively send a high signal to an interrupt line of the chip 3 and the chip may thus bring the line high to simulate an actuation signal.

The information requiring protection may also be located in the chip 3 or may be located in an associated memory or in an entirely separate device.

Thus, there is provided security measures that utilise one or more conductive wires to prevent access to a device and obfuscated sampling of keys to prevent determination of input information. The measures may be-used separately, optionally with other security measures or in combination. A particular implementation may be to

apply both security measures to a communication terminal such as a telephone. The wires 10,9 may assist to prevent access to the internal devices of the phone and the obfuscated sampling method used to assist in the prevention of the detection of information input to the device through the keypad.

Where in the foregoing description reference has been made to specific components or integers of the invention having known equivalents then such equivalents are herein incorporated as if individually set forth.

Although this invention has been described by way of example and with reference to possible embodiments thereof, it is to be understood that modifications or improvements may be made thereto without departing from the scope of the invention as defined in the appended claims.