Methods of defeating potting compound on electronics

At a previous employer I had the opportunity to tackle devices which had been potted in resin for security purposes. While assessing the devices, one goal was to determine the level of effort and skill required to defeat this anti-tamper feature and get access to the electronics. It was an interesting task, and very much up my alley as the resident “this is weird, give it to him” person. I had originally planned to write this up as a blog post for said employer, but unfortunately they shut down my department and laid us all off before I got around to it, so I figured I might as well write it up here.

The three most common types of potting used in electronics are silicone gel, polyester resin, and epoxy resin. Silicone gel is immediately identifiable because it has the feel of bathroom sealant. You can remove it with very little effort, so I won’t go into it any further here. Polyester resin is generally the cheaper of the two resins. It’s easy to work with (aside from the smell, which is horrible) - it has relatively low viscosity before setting, it is slightly flexible which makes it good for anything likely to experience thermal cycling or mechanical shock, and it can be machined and drilled easily if that is required. It is, however, not the strongest potting compound, and it isn’t very well suited to exposure to the elements, as long-term exposure to water and UV can cause cracking and weakening of the compound. The other option is epoxy resin. It cures rock hard, is completely waterproof, and isn’t as susceptible to UV exposure. The attack techniques I describe here work with both types, but polyester resin is typically a bit easier to break through.

Note: I do not have any experience with the type of potting compounds that used to be used for things like core memory in the space industry. If you’re working on anything old or valuable like that, especially if you suspect that it has fine wires inside, consult a specialist.

Both types of resin typically come as a two-part system which is mixed before being poured into a mould or enclosure, placed into a vacuum chamber for de-gassing, then left to cure for a day or two. Both materials can be transparent, or they can be dyed opaque. Naturally, if the potting is transparent then breaking into the device is much easier, because you can see what you’re doing and plan ahead for any drilling, cutting, or milling you might want to perform.

One interesting case I ran into was a device that contained a battery inside the potting. For reasons that should be obvious, subjecting a lithium cell to cutting, drilling, or other invasive procedures is an ill-advised move. Luckily in this case the potting was transparent, I did not need to preserve power to the device, and the battery was placed separately to the board, making it possible to cut the potted device in half and remove the battery entirely. However, it was not just a case of chopping it up with a hacksaw - had I done so, the blade would have likely contacted the battery wires and formed a short circuit. Instead, I had to drill into the resin to break just one of the wires, then cut the potted device in half with a hacksaw downstream of that break to prevent shorting.

Even with transparent resin, you do need to be careful when judging the positions and depths of targets. The refractive index of the material is quite high (roughly 1.5; for comparison water is about 1.33 and air is 1.0) which makes judging angles and depths quite tricky. A pillar drill with a depth stop is an invaluable tool here, since you can slowly increment your depth until you hit the target. You should also consider that the board surface may not be completely coplanar with the bottom of the enclosure. I spent around 30 minutes carefully plunging a hole into some potting with an endmill in very small depth increments, trying to reach the pads for a JTAG interface, only to end up leaving a crescent-shaped scar in the board surface anyway because it was on a slight incline. Luckily in that case the only thing I hit was a ground plane and I was able to access JTAG.

Many times, when an electronic device is being potted, the device is mounted into a plastic (e.g. ABS) enclosure like normal, any cables that need to be attached are attached, and then potting compound is poured in to fill the voids, and it goes through the rest of the de-gassing and curing steps. Interestingly, resin does not tend to bond to the enclosure surfaces very well if they are not suitably prepared with abrasives first, as they are too flat and shiny. It is quite uncommon for such a treatment to be applied, since it is not very easy to do in a mass production scenario. Without this surface prep, it is usually possible to pull the enclosure walls away from the resin with very little effort. This leads to an interesting defeat technique when not all of the screw mounting points in an enclosure are used, e.g. if a generic enclosure has 6 pillars for mounting screws and the board only uses the outer four. Since these pillars do not adhere to the resin very well, it is often possible to pull them straight out, leaving behind a bore-hole through the resin directly to the board. In one case I found that an unused pillar perfectly aligned with the footprint of a sensitive interface on the board - what luck! Soldering wires onto those pads down an 8mm wide, 30mm deep bore hole was somewhat challenging, but I got it done. You can also often remove the pillars with screws in them just by turning them, since the epoxy holds the screws in place, although this tends not to be all that useful since it’s not very often that an interesting interface is that close to a screw hole.

Removing the potting compound from the board entirely is a much more challenging task, especially if you want the board to keep working afterwards. PCBs are made of resin-soaked fiberglass, so they can take a bit more of a beating than straight-up resin, but they’re not impervious. Luckily they also come with a shiny soldermask coating, which means the bulk resin doesn’t stick to it very well, and pieces of the resin can be pulled away from the board if you’re careful. However, the resin does have a tendency to get around and under components, so you generally can’t just cut into the resin around the board edge and bifurcate the whole thing by pulling the two halves apart without ripping all the parts off in the process.

I haven’t tried much on polyester resin, but I spent a few days evaluating chemical techniques on epoxy resin. I evaluated a range of solvents that I had lying around in my cupboard - isopropyl alcohol, limonene, acetone, methanol, MEK, and xylene. None were particularly successful and I would not recommend attempting to break down bulk epoxy resin with solvents. More out of curiosity than anything else, I also tried concentrated sulphuric acid, which didn’t do anything either. The only result from these attempts was my boss reminding me about the company’s hazardous materials handling policy and making a swift update to its wording.

The next thing I tried was thermal decomposition. Resins start out as relatively short molecular chains and polymerise into longer chains during the curing process. This, along with other intermolecular effects that are far beyond the scope of this blog post, is what lends the resins their strength. A very effective way to weaken them is to break these chains, and heat is a great way to do it. Naturally the most obvious thing to do is to take a blowtorch to the material. This works, causing the surface layer to crack into chunks that can be broken off, a bit like those cubes you see in smashed safety glass. There are obviously some downsides to this approach, though: it’s rather uncontrolled in terms of the application of heat, the electronics will not survive being blasted with burning propane, and you do end up breathing in quite a lot of burning plastic fumes.

As an alternative, I first tried heating the device in oil on a hot plate, which would allow me to control the heat (hot enough to break down the epoxy, but not so hot that I would significantly exceed the storage temperature limits of the components) and ensure that all of the epoxy was heat-soaked to the necessary temperature. I went with mineral oil due to its lower viscosity, and also because something about boiling hardware in olive oil seemed deeply wrong, but quickly wrote the approach off when I realised that aggressively hacking away at a very slippery device covered in boiling hot mineral oil with a box cutter was an instant trip to the hospital in disguise. By the time I made the decision to abandon the approach, the oil had reached around 130°C, and when I tested the resin I was surprised to find that it had already softened significantly. Remarkably, you don’t need to get epoxy all that hot before it softens and becomes easier to attack with hand tools. I grabbed an old pan, filled it with water, threw the device in, boiled it for a while, took it out, and was able to break off a fair bit of the epoxy with a box cutter before it cooled and hardened again. This is a great approach because the water naturally limits the temperature to 100°C, which all of the components will survive just fine. I repeated this process for a while, using a heat-proof BBQ glove on one hand to grab the potted device and a box cutter in the other to hack away at it. It was quite effective! As I reached closer to the board, I added some citric acid powder to the water. I live in a hard water area, so I didn’t want to end up corroding the board during the de-potting process, and citric acid is a great option here due to being safe on all metals and also food-safe (not that I was going to be eating the epoxy). I was able to remove the vast majority of the epoxy this way - more than enough to access all of the interesting attack surfaces on the board inside.

I have since tried this with a pressure cooker, too, although I was somewhat nervous about it so I went with a rather conservative “cook” time. It was at least successful in more deeply penetrating the epoxy and breaking it down. It was much slower than the iterative method of boiling it, breaking some off, and repeating, but I was able to go do other things rather than spending a couple of hours constantly supervising a hot stove. Which method you choose will depend on your risk appetite and available equipment. (I say that as if any of this is remotely normal.)


As I mentioned at the start of this post, I’m currently out of work. If you work somewhere that does security assessments or offensive security research against IoT, embedded / appliances, OT, connected vehicles, ICS/SCADA, or similar targets, and you’re hiring, please take a look at my CV. I’ve built a career out of doing the weird things nobody else knows how to tackle, and I’ve gotten rather good at developing new assessment capabilities. I’m also not above the regular day-to-day work that doesn’t involve boiling electronics in citric acid. Thanks!