Physical Access to Components
Sensitive components that are most likely to be targeted for an attack (such as the microprocessor, ROM, RAM, and programmable logic) should be made difficult to access.
Reverse-engineering the target product usually requires the attacker to determine the part numbers and device functionality of the major components on the board. Understanding what the components do may provide details for particular signal lines that may be useful for active probing during operation. Components are easily identified by their part numbers and manufacturing markings on the device packaging, and by following their traces to see how they interconnect with other components on the board. Nearly all IC manufacturers post their component data sheets on the web for public viewing, and online services such as IC Master, Datasheet Locator, and PartMiner provide part number searches and pinout and package data for hundreds of thousands of components. To increase the difficulty of reverse-engineering and device identification, it is recommended that all markings be scratched off the tops of the chips.
Using BGA packages increases the difficulty of casual probing, manipulation, and attack, because all die connections are located underneath the device packaging. However, manufacturing costs are higher for BGA than for other package types, because X-rays are often used to verify that the solder has properly bonded to each of the ball leads. A dedicated attacker with common circuit board rework equipment could easily remove the device and add a socket for easier access. It is therefore recommended to place critical devices in areas of the circuit board that may not have enough area or vertical height around the component for a socket to be properly mounted.
Another solution is to employ Chip-on-Board (COB) packaging, in which the silicon die of the integrated circuit is mounted directly to the PCB and protected by epoxy encapsulation. Even though methods exist to gain access to COB devices (discussed later in this section), and an attacker may still probe vias and traces extending from the encapsulant, direct manipulation of the device and its connections is less of a threat. Using COB devices also increases manufacturing cost and is not necessarily supported by all manufacturers, as specialized equipment is required to manipulate the wire bonds between the silicon die and the circuit board.
A relatively new technology known as Chip-in-Board (CIB) embeds the silicon die within the layers of a printed circuit board. The concept is similar to COB, although a cavity is created in the circuit board to hold the die. An encapsulant is filled in over the die and cavity, creating a flat PCB surface. The added financial burden of this technology is unknown. Using CIB in conjunction with buried vias to completely hide critical traces is a possibility.
When epoxy encapsulant is incorporated into a design to protect components, ensure that it serves its intended purpose. Figure 1 shows an example of an early USB authentication device that stored critical data on an encapsulated Serial EEPROM. Aside from being able to scrape off the epoxy using a hobby knife to gain access to the surface-mount pins of the device, an attacker could simply solder wires to the exposed footprint adjacent to the device, which was intended for another Serial EEPROM, and read the memory contents using an industry-standard device programmer. This misuse of epoxy, coupled with the easy accessibility of the device, played a major role in the successful attack on the product, as detailed in Grand's "Attacks on and Countermeasures for USB Hardware Token Devices."
Figure 1 Early USB authentication token showing epoxy encapsulation that still allows an attacker to access the adjacent footprint.