This is very reminiscent of Physical Random/Unclonable Functions[1]. When creating identifiers like this it's very important that they be non-reproducible. The article nearly touched on this with random patterns, but the important distinction is that the process must not be reproducible by the manufacturer even if they wanted to.<p>In [1], they propose timing artifacts in FPGAs as a means to achieve this. I imagine that some of the random material embeddings in the article may achieve this in practice, though it's important to actually quantify it.<p>[1] <a href="https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.297.5196&rep=rep1&type=pdf" rel="nofollow">https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.29...</a>
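Added example (not part of the comment above or of the cited paper): one common way to quantify the property is to compare the fractional Hamming distance between repeated reads of one device (intra) with the distance between different devices built by the same process (inter). The offset-plus-noise model, the parameter values and all function names are assumptions chosen for illustration, and the data is simulated.

```python
import random
from itertools import combinations
from statistics import mean

def make_device(rng, n_bits):
    # Assumed model: uncontrollable process variation gives each response
    # bit a fixed analog offset that even the manufacturer cannot choose.
    return [rng.gauss(0.0, 1.0) for _ in range(n_bits)]

def read_response(device, rng, noise_sigma):
    # One measurement: each bit is the sign of (fixed offset + read noise).
    return [1 if off + rng.gauss(0.0, noise_sigma) > 0 else 0 for off in device]

def frac_hd(a, b):
    # Fractional Hamming distance between two equal-length bit lists.
    return sum(x != y for x, y in zip(a, b)) / len(a)

def evaluate(n_devices=20, n_bits=256, n_reads=5, noise_sigma=0.1, seed=1):
    rng = random.Random(seed)  # constructed, simulated data
    devices = [make_device(rng, n_bits) for _ in range(n_devices)]
    reads = [[read_response(d, rng, noise_sigma) for _ in range(n_reads)]
             for d in devices]
    # Intra: same device read twice (should be near 0: reliability).
    intra = [frac_hd(a, b) for r in reads for a, b in combinations(r, 2)]
    # Inter: different devices from the same process (should be near 0.5:
    # a second unit from the same line does not reproduce the identifier).
    inter = [frac_hd(reads[i][0], reads[j][0])
             for i, j in combinations(range(n_devices), 2)]
    return {"intra_mean": mean(intra), "intra_max": max(intra),
            "inter_mean": mean(inter), "inter_min": min(inter)}

def separable(stats):
    # A usable match threshold exists only if the worst re-read of a genuine
    # device is still closer than the closest pair of distinct devices.
    return stats["intra_max"] < stats["inter_min"]

if __name__ == "__main__":
    s = evaluate()
    print(s, "separable:", separable(s))
```

Raising `noise_sigma` far above the offset spread collapses the gap between the two distributions, which is the failure a measurement like this is meant to expose.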
There's a common processing step in PCB manufacturing that occurs right after SMT (reflow soldering of components that have been placed on the PCB by a pick-and-place machine). It is known as AOI (automated optical inspection).<p>What happens during AOI is that a camera images every part of the PCB and then uses old-school machine vision to identify problems like missing/misplaced/misoriented components, wrong parts, solder mishaps, and contamination/foreign objects. In practice, it's not perfect, but it can detect gross problems and is valuable in high-volume or high-cost PCBs. The images are usually not stored, but processed "on the fly" by machine vision applications.<p>It's good to hear that Alitheon is taking this to the next level. As a MFG engineer, I've long felt that AOI has been under-utilized. There are multiple reasons to more fully analyze these images besides security concerns and given the low cost of storage, I think it's becoming not unreasonable to store entire image sets of individual high-cost PCBs for the lifespan of the product.<p>As for the big picture of security, however, it really begins earlier in the supply chain before the components even arrive at the factory in reels. By the time that something gets to a factory, one can't do much more than read out things like IDs and perform functional screens. That's why manufacturers have, sometimes, long qualification processes before they even consider a new component or its vendor.
This reminds me of bunnie's talk on supply chain security:<p><a href="https://www.bunniestudios.com/blog/?p=5519" rel="nofollow">https://www.bunniestudios.com/blog/?p=5519</a>