Hardware has historically been considered secure; however, the National Institute of Standards and Technology has published a report on hardware security failure scenarios, highlighting weaknesses in hardware designs that could lead to exploitable vulnerabilities.
Despite hardware's secure reputation, chips are designed and built using software, and software is known to contain bugs. According to NIST authors Peter Mell and Irena Bojanova, there may be 1 to 25 bugs per 1,000 lines of software code, and these have the potential to compromise security.
Hardware attacks are commonly used to defeat secure boot, break cryptographic protections, and extract product code and user data. They require physical access to a product and, as a result, may not be scalable for most malicious actors. However, some hardware attacks yield a global secret or reveal remotely exploitable software vulnerabilities, serving as a stepping stone to a larger exploitation scheme and making the effort worthwhile to a motivated attacker.
In the report, Mell and Bojanova noted that one weakness may correspond to several vulnerabilities in software. For example, a buffer overflow can appear in many different forms and applications. The number of reported vulnerabilities for hardware, however, is still relatively low. This could be because hardware developers manage to solve issues before bringing products to market, but it is also possible that hardware developers are reluctant to report vulnerabilities because they know these may not be patchable. If the latter is the case, there may be many more vulnerable products in the field.
At Keysight, we see this risk first-hand, as we regularly detect vulnerabilities in non-certified products. Hardware CWEs clarify the risk, and NIST supports the industry by making these risks explicit. We often find vulnerabilities based on three specific weaknesses: CWE-1332 (Improper Handling of Faults that Lead to Instruction Skips), CWE-1319 (Improper Protection against Electromagnetic Fault Injection), and CWE-1300 (Improper Protection of Physical Side Channels). We recommend that developers of products that need to be secure in the field review the hardware CWE list and seek independent security verification of their products. If you have any follow-up questions, contact us at [email protected].
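As an added illustration of CWE-1332 (example code, not from the NIST report or from Keysight), the C below places a secure-boot style comparison in its weak form beside a hardened form that uses redundant checks and a non-trivial success value; the constant-time comparison also touches CWE-1300. The `fault` parameter is a constructed test hook that models a skipped conditional branch, and the digest bytes are constructed sample values.

```c
/* Added example (not from the NIST report or Keysight): a secure-boot style
 * comparison modelled against CWE-1332 (instruction skips). `fault` is a
 * constructed test hook: bit i simulates a glitch that skips the i-th
 * conditional branch, so the branch body executes regardless of the data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CHECK_OK   0x5A3CA5C3u  /* non-trivial success code: never produced by a stuck 0 or -1 */
#define CHECK_FAIL 0xA5C35A3Cu

/* Constructed sample data: a reference digest and a tampered copy. */
static const uint8_t kExpected[4] = {0x11, 0x22, 0x33, 0x44};
static const uint8_t kTampered[4] = {0x11, 0x22, 0x33, 0x45};

/* Constant-time comparison: no early exit, so timing does not reveal the
 * index of the first mismatching byte (a physical side channel, CWE-1300). */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak: one 0/1 flag and one branch; skipping that branch accepts bad data. */
uint32_t verify_weak(const uint8_t *exp, const uint8_t *act, size_t n, unsigned fault) {
    uint32_t ok = 0;
    if (ct_equal(exp, act, n) || (fault & 1u)) ok = 1;
    return ok ? CHECK_OK : CHECK_FAIL;
}

/* Hardened: two independent checks, a magic success value and a consistency
 * test, so one skipped instruction yields a rejection rather than a pass.
 * Two precisely placed glitches (fault == 3) still defeat it: redundancy raises cost. */
uint32_t verify_hardened(const uint8_t *exp, const uint8_t *act, size_t n, unsigned fault) {
    volatile uint32_t r1 = CHECK_FAIL, r2 = CHECK_FAIL;
    if (ct_equal(exp, act, n) || (fault & 1u)) r1 = CHECK_OK;
    if (ct_equal(exp, act, n) || (fault & 2u)) r2 = CHECK_OK;
    if (r1 != r2) return CHECK_FAIL;          /* results disagree: treat as a fault */
    if (r1 != CHECK_OK) return CHECK_FAIL;    /* require the exact magic, not "non-zero" */
    return CHECK_OK;
}

int main(void) {
    printf("weak, tampered, one glitch:     %s\n",
           verify_weak(kExpected, kTampered, 4, 1) == CHECK_OK ? "ACCEPTED" : "rejected");
    printf("hardened, tampered, one glitch: %s\n",
           verify_hardened(kExpected, kTampered, 4, 1) == CHECK_OK ? "ACCEPTED" : "rejected");
    return 0;
}
```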