Mitre reveals ten worst hardware security weaknesses in 2021
The list aims to highlight common hardware flaws to help eliminate them from product development cycles
Mitre has revealed its top-ten list of security vulnerabilities in hardware in a bid to help companies design more secure products.
The weaknesses highlighted in the list can be found in hardware design, architecture, or programming. Mitre compiled the list in conjunction with the Hardware CWE Special Interest Group (SIG).
Mitre publishes the Common Weakness Enumeration (CWE) for software bugs in conjunction with the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). This marks the first time the organization has done the same thing for hardware.
The list aims to drive awareness of common hardware weaknesses through CWE and “prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle”.
"Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underlying root cause," Mitre said.
The list, which is in no order, includes vulnerabilities found in many types of hardware. For example, CWE-1189 is a flaw on a system-on-a-chip (SoC) that does not properly isolate shared resources between trusted and untrusted agents.
“Several resources on the chip may be shared to multiplex and support different features or functions. When such resources are shared between trusted and untrusted agents, untrusted agents may be able to access the assets intended to be accessed only by the trusted agents,” Mitre noted.
Another hardware bug mentioned on the list is where a chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
“If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface,” said Mitre.
It added that the methodology used to generate the inaugural CWE Most Important Hardware Weaknesses List is “limited somewhat in terms of scientific and statistical rigor.”
"In the absence of more relevant data from which to conduct systematic inquiry, the list was compiled using a modified Delphi method leveraging subjective opinions, albeit from informed content knowledge experts,” it added.
-
Kaseya cuts the ribbon on new MSP Success program in partner growth driveNews The initiative combines digital marketing, peer collaboration, and community engagement tools to help partners tackle customer acquisition challenges
-
OpenAI plots ChatGPT ‘superapp’ overhaul ahead of public listingNews The company looks set to spruce up ChatGPT with a particular focus on agents to drive subscriptions
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
