CWE Security Report Highlights the "Most Important Hardware Weaknesses" of 2021

The Hardware CWE Special Interest Group (SIG) has released the first Most Important Hardware Weaknesses report on the MITRE Common Weakness Enumeration (CWE) site — offering a look at the top 12 issues surrounding hardware security in 2021.

"The goals for the 2021 Hardware List are to drive awareness of common hardware weaknesses through CWE, and to prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle," the report's authors explain.

"Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underling root cause."

The 12 issues rated as most important in the report are: Improper Isolation of Shared Resources on System-on-a-Chip (SoC); On-Chip Debug and Test Interface With Improper Access Control; Improper Prevention of Lock Bit Modification; Security-Sensitive Hardware Controls with Missing Lock Bit Protection; Use of a Cryptographic Primitive with a Risky Implementation; Internal Asset Exposed to Unsafe Debug Access Level or State; Improper Restriction of Software Interfaces to Hardware Features; Improper Handling of Overlap Between Protected Memory Ranges; Sensitive Information Uncleared Before Debug/Power State Transition; Improper Access Control for Volatile Memory Containing Boot Code; Firmware Not Updateable; and Improper Protection of Physical Side Channels.

All the weaknesses raised in the report have been found frequently, are exploitable, and should be considered carefully in hardware design — but the report is clear that they're in no way ranked against each other. "The HW CWE team and the SIG believe that it is impractical to think of the list as a hierarchical, ordered set in terms of importance," the report explains. "The entries should be thought of as a set of mostly equal hardware weakness concerns based on our methodology."

The report also highlights five additional weaknesses which fell just shy of making the top-12 list, including issues with sensitive information not being removed before a resource is reused and failure to protect against voltage and clock glitching attacks — the latter being in common use in the wild for attacking embedded systems, as with Hagen Fritsch's work on unlocking firmware protections on the STMicro STM8 microcontroller family.

The full report is now available on the CWE website.