
Security Highlight: The Potential Impact of Hardware Security Weaknesses

Author: Marc Witteman

This security highlight discusses the recent NIST report on hardware weaknesses, relating to Riscure’s experience in the field.

In June, the US standards body NIST published a report on Hardware Security Failure Scenarios. This report discusses weaknesses in hardware designs that could lead to exploitable vulnerabilities.

First, the authors of the report define the difference between a vulnerability and a weakness. A weakness is seen as a template for a certain type of vulnerability. They looked at vulnerabilities and weaknesses reported by Mitre, a US non-profit organization that maintains the CVE (Common Vulnerabilities and Exposures) and CWE (Common Weakness Enumeration) lists. While initially their focus was on software issues, since 2020 Mitre also tracks CWEs for hardware issues (they had defined 108 hardware weaknesses as of 2024).

The authors claim that it is not unusual to have 1 to 25 bugs per 1000 lines of software code, and some of these bugs may have security implications. As software is used to design hardware, and hardware in turn stores and runs software, they expect software vulnerabilities to have an impact on hardware.

The reported bug density aligns with our experience at Riscure, and we note that exploitation often requires multiple vulnerabilities. It is certainly possible to combine hardware and software vulnerabilities in an exploit. Moreover, since all software runs on hardware, a hardware vulnerability could impact even the most sensitive software. We typically see that hardware attacks are used to defeat secure boot, break cryptographic protections, and extract product code and user data.

A disadvantage of hardware attacks is that they require physical access to a product and may not be scalable as a result. However, some hardware attacks yield a global secret or reveal remotely exploitable software vulnerabilities. In this case, the hardware attack is a stepping stone to a much larger exploitation scheme, and worth the effort to a motivated attacker.

In their report, NIST notes that one weakness may correspond to several vulnerabilities in software. For example, a buffer overflow can appear in many different forms and applications. However, the number of reported vulnerabilities for hardware is still relatively low. Of course, this could be because hardware developers do a better job than software developers, or managed to solve issues before bringing products to market, but it is also possible that developers are reluctant to report vulnerabilities because they know these may not be patchable. If the latter is the case, there may be many more vulnerable products in the field.

At Riscure, we acknowledge this risk as we detect vulnerabilities in non-certified products. Hardware CWEs can be helpful in understanding the risk, and NIST supports the industry by making these risks explicit. We often find vulnerabilities based on three specific weaknesses: CWE-1332 (Improper Handling of Faults that Lead to Instruction Skips), CWE-1319 (Improper Protection against Electromagnetic Fault Injection), and CWE-1300 (Improper Protection of Physical Side Channels).
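As an added illustration of CWE-1332 (this is example code written for this page, not code from Riscure or from the NIST report), the C below contrasts a single-branch verification of the kind that a skipped instruction can flip, with a hardened form as used in secure-boot code: distinct non-trivial sentinel values instead of 0/1, no early exit, a re-check of the loop counter, and a redundant second pass with an independent accumulator, so that one skipped instruction is far less likely to turn a failed check into a pass. The sentinel values, the sample "expected hash" and the function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sentinel values for this example: far apart in Hamming
 * distance, so a single bit flip or skipped instruction is unlikely to
 * turn FAIL into OK. Plain 0 and 1 are one bit apart. */
#define VERIFY_OK   0x3CA5A53Cu
#define VERIFY_FAIL 0xC35A5AC3u

#define HASH_LEN 32

/* Naive check: one comparison, one branch, 0/1 result. Skipping the
 * conditional branch, or the instruction that writes 0, yields "accept". */
int naive_verify(const uint8_t *computed, const uint8_t *expected, size_t len) {
    if (memcmp(computed, expected, len) == 0) {
        return 1;
    }
    return 0;
}

/* Hardened check: the whole buffer is folded into an accumulator with no
 * early exit, the loop counter is re-checked after each pass, and a second
 * pass with its own accumulator must agree. The default result is FAIL and
 * only a fully consistent run produces OK. volatile discourages the compiler
 * from merging the redundant work. */
uint32_t hardened_verify(const uint8_t *computed, const uint8_t *expected, size_t len) {
    volatile uint32_t result = VERIFY_FAIL;
    volatile uint32_t diff1 = 0;
    volatile uint32_t diff2 = 0;
    volatile size_t i;

    for (i = 0; i < len; i++) {
        diff1 |= (uint32_t)(computed[i] ^ expected[i]);
    }
    if (i != len) {            /* loop was cut short: treat as a fault */
        return VERIFY_FAIL;
    }

    /* Second pass, same data, different formulation (~a ^ ~b == a ^ b). */
    for (i = 0; i < len; i++) {
        diff2 |= (uint32_t)((~computed[i] ^ ~expected[i]) & 0xFFu);
    }
    if (i != len) {
        return VERIFY_FAIL;
    }

    if (diff1 == 0 && diff2 == 0) {
        result = VERIFY_OK;
    }
    /* Final consistency check: both accumulators and the result must agree. */
    if ((diff1 | diff2) != 0 || result != VERIFY_OK) {
        return VERIFY_FAIL;
    }
    return VERIFY_OK;
}

/* Constructed sample "expected hash" (not a real digest). */
static const uint8_t EXPECTED[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0
};

/* Build a candidate hash; with tamper != 0 the last byte has one bit flipped. */
static void make_candidate(uint8_t *out, int tamper) {
    memcpy(out, EXPECTED, HASH_LEN);
    if (tamper) {
        out[HASH_LEN - 1] ^= 0x01;
    }
}

int demo_naive(int tamper) {
    uint8_t buf[HASH_LEN];
    make_candidate(buf, tamper);
    return naive_verify(buf, EXPECTED, HASH_LEN);
}

uint32_t demo_hardened(int tamper) {
    uint8_t buf[HASH_LEN];
    make_candidate(buf, tamper);
    return hardened_verify(buf, EXPECTED, HASH_LEN);
}

int main(void) {
    printf("naive    genuine=%d tampered=%d\n", demo_naive(0), demo_naive(1));
    printf("hardened genuine=%s tampered=%s\n",
           demo_hardened(0) == VERIFY_OK ? "OK" : "FAIL",
           demo_hardened(1) == VERIFY_OK ? "OK" : "FAIL");
    return 0;
}
```

Both versions give the same answers on unfaulted hardware; the difference is how many independent steps an attacker would have to disturb to change the outcome. Note that C source cannot guarantee what the compiler emits: the redundant passes and sentinel checks must be confirmed in the generated machine code (and the compiler kept from folding them), and the real measure of the countermeasure is a fault-injection test of the finished product, which is exactly the kind of independent verification recommended below.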

We therefore recommend that developers of products that need to be secure in the field review the hardware CWE list and seek independent security verification of their products.
