CWE-1273 Software Weakness Details

CWE-1273

Name

Device Unlock Credential Sharing

Status

Incomplete

Published

2020-02-24
00h00 +00:00

Modified

2025-04-03
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Device Unlock Credential Sharing

The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.

CWE Description

"Unlocking a device" often means activating certain unadvertised debug and manufacturer-specific capabilities of a device using sensitive credentials. Unlocking a device might be necessary for the purpose of troubleshooting device problems. For example, suppose a device contains the ability to dump the content of the full system memory by disabling the memory-protection mechanisms. Since this is a highly security-sensitive capability, this capability is "locked" in the production part. Unless the device gets unlocked by supplying the proper credentials, the debug capabilities are not available. For cases where the chip designer, chip manufacturer (fabricator), and manufacturing and assembly testers are all employed by the same company, the risk of compromise of the credentials is greatly reduced. However, the risk is greater when the chip designer is employed by one company, the chip manufacturer is employed by another company (a foundry), and the assemblers and testers are employed by yet a third company. Since these different companies will need to perform various tests on the device to verify correct device function, they all need to share the unlock key. Unfortunately, the level of secrecy and policy might be quite different at each company, greatly increasing the risk of sensitive credentials being compromised.

General Informations

Modes Of Introduction

Integration
Manufacturing

Applicable Platforms

Language

Name: VHDL (Undetermined)
Name: Verilog (Undetermined)
Class: Compiled (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Name: Other (Undetermined)
Class: Not Technology-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability Access Control Accountability Authentication Authorization Non-Repudiation	Modify Memory, Read Memory, Modify Files or Directories, Read Files or Directories, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism Note: Once unlock credentials are compromised, an attacker can use the credentials to unlock the device and gain unauthorized access to the hidden functionalities protected by those credentials.

Potential Mitigations

Phases : Integration
Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific.
Phases : Manufacturing
Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-560	Use of Known Domain Credentials An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

NotesNotes

This entry is still under development and will continue to see updates and content improvements.

Submission

Name	Organization	Date	Date release	Version
Parbati Kumar Manna, Hareesh Khattri, Arun Kanuparthi	Intel Corporation	2020-05-29 +00:00	2020-02-24 +00:00	4.1

Modifications

Name	Organization	Date	Comment
CWE Content Team	MITRE	2020-08-20 +00:00	updated Demonstrative_Examples, Description, Related_Attack_Patterns
CWE Content Team	MITRE	2021-10-28 +00:00	updated Demonstrative_Examples, Description
CWE Content Team	MITRE	2022-10-13 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2025-04-03 +00:00	updated Demonstrative_Examples

CWE-1273 Detail