TID-106: Data Bus Interception
Threat Description
A threat actor could intercept data across a data bus used to connect a process to either volatile memory or non-volatile storage (e.g. ROM, NVRAM, disk). Depending on the scope of the interception, it may be possible to read and/or perform an adversary-in-the-middle (AITM) attack to write information going over the bus, especially if it lacks adequate encryption and authentication. For example, if a device has discrete RAM external from the processor, it may be possible to tap the address and data lines to observe and capture memory contents as they are loaded and stored for processing. Similar attacks can also be performed in software. Captured data may leak sensitive information (e.g., keys, cleartext firmware code) that can aid in reverse engineering or executing other stages of an attack. Interception and modification may enable an adversary to alter a device’s behavior, achieve persistence, evade detection, or other objectives.
NOTE: This is different from TID-114 in that this threat refers to data moving between the processor and storage devices, whereas TID-114 refers to the data moving between the main board or processing chip to a peripheral device.
Threat Maturity and Evidence
Proof of Concept
An Off-Chip Attack on Hardware Enclaves via the Memory Bus
“This paper shows how an attacker can break the confidentiality of a hardware enclave with MEMBUSTER, an off-chip attack based on snooping the memory bus. An attacker with physical access can observe an unencrypted address bus and extract fine-grained memory access patterns of the victim”
CWE
CWE-311: Missing Encryption of Sensitive Data (Class)
“The product does not encrypt sensitive or critical information before storage or transmission.”
CWE-319: Cleartext Transmission of Sensitive Information (Base)
“The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.”