TID-114: Peripheral Data Bus Interception
Threat Description
Messages and data passing between discrete sub-components and peripherals may be intercepted and/or modified through the peripheral bus (e.g., SPI, I2C, ISA, PCI, USB). Captured data may leak sensitive information (e.g., keys, cleartext firmware code) that aids reverse engineering and yields material needed for other stages of an attack. Additionally, a threat actor with access to the bus may alter sensitive information in transit, manipulating or injecting data to cause malicious effects on the receiving component.
NOTE: This is different from TID-106 in that this threat refers to data moving between the main board or processing chip and a peripheral device, whereas TID-106 refers to data moving between the processor and storage devices.
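The following is an added example, not part of the original threat entry and not code from any of the cited works. It models a logic-analyzer capture of JEDEC SPI NOR flash reads (opcode 0x03, 24-bit address, then data on MISO) to show what a passive bus tap recovers, how an active interposer rewrites data in transit, and the host-side check that catches the rewrite. The flash contents, the capture, the key and all helper names (flash_read_transaction, decode_reads, rebuild_image, interpose, image_tag, host_verifies, HOST_KEY, CAPTURE) are constructed for the demonstration.

```python
"""Peripheral bus interception, modelled on SPI NOR flash reads.

Constructed example: a 256-byte 'firmware' image read over SPI, the
per-transaction MOSI/MISO bytes a logic analyzer would export, a passive
decoder, an active in-transit rewrite, and an HMAC check on the host side.
"""
import hashlib
import hmac

CMD_READ = 0x03  # JEDEC "Read Data": opcode, 3 address bytes, then data clocked out on MISO

FLASH_SIZE = 256
FLASH = bytes(range(FLASH_SIZE))  # constructed image: byte value == address, easy to verify


def flash_read_transaction(addr, length):
    """Model one chip-select-framed transaction as a capture tool exports it.
    MOSI: opcode + 24-bit address, then don't-care clocks while data is read.
    MISO: don't-care (0xFF) during the command phase, then the flash data.
    Returns (mosi, miso), both the same length because SPI is full duplex."""
    mosi = bytes([CMD_READ, (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF]) + b"\x00" * length
    miso = b"\xff" * 4 + FLASH[addr:addr + length]
    return mosi, miso


# Constructed capture: the host reads the image in 64-byte chunks, out of order.
CAPTURE = [flash_read_transaction(a, 64) for a in (0x40, 0x00, 0xC0, 0x80)]


def decode_reads(capture):
    """Passive tap: parse every 0x03 read and return {address: data}."""
    reads = {}
    for mosi, miso in capture:
        if len(mosi) < 4 or mosi[0] != CMD_READ:
            continue  # other opcodes (WREN, RDID, ...) are out of scope here
        addr = (mosi[1] << 16) | (mosi[2] << 8) | mosi[3]
        reads[addr] = miso[4:]  # payload begins after the 4 command bytes
    return reads


def rebuild_image(reads, size):
    """Lay decoded chunks into a flat image; unread regions stay 0xFF (erased flash)."""
    image = bytearray(b"\xff" * size)
    for addr, data in reads.items():
        image[addr:addr + len(data)] = data
    return bytes(image)


def interpose(capture, patch_addr, patch):
    """Active man-in-the-middle on the bus: rewrite MISO bytes so the host sees
    `patch` at `patch_addr` while the flash chip itself is untouched.
    Handles a patch that spans more than one read transaction."""
    out = []
    for mosi, miso in capture:
        if len(mosi) < 4 or mosi[0] != CMD_READ:
            out.append((mosi, miso))
            continue
        addr = (mosi[1] << 16) | (mosi[2] << 8) | mosi[3]
        data = bytearray(miso[4:])
        lo = max(addr, patch_addr)
        hi = min(addr + len(data), patch_addr + len(patch))
        if lo < hi:  # this transaction overlaps the patched range
            data[lo - addr:hi - addr] = patch[lo - patch_addr:hi - patch_addr]
        out.append((mosi, miso[:4] + bytes(data)))
    return out


# Hypothetical key held inside the SoC (fuses, secure element). It never crosses
# the bus, so a tap can read the image but cannot forge a valid tag for a modified one.
HOST_KEY = b"constructed-demo-key"


def image_tag(image):
    """HMAC-SHA256 over the whole image, computed by the host with its on-die key."""
    return hmac.new(HOST_KEY, image, hashlib.sha256).digest()


def host_verifies(capture, expected_tag):
    """What the host should do before executing: authenticate what it actually
    received over the bus against a tag stored with the on-die key."""
    image = rebuild_image(decode_reads(capture), FLASH_SIZE)
    return hmac.compare_digest(image_tag(image), expected_tag)


if __name__ == "__main__":
    tag = image_tag(FLASH)
    print("passive tap recovers full image:", rebuild_image(decode_reads(CAPTURE), FLASH_SIZE) == FLASH)
    tampered = interpose(CAPTURE, 0x7E, b"\xde\xad\xbe\xef")
    print("host accepts genuine capture:", host_verifies(CAPTURE, tag))
    print("host accepts tampered capture:", host_verifies(tampered, tag))
```

The decoder illustrates CWE-319 directly: because the read data crosses the bus in cleartext, a few chip-select-framed transactions are enough to reassemble the whole image regardless of the order the host reads it in. The interposer illustrates the second half of the threat, modification in transit, and the HMAC check shows the minimum host-side response: integrity must be established on the data as received, keyed by material that never appears on the bus. Note that the check detects tampering but does not stop a tap from reading the image; preventing that requires encrypting the data at rest (CWE-311) or on the wire.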
Threat Maturity and Evidence
Proof of Concept
Toward a hardware man-in-the-middle attack on PCIe bus
“In this paper, we present a new attack vector on PCIe based on a hardware Man-in-the-Middle. This system allows real-time data analysis, data-replay, and a copy technique inspired by the shadow-copy principle. Through this one, it is possible to locate, duplicate, and replay sensitive data.”
Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features
“An attacker with physical access to the device can either attach to the I2C communication bus or extract the physical ATECC chip from the PLC’s PCB to falsely authenticate and use it as an oracle to generate firmware decryption material.”
CWE
CWE-311: Missing Encryption of Sensitive Data
“The product does not encrypt sensitive or critical information before storage or transmission.”
CWE-319: Cleartext Transmission of Sensitive Information
“The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.”