TID-116: Latent Privileged Access Port
Threat Description
If a device has a latent user access port, it may be possible for attackers to leverage physical access to obtain privileges that were not accounted for when considering software or remote access controls.
Threat Maturity and Evidence
Proof of Concept
How to Hack Hardware using UART - Black Hills
Researchers from Black Hills demonstrate how to gain root access to a device through a shell exposed over UART.
IoT Devices - The Not-So-Hidden Risk of UART Interface
Satish S demonstrates how to gain root access to a device over a UART interface.
CWE
CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface
“The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.”
CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
“The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.”
CVE
CVE-2022-29402
“TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication.”