TID-224: Excessive Access via Software Diagnostic Features
Threat Description
If a device exposes debugging capabilities (e.g., diagnostic tools, debug logs, a remote debug daemon, a shell reachable over a serial or network port) that are not authenticated or that can be reached in unintended ways, a threat actor may be able to attach to them. Debuggers typically run with privileged access, so a threat actor who attaches inherits that privilege over the device: reading and modifying memory, altering control flow, and extracting secrets or credentials that the normal application interface would never expose.
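A first practical check for this threat is to see which debug services a device actually listens on and whether they are bound to a non-loopback address. The following script is an added example, not part of the original catalog entry: it parses a constructed snapshot of `ss -ltnp` output from a hypothetical embedded Linux device and flags debug daemons (the process-name and port lists are assumptions to extend per device) that are reachable from the network rather than only from the local host.

```python
"""Audit an embedded-Linux device's listening sockets for exposed debug services.

Added example (not from the catalog). Input is `ss -ltnp` output; the sample
below is constructed and does not come from a real device.
"""
import re
from dataclasses import dataclass

# Process names of common debug/diagnostic daemons (assumption: extend per device).
DEBUG_DAEMONS = {"adbd", "gdbserver", "lldb-server", "telnetd"}
# Well-known debug ports worth flagging even if the process name is unknown.
DEBUG_PORTS = {5555: "adb-over-tcp"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Constructed sample of `ss -ltnp` output for a hypothetical device.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=412,fd=3))
LISTEN  0       4096    0.0.0.0:5555        0.0.0.0:*          users:(("adbd",pid=933,fd=7))
LISTEN  0       10      127.0.0.1:1234      0.0.0.0:*          users:(("gdbserver",pid=1201,fd=4))
LISTEN  0       5       [::]:23             [::]:*             users:(("telnetd",pid=510,fd=3))
LISTEN  0       5       *:2345              *:*                users:(("gdbserver",pid=1300,fd=4))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)"')  # extracts the process name from users:(("name",...))


@dataclass
class Finding:
    process: str
    host: str
    port: int
    exposed: bool  # True when bound to a non-loopback address
    reason: str


def is_loopback(host: str) -> bool:
    """True for 127.x.x.x, ::1 and [::1]; wildcards (0.0.0.0, *, [::]) are not loopback."""
    return host.startswith(LOOPBACK_PREFIXES)


def _split_addr(addr: str) -> tuple[str, int]:
    # rpartition keeps IPv6 literals such as [::] intact and takes the last ':' as the port separator.
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_ss_listeners(text: str) -> list[tuple[str, str, int]]:
    """Return (process, host, port) for every LISTEN row; header and blank lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        host, port = _split_addr(fields[3])
        match = _PROC_RE.search(fields[5])
        listeners.append((match.group(1) if match else "?", host, port))
    return listeners


def audit_debug_listeners(text: str) -> list[Finding]:
    """Flag listeners that are debug daemons or sit on known debug ports, noting network exposure."""
    findings = []
    for proc, host, port in parse_ss_listeners(text):
        if proc in DEBUG_DAEMONS:
            reason = f"debug daemon {proc}"
        elif port in DEBUG_PORTS:
            reason = DEBUG_PORTS[port]
        else:
            continue  # ordinary service, not in scope for this check
        findings.append(Finding(proc, host, port, not is_loopback(host), reason))
    return findings


if __name__ == "__main__":
    for f in audit_debug_listeners(SAMPLE_SS_OUTPUT):
        level = "EXPOSED" if f.exposed else "local-only"
        print(f"{level:10} {f.process:12} {f.host}:{f.port}  ({f.reason})")
```

On the sample, `adbd` on 0.0.0.0:5555, `telnetd` on [::]:23 and the second `gdbserver` on *:2345 are reported as exposed, while the `gdbserver` bound to 127.0.0.1 is reported as local-only. A loopback-only listener is still a concern if any local process can be coerced into connecting to it, so treat the local-only result as lower severity rather than as a pass, and run the check on the device itself (or on a captured `ss` snapshot) as part of a pre-release hardening review.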
Threat Maturity and Evidence
Observed Adversary Behavior
ATT&CK (Mobile) T1623: Command and Scripting Interpreter
“Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic Unix Shell that can be accessed via the Android Debug Bridge (ADB)”
Proof of Concept
ATM logic attacks: scenarios, 2018
“Starting the ATM operating system in a special mode can offer a way to bypass security… After starting the ATM in debug mode and connecting to the COM ports, an attacker can seize full control of the ATM by using the WinDbg utility.”
CWE
CWE-1295: Debug Messages Revealing Unnecessary Information
“The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.”