Inclusion of Undocumented Features or Chicken Bits

Incomplete Base

Structure: Simple

Description

This vulnerability occurs when a hardware device or chip includes undocumented configuration bits (often called 'chicken bits') or hidden features that can disable security controls or enable privileged functions.

Extended Description

Manufacturers sometimes embed undocumented switches, known as 'chicken bits,' to help engineers quickly disable problematic features during debugging and testing. While useful for development, these hidden controls can bypass critical security mechanisms if left accessible in production hardware. Attackers can reverse-engineer these undocumented interfaces to gain unauthorized access or elevate privileges. Since these features are not documented for end users, they often lack proper security safeguards, creating a persistent backdoor that undermines the device's intended security posture.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailabilityAccess Control

Impact: Modify MemoryRead MemoryExecute Unauthorized Code or CommandsGain Privileges or Assume IdentityBypass Protection Mechanism

Potential Mitigations 1

Phase: Architecture and DesignImplementation

The implementation of chicken bits in a released product is highly discouraged. If implemented at all, ensure that they are disabled in production devices. All interfaces to a device should be documented.

Effectiveness: High

Demonstrative Examples 1

Consider a device that comes with various security measures, such as secure boot. The secure-boot process performs firmware-integrity verification at boot time, and this code is stored in a separate SPI-flash device. However, this code contains undocumented "special access features" intended to be used only for performing failure analysis and intended to only be unlocked by the device designer.

Code Example:Bad
Other
other

Remove all chicken bits and hidden features that are exposed to attackers. Add authorization schemes that rely on cryptographic primitives to access any features that the manufacturer does not want to expose. Clearly document all interfaces.

References 5

Doors of Durin: The Veiled Gate to Siemens S7 Silicon

Ali Abbasi, Tobias Scharnowski, and Thorsten Holz

https://i.blackhat.com/eu-19/Wednesday/eu-19-Abbasi-Doors-Of-Durin-The-Veiled-Gate-To-Siemens-S7-Silicon.pdf

ID: REF-1071

Breakthrough Silicon Scanning Discovers Backdoor in Military Chip

Sergei Skorobogatov and Christopher Woods

https://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdf

ID: REF-1072

God Mode Unlocked: Hardware Backdoors in x86 CPUs

Chris Domas

https://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs.pdf

ID: REF-1073

Hardware Backdooring is Practical

Jonathan Brossard

https://media.blackhat.com/bh-us-12/Briefings/Brossard/BH_US_12_Brossard_Backdoor_Hacking_Slides.pdf

ID: REF-1074

Security, Reliability, and Backdoors

Sergei Skorabogatov

https://www.cl.cam.ac.uk/~sps32/SG_talk_SRB.pdf

ID: REF-1075

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

Not Technology-Specific : UndeterminedICS/OT : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Documentation

Related Attack Patterns

Related Weaknesses

ChildOf:

Hidden Functionality (CWE-912)

Taxonomy Mapping

ISA/IEC 62443
ISA/IEC 62443
ISA/IEC 62443