Improper Physical Access Control

Status: Incomplete
Abstraction: Class
Structure: Simple
Description

This vulnerability occurs when a device or system has areas meant to be physically secure, but the safeguards in place are too weak to stop someone with direct physical access from reaching restricted components or data.

Extended Description

Physical security flaws happen when the locks, seals, enclosures, or tamper-proofing on a device are not strong enough for its intended use. A consumer router, a medical implant, and an industrial control panel all need different levels of protection. Choosing the right physical barrier—like a robust casing or tamper-evident seals—is the first critical step in the design process. However, selecting a good mechanism isn't enough; it must be correctly implemented during manufacturing and assembly. A weak point, such as a poorly installed screw or an easily bypassed panel, can render the entire protection scheme useless. Ultimately, physical security fails when the design, implementation, and production do not work together to create a unified defense against hands-on tampering.

Common Consequences
Scope: Confidentiality, Integrity, Access Control

Impact: Varies by Context

Potential Mitigations
Phase: Architecture and Design
Specific protection requirements depend strongly on contextual factors including the level of acceptable risk associated with compromise to the product's protection mechanism. Designers could incorporate anti-tampering measures that protect against or detect when the product has been tampered with.
Phase: Testing
The testing phase of the lifecycle should establish a method for determining whether the protection mechanism is sufficient to prevent unauthorized access.
Phase: Manufacturing
Ensure that all protection mechanisms are fully activated at the time of manufacturing and distribution.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : Undetermined
Modes of Introduction
Architecture and Design
Manufacturing
Notes
Maintenance: This entry is still under development and will continue to see updates and content improvements.