DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface

Deprecated Base
Structure: Simple
Description

This entry has been deprecated. The issue of accessing sensitive data through physical probing of a device's JTAG debugging interface is now comprehensively covered under CWE-319: Cleartext Transmission of Sensitive Information.

Extended Description

This deprecated weakness described a scenario where an attacker with physical access to a device could extract sensitive information, such as cryptographic keys, firmware, or application data, by connecting to its Joint Test Action Group (JTAG) debugging ports. These hardware interfaces, often left enabled in production devices, provide low-level access to the system's memory and processors, bypassing normal software security controls. To address this risk, developers should fold the relevant security considerations into the broader category of CWE-319, which covers the exposure of sensitive data in cleartext. Mitigation strategies include disabling or securely locking down debug interfaces before shipping products, implementing secure boot processes, and encrypting sensitive data at rest so that it is useless even if extracted from memory.