logo

Improper Protections Against Hardware Overheating

Draft Base
Structure: Simple
Description

This vulnerability occurs when a hardware device lacks sufficient safeguards to prevent dangerous temperature increases during operation.

Extended Description

All electronic devices generate heat as a byproduct of their operation. Faster processors and higher power draw create more thermal energy. Without built-in protections like temperature sensors, adequate cooling, or power throttling, this heat can build up uncontrollably. Malicious software can exploit this by forcing the hardware into high-performance states, deliberately triggering overheating to cause a temporary malfunction or permanent physical damage—a technique known as a thermal denial-of-service attack. The consequences extend beyond security, impacting device safety and long-term reliability. While similar issues exist for overvoltage or overcurrent conditions, overheating is uniquely tied to normal hardware activity. It's important to note that while these protections guard against operational heat, they do not address separate failure modes like battery malfunctions, which require their own mitigation strategies.
Common Consequences 1
Scope: Availability

Impact: DoS: Resource Consumption (Other)
Detection Methods 2
Dynamic Analysis with Manual Results InterpretationHigh
Dynamic tests should be performed to stress-test temperature controls.
Architecture or Design ReviewHigh
Power management controls should be part of Architecture and Design reviews.
Potential Mitigations 2
Phase: Architecture and Design
Temperature maximum and minimum limits should be enforced using thermal sensors both in silicon and at the platform level.
Phase: Implementation
The platform should support cooling solutions such as fans that can be modulated based on device-operation needs to maintain a stable temperature.
Demonstrative Examples 1
Malicious software running on a core can execute instructions that consume maximum power or increase core frequency. Such a power-virus program could execute on the platform for an extended time to overheat the device, resulting in permanent damage.
Execution core and platform do not support thermal sensors, performance throttling, or platform-cooling countermeasures to ensure that any software executing on the system cannot cause overheating past the maximum allowable temperature.
The platform and SoC should have failsafe thermal limits that are enforced by thermal sensors that trigger critical temperature alerts when high temperature is detected. Upon detection of high temperatures, the platform should trigger cooling or shutdown automatically.
References 1
Loapi--This Trojan is hot!
Leonid Grustniy
12-2017
https://www.kaspersky.com/blog/loapi-trojan/20510/
ID: REF-1156
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : UndeterminedICS/OT : UndeterminedPower Management Hardware : UndeterminedProcessor Hardware : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Protection Mechanism Failure (CWE-693)