CAPEC-682

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities

Description

An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.

Prerequisites

Awareness of the hardware being leveraged.

Access to the hardware being leveraged, either physically or remotely.

Mitigations

Design systems and products with the ability to patch firmware or ROM code after deployment to fix vulnerabilities.

Make use of OTA (Over-the-air) updates so that firmware can be patched remotely either through manual or automatic means

Skills Required

[Medium] Knowledge of various wireless protocols to enable remote access to vulnerable devices

[High] Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely