CWE-1263: Improper Physical Access Control
The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.
View on MITREExtended Description
Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how robust the design of the physical protection mechanism needs to be depends on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Specific protection requirements depend strongly on contextual factors including the level of acceptable risk associated with compromise to the product's protection mechanism. Designers could incorporate anti-tampering measures that protect against or detect when the product has been tampered with.
Phase
Description
The testing phase of the lifecycle should establish a method for determining whether the protection mechanism is sufficient to prevent unauthorized access.
Phase
Description
Ensure that all protection mechanisms are fully activated at the time of manufacturing and distribution.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
No examples or observed CVEs available for this CWE.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-1263: Improper Physical Access Control?+
CWE-1263: Improper Physical Access Control is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas. Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how robust the design of the physical protection mechanism needs to be depends on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product.
What are the security consequences of Improper Physical Access Control?+
If exploited, CWE-1263 (Improper Physical Access Control) it can compromise Confidentiality, Integrity and Access Control, leading to outcomes such as Varies by Context.
How do you prevent or mitigate Improper Physical Access Control?+
Recommended mitigations for CWE-1263 include: Specific protection requirements depend strongly on contextual factors including the level of acceptable risk associated with compromise to the product's protection mechanism. Designers could incorporate anti-tampering measures that protect against or detect when the product has been tampered with. The testing phase of the lifecycle should establish a method for determining whether the protection mechanism is sufficient to prevent unauthorized access. Ensure that all protection mechanisms are fully activated at the time of manufacturing and distribution.
Which programming languages are affected by Improper Physical Access Control?+
CWE-1263 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-1263 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.