CWE-1300: Improper Protection of Physical Side Channels

BaseStable

The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.

View on MITRE
Back to CWE Lookup

Extended Description

An adversary could monitor and measure physical phenomena to detect patterns and make inferences, even if it is not possible to extract the information in the digital domain. Physical side channels have been well-studied for decades in the context of breaking implementations of cryptographic algorithms or other attacks against security features. These side channels may be easily observed by an adversary with physical access to the device, or using a tool that is in close proximity. If the adversary can monitor hardware operation and correlate its data processing with power, EME, and acoustic measurements, the adversary might be able to recover of secret keys and data.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1300: Improper Protection of Physical Side Channels?+

CWE-1300: Improper Protection of Physical Side Channels is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions. An adversary could monitor and measure physical phenomena to detect patterns and make inferences, even if it is not possible to extract the information in the digital domain. Physical side channels have been well-studied for decades in the context of breaking implementations of cryptographic algorithms or other attacks against security features. These side channels may be easily observed by an adversary with physical access to the device, or using a tool that is in close proximity. If the adversary can monitor hardware operation and correlate its data processing with power, EME, and acoustic measurements, the adversary might be able to recover of secret keys and data.

What are the security consequences of Improper Protection of Physical Side Channels?+

If exploited, CWE-1300 (Improper Protection of Physical Side Channels) it can compromise Confidentiality, leading to outcomes such as Read Memory and Read Application Data.

How do you prevent or mitigate Improper Protection of Physical Side Channels?+

Recommended mitigations for CWE-1300 include: Apply blinding or masking techniques to implementations of cryptographic algorithms. Add shielding or tamper-resistant protections to the device to increase the difficulty of obtaining measurements of the side-channel.

How is Improper Protection of Physical Side Channels detected?+

CWE-1300 can be detected using Manual Analysis. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Improper Protection of Physical Side Channels?+

CWE-1300 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Protection of Physical Side Channels?+

MITRE documents real CVEs mapped to CWE-1300, including CVE-2022-35888, CVE-2021-3011, CVE-2019-14353, CVE-2020-27211 and CVE-2013-4576. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1300 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More