search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Physical access to a computer system can be used to bypass software-based access control mechanisms

Vulnerability Note VU#789985

Original Release Date: 2003-03-06 | Last Revised: 2017-07-10


An intruder who gains physical access to a computer system can bypass software-based control mechanisms.


If an intruder can gain physical access to a computer resource, he can bypass software-based access control mechanisms, install Trojans horses, install hardware to facilitate subsequent access, copy data to another device, boot the computer into another operating system, modify data stored on the device, or destroy, steal, or disable physical components, including security-related components. This has been well documented. See

Data may be protected by encrypting it using strong cryptography. However, an intruder is still able to copy or modify the encrypted data. If the data is copied, an intruder may have the resources available to conduct off-line cryptographic attacks against the data. If the data is modified, it may be rendered useless. Alternately, the intruder may be able to insert a Trojan horse that will lead to subsequent compromise.

You should not assume that access control lists or other software-based security mechanisms provided by an operating system will prevent an intruder from gaining access to data if the intruder can boot the computer into an alternate operating system.


An intruder who gains physical access to a computer system can alter or control any aspect of the hardware and software. Encrypted data may provide protection against data theft.


Restrict physical access to computer systems to only those personnel who must have access. Consider using an encrypting file system or database to encrypt data stored on mobile devices such as laptops or PDAs. Restrict access to network closets or data centers.

Vendor Information

CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



This document was written by Shawn V Hernan.

Other Information

CVE IDs: None
Severity Metric: 9.00
Date Public: 1970-01-01
Date First Published: 2003-03-06
Date Last Updated: 2017-07-10 13:20 UTC
Document Revision: 10

Sponsored by CISA.