search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Physical access to a computer system can be used to bypass software-based access control mechanisms

Vulnerability Note VU#789985

Original Release Date: 2003-03-06 | Last Revised: 2017-07-10

Overview

An intruder who gains physical access to a computer system can bypass software-based control mechanisms.

Description

If an intruder can gain physical access to a computer resource, he can bypass software-based access control mechanisms, install Trojans horses, install hardware to facilitate subsequent access, copy data to another device, boot the computer into another operating system, modify data stored on the device, or destroy, steal, or disable physical components, including security-related components. This has been well documented. See

http://security.uchicago.edu/docs/physicalsec.shtml
http://www.unixtools.com/security.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/5min/5min-203.asp
http://www.utoronto.ca/security/policies.html
http://www.cio.gov.bc.ca/itsp/sec72.htm

Data may be protected by encrypting it using strong cryptography. However, an intruder is still able to copy or modify the encrypted data. If the data is copied, an intruder may have the resources available to conduct off-line cryptographic attacks against the data. If the data is modified, it may be rendered useless. Alternately, the intruder may be able to insert a Trojan horse that will lead to subsequent compromise.

You should not assume that access control lists or other software-based security mechanisms provided by an operating system will prevent an intruder from gaining access to data if the intruder can boot the computer into an alternate operating system.

Impact

An intruder who gains physical access to a computer system can alter or control any aspect of the hardware and software. Encrypted data may provide protection against data theft.

Solution

Restrict physical access to computer systems to only those personnel who must have access. Consider using an encrypting file system or database to encrypt data stored on mobile devices such as laptops or PDAs. Restrict access to network closets or data centers.

Vendor Information

No information available at this time.


CVSS Metrics

Group Score Vector
Base 0.0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0.0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

This document was written by Shawn V Hernan.

Other Information

CVE IDs: None
Severity Metric: 9.00
Date Public: 1970-01-01
Date First Published: 2003-03-06
Date Last Updated: 2017-07-10 13:20 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.