About
The goal of this site is to be a centralized location for hardware-specific vulnerability information. This knowledge base can be used for research and learning purposes in hardware security.
This web site is about hardware security deep down in the hardware: the physical building blocks inside chips, the intellectual property (IP) blocks, sometimes called IP cores. For example, I'm talking about vulnerabilities like Spectre and Meltdown. Vulnerabilities like these require changes to the chip design and implementation to be fixed at the root.
Excluded are, for example, vulnerabilities in software, firmware, bootloaders, BIOS flash, and similar.
Why Not MITRE/NVD Database?
As with software vulnerabilities in general, hardware security vulnerability information comes from multiple sources. Several entities have tried to aggregate this information, presenting it in different formats and sometimes adding extra details.
Many of these rely on the well-known National Vulnerability Database (NVD), or on the MITRE CVE database, which contains all reported CVEs.
While many vulnerabilities are tracked in these databases as CVEs, some aren't, because the vendors did not assign them a CVE. These are, for example, tracked only in the vendor's security bulletins. Not all vulnerabilities meet the criteria for CVE assignment; some might be deemed too low-risk or too specific to be included. According to the Kenna Security Report in 2021, 22% of the vulnerabilities in their dataset were not assigned CVE IDs. A similar number is documented in the Risk Based Security Report (2020): 28% of the vulnerabilities disclosed in 2020 did not have a CVE ID.
Many of the security issues found in hardware originated from academic research and were published as papers and conference presentations. Security research by individuals and companies, while less prevalent (at least publicly), also happens and is growing (2024). One of the reasons is that alternative hardware suitable for security testing has become more accessible to the general public.
To sum up, MITRE and NVD are a very good starting point for a list of hardware security issues, but they will not be complete. We also need to look at other sources.
Refer to the post How The CVE Classification Works to learn more about how this site gathers information.
Additional Information
I'd like this site to contain references to open projects related to hardware design, testing, and security. Thus you may find posts and static pages with additional information, which can be helpful for those looking to learn more about how hardware chips are created and about the secure design of chips.
License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
You are free to:
- Share — copy and redistribute the material in any medium or format
- Adapt — remix, transform, and build upon the material
Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- NonCommercial — You may not use the material for commercial purposes.
When using this content, please attribute it to: hwsec.io with a link to https://hwsec.io.
Feedback
If you have any information you think would be helpful to include on this site, please share it with me using the form below.