The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.

A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present.

If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface.

Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker.

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Impact	Details
Read Application Data	Scope: Confidentiality Likelihood: High
Read Memory	Scope: Confidentiality Likelihood: High
Execute Unauthorized Code or Commands	Scope: Authorization Likelihood: High
Modify Memory	Scope: Integrity Likelihood: High
Modify Application Data	Scope: Integrity Likelihood: High
Bypass Protection Mechanism	Scope: Access Control Likelihood: High

Phase(s)	Mitigation
Architecture and Design	Strategy: Separation of Privilege If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode. Effectiveness: High

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase	Note
Architecture and Design
Implementation

This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages	Class: Not Language-Specific (Undetermined Prevalence)
Operating Systems	Class: Not OS-Specific (Undetermined Prevalence)
Architectures	Class: Not Architecture-Specific (Undetermined Prevalence)
Technologies	Class: Not Technology-Specific (Undetermined Prevalence)

Example 1

A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.

JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product.

Example 2

The following example code is a snippet from the JTAG wrapper module in the RISC-V debug module of the HACK@DAC'21 Openpiton SoC [REF-1355]. To make sure that the JTAG is accessed securely, the developers have included a primary authentication mechanism based on a password.

The developers employed a Finite State Machine (FSM) to implement this authentication. When a user intends to read from or write to the JTAG module, they must input a password.

In the subsequent state of the FSM module, the entered password undergoes Hash-based Message Authentication Code (HMAC) calculation using an internal HMAC submodule. Once the HMAC for the entered password is computed by the HMAC submodule, the FSM transitions to the next state, where it compares the computed HMAC with the expected HMAC for the password.

If the computed HMAC matches the expected HMAC, the FSM grants the user permission to perform read or write operations on the JTAG module. [REF-1352]

However, in the given vulnerable part of the code, the JTAG module has not defined a limitation for several continuous wrong password attempts. This omission poses a significant security risk, allowing attackers to carry out brute-force attacks without restrictions.

Without a limitation on wrong password attempts, an attacker can repeatedly guess different passwords until they gain unauthorized access to the JTAG module. This leads to various malicious activities, such as unauthorized read from or write to debug module interface.

To mitigate the mentioned vulnerability, developers need to implement a restriction on the number of consecutive incorrect password attempts allowed by the JTAG module, which can achieve by incorporating a mechanism that temporarily locks the module after a certain number of failed attempts.[REF-1353][REF-1354]

Example 3

The example code below is taken from the JTAG access control mechanism of the HACK@DAC'21 buggy OpenPiton SoC [REF-1364]. Access to JTAG allows users to access sensitive information in the system. Hence, access to JTAG is controlled using cryptographic authentication of the users. In this example (see the vulnerable code source), the password checker uses HMAC-SHA256 for authentication. It takes a 512-bit secret message from the user, hashes it using HMAC, and compares its output with the expected output to determine the authenticity of the user.

The vulnerable code shows an incorrect implementation of the HMAC authentication where it only uses the least significant 32 bits of the secret message for the authentication (the remaining 480 bits are hard coded as zeros). As a result, the system is susceptible to brute-force attacks on the access control mechanism of JTAG, where the attacker only needs to determine 32 bits of the secret message instead of 512 bits.

To mitigate this issue, remove the zero padding and use all 512 bits of the secret message for HMAC authentication [REF-1365].

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Method	Details
Dynamic Analysis with Manual Results Interpretation	Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. Withholding of private register documentation from the debug and test interface public specification ("Security by obscurity") should not be considered as sufficient security.
Dynamic Analysis with Manual Results Interpretation	Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.
Fuzzing	Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible. Effectiveness: Moderate

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Usage	ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Reason	Acceptable-Use
Rationale	This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments	Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Relationship

CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.

Submissions
Submission Date	Submitter	Organization
2019-10-15 (CWE 4.0, 2020-02-24)	Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi	Intel Corporation
Contributions
Contribution Date	Contributor	Organization
2021-10-18	Parbati K. Manna	Intel Corporation
	provided detection methods
2021-10-20	Narasimha Kumar V Mangipudi	Lattice Semiconductor
	reviewed content changes
2021-10-22	Hareesh Khattri	Intel Corporation
	clarified differences between CWE-1191 and CWE-1244
2021-10-27	Arun Kanuparthi	Intel Corporation
	suggested additional detail in extended description
2023-06-21	Shaza Zeitouni, Mohamadreza Rostami, Pouya Mahmoody, Ahmad-Reza Sadeghi	Technical University of Darmstadt
	suggested demonstrative example
2023-06-21	Rahul Kande, Chen Chen, Jeyavijayan Rajendran	Texas A&M University
	suggested demonstrative example
Modifications
Modification Date	Modifier	Organization
2025-09-09 (CWE 4.18, 2025-09-09)	CWE Content Team	MITRE
	updated References, Relationships
2023-10-26	CWE Content Team	MITRE
	updated Demonstrative_Examples, References
2023-06-29	CWE Content Team	MITRE
	updated Mapping_Notes
2023-04-27	CWE Content Team	MITRE
	updated References, Relationships
2022-10-13	CWE Content Team	MITRE
	updated Description, Related_Attack_Patterns
2022-04-28	CWE Content Team	MITRE
	updated Related_Attack_Patterns
2021-10-28	CWE Content Team	MITRE
	updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities
2021-03-15	CWE Content Team	MITRE
	updated Maintenance_Notes
2020-08-20	CWE Content Team	MITRE
	updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
2020-06-25	CWE Content Team	MITRE
	updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, References, Relationships
Previous Entry Names
Change Date	Previous Entry Name
2020-02-26	Exposed Chip Debug Interface With Insufficient Access Control
2020-08-20	Exposed Chip Debug and or Test Interface With Insufficient Access Control
2021-10-28	Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization