A threat actor could intercept data across a data bus used to connect a process to either volatile memory or non-volatile storage (e.g. ROM, NVRAM, disk). Depending on the scope of the interception, it may be possible to read and/or perform an adversary-in-the-middle (AITM) attack to write information going over the bus, especially if it lacks adequate encryption and authentication. For example, if a device has discrete RAM external from the processor, it may be possible to tap the address and data lines to observe and capture memory contents as they are loaded and stored for processing. Similar attacks can also be performed in software. Captured data may leak sensitive information (e.g., keys, cleartext firmware code) that can aid in reverse engineering or executing other stages of an attack. Interception and modification may enable an adversary to alter a device’s behavior, achieve persistence, evade detection, or other objectives. NOTE: This is different from TID-114 in that this threat refers to data moving between the processor and storage devices, whereas TID-114 refers to the data moving between the main board or processing chip to a peripheral device.

• CWE-311: Missing Encryption of Sensitive Data (Class)
• CWE-319: Cleartext Transmission of Sensitive Information (Base)