Hardware Security’s Stubborn Flaws: Why the Same Weaknesses Keep Haunting Chips

When MITRE's Most Important Hardware Weaknesses (MIHW) list dropped this month, security researchers could be forgiven for a sense of déjà vu. Despite four years of industry advances, five of the weaknesses flagged in 2021 remain just as relevant in 2025. Improper isolation on system-on-chip designs, insecure debug interfaces, weak side-channel protections, and memory overlap errors continue to plague silicon.

The persistence is a reminder that hardware security evolves slowly compared to software, and when flaws are etched into silicon, they propagate upward through firmware, operating systems, and applications.

“Many of these fall under the purview of silicon vendors,” said Dr. Liz James, managing security consultant at NCC Group. “Mitigations do exist – for example, more complex instruction sets such as CHERI are beginning to address some of the challenges around memory protection and access control, but adoption is slow.”

Slow Incentives, Fast Adversaries

The 2025 report, produced by MITRE and CISA in partnership with hardware experts, shows that vulnerabilities don’t just linger due to technical difficulty. Market dynamics play a central role. Vendors face pressure to ship faster, keep costs down, and maintain legacy compatibility – all of which tend to overshadow the push for secure architectures.

“The real issue is lag time and economic incentive,” James explained. “Many customers inherit the risks of their chosen components rather than being able to dictate requirements upstream. The cycle of identifying new platform capabilities, rolling them out, and achieving wide adoption is long.”

In other words, hardware buyers don’t always get to choose the level of security they want. Instead, they accept the risks baked into the silicon they source.

Old Problems, New Wrappers

The MIHW list highlights not only enduring weaknesses but also new entries like transient execution flaws (CWE-1421, CWE-1423) that expose sensitive information in microarchitectural structures. These are evolutions of the same class of problems that gave rise to Spectre and Meltdown attacks years ago.

“Architectural complexity keeps growing, yet the industry is still wrestling with fundamental problems around isolation, access control, and side-channel protection,” James noted. “Nothing here really surprises me. What does stand out is the continued framing of these weaknesses as ‘improper.’ That reflects a misalignment between real-world threats, customer threat models, and hardware capabilities.”

Transparency and the Call for Early Engagement

Hardware vendors are often reluctant to expose design details or open their chips to external review. That leaves engineers at higher layers of the stack dealing with inherited risks they can never fully eliminate.

“Hardware weaknesses propagate upward: once embedded in silicon, they constrain software, firmware, and system-level mitigations,” James said. She pointed to the Raspberry Pi Foundation’s RP2350 initiative, which openly engaged the security community on early design choices, as a rare example of how transparency can shift the balance.

For most of the industry, though, engagement still comes too late – after chips are mass-produced and embedded in products that may remain in use for a decade.

The Next Four Years

The MIHW team warns that progress depends on vendors, customers, and regulators aligning incentives for secure design. Without that, the list in 2029 may look alarmingly familiar.

“These are not exotic weaknesses – they are design and assurance fundamentals,” James said. “Their persistence shows that industry incentives, such as cost, time-to-market and legacy compatibility still outweigh the drive to re-architect around security.”

Until that equation changes, hardware will remain a systemic weak point – and the same CWEs may continue to haunt the industry for years to come.