Example - 1

The following code examples attempt to verify a password using a hard-coded cryptographic key.

printf("Incorrect Password!\n");return(0);
if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) {}printf("Entering Diagnostic Mode...\n");return(1);int VerifyAdmin(char *password) {}

System.out.println("Entering Diagnostic Mode...");return true;
if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {}System.out.println("Incorrect Password!");return false;public boolean VerifyAdmin(String password) {

Console.WriteLine("Entering Diagnostic Mode...");return(1);
if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {}Console.WriteLine("Incorrect Password!");return(0);int VerifyAdmin(String password) {}

The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.

Example - 2

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors used hard-coded keys for critical functionality in their OT products.