Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1600.002: Disable Crypto Hardware

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.

Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of Modify System Image, forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., Reduce Key Space). [1]

EnterpriseT1600.002Sub-techniqueObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Disable Crypto Hardware matters because it targets the trust boundary of network devices that protect traffic in transit. If a compromised router, switch, or firewall is forced away from dedicated encryption hardware and into weaker or more tamper-prone software encryption, protected communications may become easier to collect, manipulate, or exfiltrate. For leaders, this is less about endpoint malware and more about whether critical network infrastructure can still be trusted to enforce confidentiality and integrity.

Executive priority

Treat this as a resilience and assurance issue for network infrastructure. Priority questions are: which business-critical paths depend on network-device encryption, which devices are legacy or hard to validate, and whether security teams can prove encryption hardware and system images remain in an expected state. This technique also supports audit and incident decision-making: during a network-device compromise, teams should not assume encrypted transit is still providing its intended protection without device-level validation.

Technical view

This ATT&CK sub-technique applies to Network Devices under the defense-impairment tactic and is a sub-technique of Weaken Encryption. MITRE does not provide native detection text, but the relationship to DET0494 indicates a detection strategy exists for this behavior. SOC, network, and IR teams should validate monitoring around device configuration state, hardware crypto status, system image integrity, and administrative changes. Because the description notes possible use of Modify System Image and conjunction with Reduce Key Space, investigations should look for correlated evidence of firmware/image modification and weakened software cipher behavior rather than treating a single configuration observation as conclusive.

Likely telemetry

  • Network device configuration change logs and configuration backups
  • Administrative authentication, authorization, and command accounting records for routers, switches, and firewalls
  • Hardware crypto module status, capability, or health outputs where available
  • Firmware or system image inventory, version, hash, and integrity validation evidence
  • Encryption tunnel or session parameters, including negotiated cipher or key-strength indicators where logged

Detection direction

  • Confirm whether DET0494 or an equivalent local detection strategy is implemented for network-device encryption weakening, specifically Disable Crypto Hardware.
  • Baseline expected hardware crypto status and supported encryption behavior for critical network devices, then alert on unauthorized deviations.
  • Correlate suspected crypto hardware disablement with administrative access, configuration changes, firmware/system image changes, and cipher/key-strength changes.
  • Tune detections to account for legitimate maintenance, hardware failures, software upgrades, and platform-specific crypto fallback behavior to reduce false positives.
  • Prioritize visibility for legacy or business-critical devices, since the cited external reference concerns attacks targeting legacy devices and the technique depends on network-device control.

Mitigation priorities

  • Maintain authoritative inventories of network devices, their expected firmware/system images, and expected encryption hardware capabilities.
  • Restrict and monitor administrative access to routers, switches, and firewalls, including command-level accountability where supported.
  • Validate system image integrity and investigate unauthorized image or firmware changes, especially on devices carrying sensitive or critical traffic.
  • Require periodic assurance checks that encryption is using intended hardware-backed capabilities and approved cipher strength where the platform supports such validation.
  • During incident response, treat affected network paths as potentially untrusted until device integrity and encryption behavior are independently verified.
Analyst notes and limits

The object is narrowly scoped to disabling dedicated encryption hardware on network devices. Its value for defenders is in forcing validation of infrastructure trust: encryption strength, device image integrity, and administrative control should be assessed together. Relationship context to Weaken Encryption and DET0494 supports looking beyond generic network monitoring toward device-state and crypto-behavior assurance.

MITRE provides no official detection text for this sub-technique in the supplied fields. The available evidence is limited to the ATT&CK description, one Cisco external reference, and relationships to DET0494 and T1600. Local platform capabilities determine whether hardware crypto state, cipher negotiation, or image integrity can be reliably logged and monitored.

Official MITRE ATT&CK definition

Disable Crypto Hardware

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.

Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of Modify System Image, forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., Reduce Key Space). [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1600 Weaken Encryption This object subtechnique of Weaken Encryption.
Relationship explorer

All related ATT&CK context

subtechnique of · Technique T1600: Weaken Encryption Enterprise detects · Detection Strategy DET0494: Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
a1f48923f7d5c09d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle a1f48923f7d5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Cisco Blog Legacy Device Attacks

    Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.

    Open source URL
  2. [2]
    mitre-attack T1600.002
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use