Return to Level1Techs.com

Hacker Finds Hidden 'God Mode' on Old x86 CPUs

linux
news
hacking

#1

edit/commentary:
Anyone else not surprised by this? I really hope that if backdoors like this are being added to recent silicon, that there is at least some form of cryptographic handshake, not just a few bits that need to be toggled. Feels grossly irresponsible to me, but after elliptic curve, can we expect anything less negligent.

#securitythruobscurity


#2

@razorskinned Please provide commentary to the article as just simply posting a news article is considered low-effort.


#3

I think my old PFsense box has one of those VIA CPU’s
YAYYYYYYYY


#4

Done.


#5

Wow! The part that stands out to me isn’t the vulnerability itself, its how it was discovered. Dude combed through patents to even just find a system that might be exploitable! That is some next level thinking right there. I am impressed.


#6

@razorskinned Here’s the video where he debutedmore x86 hacks are at BlackHat USA.

It’s fucking terrifying.


#7

No this is not that ^^ bug. I would have thought you’d have read the article :wink:

This recent bug was only revealed at this years blackhat. And is currently only specific to VIA C3 Nehemiah coprocessor chips.


#8

Lol whoops. I did read the article, but I was thinking of the wrong architecture.


#9

Check out the discussion on Hacker News though:

Christopher Domas: Hardware Backdoors in X86 CPUs
https://news.ycombinator.com/item?id=17727140

userbinator 5 hours ago

This. When I read the article I instantly recognised this from some datasheet-browsing I did many years ago. It’s not a “coprocessor”, it’s not a backdoor, it’s just access to the internal core. It’s even documented in the datasheet itself:

http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia

(Page 82, “Alternate Instruction Execution”)

Edit: Now it’s all coming back to me. I was exploring the 0F opcode space and came upon 0F 3F, which happens to be the “enter alternate execution mode” instruction when it’s enabled. There are a lot of other interesting results if you Google “0F 3F”, although I remember them being a lot more relevant when I originally discovered this…

https://spth.virii.lu/29a7/Articles/29A-7.029.txt

It’s not just the C3 that has this feature, if you Google “ALTINST” you’ll find more info.

Turns out a bunch of people already knew :laughing:
And Christopher spent a whole lot of time and effort finding a well documented debug backdoor :rofl:

Ouch…


#10

@Dynamic_Gravity I feel compelled to now rename this from Backdoor to “lack of a door”.


#11

Free swinging hippy beads door


#12

Yeah doors have locks.

I always find it ridiculous that so often no one thinks to add some form of authentication to hardware debug features. I know it’s more complexity and debug features are from troubleshooting hardware during design… But still.


#13

This might just be a case of poor quality code and lack of security practices. Operative word there is “might”.

There’s a very real possibility this was added in intentionally, at the request of a nation-state. They tend to like obfuscating things.


#14

You’re assuming it was intended as a hardware debug feature and not a government agency feature.


#15

I love this in the comments section
“There’s back doors in just about all software/firmware, there has to be. It’s how engineers bypass all the bs and restrictions to fix/tweak/update stuff while still in alpha/beta testing. What sucks is when that backdoor becomes part of the software/firmware and requires a major overhaul to remove it. So it gets left there and buried until some enterprising jerk with too much time on his hands decides to go find it. Then it becomes a matter of damage control.”

Kinda like when you lose your keys and the locksmith takes of the left rear turn signal light cover, looks inside at a hidden number, and gets a key from the van and charges you 200 bucks.
PS. I drive a truck for a living, my entire life is low effort :slight_smile:


#16

#17

and that in a nutshell is the number one weakness of microsoft