x86 God Mode Bit – or – Hardware Backdoor

A fascinating video from the Black Hat 2018 conference. About 50 minutes. In that time, the presenter demonstrates a hardware backdoor into an x86 processor box, then proceeds to show how he found it. His skilz are way better than mine, but I could follow what he did. One key bit is that he would size a task (like searching the instruction set space), see that it would take a few lifetimes by hand, and then figure a way around that. Throw automation and hardware at it, or a better method, or some quality think time.

The “bottom line” is that he found a God Mode Bit which, if set, grants him root (or superuser or admin) privileges on the computer.

How he did it is as interesting as that he did it. It is a great demonstration of system cracking in its own right. It also demonstrates why “security by obscurity” isn’t very good. What he found was VERY obscure and would take a few lifetimes (or eternities) to find by hand. You can now download his tools from the internet for DIY…

He does provide some mitigations that vendors could do to lock down this gaping hole. I doubt they have done it. You can bet that the NSA and the Russians and the Chinese are very busy applying this to every available computer type to assess where it is best used.

While I only had a vague feeling this could be the case and a vague paranoia that it might be TLA Approved, it is still a bit gratifying to have that intuitive sense confirmed. Even if it is really really annoying…

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

15 Responses to x86 God Mode Bit – or – Hardware Backdoor

  1. R. de Haan says:

    Great presentation. Thanks.

  2. ossqss says:

    So this is different than Spectre or Meltdown?

    https://www.us-cert.gov/ncas/alerts/TA18-004A

  3. E.M.Smith says:

    @OssQss:

    Very Very different. Spectre & Meltdown are based on whacking certain things the CPU does enough times to find an error in how memory is handled and then exploiting that. First off, very hard. Second, your machine gets pounded on for a while so you can spot it happening. Third, it is NOT “by design”.

    This is a By DESIGN, built in by the manufacturer of the CPU God Mode instruction that you can execute directly and get ALL privileges. A by design hardware backdoor that bypasses the entire security paradigm.

    No big banging on the hardware needed. No easy to spot high thrash as the machine is being pounded. Not an accident or unexpected side effect. By Design.

    What prevents exploiting it is obscurity, and he’s just removed the obscurity.

    So imagine your computer is just loaded with anti-virus and kerberos authentication and you have 20000 character long uncrackable passwords and and and… This bypasses all of that and just takes full control… By Design. It is exactly what a TLA (Three Letter Agency) would want built in by a manufacturer for “Official Spying” BTW… But I’m sure that is just a coincidence /sarc;

    SPOILER ALERT:

    So all through the video he mentions he needed to be root (super user) once to exploit this, so you would need some other crack to get your first foothold – maybe. Then, at the end, he shows one manufacturer ships with this already activated… Then “suggests” mitigations. I doubt anyone outside TLAs and Military have taken the steps to do those mitigations. This was just last August and it involves changes at a very low level in all your hardware from every x86 vendor…

  4. R. de Haan says:

    I really loved his presentation and his elegant and “forensic approach” to crack open the “obscured backdoor” of the x86 processor. Simply brilliant.

  5. R. de Haan says:

    Although I am worried about personal privacy aspects related to uninvited access to your computer, my personal worry goes out to the theft of intellectual property rights as a pillar of any market. The same goes for our justice system, freedom of the press, our financial systems and any remote controlled operation, from a simple bridge to a nuclear plant. Leaky computers pose a real threat to our civilization and our prosperity and that should be understood by any DMU representing a company, big or small, any lawyer, any banker, any journalist, any operator and any Government for that matter. Unfortunately at some point Governments lost all trust in their citizens, vice versa, and everything went down hill from that moment on. All we can do now is take our own data security into our own hands and do what we can. I know our possibilities are limited but we can’t ignore the facts. I have stopped sending business proposals by e-mail 15 years ago and if we need to discuss our business, we meet and leave our cell phones outside the room. No computer that has business information on it is connected to the grid and no memory stick that is used in one of those computers is used in a grid connected system. Difficult to do more than that for the moment but until we really secure hardware it’s the only way to go. The back side of this all is that I have lost the fun in using computers and smartphones. I’ve made the conversion from an early adopter of new tech in the 80’s and 90’s to a skeptic who restricts or if possible prevents the use of grid connected devices which is a shame really and very inconvenient at times. But freedom comes at a price and if the latest smartphone comes between me and my freedom, it has to go. Privacy = Freedom

  6. Larry Ledwick says:

    Very interesting and essentially a tutorial on how the TLA’s with all the horsepower and intellectual power they have available, can brute force attack systems and find even undocumented methods of attacking them.

    It also implies that they can find back doors that even the vendors do not realize exist. The complexity of systems practically guarantees that such backdoors exist in much of our hardware.

    Right now your major barrier to attack is that:
    a) you are probably a small fish and not worth the effort
    b) you have not done something that someone capable of such tactics thinks you are interesting
    c) even if you are interesting you are probably in a long queue of other interesting subjects and it will be a while before they push you to the top of the list.

    Primary lesson is reduce the attack surface as much as possible (i.e. keep good security habits, do not use high risk access points, do not leave systems on and idle when you are not using them, etc.) and hope you are lucky.

  7. E.M.Smith says:

    @Larry L:

    Also partition your functions on different equipment (and personas), rotate your shields regularly, “dirty the data stream”, and use “unusual” platforms that are not on the standard crack tools lists.

    That translates to things like:

    Personas: I use about 7 or 8 computers at any one time, some with multiple accounts / identities. One is basically only “media server” and sporadic web music (and very rarely reading this blog). Another is the “on the road tablet” (that just recently replaced the “on the road Mac”). It is used “out and about” and not much else. A couple are “Desktop SBCs”. Blog stuff, browsing. One is used for the occasional financial stuff. Another plays Youtubes.

    Rotate: Mac to Android “on the road” (to become Linux in a few months most likely). I’ve done a complete OS install on an SBC 4 or 5 times this year alone. At least 3 different flavors (one soon to become a BSD). Installed from scratch, not an upgrade…

    I have at least 3 common addresses, 2 phone numbers (on different coasts…), and I’m happy to fill in various mandatory screens with bogus information. I have about 3 email addresses in common use and a couple more I never open… Good luck finding “me” in that.

    I use Linux, BSD, two Android, and had been using one Mac. Not a Microsoft anything in the mix. None of them with an Intel CPU. The Android is only used “on the road” and on a “burner phone” that is not used for anything important. The tablet has a gmail email address that I never use… but it makes Google happy…

    Oh, and my data is spread over something like a dozen hard disks that are about 90% of the time OFF. I have an OS disk (with a blog maintenance home directory) that is “on” on my typical 2 desktop systems, but if it died tomorrow I’d not really care and anyone cracks into it will find saved copies of images, graphs, and stuff posted here to the public…

    One other point:

    If doing anything where privacy really matters, I do it on a system NOT connected to the internet. IFF internet is needed, I can set one up connected through an interior firewall to the house net that connects through the telco firewall. All the time with a process monitor window open showing me all activity on the box. Then, as I’m using just about the minimal hardware to get the job done, IF someone DID start some process to scan the box, the sloth of it would alert me (or at least get me to reboot the box to “fix it” ;-)

    All that in addition to the regular “good computer hygiene” and generally SysAdmin Paranoid approach…

    Oh, and I don’t “DO” “social media”…

  8. R. de Haan says:

    @Larry Ledwick said: you are probably a small fish and not worth the effort…

    That’s what the Jews in the Netherlands believed when the Germans took over the population registers. Today over 40% of the Dutch have or had to cope with identity theft and thousands of businesses, big and small had their computer hijacked only to be released after some stiff pay. A friend of mine thought he couldn’t lose his work stored on his computer because he had a nice cloud back-up from Microsoft (Office 360). Well, he couldn’t access his cloud storage either.
    And this is only the beginning. Now the first wave of frauds with contact payment (paying with your smartphone) has hit. Of course they target the masses and they do it for the same reason the Government targets the masses. That’s where their tax revenues come from.
    The bigger problem is going to be the availability of food as we see a decline in agricultural output all over the world. Solar Minimum perfectly fits their insane agenda, see iceagefarmer adapt 2030 on youtube.

  9. Bill in Oz says:

    E M, any particular reason for not doing social media? One can set them up with ‘secondary’ emails etc. Just curious.

  10. Larry Ledwick says:

    “Today over 40% of the Dutch have or had to cope with identity theft and thousands of businesses, big and small had their computer hijacked only to be released after some stiff pay.”

    Not what I am talking about, criminal exploitation is a numbers game and they target any computer that their scans show is vulnerable to their particular exploit.

    What I was talking about is the big TLA level hacks where they drill deep into your systems. They simply do not have the resources to poke into everyone’s computer at that level. You have to be somehow flagged as a prime candidate for their interest. Like James Rosen and Sharyl Attkisson or someone involved in one of the political scandals or government programs.

    That said, now that the god bit has been exposed, and some means to use it made public, it will soon get dialed into criminal hacking as soon as they can find a way to exploit it, and develop a list of systems that are vulnerable.

    I think it is a good bet that several of the top TLA’s around the world are already aware of it and capable of exploiting it. If not they soon will be.

  11. Ossqss says:

    Quote for some clarity and yet concern from last year’s article I linked. I have not had a chance to view the entire video, but it is the same subject matter.

    “The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it’s entirely possible that such hidden backdoors exist on many other chipsets.”

    Indirectly related, but mentioned prior from this year.

    https://www.techrepublic.com/article/spectre-and-meltdown-explained-a-comprehensive-guide-for-professionals/

  12. E.M.Smith says:

    @Ossqss:

    That statement is just saying “I only proved it on this one platform. One down, a few hundred to go.”

    @Bill in Oz:

    1) It is a huge time sink.

    2) It is a huge information leak.

    3) It has near zero positive returns.

    4) The potential negative returns are catastrophic.

    5) What positive returns there are, are ego massage / personal weakness.

    6) I really don’t need the ego gratification / strokes as I am a self fulfilled “finished person”.

    That’s the big lumps….

  13. Timo Soren says:

    Bright guy, wonderful analysis and better yet he used cool document sources to help him out.

  14. llanfar says:

    Does anyone know how far back this goes? Pentium? ‘386?
