Security researcher claims Via C3 x86 CPUs contain hidden 'God mode'

Via C3 processors had been sold on their 'military-grade' security and used in ATMs, industrial automation and point-of-sale systems

The Via C3 family of x86-compatible CPUs contained a hidden, but easily accessible ‘backdoor' that could enable full root access for a hacker.

The C3 family had been sold partly on the basis of its military-grade security (they could scarcely have been sold on the basis of its performance), but contained a co-processor that could easily be accessed using a straightforward command in software.

The Via C3 had been used in industrial automation, point-of-sale systems, ATM and healthcare hardware, as well as some desktop and laptop PCs in the early 2000s. The small size, lower cost and lower power consumption of the Via C3 appealed more to embedded applications requiring x86 functionality.

The security research, Christopher Domas, described it as a "God mode", but critics have suggested that it was a fully documented feature of the CPUs.

Domas has published his work, which he's labelled 'Rosenbridge', on Github.

https://twitter.com/xoreaxeaxeax/status/1027642170860163072?ref\\_src=twsrc%5Etfw

"The Rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU," explains Domas on Github.

He continues: "It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

"While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

"The Rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well."

However, Domas adds that the scope of the vulnerability is "limited" and that "generations of CPUs after the C3 no longer contain this feature". The successor model, the Via C7, was introduced in 2005 and was used in the HP Mini 2133 netbook.

Via Technologies' x86 compatible technology came on the back of its acquisitions of Cyrix - which at one point in the early 1990s enjoyed a five per cent share of the x86 CPU market - and the x86 division of IDT.

Today, Via Technologies is planning to make a renewed push in the x86 market in partnership with Zhaoxin, a chip start-up founded by Shanghai's municipal government.

Domas presented his findings at the Black Hat USA 2018 security event last week. He admitted that the backdoor was fully featured in the documentation accompanying the chip - so not secret - but argued that its availability by default potentially made tampering with C3-powered devices easier.

Via hasn't yet issued a statement in response to the claims.