AMD chips are also vulnerable, at least in theory

Aug 9, 2015 16:15 GMT

A feature introduced in 1997 in the architecture of x86 chips can now be abused by attackers to install a firmware rootkit, make hardware modifications, or even take actions that lead to system destruction.

The feature, System Management Mode (SMM), was introduced 18 years ago and operates at the deepest level of the x86 architecture, so anyone who abuses it gains access to a wide variety of further attack points.

Computer security expert Christopher Domas, working for the Battelle Memorial Institute, uncovered this vulnerability and tested it on Intel x86 processors; AMD chips should also be vulnerable, at least in theory.

Mr. Domas claims that 40 years of evolution have made x86 chip architectures a maze of forgotten security backdoors.

The original four privilege rings (3, 2, 1, and 0) that a processor offers were later extended with two deeper ones (-1 and -2). Using "elaborate configurations of unexpected architectural features," attackers now have a way to exploit x86 chips, the hardware components that operate at the lowest level of a computer's architecture.

In his research, Mr. Domas was able to move code execution from ring 0 to ring -2, letting him run operations with kernel-level SMM privileges, something the various security mechanisms built into the x86 architecture's design would normally block.

His tests relied on installing a rootkit in the firmware, but the exploit can just as easily be used to perform any action an attacker is skilled enough to trigger.

Starting up in SecureBoot won't help

Having a rootkit in the UEFI (BIOS) is bad enough, since it survives operating system reinstalls, but built-in protection mechanisms like SecureBoot are rendered useless as well, because they also rely on SMM to work correctly.

This means the only way to remove the rootkit is a complete firmware wipe or a firmware update that undoes its effects.

Because an attacker needs system-level privileges to exploit this feature, the chances of regular users being hit are reduced: the computer must first be infected by some other means, and altering the chips' normal behaviour demands a high degree of technical skill from the attacker.

According to Mr. Domas' estimates, around 100 million computers are affected. Intel has been informed of the issue, has already added built-in mitigations to its latest generation of chips, and is preparing patches for older ones.