Pentium Computers Vulnerable to Attack?
An anonymous reader writes "One of the latest security scares is coming from security experts at CanSecWest/core '06 in the form of a possible hardware-specific attack. The attack is based on the built-in procedure that Pentium-based chips use when they overheat. From the article: 'When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity, said Loïc Duflot, a computer security specialist for the French government's Secretary General for National Defense information technology laboratory. Cyberattackers can take over a computer by appropriating that safeguard to make the machine interrupt operations and enter System Management Mode, Duflot said. Attackers then enter the System Management RAM and replace the default emergency-response software with custom software that, when run, will give them full administrative privileges.'"
Physical access (Score:4, Insightful)
Move along, folks.
RAM access? (Score:3, Insightful)
How is it that an unprivileged user can write to such a sensitive location in the first place?
Not being a retard still works, though? Right? (Score:4, Insightful)
AMD... (Score:1, Insightful)
Re:FUD? (Score:5, Insightful)
When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity,
Ok, fine.
Every computer that runs on x86 chip architecture may be vulnerable to this attack
Wait. How did we get here?
Let's go through this again. Intel Pentium 4s are hot. No surprise there. They enter special modes when overheating that may introduce a security vulnerability. Fine. How does this cross over to AMD and Via chips again? AMD and Via processors don't have special modes like that. If system heat becomes critical they will simply shut the system down flat out. On a Pentium 4, overheating is not entirely unexpected, particularly on the high edge of the clock speeds. On an AMD or Via, overheating is a major failure condition, probably caused by a heatsink falling off.
So, how are all x86 chips vulnerable, exactly? (Incidentally, between this and this [daemonology.net], AMD is really looking to be a much safer deal, not to mention faster, cooler, more power efficient, etc.)
The devil is in the details (Score:5, Insightful)
- The article states that all x86 processors "could" be vulnerable. Does that mean the *entire* series of Pentium chips, even the older PIIIs and PIIs? If so, are they as easy to compromise as the modern versions?
- There is no mention of AMD architecture. Doesn't AMD have an equivalent "overheat failsafe" halt-and-cooldown function? Wouldn't that make AMDs vulnerable to this type of exploit as well, or do they require a slightly different attack?
- Isn't the motherboard BIOS FlashROM responsible for the monitoring of and responding to dangerous CPU temperatures? Haven't they already been safeguarded against unauthorized writes, due to the Chernobyl virus?
I think I'll hold off on ordering the prototype Borg implants when they come on the market....
Re:Aren't you already screwed? (Score:3, Insightful)
1. They don't NEED to do any of it because they already own your box
2. The system designers really fucked the pooch good on the security design of these components
Come on, even Windows knows that not just any Joe User should be able to reprogram the CPU interrupts...
Semi Permanent Backdoor? (Score:3, Insightful)
Or am I confused?
Re:Aren't you already screwed? (Score:2, Insightful)
Re:Good Times (Score:5, Insightful)
The watershed for me will always be the IE image exploits, where a malicious website could run code simply by your browser attempting to download a carefully crafted image file.
There I was, for years, telling people: "There's no way you can get a virus by just looking at a picture on the internet". Boy was I wrong.
Bottom line: no matter what you pronounce impossible through software, invariably, somewhere out there, there exists a bug to accomplish just that.
Re:Think like an evil hax0r, then be afraid. (Score:3, Insightful)
So does anything that can load before your kernel. (Like a boot sector virus.)
Now imagine just how many people have root access to their virtual server at a hosting company and how many other users are running on the same physical hardware secure in the belief that their customer information is safe. But is it?
This isn't really different than a boot sector. If you have root on a VIRTUAL server, you shouldn't have access to this or to the boot sector on the real filesystem.
Not really an exploit (Score:3, Insightful)
By the way, whenever the CPU does a memory read or write while in SMM, it asserts the SMM# pin. This means that the hardware is fully able to consider SMM RAM to be totally separate from the main memory space - but most implementations don't. In fact, SMM has an instruction called "umov" that allows SMM hypervisors to read/write the main memory space. (umov is equivalent to mov when not in SMM.)
If it's *really* a problem, change the motherboard, not the CPU. The motherboard can physically lock out the SMM memory space from even kernel programs if it so desires.
Melissa
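The comment above makes the defender's point: whether the OS can reach SMRAM is decided by the chipset's lock, not by the CPU. The following is an added example, not code from any poster in this thread, showing how an administrator would decode the Intel MCH SMRAMC register and report whether firmware left SMRAM unlocked. The register's bit layout and its location (PCI config offset 0x9D on device 0:0.0) are assumed from Intel 82915G-era GMCH datasheets; other chipsets place the same bits at other offsets, and the sysfs read needs root.

```python
"""Decode an Intel MCH SMRAMC register and judge whether SMRAM is locked down.

Added example for this thread, not code from any poster. The bit layout and the
PCI config offset (0x9D on device 0:0.0) are assumed from Intel 82915G-era
GMCH datasheets; other chipsets put the same bits at other offsets.
"""
from dataclasses import dataclass

# SMRAMC bit positions (assumed from Intel MCH datasheets)
D_OPEN = 1 << 6        # SMRAM mapped into the normal address space (setup/debug)
D_CLS = 1 << 5         # SMM data accesses redirected to VGA memory instead of SMRAM
D_LCK = 1 << 4         # lock: D_OPEN forced to 0 and SMRAMC read-only until reset
G_SMRAME = 1 << 3      # compatible SMRAM segment (A0000h-BFFFFh) enabled
C_BASE_SEG_MASK = 0x7  # segment select field, hardwired to 010b on these parts


@dataclass(frozen=True)
class SmramState:
    enabled: bool
    open_: bool
    closed: bool
    locked: bool
    base_seg: int


def decode_smramc(value: int) -> SmramState:
    """Split an 8-bit SMRAMC value into its control bits."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"SMRAMC is an 8-bit register, got {value:#x}")
    return SmramState(
        enabled=bool(value & G_SMRAME),
        open_=bool(value & D_OPEN),
        closed=bool(value & D_CLS),
        locked=bool(value & D_LCK),
        base_seg=value & C_BASE_SEG_MASK,
    )


def assess_smramc(value: int) -> tuple[str, list[str]]:
    """Return ("OK" | "WARN" | "FAIL", reasons) for the posture a defender cares about.

    With D_LCK set, D_OPEN cannot be flipped until the next reset, so the SMI
    handler installed by firmware stays out of reach of ring-0 code.
    """
    st = decode_smramc(value)
    reasons: list[str] = []
    if st.open_ and st.locked:
        # Hardware forces D_OPEN to 0 once D_LCK is set; seeing both means the
        # value did not come from a real SMRAMC register (or the chipset differs).
        reasons.append("D_OPEN and D_LCK both set: inconsistent with the assumed layout")
        return "WARN", reasons
    if st.open_:
        reasons.append("D_OPEN set: SMRAM is visible in the normal address space")
    if not st.locked:
        reasons.append("D_LCK clear: SMRAMC is still writable, so D_OPEN can be set later")
    if not st.enabled:
        reasons.append("G_SMRAME clear: compatible SMRAM segment disabled (check TSEG/ESMRAMC)")
    if any(r.startswith(("D_OPEN", "D_LCK")) for r in reasons):
        return "FAIL", reasons
    return ("WARN" if reasons else "OK"), reasons


def read_smramc_sysfs(path: str = "/sys/bus/pci/devices/0000:00:00.0/config",
                      offset: int = 0x9D) -> int:
    """Read SMRAMC from Linux sysfs. Needs root (offsets past 0x40 are privileged)
    and a chipset that actually puts SMRAMC at this offset; not used by the samples."""
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(1)[0]


if __name__ == "__main__":
    # Constructed sample values, not read from any machine.
    for sample in (0x1A, 0x0A, 0x4A):
        verdict, why = assess_smramc(sample)
        print(f"SMRAMC={sample:#04x}: {verdict}", *why, sep="\n  ")
```

On a system where firmware has done its job the register reads with D_LCK set and D_OPEN clear, and the check returns "OK"; a clear D_LCK is the condition under which the chipset would let kernel-level code open SMRAM, which is exactly the gap the comment says the motherboard can close.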