Info by Matt Cole

Risc Patents for Back Door to all U.S. Applications

Julie Crory Telgenhoff shared the below video and it intrigued me.  I have never heard of Brendon O’Connell.  The video is titled “Edward Snowden Goes to Israel – Why?” While Brendon does get sidetracked in the nearly two hour video, there was a kernel that caught my intention. It starts in around the 15-18 minute and discusses a micro-processor backdoor created within the Intel chips.

I located the video he referenced too on this topic of microprocessor. Note below. Yes, I also watched the full hour long presentation discussing how Christopher Domas was able to not only use this exploit, but show what can be done with it.

Interestingly, the presenter (Christopher Domas)  first provides a disclaimer, stating he used his own time to research the material. This places the information solely on him, while conveying the company he works for had nothing to do with it.

The nitty gritty begins around the 10 minute mark. With the compilation of the provided patents, it forms a possibility of having a hardware backdoor already in place with every X86 process.

What does that mean?

A back door is a term used meaning to bypass all security and gain entrance. Think of it this way. You buy a house. You are provided with the locks and security to protect you, your loved ones, and your personal items. However, unknown to you, someone has a key to allow entrance though the back door. This is without your knowledge, and that individual can enter at anytime.

Through these patents, the company has created a backdoor through the processor. This processor is the heart of the computer. It is what makes the computer  work. The processor has a micro-processor within (think an embedded door that is part of the house) the X86 processor. It is part of the hardware, and cannot be removed.

This is why he points out:

If our assumptions about the deeply embedded core are correct…

…It could be used as a sort of backdoor, able to surreptitiously circumvent all processor security checks.

Meaning, this created backdoor bypasses all your security and locks. You have a secret portal within your home allowing entrance.

I checked and found these patents and pulled the information pertaining to this article. .

US8341419B2  Assigned to: G. Glenn Henry and Terry Parks through VIA Technologies Inc.

The x86 architecture, for example, includes the RDMSR and WRMSR instructions in its instruction set to read and write model specific registers (MSRs). A tester/debugger may access the internal control registers of an x86 processor via the RDMSR and WRMSR instructions. However, if not used correctly, accessing some of the internal control registers can cause the processor to work incorrectly, work slowly, or not work at all. Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, e.g., allowing ring 0 access at ring 3. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, the various x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs.

Nevertheless, the existence and location of the undocumented control MSRs are easily found by programmers, who typically then publish their findings for all to use. Furthermore, a processor manufacturer may need to disclose the addresses and description of the control MSRs to its customers for their testing and debugging purposes. The disclosure to the customer may result in the secret of the control MSRs becoming widely known, and thus usable by anyone on any processor.

Note the bold above and below.

US8880851 Assigned to G. Glenn Henry, Terry Parks, and Rodney E. Hooker through VIA Technologies Inc

.. such as the launch-x86 and reset-to-x86 instructions …..

The architectural control and status registers include x86 architectural model specific registers (MSRs) and ARM-reserved coprocessor (8-15) registers.

There are other patents regarding these MSR (Model specific registers) found.US13413346 –  2012-03-06 – Accessing model specific registers (MSR) with different sets of distinct microinstructions for instructions of different instruction set architecture (ISA) and US9043580B2 – 2011-04-07 2015-05-26  – Via Technologies, Inc. Accessing model specific registers (MSR) with different sets of distinct microinstructions for instructions of different instruction set architecture (ISA)   They have been working on this at a minimum since 2011.  

So what is MSR (Model Specific Register) ?   In laymen terms, it is a feature in all Intel x86 and x86-64 processor architectures (all current and future processors).  These registers provide the ability for debugging, program execution tracing, computer performance monitoring, and toggling certain CPU features.  

Who is Via Technologies?   VIA Technologies Inc., is a Taiwanese manufacturer of integrated circuits, mainly motherboard chipsets, CPUs, and memory. It is the world’s largest independent manufacturer of motherboard chipsets. Per Bloomberg, VIA Technologies, Inc. engages in the distribution of x86 processor platforms computer chips. The company was founded in 1989 and is based in Fremont, California. VIA Technologies, Inc. operates as a subsidiary of VIA Technologies Inc.  

His Findings.   With his testing, he found the MSR 1107 is the ‘global configuration register.’  Additionally, there is a bridge between the RISC and X86 processor (RISC–>x86). Meaning, he can push instructions to the processor through this backdoor.  When that is accomplished, he can gain access to the computer itself. Now, think beyond your local laptop. Many U.S. businesses, companies, Government entities use this processor.  

My Thoughts:    I give Christopher Domas high kudos for finding and providing this demonstration through the Black Hat  YouTube channel. I also found Brendan to be interesting and will review those other videos he suggested through this particular one. Initially, I wasn’t going to dive down this rabbit hole, but considering the implications, this is really a HUGE deal.  We are talking about ever computer susceptible to a ‘purposely created backdoor’ thereby putting all of our infrastructure in danger.  

You can find more Brendon O’Connell’s work and support him at:

Brendon O’Connell YouTube Channel
Twitter Handle: @boc_oz
Google Plus
PayPal – meeting@boc.rocks
BitCoin – 1KTwwQxD8n1izt8A9pxUYePg7t4QF9BCFE  

Matt Cole has high regard for knowledge share. He has a desire to share critical thinking and information. With a Masters in Information Technology and a wide array of certifications, while not working full-time, he wishes to knowledge share through providing insight, information organization, and critical thinking skills.

#KnowledgeShare | Matt Cole | #infobyMattCole