At the Black Hat 2018 and DEF CON 26 security conferences held in Las Vegas last week, a security researcher detailed a backdoor mechanism in x86-based VIA C3 processors, a CPU family produced and sold between 2001 and 2003 by Taiwan-based VIA Technologies Inc.

The affected CPU family was designed with PC use in mind but was more widely known for being deployed with point-of-sale units, smart kiosks, ATMs, gaming rigs, healthcare devices, and industrial automation equipment.

The Rosenbridge backdoor mechanism

Christopher Domas, a well-known hardware security expert, says that VIA C3 x86-based CPUs contain what he referred to as a “hidden God mode” that lets an attacker elevate the execution level of malicious code from kernel ring 3 (user mode) to kernel ring 0 (OS kernel). See here about CPU protection rings.

Domas says that this backdoor mechanism —which he named Rosenbridge— is a RISC (Reduced Instruction Set Computer) co-processor that sits alongside the main C3 processor.

The researcher says that by using a launch-instruction (.byte 0x0f, 0x3f) he can flip a register control bit that enables this additional coprocessor, which he argues doesn’t benefit from the same security protections the main C3 chipset.

Any instructions sent to this additional coprocessor are all run under ring 0, and not under the normal ring 3 level.

Rosenbridge GIF

Domas says he identified this “hidden God mode” feature in VIA C3 Nehemiah chips, but he says all other C3 chipsets are bound to feature a similar mechanism.

The expert says he discovered the Rosenbridge backdoor system while sifting through patents. In his DEF CON slides,…