Cyberattackers can exploit Pentium self-defense

VANCOUVER, British Columbia –- Your computer could hand itself over to cyberattackers when it’s trying to cool off.

That warning galvanized the information technology security experts gathered this week at the CanSecWest/core06 conference here.

Computers with Intel Pentium processors can be hijacked through a built-in mode designed to protect the processor’s motherboard, said Loïc Duflot, a security engineer and researcher for the scientific division of France’s Central Directorate for Information Systems Security.

“Unused, legacy or routinely used functionalities can be used to circumvent operating system security functions,” Duflot said.

The vulnerability affects every computer that runs on x86 architecture, including the millions that the U.S. government and industry use, said Dragos Ruiu, the conference’s organizer. He is a Canadian computer security consultant for businesses, governments and the U.S. military.

Pentium computers usually run in Protected Mode, the 32-bit environment where the operating system and applications reside, Duflot said. But when conditions that could threaten the motherboard occur, such as the processor getting too hot, the computer interrupts Protected Mode and freezes and stores its activity.

The computer then switches to System Management Mode, a 16-bit environment that loads code stored in System Management RAM (SMRAM) to handle the particular emergency, Duflot said. Once the code runs, the System Management Mode then tells the computer to return to Protected Mode and normal operations.

Cyberattackers can take over a computer by causing it to interrupt operations and enter System Management Mode, Duflot said. They can enter the SMRAM and replace the default software with custom software that gives them full administrative privileges, he said.

To gain access, all they have to do is close the SMRAM and trigger the new software, Duflot said.

Such attacks are insidious because they happen out of sight of security measures at the operating system or application level, Duflot said. The computer has no way of interrupting the System Management Mode code and is defenseless against whatever the assailant wants to do, including keeping the operating system frozen and inaccessible.

Some chipsets map the SMRAM in the same location as video RAM, making it vulnerable to exploits used on video RAM, Duflot said. Those same chipsets allow access to SMRAM in Protected Mode if attackers have the right code to modify the computer’s settings, he said.

For the past seven years, CanSecWest has been a conference of, by and for hard-core code gurus who create the software that businesses and governments use. More than 300 cybersecurity experts and computer hackers from 40 countries gathered to swap cutting-edge information, tips and tricks.

CanSecWest attracts managers of technical groups within companies and government agencies, Ruiu said. It also attracts hackers who come to learn new techniques to exploit computer networks.

The conference presents the latest in what helpful and malicious hackers are doing, said Eric Byres, a member of the research faculty at the British Columbia Institute of Technology.

“What’s shown here will be on the Web next year and script kiddie material in three,” Byres said.