Not even your harddisk firmware is safe...


cooper

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

Kaspersky identified some rather advanced malware, some of it going so far as to infect the firmware of a number of hard disks (!) to both prevent detection and negate erasure efforts.

Official response from the NSA, who are suspected of creating this: We admit only that the things we do aren't illegal.


Surprised, not really. The NSA is what it is, and using any and all means doesn't surprise me.

Of course the next question is how the hell do we remove it from our firmware? If it can get on, it can be taken off.


If it's in the firmware, then you would need some kind of firmware re-flashing procedure. The company who makes the hard disk may have something on their site for this, but even if they have it, it won't be easy, and who knows, the company may be the only one who can do this. That's the thing about our planned-obsolescence hardware these days: it usually needs a specialist to fix, and it's usually just cheaper to buy a new one.

P.S. My dad says that he has re-flashed server hard drives before, but the hardware has to support it. Some desktop computers support it, but not that many. He also says to buy a new hard drive.

Edited by overwraith

Before anyone comes in asking if the Pineapple firmware can be hacked in transit: yes it can, but you reflash it when it arrives anyway. Can the hardware be modified? Yes it can; realistically though, the NSA have much more important things to be thinking about.


> Before anyone comes in asking if the Pineapple firmware can be hacked in transit: yes it can, but you reflash it when it arrives anyway. Can the hardware be modified? Yes it can; realistically though, the NSA have much more important things to be thinking about.

That is actually reassuring, thanks digininja.


If you have control over a section of memory over which a checksum is computed, you know what the final checksum needs to be, and you want to change a byte or two within that section, then you can try to modify additional bytes such that the final checksum still matches. How difficult this is depends greatly on the checksum algorithm, which in this case is probably closer to XOR than to AES.


> If you have control over a section of memory over which a checksum is computed, you know what the final checksum needs to be, and you want to change a byte or two within that section, then you can try to modify additional bytes such that the final checksum still matches. How difficult this is depends greatly on the checksum algorithm, which in this case is probably closer to XOR than to AES.

This might be a complicated process however. Not saying it's not possible, but you would essentially need a copy of the original data somewhere. If you are checksumming or hashing the whole drive you would essentially need another whole drive in order to do so, or a network socket. I was thinking more along the lines of not zeroing the drive when the OS asks the drive to zero itself. Perhaps I need to read the article and see exactly what's going on with this malware. Saying again, I could be wrong.

Edited by overwraith

The section sud0nick was quoting was about firmware controller code. As far as the controller was concerned, it's ROM. The guy changed this data such that it would jump to somewhere he had more control over while retaining the original checksum that's computed over this code and thus verified before the controller is willing to run it.

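What the two checksum posts above describe, as an added example that is not from this thread or from the report it discusses: with a one-byte XOR or additive checksum, a single compensating byte keeps the check unchanged after a modification, so a controller that verifies its code this way cannot tell patched code from original, whereas a cryptographic hash (SHA-256 here) has no such compensating byte, which is why firmware integrity needs a hash, ideally a signed one, rather than a checksum. The 16-byte image, the offsets and the values are constructed for the demonstration.

```python
import hashlib

# Constructed 16-byte stand-in for a firmware region (not real controller code).
IMAGE = bytes(range(0x10, 0x20))

def xor_checksum(data: bytes) -> int:
    """One-byte XOR checksum: the XOR of every byte."""
    c = 0
    for b in data:
        c ^= b
    return c

def sum8_checksum(data: bytes) -> int:
    """One-byte additive checksum: the sum of every byte mod 256."""
    return sum(data) & 0xFF

def compensate_xor(image: bytes, offset: int, new_value: int, spare: int) -> bytes:
    """Set image[offset] to new_value and XOR the same difference into a spare
    byte, so the XOR checksum of the whole image is unchanged."""
    img = bytearray(image)
    delta = img[offset] ^ new_value
    img[offset] = new_value
    img[spare] ^= delta
    return bytes(img)

def compensate_sum(image: bytes, offset: int, new_value: int, spare: int) -> bytes:
    """Set image[offset] to new_value and add the lost amount back into a spare
    byte (mod 256), so the additive checksum of the whole image is unchanged."""
    img = bytearray(image)
    delta = (img[offset] - new_value) & 0xFF
    img[offset] = new_value
    img[spare] = (img[spare] + delta) & 0xFF
    return bytes(img)

def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: no single spare byte can undo a change elsewhere."""
    return hashlib.sha256(data).hexdigest()

def demo() -> dict:
    """Patch byte 3 and use byte 15 as the spare; report which checks notice."""
    by_xor = compensate_xor(IMAGE, 3, 0xEB, 15)
    by_sum = compensate_sum(IMAGE, 3, 0xEB, 15)
    return {
        "xor_check_unchanged": xor_checksum(by_xor) == xor_checksum(IMAGE),
        "sum_check_unchanged": sum8_checksum(by_sum) == sum8_checksum(IMAGE),
        "sha256_detects_xor_patch": sha256_hex(by_xor) != sha256_hex(IMAGE),
        "sha256_detects_sum_patch": sha256_hex(by_sum) != sha256_hex(IMAGE),
    }
```

All four values returned by demo() are True: both weak checks pass the patched image while SHA-256 flags both copies.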

Over on Ars someone mentioned that their hard disk destruction process involves them being used for target practice for high-caliber rounds, resulting in impacts that occur with such force the hard disk platters fuse together.

In other news, when was the last time you went to the dump with a screwdriver and asked if you could carefully remove the hard disks from any computer turned in for recycling? If you ask nicely and especially if you provide some sort of cover story (wanting to show kids at the local school what you can do with the chips on them worked well for me), they'll allow it more often than not. You'd be amazed at the shit you dig up. And the best part? This information will be on locals. Find the SSID and password in the registry, drive around scanning for it and sure enough, you're going to find it. What happens next... is up to you. :smile:


Agreed on the things that should be left unseen. Better yet, not created.

But if you think the old malware on the hard disks is bad, what do you think is lurking in your UEFI? I've been saying since the beginning that UEFI is so bad it will be rootkit heaven, etc.

I predict in a few years we will see malware in UEFI that does similar. I can almost guarantee it's already there.


> Agreed on the things that should be left unseen. Better yet, not created.
>
> But if you think the old malware on the hard disks is bad, what do you think is lurking in your UEFI? I've been saying since the beginning that UEFI is so bad it will be rootkit heaven, etc.
>
> I predict in a few years we will see malware in UEFI that does similar. I can almost guarantee it's already there.

I noticed on a new Dell UEFI that it has the settings to netboot over the internet, which is kinda cool. Still waiting for someone to make a small usable OS to replace UEFI.


> I noticed on a new Dell UEFI that it has the settings to netboot over the internet, which is kinda cool. Still waiting for someone to make a small usable OS to replace UEFI.

Not an OS, but 3 years ago they bypassed UEFI to load whatever you wanted, to get Windows to run unsigned drivers, so you should be able to pretty much pre-boot UEFI to whatever you want done - http://www.theregister.co.uk/2012/09/19/win8_rootkit/

edit: Also this Chaos Computer Club paper from this year - http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2566/original/venamis_whitepaper.pdf

Edited by digip

I know a guy that used to shop eBay for used CF and SD cards. Some things should be left unseen...

Had an intro to computer forensics class recently, and used Autopsy on one of my flash drives. Was surprised what I could still recover. Flash drives always give out after a certain number of writes, and have wear-leveling algorithms and such to prevent them from wearing out too fast, but as a rule you should never resell your flash drives. Even zeroing them out will cause the number of writes per sector to be increased; at worst it would fry the flash drive.


> Had an intro to computer forensics class recently, and used Autopsy on one of my flash drives. Was surprised what I could still recover. Flash drives always give out after a certain number of writes, and have wear-leveling algorithms and such to prevent them from wearing out too fast, but as a rule you should never resell your flash drives. Even zeroing them out will cause the number of writes per sector to be increased; at worst it would fry the flash drive.

That's why it's so hard to actually wipe flash media. I keep it till it dies, then smash it up before throwing it out. One of the thumb drives in my pocket is 512 MB. It has GParted loaded on it.

Edited by barry99705