Not even your harddisk firmware is safe...

Recommended Posts

Posted

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

Kaspersky identified some rather advanced malware, some of it going so far as to infect the firmware of a number of harddisks (!) to both prevent detection and negate erasure efforts.

Official response from the NSA, who are suspected of creating this: We admit only that the things we do aren't illegal.

Posted

Surprised, not really. The NSA is what it is, and using any and all means doesn't surprise me.

Of course the next question is how the hell do we remove it from our firmware? If it can get on, it can be taken off.

Posted (edited)

If it's in the firmware, then you would need some kind of firmware re-flashing procedure. The company who makes the hard disk may have something on their site for this, but even if they have it it won't be easy, and who knows, the company may be the only one who can do this. That's the thing about our planned obsolescence hardware these days, usually needs a specialist to fix it, and is usually just cheaper to buy a new one.

P.S. My dad says that he has re-flashed server hard drives before, but the hardware has to support it. Some desktop computers support it, but not that many. He also says to buy a new hard drive.

Edited by overwraith
Posted

I think this kinda shows that the concept of completely disintegrating a harddisk isn't so idiotic as it may once have seemed.

Posted

I think this kinda shows that the concept of completely disintegrating a harddisk isn't so idiotic as it may once have seemed.

Right, how do you know you actually wiped the drive? The firmware told you so.

Posted

Before anyone comes in asking if the Pineapple firmware can be hacked in transit, yes it can but you reflash it when it arrives anyway. Can the hardware be modified, yes it can, realistically though, the NSA have much more important things to be thinking about.

Posted

Before anyone comes in asking if the Pineapple firmware can be hacked in transit, yes it can but you reflash it when it arrives anyway. Can the hardware be modified, yes it can, realistically though, the NSA have much more important things to be thinking about.

That is actually reassuring, thanks digininja.

Posted

If you have control over a section of memory over which a checksum is computed, you know what the final checksum needs to be and you want to change a byte or two within that section then you can try to modify additional bytes such that the final checksum still matches. How difficult this is depends greatly on the checksum algorithm, which in this case is probably closer to XOR than to AES.
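
The point above is why a firmware verifier should rely on a cryptographic MAC or signature rather than a plain checksum. The following is an added example, not code from the thread or from any drive vendor: it builds a constructed 64-byte stand-in for a firmware image, shows that a byte-wise XOR checksum stays identical after a change is folded into one spare padding byte (XOR is linear, so one byte cancels any difference), and shows that an HMAC-SHA256 over the same image does notice the change. All names (`FIRMWARE`, `PAD_OFFSET`, `xor_checksum`, `alter_keeping_xor`, `compare_checks`) and the demo key are assumptions for illustration.

```python
"""Added example (not from the thread): an XOR checksum versus a keyed MAC
as an integrity check over a firmware image."""
import hashlib
import hmac

# Constructed stand-in for a firmware blob: 48 bytes of "code" followed by
# 16 bytes of padding that nothing executes.
FIRMWARE = bytes(range(48)) + b"\x00" * 16
PAD_OFFSET = 63  # last padding byte, free to absorb a compensation


def xor_checksum(data: bytes) -> int:
    """Byte-wise XOR checksum: the weak kind of check a controller might use."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def alter_keeping_xor(data: bytes, offset: int, new_bytes: bytes, pad_offset: int) -> bytes:
    """Overwrite new_bytes at offset, then fold the difference into one spare
    byte so the XOR checksum of the whole image is unchanged.
    Demonstrates that the checksum cannot detect a deliberate modification."""
    assert pad_offset < offset or pad_offset >= offset + len(new_bytes)
    original = xor_checksum(data)
    buf = bytearray(data)
    buf[offset:offset + len(new_bytes)] = new_bytes
    # XOR is linear: one compensating byte cancels any change to the 8-bit sum.
    buf[pad_offset] ^= xor_checksum(bytes(buf)) ^ original
    return bytes(buf)


def mac_tag(data: bytes, key: bytes) -> bytes:
    """Keyed integrity tag; the key would live with the verifier, not in the image."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(data: bytes, key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(data, key), tag)


def compare_checks(key: bytes = b"constructed-demo-key") -> dict:
    """Return whether each check notices a deliberate change to FIRMWARE."""
    tag = mac_tag(FIRMWARE, key)
    expected = xor_checksum(FIRMWARE)
    # Change two bytes of the "code" region; arbitrary constructed values.
    altered = alter_keeping_xor(FIRMWARE, 8, b"\xAA\x55", PAD_OFFSET)
    return {
        "altered": altered != FIRMWARE,
        "xor_detects_change": xor_checksum(altered) != expected,
        "hmac_detects_change": not mac_verify(altered, key, tag),
    }


if __name__ == "__main__":
    print(compare_checks())
```

The same argument applies to additive and CRC-style checksums (CRC is linear too, so a compensating patch is equally easy to compute); only a keyed MAC or a public-key signature over the image forces a verifier to reject anything it did not originally produce.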

Posted (edited)

If you have control over a section of memory over which a checksum is computed, you know what the final checksum needs to be and you want to change a byte or two within that section then you can try to modify additional bytes such that the final checksum still matches. How difficult this is depends greatly on the checksum algorithm, which in this case is probably closer to XOR than to AES.

This might be a complicated process however. Not saying it's not possible, but you would essentially need a copy of the original data somewhere. If you are checksumming or hashing the whole drive you would essentially need another whole drive in order to do so, or a network socket. I was thinking more along the lines of not zeroing the drive when the OS asks the drive to zero itself. Perhaps I need to read the article and see exactly what's going on with this malware. Saying again, I could be wrong.

Edited by overwraith
Posted

The section sud0nick was quoting was about firmware controller code. As far as the controller was concerned, it's ROM. The guy changed this data such that it would jump to somewhere he had more control over while retaining the original checksum that's computed over this code and thus verified before the controller is willing to run it.

Posted

Over on Ars someone mentioned that their harddisk destruction process involves them being used for target practice for high-caliber rounds, resulting in impacts that occur with such force the harddisk platters fuse together.

In other news, when was the last time you went to the dump with a screwdriver and asked if you could carefully remove the harddisks from any computer turned in for recycling? If you ask nicely and especially if you provide some sort of cover story (wanting to show kids at the local school what you can do with the chips on them worked well for me), they'll allow it more often than not. You'd be amazed at the shit you dig up. And the best part? This information will be on locals. Find the SSID and password in the registry, drive around scanning for it and sure enough, you're going to find it. What happens next... is up to you. :smile:

Posted

Agreed on the things should be left unseen. Better yet, not created.

But if you think the old malware of the hard disks is bad. What do you think is lurking in your UEFI? I've been saying since the beginning that UEFI is so bad, will be rootkit heaven, etc.

I predict in a few years we will see malware in UEFI that does similar. I can almost guarantee it's already there.

Posted

Agreed on the things should be left unseen. Better yet, not created.

But if you think the old malware of the hard disks is bad. What do you think is lurking in your UEFI? I've been saying since the beginning that UEFI is so bad, will be rootkit heaven, etc.

I predict in a few years we will see malware in UEFI that does similar. I can almost guarantee it's already there.

I noticed on a new Dell UEFI that it has the settings to netboot over the internet, which is kinda cool. Still waiting for someone to make a small usable OS to replace UEFI.

Posted (edited)

I noticed on a new Dell UEFI that it has the settings to netboot over the internet, which is kinda cool. Still waiting for someone to make a small usable OS to replace UEFI.

Not an OS, but 3 years ago they bypassed UEFI to load whatever you wanted to get windows to run unsigned drivers, so you should be able to pretty much pre-boot UEFI to whatever you want done - http://www.theregister.co.uk/2012/09/19/win8_rootkit/

edit: Also this Chaos Computer Club article from this year - http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2566/original/venamis_whitepaper.pdf

Edited by digip
Posted

I know a guy that used to shop ebay for used cf and sd cards. Some things should be left unseen...

Had an intro to computer forensics class recently, and used Autopsy on one of my flash drives. Was surprised what I could still recover. Flash drives always give out after a certain number of writes, and have wear leveling algorithms and such to prevent them from wearing out too fast, but as a rule you should never resell your flash drives. Even zeroing them out will cause the number of writes per sector to be increased, and at worst would fry the flash drive.

Posted (edited)

Had an intro to computer forensics class recently, and used Autopsy on one of my flash drives. Was surprised what I could still recover. Flash drives always give out after a certain number of writes, and have wear leveling algorithms and such to prevent them from wearing out too fast, but as a rule you should never resell your flash drives. Even zeroing them out will cause the number of writes per sector to be increased, and at worst would fry the flash drive.

That's why it's so hard to actually wipe flash media. I keep it till it dies, then smash it up before throwing it out. One of the thumb drives in my pocket is 512MB. It has GParted loaded on it.

Edited by barry99705