Spying software embedded inside all hard drive manufacturer's drives

Thanks.

So malware affecting your OS can be detected and fixed by anti-virus software. Malware affecting your drivers should be able to be detected and fixed by anti-virus software (and if not, easily downloaded from the vendor's website). But anti-virus software doesn't look at firmware I guess. And that's where the problem is? And if true, what would be the disadvantage of using nonprogrammable eproms for their firmware as a solution to stop malware from infecting firmware?

They often need to be able to save and modify variables locally, especially diagnostic data. Also, the manufacturer needs a way to make future updates if necessary.

Antivirus programs could look at firmware, but with something like the stuff described in the article, it would not find anything wrong if you're running it from the OS. With a special utility, you can test if the firmware checksum matches the checksum provided by the manufacturer, and you can flash a new one, so it's kinda all or nothing at this level. This is because it can't otherwise look directly at hardware like that, it is like if you message someone (assuming no encryption) and your messaging app is compromised. A 3rd party could be watching both ends of the conversation. The 3rd party could suppress the other person's message and insert their own, if they do it carefully, you would never know you were talking to a 3rd party. There are 2 problems here:

1.) finding out you are not talking to the person you think you are
2.) stopping it

If your 3rd party is clever enough, it is nearly impossible for you to detect something is wrong. It gets easier if you are aware beforehand that this has been happening to others. To address #2, you reinstall with a known clean version of the messaging app.


I don't understand. tangent4ronpaul wrote that: The malicious firmware created a secret storage vault [on your harddrive]. cpu'd wrote that: the secret storage vault would be incorrectly labelled a bad sector by the software because it was unable to read or write to it.

So if the firmware creates what the OS thinks is a bad sector, and chkdsk checks for bad sectors, why wouldn't a successful running of chkdsk (that shows you have no bad sectors) prove your firmware is not infected by this malware?


I was just using the bad sector thing as an example, there are other ways, like moving it around on unallocated space.

If the drive is reporting no bad sectors, then no, there is no secret storage vault masquerading as a bad sector. Drives older than a year are probably going to have bad sectors.

The way it was described in the article, this is a sophisticated group of programs that can act like a Swiss army knife; if one attack vector is not feasible, it can use another. An example: your AV program might be able to detect/remove part of it in the regular file system, or running in memory, but when you reboot, before the OS even loads, the drive firmware could copy stuff back to the file system, including infected system files that are made to appear OK to the OS and AV programs. You could reflash the firmware, but if you miss something in the OS, it could reflash again with their firmware.

It is a vicious cycle with a lot of moving parts that aren't fully understood yet. The researchers are still working out exactly what is happening, and might take a few weeks before they start releasing tools for removal.
 
What about Rootkit Removal?

Won't work. Firmware virus can't be erased. The difference is EPROMS or PROMS - EPROMS are Erasable Programmable Read Only Memory, and PROMS are Programmable Read Only Memory. PROMS can be programmed once, and once programmed, can not be programmed again, even by the machines that load the programs. EPROMS can be erased and rewritten over and over. The NSA will probably do everything in their power to put the viruses in the PROMS on ALL HARDWARE in your computer, not just your Hard Drive. For example, on your computer, you'll most likely have a Networking Chip. If the NSA has the ability to control what is put onto these Networking Chips, there is no way any Anti Virus on the planet can scan for it. Your Operating System will never ever see it. The hijack occurs at the Transport Layer of the OSI Network Model. The virus will never interact with your OS, thus, it is totally invisible.

It gets worse

Viruses on your Hard Drive is a waste of time for the NSA. A better target will be your Routers. Pick up EVERY bit of data that exits your computer that is either received or transmitted. If a Router virus can be combined with a Hard Drive virus, they can bypass every measure of security you can take at the Transport Layer, and see everything you do on your computer, depending on how the virus is set up. These things aren't usually observed by humans, but just categorized. Non human interaction with your data doesn't make it less dangerous, in fact, it makes it MORE dangerous. This data and meta data on you can be analyzed by algorithms, which can be used to either further distract you, as most people do, or other measures of control, like a computer generated psychological analysis of "crazy" and require you to be put on pills, at your own expense, because a computer found that you watched more than one Alex Jones Show.

The goal is to enslave both your Mind and Body. You are the product that is for sale.
 
Won't work. Firmware virus can't be erased. The difference is EPROMS or PROMS - EPROMS are Erasable Programmable Read Only Memory, and PROMS are Programmable Read Only Memory. PROMS can be programmed once, and once programmed, can not be programmed again, even by the machines that load the programs. EPROMS can be erased and rewritten over and over. The NSA will probably do everything in their power to put the viruses in the PROMS on ALL HARDWARE in your computer, not just your Hard Drive. .....

To be clear, this is not what we are talking about here. The only way something like this could occur in the context of the Kaspersky article is through interdiction, where someone opens a package and physically replaces the chips.
 
To be clear, this is not what we are talking about here. The only way something like this could occur in the context of the Kaspersky article is through interdiction, where someone opens a package and physically replaces the chips.

The NSA can come in and demand, intimidate and coerce chip manufacturers into putting NSA code on normal chips, then slap them with a gag order. I'll suggest that there are a lot of different ways that computer security can be compromised, and not all of which are detectable, especially as you said in the OP, checksum of the firmware matches manufacturer checksum. NSA code is already in when the checksum is determined, and checksums are not foolproof either. I was able to modify Dead or Alive Xtreme Beach Volleyball and bypass XBox checksums to inject custom content into an expected unmodifiable package. Once the content was injected, I had to run another tool to bloat some of the content for the checksum to match the original. Came out with the exact same checksum despite having different content. Hell, the old XBox was cracked wide open by simply exploiting Fonts. XBox wouldn't run unsigned code, so it wouldn't run custom .xbe files (.xbox executables), but there was nothing built in as far as security goes to check Fonts. Sorry, that was off topic. I have heard other stories of NSA taking computer equipment off of store shelves, making modifications to the firmware, putting stuff back together, and then rewrapping said packages. Not sure of the scale of those operations or even if said spy ops are actually performed, but really, what wouldn't we put beyond our Govt today?
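Two points in this thread turn on what a "checksum matches the manufacturer's" actually proves: the earlier post on checking drive firmware with a vendor utility, and the post above noting that bloating content made a modified package match the original checksum. The following is an added example, not code from the thread, Kaspersky, or any drive vendor. It uses constructed sample images and a naive 16-bit additive checksum next to SHA-256 to show the difference: the additive checksum is matched by a different image once filler is appended, the cryptographic hash is not.

```python
"""Naive additive checksum vs. cryptographic hash for firmware verification.

Added example for this thread; not from any vendor utility. The firmware
images are constructed byte strings, and the "published" reference values
are simply computed from the original image.
"""
import hashlib


def additive_checksum(data: bytes) -> int:
    """Naive 16-bit checksum: sum of all bytes modulo 2**16."""
    return sum(data) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pad_to_match(image: bytes, target: int) -> bytes:
    """Append filler so the additive checksum of `image` equals `target`.

    This is the "bloating" the post above describes: the additive checksum
    only sees the byte total, so a content change can be compensated with
    filler. Shown here only to make clear what SHA-256 still catches.
    """
    diff = (target - additive_checksum(image)) & 0xFFFF
    filler = bytes([0xFF]) * (diff // 0xFF) + bytes([diff % 0xFF])
    return image + filler


def verify(image: bytes, published_sum: int, published_sha256: str) -> dict:
    """What a verification utility would report under each scheme."""
    return {
        "additive_ok": additive_checksum(image) == published_sum,
        "sha256_ok": sha256_hex(image) == published_sha256,
    }


# Constructed sample firmware: a label followed by a fixed byte pattern.
ORIGINAL = b"DRIVE-FW v1.0 " + bytes(range(256)) * 4
PUBLISHED_SUM = additive_checksum(ORIGINAL)
PUBLISHED_SHA256 = sha256_hex(ORIGINAL)

# A different image (one byte of the label changed), then padded so that its
# additive checksum equals the published one.
MODIFIED = ORIGINAL.replace(b"v1.0", b"v1.1")
FORGED = pad_to_match(MODIFIED, PUBLISHED_SUM)

if __name__ == "__main__":
    print("original:", verify(ORIGINAL, PUBLISHED_SUM, PUBLISHED_SHA256))
    print("forged:  ", verify(FORGED, PUBLISHED_SUM, PUBLISHED_SHA256))
```

Two caveats follow from the thread itself. A strong hash only helps if the reference value comes from a trusted channel, and if the bytes being hashed are the ones really on the chip; as the earlier post notes, a utility running under the OS reads the firmware through the very controller it is trying to check, so a dump that is itself mediated by modified firmware can be made to look clean. Vendor-signed images checked by a boot ROM that cannot be rewritten address the second problem better than any checksum does.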
 
NSA has spies that get hired by the companies of interest. The Project Manager is the most powerful person in the department doing R&D. The companies never know.

They also hack shipping systems and get stuff delivered to modding areas and then re-enter the shipping routes so it looks normal. Some people that watch their tracking closely have caught this when they screwed up.

How does NSA keep this from happening to them? Was talking to one of their cryptographers a few years ago, and he said they sourced stuff by going into a warehouse and selecting stuff at total random. Like if you were buying 5 motherboards, you'd pick the first 5 on the shelf. They are more like ok, 3rd box back, and selecting randomly from that box, then a different box, etc.

-t
 
Hacking HD firmware:

How hackers could attack hard drives to create a pervasive backdoor
http://arstechnica.com/information-...k-hard-drives-to-create-a-pervasive-backdoor/

Not Only the NSA Knows How to Make Unerasable Malware
http://www.technologyreview.com/view/535226/not-only-the-nsa-knows-how-to-make-unerasable-malware/

Hard disk hacking - Intro
http://spritesmods.com/?art=hddhack&page=1



-t


A very excellent video and demonstration as to how these kinds of HD hacks can be developed and executed. If you have an hour to spare this video will answer most of the questions surrounding how it can be done and why you would have no way of knowing...
 
Cpu’d thanks so much for your detailed answer. What limequat says really does make sense: for people to have security for private stuff, the best thing to do is have an offline computer for private stuff, and a networked computer for everything else. I remember originally reading from, I think it was the New York Times, about the Stuxnet virus and how the hardest thing for them was to get the worm to the computers that were physically attached to the Iranian centrifuges (Iran had kept them all offline all the time). And the Times said at the time they were able to figure out how to put worms on offline computers. And I kept thinking how in the world could they do that? But having this in the firmware and hard drive makes sense.

They often need to be able to save and modify variables locally, especially diagnostic data. Also, the manufacturer needs a way to make future updates if necessary.

Thanks. The second part is what I was looking for and thought probably why. However I never knew the eproms saved and modified variables locally; things at that level are fascinating—wish I knew more.

Antivirus programs could look at firmware, but with something like the stuff described in the article, it would not find anything wrong if you're running it from the OS. With a special utility, you can test if the firmware checksum matches the checksum provided by the manufacturer, and you can flash a new one, so it's kinda all or nothing at this level. This is because it can't otherwise look directly at hardware like that.

Thanks. And ‘flashing’ firmware means to install new firmware into the chip?


------------------------------------------------------------------------

I was just using the bad sector thing as an example; there are other ways, like moving it around on unallocated space.
If the drive is reporting no bad sectors, then no, there is no secret storage vault masquerading as a bad sector. Drives older than a year are probably going to have bad sectors.

Thanks. I was just thinking it might be a quick way of proving, particularly a new hard drive, doesn’t contain this storage vault. But you’re saying it could also be placed in unallocated space: again this would be on the hard drive until the hard drive would be full, and its location would only be known by the firmware?

The way it was described in the article, this is a sophisticated group of programs that can act like a Swiss army knife; if one attack vector is not feasible, it can use another. An example: your AV program might be able to detect/remove part of it in the regular file system, or running in memory but when you reboot, before the OS even loads, the drive firmware could copy stuff back to the file system, including infected system files that are made to appear OK to the OS and AV programs. You could reflash the firmware, but if you miss something in the OS, it could reflash again with their firmware.

I didn’t read the article but just skimmed really quickly. It looked like the OS registry was compromised. If the infected system files are made to appear okay to the OS, the person doing this would need access to the source code of the OS (or at least i/o between that file and other system files)? So they either work for Microsoft or somehow got hold of their source code?

It is a vicious cycle with a lot of moving parts that aren't fully understood yet. The researchers are still working out exactly what is happening, and might take a few weeks before they start releasing tools for removal.

Thanks for your description. Hard to believe our government does all this stuff. They say NSA has the best mathematicians and scientists in the world. Just hoping they’ve studied the Constitution as much as their science.
 
The NSA can come in and demand, intimidate and coerce chip manufacturers into putting NSA code on normal chips, then slap them with a gag order.

They can't do this to other countries though...Russia is in the process of making NSA hackproof phones, cpu's, harddrives, and so on. So the only secure computer/smartphone in the future may be a Russkie one.

As someone who grew up during the real cold war in the 1980's, looking to Russia for "safety" is quite bizarre to say the least, but we have gone through the looking glass, and what was, is not what is.
 
To be clear, this is not what we are talking about here. The only way something like this could occur in the context of the Kaspersky article is through interdiction, where someone opens a package and physically replaces the chips.

...such as possibly on a shipping dock, where products are imported from overseas? I can't believe the U.S. Post Office or UPS could be involved in this. But how about in other countries (I think it said this malware was detected in 30 countries)? That would mean CIA assets in other countries being paid to do this?

It also looked like other software was used to either flash the hard drive firmware or infect system files: is that even possible to do? -just skimmed the article but somewhere it said something about getting new Oracle installation disks and they apparently were compromised and installed this malware.
 
They can't do this to other countries though...Russia is in the process of making NSA hackproof phones, cpu's, harddrives, and so on. So the only secure computer/smartphone in the future may be a Russkie one.

As someone who grew up during the real cold war in the 1980's, looking to Russia for "safety" is quite bizarre to say the least, but we have gone through the looking glass, and what was, is not what is.

source?

-t
 
Thanks. The second part is what I was looking for and thought probably why. However I never knew the eproms saved and modified variables locally; things at that level are fascinating—wish I knew more.

Technically I think what happens with EPROMs is it stores an image of itself with the new values in volatile memory until you are ready to save them, then it writes the whole image back to the chip during the save operation. There is a small time window during this process where you can create some real problems if you disconnect the power source. On HDDs there is a way to password protect them that is independent of the system. Sometimes, it is called a "platter lock", because there is not a lot you can do with the drive without the password. Data forensics people don't really try to brute-force it; sometimes you can dump the firmware and read the password in plaintext. Otherwise, it is faster to just replace the PCB on the drive case with another one from the same model.


Thanks. And ‘flashing’ firmware means to install new firmware into the chip?

Yes, because it is stored on flash memory, where you have to write the entire block, as opposed to individual bytes here and there. It is all or nothing, so if the write process is interrupted, it will be nothing (useful). Some older devices could be rendered permanently unusable without replacing the ROM chip, because the mechanism to write the firmware is on the firmware itself. It is what they mean when someone says the device is 'bricked', because it is an expensive paperweight or thingy to hold the door open. Devices are harder to brick nowadays, because manufacturers provide multiple methods for recovery, and the write process is faster due to better chips.


Thanks. I was just thinking it might be a quick way of proving, particularly a new hard drive, doesn’t contain this storage vault. But you’re saying it could also be placed in unallocated space: again this would be on the hard drive until the hard drive would be full, and its location would only be known by the firmware?

Yes. And as long as the hacked firmware is on there, the drive will never really be full. In the context of the original article, what makes this a big deal is that even if you clean out the spyware and put a factory firmware back onto the drive, someone could possibly get to the hidden data many months later by knowing where to look.

I didn’t read the article but just skimmed really quickly. It looked like the OS registry was compromised. If the infected system files are made to appear okay to the OS, the person doing this would need access to the source code of the OS (or at least i/o between that file and other system files)? So they either work for Microsoft or somehow got hold of their source code?

Not necessarily. There are plenty of other ways to defeat that protection; there is a pretty good flowchart in the article about different ways this is done. It is not so much about what is being done, but when.


Thanks for your description. Hard to believe our government does all this stuff. They say NSA has the best mathematicians and scientists in the world. Just hoping they’ve studied the Constitution as much as their science.

They would like to have the best, but the best get paid a lot more working in Silicon Valley or even academia.

...such as possibly on a shipping dock, where products are imported from overseas? I can't believe the U.S. Post Office or UPS could be involved in this. But how about in other countries (I think it said this malware was detected in 30 countries)? That would mean CIA assets in other countries being paid to do this?

Docks and airports are actually the best places to do this, because they have highly-restricted areas where a small group can set up shop, and govt screeners taking a package to a back room is not really going to be questioned. They need specialized equipment and they need to do it quickly.

It also looked like other software was used to either flash the hard drive firmware or infect system files: is that even possible to do? -just skimmed the article but somewhere it said something about getting new Oracle installation disks and they apparently were compromised and installed this malware.

Yes, they could do it via driver files that interact with the disk controller, because they have the level of access required to do it. Manufacturers provide utilities to upgrade firmware via the OS, but these are generally proprietary. To be able to write a driver file to gain control over the process, they would need to disassemble these utilities to analyze and find a weak spot.
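The reply above explains that a firmware flash is all or nothing, that an interrupted write used to brick older devices because the write routine lived in the firmware being overwritten, and that newer devices recover because the manufacturer provides more than one path. The following is an added example, not code from the thread or from any manufacturer, that models that difference with a toy device: each firmware slot carries a SHA-256 header the bootloader checks, a `power_fails_after` parameter simulates losing power partway through a write, and a single-slot layout is compared with an A/B layout. The slot layout, header format and parameter names are all constructed assumptions for the illustration.

```python
"""Toy model of flash firmware updates: single-slot vs. dual-slot (A/B) recovery.

Added example for the thread; not from any vendor. The 32-byte SHA-256
header, the two-slot layout and the power-failure simulation are
constructed assumptions used to show why a torn write bricks a
single-slot device while an A/B device boots the previous image.
"""
import hashlib

HASH_LEN = 32  # SHA-256 digest prepended to each image as an integrity header


def wrap_image(image: bytes) -> bytes:
    """Prepend the SHA-256 of the image; the bootloader checks it before running."""
    return hashlib.sha256(image).digest() + image


def slot_valid(blob) -> bool:
    """A slot is bootable only if its header digest matches its payload."""
    if blob is None or len(blob) <= HASH_LEN:
        return False
    return hashlib.sha256(blob[HASH_LEN:]).digest() == blob[:HASH_LEN]


class FlashDevice:
    def __init__(self, factory_image: bytes, dual_slot: bool):
        self.dual_slot = dual_slot
        self.slots = {"A": wrap_image(factory_image), "B": None}
        self.active = "A"

    def _target_slot(self) -> str:
        # A single-slot device overwrites the running firmware in place;
        # a dual-slot device always writes the inactive slot.
        if not self.dual_slot:
            return self.active
        return "B" if self.active == "A" else "A"

    def flash(self, image: bytes, power_fails_after=None) -> bool:
        """Write a new image. Returns True only if the write completed and verified.

        `power_fails_after` (constructed for the model) simulates losing power
        after that many bytes have reached the chip, leaving a torn slot.
        """
        target = self._target_slot()
        blob = wrap_image(image)
        if power_fails_after is not None and power_fails_after < len(blob):
            self.slots[target] = blob[:power_fails_after]  # torn write
            return False
        self.slots[target] = blob
        if slot_valid(blob):
            self.active = target  # selector flips only after a verified write
            return True
        return False

    def boot(self):
        """Return (slot, image) for the first valid slot, or None if bricked."""
        fallback = "B" if self.active == "A" else "A"
        for name in (self.active, fallback):
            if slot_valid(self.slots[name]):
                return name, self.slots[name][HASH_LEN:]
        return None


if __name__ == "__main__":
    single = FlashDevice(b"factory v1", dual_slot=False)
    single.flash(b"update v2", power_fails_after=10)
    print("single-slot after torn write:", single.boot())  # None: bricked

    dual = FlashDevice(b"factory v1", dual_slot=True)
    dual.flash(b"update v2", power_fails_after=10)
    print("dual-slot after torn write:", dual.boot())  # boots factory image
```

The same verified-before-switch rule is what makes the thread's "reflash with factory firmware" advice meaningful on real devices: a bootloader that refuses an unverified slot and keeps a known-good one is the recovery method the reply alludes to, and it only holds if that bootloader itself is in memory the update path cannot rewrite.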
 
The report says that the NSA used this to spy on countries like Iran and China, especially government officials and diplomats.
I don't think we can say conclusively that they are using this within the US.

Take a cue from Ed Snowden: Always use an airgapped (offline) computer for sensitive stuff. It doesn't matter what spyware is on it...if it's not connected to a network, nobody can get to it.

If you airgap it you can't even use a USB to transfer information as that may infect you. Stuxnet hit airgapped computers. The article also mentions how specialized firmware to Cisco routers was added while in transit in the mail. Only a government could hijack a computer en route.
 