Spying software embedded inside all hard drive manufacturers' drives

Yeah, I always crush the platters when I'm done with a disk. Also, there is at least 1 EEPROM on the circuit board I pull off.

This applies to electronics in general. Especially cordless phones, because your call history is stored in these:

[image: jY5AVk5.jpg]
 
The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

-t

Okay, for the slower members of the class, if the infection is impossible to detect, how do they know it was impossible to remove?
 
Russian researchers expose breakthrough U.S. spying program

http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216

Reuters said:
(Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
 
Okay, for the slower members of the class, if the infection is impossible to detect, how do they know it was impossible to remove?

That's what I was wondering! If someone discovered it, then how could it be impossible to detect?
Guess t's recommendation to read the article is a good one, I'll take it in the morning.
 
Okay, for the slower members of the class, if the infection is impossible to detect, how do they know it was impossible to remove?

They are assuming a running machine that has at some point run malicious code that had access to flash the drive firmware. After it is compromised, it could be caught prior to booting the OS, but you would have to know what you were looking for and where to look for it, because firmwares are proprietary and most people would have to decipher the machine code by stepping through the instructions in a disassembler. Even then, they don't really know for sure if it is doing what it is supposed to be doing unless they work with the drive manufacturers and have access to a good firmware source.


Suppose a sector on a disk has address 100, and after many failures trying to write to that address, the firmware on the drive decides it is a bad sector. What it will do is map that address to another one. So on the disk level, 100->900, the OS will still be able to write to address 100 as if it never happened.

A compromised firmware could do this to a good sector and keep its own filesystem in there. So if you boot to the OS, there could be a keylogger saving your data on the drive, the compromised firmware could copy the data from that location to the secret location, then delete the original file.

It could also respond to requests from the OS like SMART data or the MBR with a seemingly normal response, so once you are booted into the OS, you won't be able to see the real ones. See: http://en.wikipedia.org/wiki/Rootkit#Bootkits
 
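A toy model of the remapping trick described in the post above, as an added example for this thread (not code from the Kaspersky report or from any drive vendor). The `Drive` class, its command set, the 16-byte sectors and the "vault" layout are assumptions made for illustration; real firmware is proprietary and uses 512/4096-byte sectors, defect lists and much more. It shows why a full-LBA overwrite from the host leaves the hidden data on the platters, and why you need to read the physical sectors (vendor-level access) rather than the LBAs to see it.

```python
"""Toy model of a drive whose firmware remaps LBAs to physical sectors.

Added example for this thread; the Drive class, its commands and the
'vault' are assumptions for illustration, not real vendor firmware.
"""
from dataclasses import dataclass, field

SECTOR = 16  # bytes per sector, kept tiny for the demo (real: 512 or 4096)


@dataclass
class Drive:
    physical: list                               # the platters as the head sees them
    exported: int                                # LBAs the drive reports to the host
    remap: dict = field(default_factory=dict)    # lba -> physical index (defect list)
    vault: list = field(default_factory=list)    # physical sectors the firmware keeps for itself

    @classmethod
    def new(cls, physical_sectors: int, spare_sectors: int) -> "Drive":
        return cls(physical=[bytes(SECTOR)] * physical_sectors,
                   exported=physical_sectors - spare_sectors)

    def _phys(self, lba: int) -> int:
        if not 0 <= lba < self.exported:
            raise ValueError("LBA out of range")
        return self.remap.get(lba, lba)

    # ---- host-visible interface (all the OS and a wiping tool can use) ----
    def capacity(self) -> int:
        return self.exported

    def read(self, lba: int) -> bytes:
        return self.physical[self._phys(lba)]

    def write(self, lba: int, data: bytes) -> None:
        self.physical[self._phys(lba)] = data.ljust(SECTOR, b"\0")[:SECTOR]

    # ---- legitimate firmware behaviour: reallocate a failing sector ----
    def reallocate(self, lba: int) -> int:
        used = set(self.remap.values()) | set(self.vault)
        spare = next(i for i in range(self.exported, len(self.physical)) if i not in used)
        self.remap[lba] = spare
        return spare

    # ---- malicious firmware behaviour: steal a healthy sector for a vault ----
    def hide(self, lba: int) -> int:
        orig = self._phys(lba)
        spare = self.reallocate(lba)                 # host's LBA now lands on a spare...
        self.physical[spare] = self.physical[orig]   # ...carrying the same data, so nothing looks wrong
        self.vault.append(orig)                      # ...and the original sector is now invisible to the host
        return orig

    def vault_write(self, slot: int, data: bytes) -> None:
        self.physical[self.vault[slot]] = data.ljust(SECTOR, b"\0")[:SECTOR]

    def vault_read(self, slot: int) -> bytes:
        return self.physical[self.vault[slot]]


def host_wipe(d: Drive, pattern: bytes = b"\xff") -> None:
    """What a 'full overwrite' tool does: write every LBA the drive admits to."""
    for lba in range(d.capacity()):
        d.write(lba, pattern * SECTOR)


def find_via_host(d: Drive, needle: bytes) -> list:
    """Search the way forensics software on the host would: LBA by LBA."""
    return [lba for lba in range(d.capacity()) if needle in d.read(lba)]


def find_on_platters(d: Drive, needle: bytes) -> list:
    """Search every physical sector; this needs vendor-level access the host does not have."""
    return [i for i, s in enumerate(d.physical) if needle in s]


def demo() -> Drive:
    d = Drive.new(physical_sectors=12, spare_sectors=2)   # 10 LBAs visible, 2 spares
    d.write(3, b"user data")
    d.hide(3)                                             # firmware steals physical sector 3
    d.vault_write(0, b"stolen keys")                      # exfil buffer the OS never sees
    assert d.read(3).startswith(b"user data")             # host still sees its own data at LBA 3
    host_wipe(d)                                          # overwrite of every host-visible LBA
    return d


if __name__ == "__main__":
    d = demo()
    print("host search after wipe:   ", find_via_host(d, b"stolen"))
    print("platter search after wipe:", find_on_platters(d, b"stolen"))
```

After `host_wipe`, every LBA reads back as the wipe pattern, so a host-side tool reports a clean drive, while physical sector 3 still holds the vault contents. The only host-side hints a practitioner could look for are indirect ones, such as reallocated-sector counts that do not match the drive's own history, and a compromised firmware can lie about those too.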
The article is thick, baby steps. I have not read the full report (the 43 page pdf) yet. Read the article and then the report. It's technical. It's a slow read. It's worth the time.

Just WOW!

-t
 
Well, this will just be more bad news for any American Technology. NSA has their hands so deep into everything that NO ONE will buy ANYTHING Made in America in 10 years, if not sooner. Not that we exactly produce anything anyway...
 
The report says that the NSA used this to spy on countries like Iran and China, especially government officials and diplomats.
I don't think we can say conclusively that they are using this within the US.

Take a cue from Ed Snowden: Always use an airgapped (offline) computer for sensitive stuff. It doesn't matter what spyware is on it...if it's not connected to a network, nobody can get to it.
 
They are assuming a running machine that has at some point run malicious code that had access to flash the drive firmware.

I'm trying to figure out if it's even possible for the cpu to flash the firmware - and if so... why? I would think that drive firmware would be flashed in production of the drive using something other than the main bus interconnect. Jtag or some other out-of-band connection. And if it is possible at all surely the code needs to be signed, right? Googling has turned up a few results for reflashing USB flash controllers but nothing about disk drives. Have any more info on this?


I'm leaning towards thinking that the infected firmware was actually installed in the factory and not by a user running malicious code.
 
I'm trying to figure out if it's even possible for the cpu to flash the firmware - and if so... why? I would think that drive firmware would be flashed in production of the drive using something other than the main bus interconnect. Jtag or some other out-of-band connection. And if it is possible at all surely the code needs to be signed, right? Googling has turned up a few results for reflashing USB flash controllers but nothing about disk drives. Have any more info on this?


I'm leaning towards thinking that the infected firmware was actually installed in the factory and not by a user running malicious code.


There were several different methods discussed in the paper. The most common was some type of CDROM driver, so in those cases, the access to the disk controller happened through there.

You can flash a disk firmware through the OS. Go to the manufacturer's site and they all have utilities to do so.

It wasn't being done at the factories. They were only doing it to machines that fit a specific criteria, unlike the misleading thread title.
 
"How do they know a machine is infected?" Please read the article at the link provided... The Kaspersky people managed to get some expired domain names from the 300 or so targeted domains of the virus writers (yes, they made mistakes-everyone does even the goons). Once they "owned" the domains they monitored hits to the domain coming from infected computers. They then managed to inspect the computers to determine the degree of infection...

Also: The goons have a whole toolbox full of infections and the hard drive flash is only one of those tools. It's a very complex issue and I sure don't claim to understand it all but I do know this much, they can infect your machine if they want to and they perhaps have compromised all phones and operating systems in existence...

http://arstechnica.com/security/201...-nsa-hid-for-14-years-and-were-found-at-last/
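The sinkhole technique described in the post above, as an added example (not code from Kaspersky or from the report): once you own an expired C2 domain, the job is to tell beaconing victims apart from crawlers and curious visitors in the web log. The log format, the `.invalid` domain names and the RFC 5737 addresses are constructed for this demo.

```python
"""Sinkhole hit analysis: separate beaconing victims from crawlers.

Added example for this thread; the log lines, domains and addresses
below are constructed (RFC 5737 ranges, .invalid TLD), not real data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole web log: time, client, Host header, request line.
SAMPLE_LOG = """\
2015-02-10T08:00:01Z 203.0.113.7 c2-old.invalid GET /ads/ad.php?id=7f3a HTTP/1.1
2015-02-10T08:00:03Z 198.51.100.23 c2-old.invalid GET /robots.txt HTTP/1.1
2015-02-10T09:00:02Z 203.0.113.7 c2-old.invalid GET /ads/ad.php?id=7f3a HTTP/1.1
2015-02-10T10:00:00Z 203.0.113.7 c2-old.invalid GET /ads/ad.php?id=7f3a HTTP/1.1
2015-02-10T10:15:44Z 192.0.2.88 update-srv.invalid POST /cgi-bin/check.cgi HTTP/1.1
2015-02-10T10:16:10Z 192.0.2.88 update-srv.invalid POST /cgi-bin/check.cgi HTTP/1.1
2015-02-10T11:00:00Z 203.0.113.7 c2-old.invalid GET /ads/ad.php?id=7f3a HTTP/1.1
2015-02-10T12:00:00Z 198.51.100.99 c2-old.invalid GET / HTTP/1.1
"""

SINKHOLED = {"c2-old.invalid", "update-srv.invalid"}   # expired C2 domains we registered (assumed)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) ")


def parse(log: str):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def unique_sources(log: str) -> dict:
    """First-pass victim estimate: distinct clients that contacted each sinkholed domain."""
    out = defaultdict(set)
    for r in parse(log):
        if r["host"] in SINKHOLED:
            out[r["host"]].add(r["src"])
    return dict(out)


def beacon_report(log: str, min_hits: int = 3,
                  ignore_paths: tuple = ("/robots.txt", "/")) -> dict:
    """Keep (domain, client) pairs that check in repeatedly, the way an implant would.

    Crawlers fetch /robots.txt or /, and people who read the news fetch / once;
    an implant polls its C2 path on a schedule, so repeated hits with a steady
    gap are the signal.
    """
    hits = defaultdict(list)
    for r in parse(log):
        if r["host"] in SINKHOLED and r["path"] not in ignore_paths:
            hits[(r["host"], r["src"])].append(r["ts"])
    report = {}
    for key, times in hits.items():
        if len(times) >= min_hits:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            report[key] = {"hits": len(times), "first": times[0], "last": times[-1],
                           "min_gap_s": min(gaps)}
    return report


if __name__ == "__main__":
    for (host, src), info in beacon_report(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {info['hits']} hits, ~{info['min_gap_s']:.0f}s apart")
```

With the sample data only 203.0.113.7 qualifies as a beacon (four hourly check-ins to the C2 path); the crawler fetching /robots.txt and the one-off visitor are dropped, and 192.0.2.88 only shows up if `min_hits` is lowered to 2. The `unique_sources` count is the number you would quote as "victims" before doing that filtering, which is why it is always higher.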
 
"When people have endured many abuses for a long time, it is their duty to overthrow the government and set up a better one."


We are way past this point, this is just more evidence. Let's take all of these cases and stand together, refuse to pay and use this as our reasoning. The gov is completely gone and we cannot get it back with "the right guy in place".
 
they can infect your machine if they want to and they perhaps have compromised all phones and operating systems in existence...

These are 2 separate problems. The first is good practice to assume your machine can be compromised, especially if someone is going after you specifically. It is easier to play offense than defense, and your best defense is to do what you can to reduce the number of attack vectors. I have watched people go after my systems over the years, while it is quite possible someone was able to get through without me noticing, the majority of them give up pretty quickly if they don't see something they like. This is because their time is better spent going after low-hanging fruit.

It is reasonable to assume that all machines are vulnerable to some type of attack. Although there are a lot out there running wide open, it is not reasonable to assume all machines are compromised. More like a magic percentage of all machines are compromised at any given moment.
 
"When people have endured many abuses for a long time, it is their duty to overthrow the government and set up a better one."


We are way past this point, this is just more evidence. Let's take all of these cases and stand together, refuse to pay and use this as our reasoning. The gov is completely gone and we cannot get it back with "the right guy in place".
A select few have been saying this on RPFs for many moons, only to be shouted down, ignored, banned, etc. Hope you get through to people. ~hugs~
 
Other than the two of you that actually read the article, you need to.

It's not every hard drive. It's systems that are targeted, but now that the cat's out of the bag, they might start targeting all of them.

It re-writes the firmware of 6 different manufacturers' hard drives.

A different branch hides in the registry, is encrypted, can't be detected or removed and takes over the operation of your OS.

It attacks macs and smartphones too.

seriously, read the article and maybe even the full presentation. Just the article is looooong...

:mad:

-t

Regardless of what is claimed by the articles, I think it's naive to think it's just a few targeted systems. They didn't call it the "Total Information Awareness" program for nuthin'. This is also the sort of stuff that limited the Snowden releases to around 5% of his total haul. EVERYTHING is compromised. All of it.

http://en.wikipedia.org/wiki/Total_Information_Awareness

 