Image and video hosting by TinyPic














Monday, February 16, 2015

Spyware built into your hard drives

Yes, I know: The world is heading toward hell and the teevee news channels are shouting for war. Very soon, I'll have much to say about all of that. But right now, I want to talk about the war against your privacy.

The Russian anti-malware firm Kaspersky has verified what many have suspected: The NSA has found a way to hide spy programs in the firmware of your hard drives.

The bad code is not on the platter -- not even in the boot sector. It's in the guts of the electronics built into the metal box encasing the platter. Even if you completely wipe the drive, the spy code is still there. No matter what you do, the malware says "Hello, Fort Meade!" every single time you turn on your system.
Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.
Question: How did the NSA pull off this trick? My first thought was that the Agency must have worked with the manufacturers. But:
Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.
It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.
The above-linked article contains much speculation as to the various ways the NSA might have gotten hold of the source code. However, there is no speculation as to how the Agency might have replaced the manufacturer's code with modified code.

A virus? Well, yes: It is possible to write a virus that digs into the firmware, but the risk has always been considered low. Here's why (from an older article about malware):
According to Computerworld, Western Digital Vice President Gary Meister said there is a way to build a virus that can damage a particular hard drive's firmware and disable the device. However, the firmware can be flashed and restored to its original state, so the firmware-damaging virus still can't permanently disable a hard drive. The firmware-damaging virus is an impractical creation, though, as it is extremely difficult to code, has to be tailor-coded for each specific hard drive and lacks motivational intent because it would disable a computer instead of steal information.
Obviously, the NSA would rather spy than fry your drive, and it seems that they have found a way to do just that. Could they really have pulled off this trick without working with the Seagate, WD and the others? Despite the protestations of the companies, the simplest theory is that this thing was an inside job.

Update: The NYT expands upon this story here. This story suggests that the spyware burrows into the motherboard's firmware, not just the firmware used by the hard drive.

A reader named Propertius, who definitely seems to know what he is talking about, takes issue with my suggestion that this was an inside job. I'm sure he won't mind seeing his words republished here...
I disagree. For anyone with decent assembler or machine code programming skills, the simplest theory is that they picked up some drives at Best Buy, read out the contents of the PROMs, and modified the code. I spent half my career doing assembly code for supercomputers - I could do this in my sleep and I'm hardly unique. No assistance from the manufacturer required.
But how to get the firmware bug onto the system in the first place? I'd love to hear from people who are more computer-savvy than I...
Comments:
the simplest theory is that this thing was an inside job.

I disagree. For anyone with decent assembler or machine code programming skills, the simplest theory is that they picked up some drives at Best Buy, read out the contents of the PROMs, and modified the code. I spent half my career doing assembly code for supercomputers - I could do this in my sleep and I'm hardly unique. No assistance from the manufacturer required.
 
Okay, Prop. How to get the modified code onto the hard drives?

Maybe the malware is injected into a Photoshop torrent, or perhaps a popular free app like Zone Alarm. But a computer owned by an enemy state is not likely to be exposed to that kind of crap.
 
Intercept the supply chain. It doesn't require the assistance of the manufacturer (although that's always helpful).
 
>No matter what you do, the malware says "Hello, Fort Meade!" every single time you turn on your system.

No. Whatever is going on here is closer to "Stuxnet: The Next Generation."

To review: Stuxnet was originally designed to make Iranian centrifuges self-destruct. It worked because its creators knew Iran used a particular software program (Siemens SIMATIC S7) to control the centrifuges. Once a Stuxnet-infected Windows computer connected to the centrifuges ran SIMATIC, Stuxnet issued a command to SIMATIC that caused the motors to burn up. It may have done other damage too (the source code has never been released, for obvious reasons) but essentially its lone job was to throw a monkey wrench into a finely tuned machine and it only was expected to work once. If a roomful of expensive, hard-to-get centrifuges all blow up at at the same time you're not going to assume it was a coincidence.

The key point is that several conditions had to be in place for Stuxnet to work. It required the Iranians to be using SIMATIC S7--if Iran had hired a journeyman hardware engineer to handroll their own control software (not that difficult) Stuxnet could not have done any damage. Same if the Iranians were using a non-Windows operating system. And, of course, the Stuxnet worm had to infect a specific computer.

I have no doubt "Stuxdrive" also has multiple components. What we're talking about now is what has been discovered in the hard drive firmware. Like Propertius, I have experience in this field. Thirty years ago I was coding for a PC hardware maker that had a line of printers and scanners. That company was bought by a corp which later merged with another corp. The low-level code on microcontroller chips that actually run such devices is left untouched unless absolutely necessary. If you use Photoshop today to bump up the brightness or contrast on a scanner, for example, your computer might be sending a command to a chip in the scanner with a bit of code I wrote while listening to the Iran-Contra hearings.

For a spook agency to have code on a hard drive microcontroller is analogous to them having a backdoor to SIMATIC. They could have power to do bad things like erasing data or self-destructing the drives and they could make surreptitious copies of data, but that's about it; "Hello, Fort Meade" is out of the question without adding lots of I/O code to the chip, and even then it would work only on particular computer configurations.

What IS possible (even likely, to my mind) is that a conventional malicious worm could exploit any vulnerability that actually exists. Just as Stuxnet destroyed the centrifuges via SIMATIC, a worm could tell your hard disk driver to send their undocumented self-destruct command sequence to the controller chip. Zap! If such a thing is actually possible, don't worry about NSA evil-doers; fear the pimply hacker.

How the covert code found its way into the firmware I can't guess, except to repeat that "legacy" modules are left alone as long as they work. Those of us who were in the industry during the "Y2K" hysteria recall the biggest actual worry was that so many companies no longer had the source code for some of their oldest library files.

 
Actually, you don't have to intercept the supply chain. Most of the firmware in commodity drives can be reflashed - in fact the manufacturers cheerfully distribute utilities to do this. Here's an example of a not-particularly-talented-but-very-enthusiastic amateur describing how he hacked his own hard drive firmware:

http://spritesmods.com/?art=hddhack

It's really not terribly difficult.
 
Post a Comment

<< Home


This page is 

powered by Blogger. 

Isn't yours?


























Image and video hosting by TinyPic


FeedWind



FeedWind




FeedWind