Given that a lone dude was able to modify the firmware on an HDD controller CPU (http://spritesmods.com/?art=hddhack&page=3) it doesn't surprise me that full-blown malware of this sort is in the 3-letter-agency toolbox.
Didn't someone else also manage to run Linux on a HDD?!
edit: it was the same guy, it's just hidden on the last page of the series and it's just Linux, no userspace
Oh, and another thing. I just remembered that videogame console hack where a manipulated USB descriptor led to a jailbreak.
Who says one cannot use bugs in e.g. SMART or other (S)ATA protocol implementations in order to spread malware by disk?
And... isn't data transfer of HDDs usually handled by DMA? Is there a way for a malicious HDD to compromise a system? Everyone locked down their FireWire port, but is eSATA vulnerable?
No. The SATA/PATA/IDE bus allows only the main bus controller to be the bus master, just like USB/SPI/I2C. Devices connected to those buses must be polled by the system; they can't initiate transactions on their own.
On the other hand you have PCI/PCIe/FW/Thunderbolt/SCSI; those buses allow every device to take over as a temporary bus master, and some of them (I'm not familiar/sure about SCSI, probably not) allow arbitrary memory access.
So you can't use SATA in the way FW can be exploited. There might be some obscure state machine bugs in some hardware host implementations, but why bother when you have the low-hanging fruit of access to raw binary data. Travis Goodspeed demonstrated (using USB storage, same mechanism) how analysis of read access call order and frequency patterns can be used to estimate the OS and usage scenario (boot, normal execution, forensic imaging of the drive). Thus an infected device can pretend to be fine when analysed standalone.
eSATA itself is not vulnerable. The SATA lanes themselves have no DMA; it's the controller where the DMA requests are generated, so a malicious hard drive on its own would not be able to compromise a computer. I guess it's conceivable that some three-letter agency has hacked together some hard drive that can compromise a specific chipset, but at that point, it becomes a lot easier to just present a compromise in the filesystem of the hard drive, because filesystem drivers are entirely too easily confused by bad data, such as http://www.spinics.net/lists/linux-ext4/msg47160.html
> I guess it's conceivable that some three-letter agency has hacked together some hard drive that can compromise a specific chipset
I was more thinking of Linux or Windows hardware driver level compromises, as a filesystem exploit requires that the drive in question is actively mounted and a protocol driver exploit pwns your system as soon as you attach the drive.
Combine an OS X, a Linux and a Windows exploit in the ATA protocol drivers and you have a cyberweapon capable of infecting even a forensic analysis system. And in contrast to USB, I don't believe that ATA and other low-level hardware protocol implementations in kernels get very much attention from developers.
Forensic imagers are pretty much standard equipment in any police lab, but I doubt that a normal investigator will disassemble a disk and do raw forensics on the disk platters... heh, if I were a guy with something to hide, I'd hack the firmware to either wipe the disk upon imaging or compromise the investigator's machine.
Oh indeed. I did not know about this, thank you very much.
I came up with yet another, truly weird plan. Take a 2-platter disk with 500GB (so 250GB per platter), scratch off the label. Modify the firmware so that:
a) both platters are encrypted with a hardcoded, generated-at-lowlevel-reformat secret key to delay forensic efforts
b) the ATA identify and other ID values point to a 250GB drive (half the original capacity!)
c) the bootloader is two-staged, boot0 running on the HDD CPU and boot1 running on the host before the OS bootloader. If e.g. a specific key is pressed during boot, boot1 asks for a password and gives this password to boot0 (e.g. via custom ATA command). boot0 now uses this password to apply a second decryption to platter1 - so there is no TrueCrypt or anything on the "hidden" OS which impacts performance (you can reveal if you're using TrueCrypt via a sidechannel attack. Determine the HDD model and compare write speed with a reference value. If you're inside spec - no crypto. If you're slower - crypto).
If no key is pressed, then boot0 boots the bootloader from the unlocked platter2 - the "clear" OS will have no way of seeing the data on platter2 and even if the reported HDD size is compared with the specifications of the (manipulated!) HDD model name as reported to the OS, a malware has no way of knowing that this HDD in fact has a hidden area.
1/ This is pretty much how, for example, Seagate refurbishes drives (or used to). They disable whole bad platters in firmware, rewrite the drive capacity, slap a REFURB sticker on and send the drive back as a replacement for a smaller one.
2/ You can do this _yourself_ today on an off-the-shelf drive using HPA/DCO.
3/ Don't really understand your plan; you want to prepare a drive like that to hide your own data from others? The average forensic investigator will immediately tell that your 'clear' OS is an unused decoy (no signs of regular daily use).
ad 3) Indeed, you're right. Better idea: make the firmware act like a SATA hub and pretend to be two different disks (of course, the "second" disk is only visible after unlocking at boot time). This way, the OS is used regularly, and all evidence on the system will point to a USB stick or eSATA disk being used.
FTK will immediately identify that there was another volume mounted regularly; if you are hiding stuff from the law it will be used against you as obstruction of investigation or some other bs.
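Added example (not from the thread): a Python parser for the 256-word ATA IDENTIFY DEVICE block that extracts the model, serial, firmware revision, LBA sector count and the HPA/DCO support bits, then compares what the drive reports against a catalogue of expected sector counts and, where available, the native max address from READ NATIVE MAX ADDRESS. It covers both the "report a 250GB drive" plan above and the HPA/DCO point in the reply: an ordinary HPA clip on an honest drive is caught, while firmware that reports a smaller model consistently passes every identify-derived check, which is why such checks cannot rule out a hidden area. The catalogue, model names and dump are constructed; the word offsets follow the ATA IDENTIFY DEVICE layout.

```python
# Word offsets from the ATA IDENTIFY DEVICE layout (256 sixteen-bit words).
W_SERIAL, W_FIRMWARE, W_MODEL = (10, 10), (23, 4), (27, 20)  # (start word, length in words)
W_LBA28 = 60          # words 60-61: LBA28 user-addressable sectors
W_LBA48 = 100         # words 100-103: LBA48 user-addressable sectors
HPA_BIT = 1 << 10     # word 82: Host Protected Area feature set supported
LBA48_BIT = 1 << 10   # word 83: 48-bit address feature set supported
DCO_BIT = 1 << 11     # word 83: Device Configuration Overlay feature set supported


def ascii_field(words, start, nwords):
    """Decode an IDENTIFY ASCII field: each word carries two characters, high byte first."""
    raw = bytearray()
    for w in words[start:start + nwords]:
        raw += bytes(((w >> 8) & 0xFF, w & 0xFF))
    return raw.decode("ascii", errors="replace").strip()


def parse_identify_dump(text):
    """Parse a whitespace-separated hex dump of the 256 identify words ('0x' prefix accepted)."""
    words = [int(tok, 16) for tok in text.split()]
    if len(words) != 256:
        raise ValueError(f"expected 256 identify words, got {len(words)}")
    lba28 = words[W_LBA28] | (words[W_LBA28 + 1] << 16)
    lba48 = sum(words[W_LBA48 + i] << (16 * i) for i in range(4))
    return {
        "model": ascii_field(words, *W_MODEL),
        "serial": ascii_field(words, *W_SERIAL),
        "firmware": ascii_field(words, *W_FIRMWARE),
        "sectors": lba48 if words[83] & LBA48_BIT and lba48 else lba28,
        "hpa_supported": bool(words[82] & HPA_BIT),
        "dco_supported": bool(words[83] & DCO_BIT),
    }


def audit(info, catalogue, native_max=None):
    """Compare the reported identity with a catalogue of expected sector counts per model.

    native_max is the sector count returned by READ NATIVE MAX ADDRESS (EXT); it comes from
    a separate command, so it is passed in rather than read from the identify block.
    Returns a list of findings; an empty list means nothing reported was inconsistent.
    """
    findings = []
    expected = catalogue.get(info["model"])
    if expected is None:
        findings.append(f"model {info['model']!r} not in catalogue")
    elif info["sectors"] != expected:
        findings.append(f"reports {info['sectors']} sectors, catalogue says {expected}")
    if native_max is not None and native_max > info["sectors"]:
        findings.append(f"HPA set: {native_max - info['sectors']} sectors above reported max")
    return findings


def build_identify(model, serial, firmware, sectors, hpa=True, dco=True):
    """Constructed identify block: only the fields parse_identify_dump reads are filled in."""
    words = [0] * 256

    def put(start, nwords, s):
        s = s.ljust(nwords * 2)[:nwords * 2]
        for i in range(nwords):
            words[start + i] = (ord(s[2 * i]) << 8) | ord(s[2 * i + 1])

    put(*W_MODEL, model)
    put(*W_SERIAL, serial)
    put(*W_FIRMWARE, firmware)
    lba28 = min(sectors, 0x0FFFFFFF)  # the LBA28 field saturates at 2^28 - 1
    words[W_LBA28], words[W_LBA28 + 1] = lba28 & 0xFFFF, lba28 >> 16
    for i in range(4):
        words[W_LBA48 + i] = (sectors >> (16 * i)) & 0xFFFF
    words[82] |= HPA_BIT if hpa else 0
    words[83] |= LBA48_BIT | (DCO_BIT if dco else 0)
    return words


def dump_text(words):
    return " ".join(f"0x{w:04x}" for w in words)


# Constructed catalogue: sector counts of two hypothetical models (500 GB and 250 GB class).
CATALOGUE = {"CONSTRUCTED HDD 500": 976773168, "CONSTRUCTED HDD 250": 488397168}


def demo_hpa_clipped():
    """Honest 500 GB unit whose HPA hides the top half: both checks fire."""
    dump = dump_text(build_identify("CONSTRUCTED HDD 500", "SN-CONSTRUCTED-1", "FW01", 488397168))
    return audit(parse_identify_dump(dump), CATALOGUE, native_max=976773168)


def demo_consistent_firmware():
    """Firmware that reports a 250 GB model all the way down: no identify-based check disagrees."""
    dump = dump_text(build_identify("CONSTRUCTED HDD 250", "SN-CONSTRUCTED-2", "FW01", 488397168))
    return audit(parse_identify_dump(dump), CATALOGUE, native_max=488397168)


if __name__ == "__main__":
    print(demo_hpa_clipped())          # two findings
    print(demo_consistent_firmware())  # []
```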
The firmware can just modify data - when BIOS asks HDD to read boot sector, the HDD firmware returns modified boot sector with malicious code implanted.
Similarly for other code loaded from hard drive (system files, drivers, etc).
Yes, the assertion that “the authors of the spying programs must have had access to the proprietary source code” of the drives' firmware is dubious. Surely Kaspersky know better; they no doubt regularly deal with malware for which they do not have source.
Too bad the article doesn't mention that Kaspersky actually is very closely tied with the FSB (ie KGB) - most likely he works for them. That doesn't mean the original article is untrue - just that the 'research' really comes from Russian spies.
"Kaspersky’s rise is particularly notable—and to some, downright troubling—given his KGB-sponsored training, his tenure as a Soviet intelligence officer, his alliance with Vladimir Putin’s regime, and his deep and ongoing relationship with Russia’s Federal Security Service, or FSB."
It should come as no surprise that a Russian antivirus vendor is the one reporting about all this NSA software. Kaspersky has less to lose and more to gain than their western counterparts, and the Russian government would probably be happy to help even if Kaspersky didn't already have these ties.
The question is: is Kaspersky going to abuse all that trust and good will they are gathering?
The sad side effect of the moral elite proving hollow is that those you may consider enemies might become allies. Despite everything there is little proof of malice at Kaspersky, while the same can't be said for many companies in the west.
If the FSB is funding research that brings unwanted transparency to the NSA, allowing us to better understand and criticize the US corporations and agencies complicit with them, then I welcome it. I doubt it is the case, but if your fantasy turns out to be correct they would also deserve some poli sci props.
Have proof of actual malice being committed? Intelligence gathering in and of itself isn't malicious. That's literally the very reason for the NSA's existence. It's like saying the FBI is malicious because they "investigate". That's what they do, that's their job. I'd be more pissed if they weren't doing this sort of thing. I'd wonder where the hell my tax dollars are going.
The only thing that bothers me is when they spy on their own citizens, us. I have no problem with them spying or hacking Russia, China or Iran. Their job is to protect their country and their allies from foreign aggression and international criminal organizations. When you wake up in the morning, China, Russia, Iran, Etc... are all still going to try and hack U.S businesses, governmental services and try to gain access to classified information. Pretending like these acts don't happen doesn't make them go away.
American citizens have been involved in planning and executing terrorist attacks, identified as enemy combatants and even been targeted for drone strikes. If foreign terrorists operate in the US, the only way to find them is to search. That means looking at everyone's communications, citizen or not.
I'm not an American, so it would be wrong of me to assert what you or your government should or should not do in this regard. However in general I think GCHQ and the NSA have a case for some of the kinds of monitoring they are doing, I just think it's lacking in legal basis and appropriate oversight. They have shown repeatedly that we can't trust them.
Both data from foreign citizens and from your own citizens are useful, but usefulness shouldn't be the only consideration.
If you have lots of private information about someone that means you have power over that person. For starters it makes blackmail a whole lot easier. In combination with data about other people it helps you determine who you have to remove from a group to make that group collapse.
Now if somebody has this sort of power over some foreigners, that's not really a big problem for your country. But if somebody has that power over the entire population of your own country, that's a bit worse. That somebody could disable any form of democracy by silencing citizen protests before they even start while covertly controlling key politicians.
If communism has taught us anything, it's that you don't want anybody to have intimate knowledge of large parts of your population; it doesn't tend to end well. Oversight is a nice idea, but there was already supposed to be all kinds of oversight which apparently failed. I don't really trust oversight in things this important.
>The question is: is Kaspersky going to abuse all that trust and good will they are gathering?
There are a dozen or so American companies that most would have hoped would stand up to domestic intelligence companies, rather than take the safe route of cooperating.
Was the power abused or was it co-opted? Will a Russian company fare any better against their own government?
The instances where a company does business with a government are not that uncommon. It is kind of stepping outside the pure commercial domain into being partly a public sector entity/institution. Considering the stakes of public information security (or even that of national defense), I come to think that this kind of deal should become one of governments' concerns in every country and should become an institutionalized part of their public service like police (or a government body like the information agency) and be funded openly by governments themselves.
Because 'researchers' and 'Russian spy agency' sound very different. The former are motivated by a desire to shed light on questionable behavior, the latter to inflict damage on their adversary (while engaging in worse practices themselves).
Only if the behavior they call out actually happened. If they start fabricating evidence of bad behavior that never happened then that's not a good thing.
Here is the breakdown, ordered by approximate market share descending, with the "country of origin":
* Microsoft - US
* Avast - Czech Republic
* AVG - Czech Republic
* ESET - Slovakia
* Symantec - US
* Avira - Germany
* Kaspersky - Russia
* Malwarebytes - US
* McAfee - US
* COMODO - US
* Bitdefender - Romania
* Panda - Spain
To be fair, Kaspersky does a pretty good job of reporting on even Russian originated banking trojans and the like.
"One such incident involved targeting participants at a scientific conference in Houston. Upon returning home, some of the participants received by mail a copy of the conference proceedings, together with a slideshow including various conference materials. The [compromised ?] CD-ROM used “autorun.inf” to execute an installer that began by attempting to escalate privileges using two known EQUATION group exploits."
Cool.
While not every car scale, the Sony hack was blamed on NK. I remember no official action though. Seems that everybody hacking everybody is just an implicitly accepted practice these days.
There were serious repercussions to the Chinese hacking US companies, including a US Justice dept indictment, Google pulling out of China, and publicly embarrassing the Chinese Government.
>Seems that everybody hacking everybody is just an implicitly accepted practice these days.
My view is that:
1. this area is so new, no one knows what the limits should be (disagreements even within governments and agencies),
2. but that there are red lines,
3. that it is likely that the US and other actors have crossed a few of them,
4. and that the world is in the process of reacting and establishing norms of behavior.
With no proof shown to the public. And Obama put another set of sanctions on North Korea as a result of this.
This episode is no different from the WMDs in Iraq during the Bush era. At least Bush tried to make a case. Here there is no case, no smoking gun, just the Obama administration saying NK did it, but what is frightening is the total absence of reaction from the American people. NK is bad, but what the Obama administration did is bad too. Even though, again, the NK government is horrible, what happened here is just frightening. Because tomorrow it can be country B or D that did nothing yet gets sanctions from the US because the US administration said it did something?
Without a doubt this. Why would the NSA not say thank you to a foreign agency bugging their own citizens so that they can collect the data on the way out without having to do all of the meatspace effort?
I'm not an expert, but I imagine any bit of code you put into firmware will target a very narrow configuration of other software on the PC, will be pretty fragile and susceptible to bit rot.
To be able to routinely steal something from the PC it will need to be tailored to a specific configuration.
The Kaspersky report[1] states that GRAYFISH (which contains the HDD firmware reprogramming code) works on Windows NT 4.0, 2k, XP, Vista, Windows 7 and Windows 8, in both 32-bit and 64-bit builds. One can't help but to be impressed.
Targeting one firmware is very narrow. Targeting different firmwares from 12 different manufacturers has a pretty good chance of being successful on any given target, and that's what they are doing. They have to keep up as new hard drive models come out, but that's what they are being paid for.
The firmware malware is mainly to create hidden, unremovable, persistent space on the drive, and likely hijack the boot process. At that point it passes off to other malware.
I don't understand what you mean by "bit rot". Bits don't rot like vegetables. They could last just fine for centuries, especially in protected, privileged parts of memory where firmware stays.
The NVIDIA driver is the same for all cards.
Tablets and smartphones are very homogeneous and the most widely used, Apple's totally closed source, including the hardware.
Most people use Intel processors.
Any of those vectors is very easy to target if you have the hardware and software source code.
Hard drives and SSDs have more storage capacity than is actually presented to the OS, mostly for remapping bad sectors, possibly for storing internal metadata for the disk's operation. A malicious firmware could use that unmapped storage capacity to store larger, more versatile payloads.
I think that it is even possible to do at a low level; see how they embed encrypted packets within other packets to sneak out of a network undetected [1]. Even if this technology only lasted 10-15 years that is a LONG time to have the upper hand.
Sending/receiving a UDP packet is not difficult, even at a low level. Knowing what filesystem lies above, implementing some crawler (aka search) is no rocket science either. Combine these two techniques, add some simple command protocol and you have access to any file on a targeted device.
It will target as wide a group as possible. It's just a small backdoor that lets the agency that should not be named install a full rootkit at will.
The Patriot Act means the US three-letter agencies could get whatever they want from whatever US company (or company that sells in the US).
As the article says, they could ask for the code for making an audit. Of course they can do whatever they want with it.
They can abuse this power in so many ways, from giving this source code to competitors but "closer to home", individual members of those agencies selling it for profit, or analyzing vulnerabilities and not reporting them to you.
It doesn't seem unreasonable that the NSA working in conjunction with the CIA could place moles in various high tech firms of interest and thus obtain all the source. Following this to its logical conclusion then it's not unreasonable to assume the NSA has the source to most firmware and operating systems in use today.
What the article doesn't reveal is the attack vector, how did the firmware in these drives come to be infected?
> What the article doesn't reveal is the attack vector, how did the firmware in these drives come to be infected?
If criminals can target a bank to steal $300M from clients, the NSA can target a HD company to steal the source code.
It's really not that difficult.
Remember, the best attack isn't a direct assault. It's a sneak assault.
The story is that during WWII, Ian Fleming was part of a group of spies in training, who were asked to get into a secure nuclear research facility. Everyone else got caught. Sneaking in under the wire, etc.
Ian called a professor friend to vouch for him. Then he called the facility and asked for a tour as a visiting "researcher". After the tour was over, he called his boss and told them his briefcase was hidden next to a critical part of the facility.
Bugging HD firmware is a brilliant ploy. Who looks there?
There is no need to steal the source code. As mentioned in the article (or a different article?), they can just demand the manufacturer send the source code for NSA review before the government buys any drives.
While reading the article, I had to wonder how it must feel to be management at a HDD manufacturer today, and look out over the desks or think back over the contractors, and wonder which one is the spy.
The attackers used universal methods to infect targets: not only through the web, but also in the physical world. For that they used an interdiction technique – intercepting physical goods and replacing them with Trojanized versions. One such example involved targeting participants at a scientific conference in Houston: upon returning home, some of the participants received a copy of the conference materials on a CD-ROM which was then used to install the group’s DoubleFantasy implant into the target’s machine. The exact method by which these CDs were interdicted is unknown.
> What the article doesn't reveal is the attack vector, how did the firmware in these drives come to be infected?
Worst case scenario: they all are infected as they come out of the factory. Best case, they are rerouted and patched during postal delivery by a targeted ops team.
I wonder if the team working on this has a "wrap party" when the vector is inevitably exposed, or if there's some kind of politics/fallout if they didn't show quite enough ROI. Sort of like modern NASA and ESA (and now ISRO) missions, you know?
Anyway, I'm not interested in getting into a debate, but it sounds like an impressive bit of work.
Or the program continues uninterrupted because even once exposed, it still works. All major hard drive makers have been infiltrated. Where's everyone in the world going to buy hard drives?
There are driverless/non-firmware-upgradeable RAID controllers, for example the Sil3726, a SATA port multiplier with RAID functionality built in. Connect a couple of drives and the host sees only one.
Sorry, not an answer to your question, but I did think about this while reading the article, and these new findings do seem to make Richard Stallman's 'entirely free and open laptop' efforts seem not so crazy, after all.
No one thinks the rationale for the free and open laptop is crazy. Just the cost and capability.
That said, right now there is not a single hardware manufacturer in the world who is not open to government pressure.
Perhaps the only answer to all this is to make our institutions irrevocably open - that there are open publicised hardware standards and means of verifying the circuits are the design expected.
No. A modern device (PC, tablet, phone) is full of firmware/binary blobs: graphic accelerator, WiFi/Bluetooth module etc. There's a small Open Source Hardware movement (http://www.oshwa.org/definition/), but it's nowhere near its software counterpart. I hope such revelations will help to get it moving.
Would this not be mostly thwarted by using full disk encryption and a TPM? FDE means the firmware cannot do anything with your data; just view the disk as a remote server and store like you would on AWS or so.
A TPM can then read the boot sector and ensure it hasn't been modified, so the firmware can't take advantage of the unencrypted code there.
Of course there's other things the firmware can target, but at least not being able to directly read/write data is a huge bonus. And it'll greatly reduce the surface area for exploits, since just the encrypted block device code can be messed with, not all the internals of various filesystems.
Hence the part of the TPM and other DRM-capable technologies (Secure Boot, I think). You can sign and seal the boot code, so just owning the firmware doesn't get you there. (Of course the NSA might also compromise the Windows boot keys, but then that's a detectable, major incident.)
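Added example (not from the thread) in Python: a model of the measured-boot gate described in the two posts above. The host extends a PCR with what the drive serves for the boot sector and the second-stage loader, and the FDE key is sealed to the expected PCR; a firmware that substitutes sector 0 on the read path changes the PCR and the key is not released, even though an image of the platter bytes still hashes clean. The drive, boot code and key are constructed; the PCR extend arithmetic is the standard SHA-256 form, and the encryption of the data itself is not modelled.

```python
import hashlib

SECTOR = 512


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sector(data: bytes) -> bytes:
    """Pad or cut a byte string to one sector so platter and measurement always see 512 bytes."""
    return data.ljust(SECTOR, b"\0")[:SECTOR]


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: PCR' = H(PCR || H(component)). Order-dependent and one-way."""
    return sha256(pcr + sha256(component))


def measure_chain(components):
    """Run a measured boot over the early components (boot sector, then second-stage loader)."""
    pcr = bytes(32)  # PCRs start at all zeros after reset
    for c in components:
        pcr = extend(pcr, c)
    return pcr


def seal(disk_key: bytes, pcr: bytes):
    """Bind the FDE key to a PCR value; unseal releases it only if the observed PCR matches."""
    return {"key": disk_key, "pcr": pcr}


def unseal(blob, observed_pcr: bytes):
    return blob["key"] if observed_pcr == blob["pcr"] else None


class Drive:
    """Constructed drive model: platter contents plus the firmware read path the host goes through."""

    def __init__(self, sectors):
        self.platter = [sector(s) for s in sectors]
        self.substitute_mbr = None  # set when the firmware hands the host something else for LBA 0

    def read(self, lba):
        if lba == 0 and self.substitute_mbr is not None:
            return sector(self.substitute_mbr)
        return self.platter[lba]


def mbr(code: bytes) -> bytes:
    """Boot-sector image: code padded to 510 bytes plus the 0x55AA signature."""
    return code.ljust(510, b"\0") + b"\x55\xaa"


# Constructed honest boot components and the key that FDE would need at boot.
GOOD_MBR = mbr(b"CONSTRUCTED: load sector 1, jump")
GOOD_STAGE2 = sector(b"CONSTRUCTED: stage-2 loader, asks TPM to unseal")
DISK_KEY = sha256(b"constructed disk key")
GOLDEN_PCR = measure_chain([GOOD_MBR, GOOD_STAGE2])
SEALED = seal(DISK_KEY, GOLDEN_PCR)


def boot(drive):
    """Host side: measure what the drive serves for LBA 0 and 1, then try to unseal the FDE key."""
    observed = measure_chain([drive.read(0), drive.read(1)])
    return unseal(SEALED, observed)


def demo_honest():
    return boot(Drive([GOOD_MBR, GOOD_STAGE2])) == DISK_KEY


def demo_substituted():
    """Firmware serves a different sector 0 while the platter bytes stay untouched."""
    d = Drive([GOOD_MBR, GOOD_STAGE2])
    d.substitute_mbr = mbr(b"CONSTRUCTED: not the code that was sealed")
    key_released = boot(d) is not None
    platter_clean = measure_chain(d.platter[:2]) == GOLDEN_PCR  # a raw image still matches
    return key_released, platter_clean


if __name__ == "__main__":
    print(demo_honest())       # True
    print(demo_substituted())  # (False, True)
```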
You can't. Unless you write your own HDD firmware. Buying a new HDD won't help much either, because all major HDD manufacturers have been infiltrated/persuaded by the NSA.
It's not mainstream malware, so if you get infected it means you are on the NSA's list, and buying a new HDD won't help, because the vulnerability remains unless HDD manufacturers fix their firmware.
Linux kernel privilege escalation bugs come out all the time. There is a long documented history of Linux rootkits. And I'm assuming you are accessing HN through a browser: Firefox/Chrome browser exploits with sandbox escapes get reported each year. Also you probably boot using UEFI, and there was a presentation last year about UEFI bootkits which can hook into kernels.
In addition, Ubuntu is one of the most popular Linux distros (if not the most) and doesn't use rolling releases, so it's probably an easier target compared to most distros.
You can't achieve security strictly through technology choices, such as which operating system you choose. Although there is some value in choosing less-popular technology.
I certainly wouldn't rely on being "immune", but I'd take some solace in the idea that I'd be unlikely to be swept up in internet-scale exploit-all-the-things kind of programs. (If you're actually an NSA target, I doubt any device with more transistors than a flashlight should be considered "immune".)
FTA: "the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware"
Is this really a breakthrough? Hasn't this type of attack been around for a long time? Yeah, Reuters. It is interesting that likely a state actor is using this type of attack in a coordinated way. Interesting, but is this really surprising?
In other news, Apple and Google now make a device you can connect right to you skin 24/7.
I find it strange too that people (even some with more technical background) refer to firmware as something obscure/magical. Chip technologies are so advanced today that you can run code, which was only possible on a PC a decade or so ago, on a tiny controller. It would be plainly stupid for the NSA and the like to ignore such an opportunity.
Remember the report on the Toyota accelerator firmware, which had like 10K global variables? Someone 'with technical background' could call this kind of software organization 'obscure' and the fact that it actually (somehow) works 'magical'))
I hate to say it but I think the average person just doesn't care, even a lot of HNers don't really think it's a big deal. I personally think it's time for a revolution or at least mass social upheaval.
Politicians pretty much treat us like we're all mentally challenged, which, compared to Ivy league educated officials, I guess most of us are. But it really makes you wonder why such smart people just don't give a fuck.
Speaking from personal experience, it is not a comfortable experience to come to the realization that "the rules" do not apply to all or in the same way. The Bill of Rights and the US Constitution are romantic ideas, but at the focal point of the specific individual, they do not necessarily apply/get followed, and en masse, we end up with a corrupt governing system.
Government is not a meritocracy. Humans game any system. And it usually makes sense to go for the most leverage/bang for your buck. If one is doing something that is unethical, legal or not, might as well go in for the whole enchilada.
To specifically address your implied question, although I do not think I am all that smart, I am just trying to keep what little I have, improve the small area I live in, cherish the important people around me, and have time to learn new stuff. Railing against the current governing system threatens all of that, and in some cases, results in premature death. I seem to have settled for the Blue Pill.
What is the verse from the third stanza of Queen's 'We Will Rock You?' Something like 'Old man trying to make you some peace some day...'
Well, what is the big deal? What is even the real news here? "NSA does intelligence gathering abroad"? "State-funded malware uses known attack vectors to attack computers in countries the US doesn't like"? "NSA probably employs some programmers to write decent malware to infect selected targets"?
It's interesting insight from a technical perspective, but apart from that, is it really surprising or upsetting?
Some things about the NSA like Prism are genuinely upsetting, but I don't think this particular story is.
I agree. Also the reality is that most of us are working hard trying to accomplish our own goals.
As long as the central bankers and whoever else is in power doesn't turn up the heat too high too fast this isn't that relevant to most of us.
We're all pretty aware they can get our data so this isn't surprising. Just search NSA on LinkedIn and you can see their army of programmers on there who care about real threats and not people who read hacker news.
It is not clear how the NSA may have obtained the hard drives' source code.
Probably just a nicely worded letter:
To whom it may concern,
Under the authority of Executive Order 12333 and
pursuant to Title 18 USC Section 2709, you are hereby
compelled to provide the NSA with the source code of the
firmware of your company's line of hard-drive products.
> "There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.
Anybody have any more info on this? I've always been under the impression that it's at least theoretically possible to copy the firmware off of something and decompile it at least.
Unless someone invented state-of-the-art anti-hacking hardware and couldn't think of any better use for it than protecting the secrecy of HDD firmware, that is just a lie (or knowledge gained by reverse engineering the firmware is not considered "public" information). If you are interested, here is a story of someone modifying HDD firmware [1].
I guess writing a new hard drive firmware from scratch, without inside knowledge, would be close to impossible.
But why start from scratch if you can just modify the existing firmware? And that seems to be perfectly possible:
http://spritesmods.com/?art=hddhack
I'd say the most difficult and resource consuming part is to make versions which work on as many brands, models and revisions as possible, and make them all robust enough so they won't be detected because of random malfunctions.
But I don't know anything about hard disk firmwares: Perhaps they are not too diverse and once you know how to modify one drive, the others will follow easily?
Hard disk firmwares are already under attack from anyone who develops tools for data recovery.
I have personally added new functionality to binary libraries on Wintel, and in embedded firmware, for instance in communications devices. Just jump somewhere else and jump back where you came from; there is often nothing preventing you from doing that.
There's a discussion of this over in the other thread. The general consensus there is that this capability is not that remarkable, and individual hackers have done similar things on a smaller scale.
Does it worry anyone else that China is starting to review code before allowing it to be released? I can definitely see the US doing something like this, especially if companies continue to get hacked.
Imagine having to wait 3 months before you can launch your start up because you have to get the corresponding permits and have your code reviewed.
> Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of U.S. technology products abroad.
God damn it. Again with the "kill the messenger" attitude. It's not the disclosure of the acts that harmed the relationships. It's the spying and hacking acts themselves. It's like your friend telling you your girlfriend is cheating on you, and getting mad at the friend instead of the girlfriend, for "harming your relationship".
You don't want your relationships harmed? Uhh..here's a solution for you, US government: don't fucking do it to your allies in the first place if you don't want your relationships "harmed". It's not rocket science.
I agree. How come as software engineers, we like to talk about larger emergent behavior from large groups of simple pieces, but when we talk about governments and nations (large groups of complex pieces) we use analogies to simple systems? For example, the national debt does not operate like a household debt. The cacophony of systems at work in a nation makes it exponentially more nuanced. Some rules are emergent only at the larger scale. Or, international relations. Nation to nation relations don't consist of just the heads of state, but whole organizations of people interacting. Again, a large group of complex things (people) interacting probably creates some emergent behavior not visible in small groups. It's frustrating to see these systems reduced without any thought.