How the NSA’s Firmware Hacking Works and Why It’s So Unsettling (wired.com)
318 points by rl3 on Feb 23, 2015 | 122 comments



> “You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

I honestly don't think it's as difficult as they make it out to be. About ten years ago we were hacking Treo 650 firmware to read and write to flash without actually knowing how to do it at a low level. We just found the appropriate "read sector" and "write sector" commands and wrote a heuristic to search for them in whatever version was running. Later Android hacking attempts did exactly the same thing with HTC's HBOOT.

HDD, CD-ROM, DVD-ROM, BluRay -- firmware for all of those types of drives has been decompiled before. With the right JTAG hardware and/or creativity it just isn't that difficult for someone who knows what they are doing.

Now, if you can execute code on the HDD's CPU through whatever exploit you can find, you can search through RAM for whatever methods you need to write yourself to persistent storage. That persistent exploit can then use heuristics to hook the appropriate methods to intercept reads and writes as needed.


Hacking around with something in a lab is not quite the same as weaponizing an exploit. And, while your thresholds for technical accomplishment might be higher than Kaspersky's, regardless whether we knew this was "feasible" before, it's the first documented case of completely taking over the hard drive. That I know of.


You are correct that it does require more effort to make things production-ready. From my experience doing similar things -- not weaponizing exploits, but turning them into polished tools as part of [1] and [2] which I'd consider roughly equivalent -- I would estimate that productionizing an exploit takes about 3-5 times longer than the time required to find the exploits themselves.

Note that there have been proofs-of-concept of this for some time [3], as linked elsewhere in this thread. While it is still impressive that they could link it into their exploit framework, I honestly believe that you could "weaponize" something like the previously linked exploit without a massive effort.

Also note that this is not a "complete takeover" of an HDD, but rather an exploit that allows it to interpose between the platter data and the computer.

[1] grack.com/romtool

[2] unrevoked.com

[3] http://spritesmods.com/?art=hddhack&page=1


Yes, it's not something totally unprecedented that we hadn't even imagined possible before. You are correct there.

How is it not a complete takeover? I realize news articles are not the best technical sources as they get terms & concepts wrong, but I am reading that the firmware is completely reflashed, which means the HDD CPU has been utterly "pwned", for lack of a better term.


Technically it's pwned, but you are still limited by the amount of time you have for reverse engineering, implementation and validation. For example, it seems that they obtain storage area by calling some kind of drive's own reserved space allocator, without hacking it to hide this usage from host queries. That's clearly a "limited hack" with potential for improvement.


Not easy, but not impossible: http://spritesmods.com/?art=hddhack&page=2



I'm a huge fan of Micah Scott. Inspiring work.


This. It requires time and effort but not more than could be accomplished by a single motivated hacker without being paid.


Exactly. And this would be faster with a team.

If anyone here has done reasonably well at https://microcorruption.com/ and has experience with IDA, I'd say they were qualified to do something like this (experience with ARM and JTAG a bonus!).


And way _way_ faster if you've NSLed the US corporate officers of the drive manufacturers, or deeply rooted their internal networks Gemalto-style...


Why not do both?


It's obvious to me that Kaspersky has to follow the pro-Moscow line of, "But the Americans are so much more powerful and sophisticated than us," which gives them excuses for things like "buffer countries" and other questionable geopolitical moves. Kaspersky's connection to the FSB, Putin, and Russian military is well documented.

I also find the timing interesting here. Suddenly Kaspersky has what could be nation state cyberwar tools, while coincidentally in a propaganda war with the West?

http://www.wired.com/2012/07/ff_kaspersky/


I've repeatedly said it's interesting he keeps finding and reverse engineering all these US state nation exploits and malware, but can never seem to help with some of these major Russian hacking exploits doing major damage to the US and its Allies.

Russian hackers’ ‘Trojan Horse’ malware inside U.S. critical infrastructure since 2011

http://www.washingtontimes.com/news/2014/nov/6/russian-hacke...

Sneaky Russian hackers slurped $15 MILLION from banks

http://www.theregister.co.uk/2014/12/22/russian_cyber_heist_...

Russian Hackers Attack NATO, Lithuania Girds for Unconventional War

http://www.tol.org/client/article/24515-russian-hackers-atta...


> Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do.

That is not a solution for this. You have to assume that a state-level attacker will be able to either coerce the vendor or its employees into signing malicious firmware or just compromise their network and steal the signing key.

The right way to secure firmware updates is with a hardware write-enable switch/jumper that has to be physically set to make any changes to the firmware.


It was a serious design flaw to move away from physical write-enable protection. Physical interlocks for rare-but-important events such as upgrading firmware should exist in almost all situations.

Look back at floppy disks: while many people were caught by the write-protect tab/switch while they were still learning, it was an easy concept for people to understand once taught. I knew many non-technical people that quickly adopted habits that utilized write-protection.

The physical interlock is something that can be taught a lot easier than how to use crypto without screwing up. If you require proactive checking or fancy technique, it will be forgotten and skipped. On the other hand, if you fail the update with a message "did you forget to flip the write-protect switch? [picture of switch]", a lot of people will figure it out.

There are similarities to Schneier's (et al) recommendation to make good (long, random) passwords, but write them down and keep them someplace safe. (i.e. leverage the physical security knowledge that people already have)


I still use write protection on SD cards, since I had a buggy Mac that reformatted one to be unusable by my camera. I just got into the habit of flipping the switch whenever plugging a card into a machine, and it works fine (and is slightly safer).


Yeah, as you suggest by your "slightly safer" parenthetical, the mechanical write protection on most SD cards is just a suggestion that the card reader is free to ignore (though obviously most don't).

It's actually specified in the SD spec [1], which says on p. 38 that the mechanical protect switch is "Host responsibility only" and that "The position of the write protect switch is unknown to the internal circuitry of the card."

1. https://www.sdcard.org/downloads/pls/simplified_specs/part1_... [pdf file]


The popular CHDK custom firmware for Canon compact cameras subverts the write-protect tab on the SD card to be a CHDK on/off switch. So it's widely known that software may ignore this switch.


I did read that somewhere, but I'd forgotten.. Good catch!

Hardware write protection is harder to find than you think..


I keep wondering why create a feature only to not implement it? What was the reasoning behind this soft write protection mechanism?


Even with hardware write-enable, they could just ship the firmware with the backdoor code by default, and sign it too. This somewhat reminds me of Computrace in the BIOS - it's advertised as a "theft recovery" solution, but could also be used as a firmware-level backdoor, and many laptops are sold with this preinstalled in the BIOS without the user's knowledge. (It's easy enough to remove for those who are into hacking BIOSes, but anyone asking how gets accused of stealing hardware...)

The ultimate solution would be to make HDD firmware open-source, just like Coreboot for BIOSes, so the truly paranoid could download, verify, compile, and flash their drives themselves. Unfortunately, I don't see this happening due to all the trade secrets (including some existing backdoors into passworded drives that you can find on data recovery forums, but obviously manufacturers don't want you to know about...) that are likely involved.


RE: passworded drives.

To access a BIOS passworded drive all you had to do was swap it for another for which you knew the password, boot into the BIOS and change the HDD password. It will ask you for your old password, you enter it and you go to the new password input screen. Now you take out the HDD and put the locked one in its place. You press enter twice, setting the password as blank, and voilà, you have your locked drive unlocked. Just boot the computer and no more HDD password. Have fun.


I agree with the open source point (but not that it would solve everything - see "Trusting trust"), but shipping with the backdoor by default is problematic for the attackers, because it makes it public.


Physical switches are no impediment to people who already gain physical access in transit.


With physical access they could just program the flash chips directly or replace the entire hard drive with a compromised one. The only way to defend against physical access is to prevent physical access.


Physical switches would be an impediment, actually.

Some targets may fall under surveillance and not acquire new hardware for long periods of time. Years.


Not to worry. Soon you'll be able to buy a Librem laptop with a CPU that accepts unsigned microcode updates as well.


I guess I could see having that as an option, but reality is that every vendor would just ship the drives with the jumper in the "flashme" position by default. Asking a consumer to pull out a drive and move a jumper to install an update is akin to asking them to remove their own spleen.


How often do consumers actually have to flash a hard drive with new firmware?


Manufacturers don't seem to release firmware updates for hard drives very often, but even when they do, consumers may never learn that they need to apply an update to a drive they own so the actual update rate in the wild is probably very low.

As an example of a rather serious firmware update that likely went unnoticed by most drive owners, some Samsung F4 EcoGreen hard drives (the ones Samsung actually made before the Seagate buyout) had a serious bug[1] that caused data corruption if a specific S.M.A.R.T. command was issued to the drive during normal operation:

    "The above suggests that the disk sometimes discards a
     pending 64 sector write command when a IDENTIFY DEVICE
     command is received. This data loss occurs silently.
 
     There is no error message in kernel log, SMART Error log, 
     NCQ Command Error log page, or SATA Phy Event Counters 
     log page."

Manufacturers can't notify people directly about these things unless buyers' contact info is submitted along with info about which specific drive model they own. I don't know if this patch was pushed out via Windows Update but I'd bet it wasn't. I only heard about it because Smartmontools warned me.

Samsung fixed it in a firmware update but neglected to bump the version number of the firmware, so it's impossible to tell which drives have been fixed. As a result, it's quite easy to assume your drive is fine, so Smartmontools will print this in any system with any HD204UI or HD155UI detected:

    ==> WARNING: Using smartmontools or hdparm with this
    drive may result in data loss due to a firmware bug.
    ****** THIS DRIVE MAY OR MAY NOT BE AFFECTED! ******
    Buggy and fixed firmware report same version number!
    See the following web pages for details:
    http://knowledge.seagate.com/articles/en_US/FAQ/223571en
    http://www.smartmontools.org/wiki/SamsungF4EGBadBlocks

[1] http://www.smartmontools.org/wiki/SamsungF4EGBadBlocks


First generation SSDs, across the board, were getting firmware at least quarterly.

Even ignoring that, let's move on to... enterprise storage. I don't foresee someone with a 1200 disk storage array being enthused at the prospect of popping out drives one at a time to be able to update firmware (something that is currently an online operation).


I think every SSD I've owned, from three manufacturers, recommended firmware updates. Not nearly as rare as such updates were ten years ago.


I own several SSDs, but have never updated any firmwares. How do you get notified?


Probably from installing the utility program that often comes with the SSD. I bought a Samsung 840 EVO recently and it came with "Samsung Magician" which dutifully tells me about the Feb 2015 update available.

http://www.samsung.com/global/business/semiconductor/minisit...

Now tedu being a BSD guy ;) probably is finding out some other way but I'm going to guess the vast majority of SSD customers have a Windows or Mac computer and just go with the utility provided by the hardware vendor, Samsung or some other company.


I see. All my computers run ArchLinux. Guess I should skim through the manufacturers' recommendations some time.


In thirty years of computing I have never flashed a hard drive with new firmware ever, for any reason.


Physical switches can easily be bypassed in the code.


Not if the physical switch is directly controlling the NAND's !WP pin. If that's possible it's beyond my knowledge.

eg: http://www.hynix.com/datasheet/pdf/flash/HY27UF084G2M%20Seri...


It seems unlikely that any PC manufacturer (Apple, Dell, HP etc) would force their users to open up their machines and flick the WP switch on the hard drive controller to install a firmware update.


Motherboards used to have physical write-protection jumpers for the BIOS flash, and that was something no malware could ever bypass. This was also in the days when BIOS updates were quite rare, so opening up the case to do it seems a very reasonable action to take. I have only updated the BIOS twice on two machines, in over a decade; "don't fix it if it ain't broke" is how I tend to approach updates in general.

For HDD firmware, I think it's something that should not be updatable at all through regular software; instead it's something manufacturers should be getting right before shipping product. I've owned disks from over two decades ago, and not once have I needed to update any firmware on them.

Somehow I feel that this "update culture" has just led to more problems due to propagating an attitude of "it can always be updated later", where shipping devices with imperfect firmware becomes almost acceptable and it can sometimes become a case of fixing one bug and introducing others.


Yup. I loathe the update culture - every wifi router I've bought in the past decade has been barely useable before updating its firmware to current. Regular WiFi crashes requiring re-setting the router should not be the default state.


"update culture"

Don't forget feature bloat & the increased attack surface they inevitably create.


> It seems unlikely that any PC manufacturer (Apple, Dell, HP etc) would force their users to open up their machines and flick the WP switch on the hard drive controller to install a firmware update.

http://support.apple.com/kb/DL1283

"Locate the programmer's button on the side of the iMac, to the right of the reset button. Press and hold in the programmer's button. You may need to use a pen or a straightened paper clip."


> iMac G3

Which they stopped making around 2003. Further the button was accessible from the outside.


How often have you honestly installed a firmware update on an HDD ever? I think I've done it maybe twice in my lifetime. Both times required jumping through crazy hoops creating boot floppies.

Apple would likely just ask you to bring it into the Apple store.


Apple pushes out HDD firmware updates more often than you think.


Can you link to some examples?


I can:

http://support.apple.com/en-us/HT201966

http://support.apple.com/kb/DL1378

Here's one from Lenovo:

http://support.lenovo.com/us/en/downloads/migr-62282

With suitable search terms you'll find similar updates from other OEMs.


They could wire it to a key on the keyboard, so you have to hold down 'Esc' to flash a firmware update, for example.


Unless you've got a direct electrical connection between the Esc key and that pin, you've unfortunately introduced a way for software to do the same thing as holding Esc.


Not if the physical switch physically disconnects the write enable pin on the flash chip.


WP pins are not necessarily meaningful. All of the on-chip flash for embedded micros that I've seen in the last few years have not needed an external WP pin.

Presumably stock external flash parts are okay, but it's still conceivable that evil circuitry could cause a write, or at least an addressing "mistake".


Are you talking about flash embedded in the mcu, or separate flash chips? The mcu can usually reflash itself, modulo fuses, but I can't recall having seen a standalone flash chip which lacked a write protect (or write-enable) pin. A physical toggle switch on that line seems like a solid protection against NSA style firmware hacking.


Unless you're talking about a pin supplying a required programming voltage, that WE pin is just hooked up to internal gates that suppress writes. There are relatively easy ways to back-door gates (e.g., with secret access patterns or data sequences).

Yeah, I'm a suspicious cuss.


Presumably some of the people writing these firmwares are reading hacker news. I'm pretty sad that extremely competent software people are building these things for the government - just following orders so to speak.

They must know that it's wrong? Or do they buy the government arguments about the balance between privacy and security; maybe are they just young, talented and excited to be doing something "legally" that most people would be put in jail for?

What to do when governments become untrustworthy actors to such an extent?


    Government and industry have betrayed the Internet, and us.
    
    By subverting the Internet at every level to make it a vast,
    multi-layered and robust surveillance platform, the NSA has
    undermined a fundamental social contract. The companies that
    build and manage our Internet infrastructure, the companies
    that create and sell us our hardware and software, or the
    companies that host our data: we can no longer trust them
    to be ethical Internet stewards.
    
    This is not the Internet the world needs, or the Internet
    its creators envisioned. We need to take it back.
    
    And by we, I mean the engineering community.

https://www.schneier.com/blog/archives/2013/09/take_back_the...


Spying is often seen as a necessary requirement to diplomatic stability. I have much more of a problem with blanket surveillance than this targeted spying to be honest.

Lots of these revelations are being published by a non-US security company. The US security companies have either missed these security issues, deliberately ignored them, or have been forced to keep them secret. In my opinion, the fact that there are still some non-US IT security companies is a good thing.


>Spying is often seen as a necessary requirement to diplomatic stability.

Also for having the upper hand in negotiations and forcing the lesser states and their politicians to do as you please...

Which is much more important than some BS need for "diplomatic stability" without any other major player like USSR around, except maybe with China.

If you're the 10,000-pound gorilla you don't get instabilized by the small 10 pound zoo animals...


> If you're the 10,000-pound gorilla you don't get instabilized by the small 10 pound zoo animals

That's not always true for either countries[1] or animals[2].

[1] https://en.wikipedia.org/wiki/Category:Former_British_coloni...

[2] https://en.wikipedia.org/wiki/War_pig


There is a big difference between a 10 pound animal and lots of 100-400lb pigs on fire.

Megarians doused some pigs with combustible pitch, crude oil or resin, set them alight, and drove them towards the enemy's massed war elephants. The elephants bolted in terror from the flaming, squealing pigs, often killing great numbers of their own soldiers by trampling them to death.

From a foreign policy standpoint it's often less about the entire country vs small groups of well-connected people with foreign interests. In the end most of what the US government does is easier to understand when you realise and account for just how corrupt it is.

EX: US immigration policy seems very reasonable when you realise exploiting both legal and illegal immigrants makes some people lots of money.


They didn't "de-stabilize" UK, they just re-gained their freedom (as much as they could, they're still tied with 100 different ways to their old masters).

It's not like some small nation came and took Wales from the UK -- which would be actual de-stabilizing.


> Also for having the upper hand in negotiations and forcing the lesser states and their politicians to do as you please

That's what "diplomatic stability" means.


I think the generous interpretation is that the US Security companies simply don't get as much collected data in the areas being targeted by the US intel agencies. I don't have any real data to back it up, but I would assume Kaspersky has a much higher install rate in Russia than, say, Symantec. I wouldn't be surprised if the same is true for much of the middle east, too.

It's especially interesting that the mere assumption that the US security companies are covering for the intel agencies is going to make it look more like they are. If Kaspersky is on 90% of the computers targeted by the NSA/CIA, they're going to be much more likely to get the data necessary for this kind of analysis, which reinforces the thought that the US companies might be covering it up.


Good point. I hadn't considered that.


For people who like embedded systems and RF and reverse engineering, you can't find a much better job opportunity than the secret spy agencies these days. Show me a company who has their engineers solve problems like these, there's very few, especially at the cutting edge like we're seeing come from NSA and GCHQ.

I'd love to work on problems like this, especially in a team of highly skilled coworkers. It'd be a lot of fun (and a lot of frustration, reverse engineering generally is). The part I wouldn't like is having to keep it secret from family and such.


Just because you think something is wrong means that other people "must know that it's wrong?" If anything, they have access to much more privileged information than we do. For all we know, they're fighting the First Wave of Gua infiltrators.


Because it's there, and money.

When were governments ever trustworthy actors in this respect?


> just following orders so to speak.

Maybe talented people have a different perspective than you? Maybe they recognize the worldwide cyberwar and don't want to have their pants down when Russia and China do whatever they want? Or they realize that good intelligence has value, if not moral value, assuming good intel could stop or minimize future armed conflicts? This is like calling Turing a baby-killer because he worked for the UK intelligence. Turns out good intel is a lifesaver.


I think patriotism can play a significant role.


>I think patriotism can play a significant role.

That's a fair and likely true statement. However, imho, leaning on appeals to authority for one's moral compass tends to corrupt more reliably than individualism.

Iow, follow the patriotism of your heart, not what others tell you it means.

Maybe you do yourself believe that this type of work is justified. That's a defensible position: I'll disagree with you, but you made your own decision. Just don't do it for external accolades and validation.


>just following orders so to speak

I say we give them their just deserts - hang 'em high and let them be a message to any other collaborators that this sort of shit is not tolerated in a civilized society.


Because talented people don't care about politics, they care about achievements. They don't necessarily care about how their achievements are used. They just want something they can put their hands on and feel content when they make it work.

The most brilliant minds are often bored by the fact they can't find anything that challenges their skills. You give any problem to talent, talent won't care about the nature of it. Talent will be put to work.

And to be honest, maybe the work they do can be legitimate or might serve good in the end. It's just that you will never know about it, for the simple fact that it's classified.

For example, catching tax evasion or financial crimes is very hard. If you really want to catch those criminals (who have the worst effect on society), you might want to step up the spying game and scan everybody. Catching or discouraging terrorists is difficult too.

The issue is not that you scan everybody, the issue is that those spying tools can be used against innocents or for the sake of private interests. So of course people will scream bloody murder, but if the NSA has a very well made policy to avoid misuse, and if you don't hear about any big scandal, maybe there's no big harm done.

All in all, civilization works in a hierarchy, and politics will lead people to do things. Moral standards are guidelines, they're not rules. Civilization works towards its perpetuation. I doubt those spying tools are used for private interests. I know freedom is important, but you can't escape the fact that information technologies can give new powers to criminals.

The question is, do you want civilization to be the norm, or would you prefer to have people taking advantage of civilization with the use of technology? I know the US has a history of liberty, but when it comes to domestic telecommunications, I doubt any government will let people use gadgets because it feels "free". You're not free when you use any device, any of those devices requires telecom infrastructures, and thus it requires civilization.

In the light of dirty finance, I think I can be okay with those spying programs, because I really want those bad guys to be caught. On the other hand, citizens are both protected and housed by government, so I don't think kids can really complain about their parents peeking in their room.

Of course my cynicism doesn't excuse my arguments, but I like to understand the real reasons behind those programs, and children rarely realize the real reasons behind the behavior of their parents.

Freedom in modern western countries requires a lot of regulation and very hard police work. Freedom has a very high cost.


Also this:

http://www.aljazeera.com/news/2015/02/spy-cables-world-espio...

And talented people will have to care about politics more and more as time goes on. It's vital that we get better, more moral people into politics and everyone has a duty to act in accordance with their own morality. Maybe we can fix some of the problems around the world that cause most of the harm if more people stop being quiet about the bad things that governments are doing in their name.


Sure. As long as absolutists like you are willing to accept that maybe "moral" doesn't necessarily mean to other people something you are going to personally agree with.


I guess in the end you are saying you trust the motives of governments and I'm saying I don't. It's fine to argue that but let's hope neither of us end up on the wrong side of government in a legal case for example. The UK government has been breaking client attorney privilege with these tools.

The people who are meant to be serving our best interest are clearly often serving themselves.

>> I doubt those spying tools are used for private interests

It's proven from the Snowden papers and elsewhere that America uses its spying power for industrial espionage.

A program with limitless powers such as this will lead to limitless abuses. I'm all for governments being able to individually monitor bad people but it seems to me the old mechanisms are still the most effective and that particularly mass surveillance, but also deep and difficult to detect hacks like this make me think that everything we believe about democracy is probably false and that we actually live in a kleptocracy.

I still think that we know very little about the people using these systems for the wrong reasons. I think government should be reporting them where abuse occurs; it would make me feel a lot safer about their use. If there are never any abuses reported you can be sure that they are many.


> It's proven from the Snowden papers and elsewhere that America uses its spying power for industrial espionage.

I don't have a problem with that. It's totally expected from government to do industrial espionage. It has nothing to do with privacy and liberties. I think any patriot would be happy to know his country is trying to spy on another country. It's expected, spying is a common denominator. In French I'd say "c'est de bonne guerre".


But they tell us they just love the free market and that is the solution to all problems - why is it acceptable to lie to people with a straight face? I say it's totally unacceptable to lie and cheat corporations who are maybe working to make a better deal for their citizens rather than OPEC and that you have accepted it is not really my point to argue against.


> They must know that it's wrong?

But it's not wrong. It's honourable work when done on behalf of one's nation.


It's sort of funny that the NSA can remotely flash a running system's hard drive firmware, but Seagate makes me make a DOS bootdisk to do it. They really do have tech that the rest of us can't conceive of.


It's fairly likely that the hard drive can be flashed from within the OS without any problems. The most likely reason for Seagate's actions is a good, old fashioned, case of CYA. By making you use a boot disk, you're getting rid of a lot of other factors, like buggy drivers for other components, etc, that could cause a system to hang mid-flash and brick the hard drive.


Also probably they don't see enough demand for people being able to effortlessly reflash/reprogram their harddisks to invest the necessary R&D to make it work seamlessly. There are hundreds of tricks to make flashing more reliable and unsusceptible to data corruption, but it's cheaper to just use a DOS tool and write "DO NOT TURN OFF OR RESET YOUR COMPUTER!" on the screen.


And not to forget that you get rid of all the folks who don't know what they do. No support calls. No complaints.


Nah, they just don't have customers. If Seagate's flasher breaks your entire RAID array, you call Seagate support. If the NSA's flasher does, you don't call the NSA.


I'm sure they have backup copies of your data.


>but Seagate makes me make a DOS bootdisk to do it.

They don't want to worry about your "reg cleaner" and ask.com toolbar suddenly taking 100% of the CPU and screwing up the firmware write.

Heck, BIOS updates are done the same way, pretty much. The Windows installer shoves the new firmware binary into a space the BIOS can access, reboots the computer, updates during POST/BIOS, and then only when it's successful, reboots again into Windows. It's not run when Windows is running. You'd have to be a little crazy to do that.


Some of Seagate's drives require signed firmware.

http://www.seagate.com/www-content/product-content/savvio-fa...

8.7 AUTHENTICATED FIRMWARE DOWNLOAD

In addition to providing a locking mechanism to prevent unwanted firmware download attempts, the drive also only accepts download files which have been cryptographically signed by the appropriate Seagate Design Center. Three conditions must be met before the drive will allow the download operation:

1. The download must be an SED file. A standard (base) drive (non-SED) file will be rejected.
2. The download file must be signed and authenticated.
3. As with a non-SED drive, the download file must pass the acceptance criteria for the drive. For example it must be applicable to the correct drive model, and have compatible revision and customer status.


Next week on Der Spiegel: NSA stole drive manufacturers' private keys.


"stole"


Yes, stole. As repeatedly evidenced - most recently with the Gemalto documents - the NSA far prefers to obtain keys surreptitiously than to go through the trouble of legally compelling corporations to provide them.


No corporation would continue to use a private key they divulged to outside sources, there is no reason to other than a minor syncing headache.


Looking at the "Lavabit" incident, there's obviously some legal framework that allows a government entity in the USA to force a company to surrender a copy of the private key used for email encryption.

If said company would change the private key, obviously the same legal framework can be used to get this new key, in turn. So it's fruitless.

Of course, if it's an "unofficial" leak, a revocation and renewal of keys makes sense.


Issuing an NSL is not really "trouble" for them. As we have seen now countless times...


The fact that you have seen it is the trouble.


Note the 'N' stands for 'National' and Gemalto is not American.


So? Listed company, locations in TX.

http://www.gemalto.com/companyinfo/offices-locator


Signed firmware is generally only featured on SAS drives. I imagine the NSA is much more interested in infecting the more common SATA drives which have no such protection.


I imagine they also have the capability to sign firmware if they need to.


That the NSA succeeded in this is somewhat alarming, but what is most alarming is that the document describing this is EIGHT YEARS OLD.

No telling what other exploits those sons-a-bitches have come up with and deployed in the meantime.


I've only read part of the article so far, but scanned it for the NSA's codename and am surprised it is not mentioned (there or here).

They're describing SWAP [0]. Cool that Kaspersky now has binaries to reverse-engineer.

What's impressive is the number of OSes and filesystems that are supported. Keep in mind the documentation publicized is from 2008, so they likely support ZFS, ext4 & btrfs as well now.

[0] https://www.schneier.com/blog/archives/2014/02/swap_nsa_expl...


The NSA's Trojanized HDD firmware is indeed “an astonishing technical accomplishment”. But I'm wondering whether their firmware reprogramming modules are especially capable, or are merely customized to add requisite APIs. Maybe Kaspersky will release them. Or not.

In particular, I'm wondering whether host machines' HDDs can be flashed from VMs. And further, which hypervisors and emulators are least vulnerable in that way.


> In particular, I'm wondering whether host machines' HDDs can be flashed from VMs.

If the VM is using an emulated disk based on an image file on the host, probably no chance at all as only "read block" and "write block" types of commands will be interpreted by the virtual disk. Even other mundane commands like "spin down to save power" won't make it to the hardware due to the effect that would have on the host or other VMs on it.

If the VM is configured to passthrough directly to the hardware, then it has full control over the HDD.


Some thoughts: VMs are an interesting case. Someone with the motive and means would have exploits to get out of the VM. This is probably easier if the guest is running something to accelerate (e.g. VMWare Tools / VirtualBox Guest Additions.) Once you get out, you have to account for the host OS. Assuming you could do it, how does one determine if the VM is part of a honeypot or the target?


Not really. Consider how many hypervisors are there really to exploit from a virtual OS?

Maybe four.

HyperV, KVM, ESX, what you mentioned, etc...

But really, 3 vendors - Oracle, Microsoft, and VMWare covers the majority.

Way fewer virtualization technologies (mainstream) than hard drive firmwares.


I think all those articles going into details also help to trivialize the issue.

"They do this specific thing, or they do that specific thing" -- at the level of implementation / deployment etc.

The "unsettling" thing should be that they spy on citizens, period. Not how they do it, if it's 200,000 or 40.000.000 targets, how long they retain the data, if they're "allowed" to see them, etc...


    Modern workstations and servers implicitly trust hard disks
    to act as well-behaved block devices. This paper analyzes
    the catastrophic loss of security that occurs when hard disks
    are not trustworthy. First, we show that it is possible to
    compromise the firmware of a commercial off-the-shelf hard
    drive, by resorting only to public information and reverse
    engineering. Using such a compromised firmware, we present a
    stealth rootkit that replaces arbitrary blocks from the disk
    while they are written, providing a data replacement backdoor.
Zaddach et al. (2014) Implementation and Implications of a Stealth Hard-Drive Backdoor

http://www.s3.eurecom.fr/docs/acsac13_zaddach.pdf


If you want an air gapped machine I guess you better buy the parts separately, from different sources, via anonymous intermediaries.


It intrigues me how the NSA pulls the best of the hackers to accomplish this task, and who is behind the architecture and direction of this? It's bad, it's terrible from a privacy violation perspective and from a security perspective, but also remember this is nothing less than magic to bring the resources together effectively and make it scale.


"It intrigues me how the NSA pulls the best of the hackers to accomplish this task, and who is behind the architecture and direction of this?"

They don't need to be the best of the hackers.

The fascist (collusion between private companies and State) laws that were created after 11-9 let them have access to the source code of hardware and software.

With source code, doing this is not that hard. I believe most of them do not need to be stars.

I don't know about the specific NSA, but normally secret agencies have lots of ways of finding who is good at hacking-cracking (the stars). For example who is behind the release of the crack to a software protection.

As simple as "recording the web" for unique documents upload, and analyzing which dark web page was the first to upload the document. Follow all the proxies and who is really behind is not that hard if you have resources.

Once you know who is the target you want to hire you study her with social connections in facebook-twitter-whatsapp-gmail-smartphone, very easy for the NSA.

You study her weaknesses, she probably needs money, you give her (first one is free, so you give her lots of money for her first easy job so she believes she could be rich easily). She is lonely, you give her a partner. Needs sex? And so on.

The rest is easy, once they take the bait keeping them hooked requires much less energy from them (money, resources or coercion). They can destroy your life with the pinky finger.

Life is good if you do exactly what they ask you. If your vice is thinking for yourself or ethical scruples (and most hackers have those vices) your life could be hell.

If you help them, you are a patriot, if you don't, you are a traitor. You are with me or against me is their favorite motto.

Stars know personally other stars, and they know who is good at it at a glance. So you make one of her jobs to hire other hackers crackers.


Anything is easy if you have unlimited funding. Especially this kind of reverse-engineering job, where the NSA can use their industrial espionage assets to get a copy of the firmware source and board schematics.


Remember that the NSA's annual budget is estimated at $11 billion.


Does the firmware itself have the capability to issue outbound/inbound networking requests?

That might be the case for a hacked firmware on an Ethernet card, but on a hard-drive? How would Windows even interpret an outbound request that comes from the hardware in the first place?

The only way I can imagine this works is if when doing a fresh install with a hacked hard-drive, the operating system would request the drivers from the hard-drive itself, which would give it the infected DLL which could obviously do whatever it needed- But it doesn't work that way, drivers are almost always downloaded, no?


I notice only Windows is mentioned, so how does this affect Mac or Linux? Curious about how they approach entirely different systems? Or am I not understanding how hard drives work? I'm not as knowledgeable on hardware, as I am on software.


Why can't the HDD vendors publish a md5/sha1 hash of the firmware so we know what the value should be?

If the NSA (or anyone) are going to modify the firmware and hide malicious or preparatory exploit code in that area, the end user will have little recourse post-exploit. Though, beforehand, if the HDD vendor published, for example: the md5/sha1 of the firmware the OS vendor could then write a "control panel" or application that the number has been entered/seeded by that vendor. If the hash on boot does not match the hash in storage, alert the user the drive has been tampered with. Alert the vendor, they send you a new drive, and you throw away the old drive.

I'm not entirely sure how to do this if they happen to not modify the firmware but instead just store in the area's wasted space. I can think that you would use sized to make values you could then hash. As long as the vendor knows the values of what they did, those can always become keys to compare to make sure they have not been modified. (I hope at the very least. I don't want a stalemate or a loss when it comes to this type of security, it has to be a win for the consumer.)

Is there any reason this approach wouldn't work? What other alternatives are there if they are writing to the firmware area of the HDD?

What if this were the firmware of the hardware itself. There are firmware(s) within your USB bus, wifi chipset, cpu chipset, keyboard chipset, display, power management, some cables, everywhere. Those can be leveraged individually or via a RAID style merging of all these firmware areas to give you, hundreds of MB of super difficult to locate storage space.

If no one is looking, you can get away with anything you want. And in this case, even if someone is looking, it will take a very good set of eyes a few times over, as it seems one voice is never loud enough to get the word out. Be prepared to go to jail for talking about any of their methods, even in a theoretical sense.


>Why can't the HDD vendors publish a md5/sha1 hash of the firmware so we know what the value should be?

Because the only way to actually verify the hash of the firmware is to connect to the drive's controller outside of the firmware's control with something like JTAG or a direct dump of the flash. Otherwise, the PC would send a command to ask the HD firmware what its own hash is. The compromised HD firmware can then simply respond with a published vendor hash.


The hash can be computed in hardware or via ROM program.


Of course the firmware could hash itself. The question is what value is there in trusting an untrusted component to tell you it's trustworthy.
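
Added example, not part of any comment in this thread: a small Python model of the point argued above, that a hash reported in-band by the firmware proves nothing, while hashing an out-of-band flash dump (JTAG or chip reader) against a published digest does, and can also check the unused flash region raised in the question. The drive class, the sample images, and the assumptions that the vendor publishes a SHA-256 plus image length and that erased flash reads as 0xFF are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a 4 KiB "vendor image" and the digest a vendor would publish.
VENDOR_IMAGE = bytes(range(256)) * 16
PUBLISHED_SHA256 = hashlib.sha256(VENDOR_IMAGE).hexdigest()
ERASED = b"\xff" * 1024                      # assumption: unused flash reads as 0xFF

CLEAN_FLASH = VENDOR_IMAGE + ERASED
PATCHED_FLASH = b"\x00" * 16 + VENDOR_IMAGE[16:] + ERASED         # image modified
SLACK_FLASH = VENDOR_IMAGE + b"constructed blob" + ERASED[16:]    # data in unused area


class SimulatedDrive:
    """Hypothetical model: flash contents plus a firmware-answered hash query."""

    def __init__(self, flash: bytes, compromised: bool = False):
        self.flash = flash
        self.compromised = compromised

    def report_hash(self) -> str:
        # In-band query: the answer comes from whatever code runs on the drive.
        if self.compromised:
            return PUBLISHED_SHA256          # replays the published value
        return hashlib.sha256(self.flash[:len(VENDOR_IMAGE)]).hexdigest()


def verify_in_band(drive: SimulatedDrive, published: str) -> bool:
    """Trusts the drive's own answer, so it cannot detect a lying firmware."""
    return hmac.compare_digest(drive.report_hash(), published)


def verify_out_of_band(dump: bytes, published: str, image_len: int):
    """Check a raw flash dump obtained without the firmware's cooperation.

    Returns (image_ok, slack_ok): the image region must match the published
    digest, and everything after it must still be erased.
    """
    image, slack = dump[:image_len], dump[image_len:]
    image_ok = hmac.compare_digest(hashlib.sha256(image).hexdigest(), published)
    slack_ok = all(b == 0xFF for b in slack)
    return image_ok, slack_ok


if __name__ == "__main__":
    n = len(VENDOR_IMAGE)
    lying = SimulatedDrive(PATCHED_FLASH, compromised=True)
    print("in-band, patched drive:", verify_in_band(lying, PUBLISHED_SHA256))
    print("dump, patched drive:   ", verify_out_of_band(PATCHED_FLASH, PUBLISHED_SHA256, n))
    print("dump, slack-space data:", verify_out_of_band(SLACK_FLASH, PUBLISHED_SHA256, n))
```
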


Why should the hard drive manufacturer send you a free replacement just because the hard drive firmware has changed? For all they know, you modified it yourself. Or are just lying about the problem.


[flagged]


I guess I don't understand this comment. Someone wrote about it, so obviously they care. Moreover, firmware is normally considered safe, if it's not then that is a significant shift in paradigm for the security conscious.


But why would someone create a new account to make that comment?


Because it's a passive-aggressive comment that translates to something like "Who would care, except for those who want the terrists to win?" ;)



