>hard drives found to have a backdoor programmed into the firmware
Do you feel safe?
According to the PDF, some of their tools work in Linux. But as the Linux kernel is open source, can we patch the kernel to deny any attempt at an HDD firmware flash (by blocking UPDATE MICROCODE)?
>All the malware we have collected so far is designed to work on Microsoft’s
>Windows operating system.
Serious question though about these firmware attacks, BadUSB included: why is it even possible to write the firmware software from the OS level? And since it is possible, shouldn't it be easy to write the "stock" firmware back onto it, fixing the problem?
>The main function to reflash the HDD firmware receives an external payload, which
>can be compressed by LZMA. The disk is targeted by a specific serial number and
>reprogrammed by a series of ATA commands. For example, in the case of Seagate
>drives, we see a chain of commands: “FLUSH CACHE” (E7)→ “DOWNLOAD
>MICROCODE” (92) → “IDENTIFY DEVICE” (EC) → WRITE “LOG EXT” (3F).
>Depending on the reflashing request, there might be some unclear data
>manipulations written to the drive using “WRITE LOG EXT” (3F).
>For WD drives, there is a sub-routine searching for ARM NOP opcodes
>in read data, and then used further in following writes.
>Overall, the plugin uses a lot of undocumented, vendor-specific ATA
>commands, for the drives mentioned above as well as all the others.
>To complicate things further, firmware checks and reprogramming rely on firmware itself,
>so it’s not possible to verify firmware integrity or reliably reupload firmware on a computer.
>In other words, once infected, hard drive firmware is indetectable and almost indestructible.
>It’s easier and cheaper to ditch a suspect drive and buy a new one.
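Added example (editor's code, not the thread's and not Kaspersky's) for the question above about patching the kernel to refuse firmware flashes, and for the command chain quoted from the report. It assumes the SAT ATA PASS-THROUGH(16)/(12) CDB layout and the standard IDENTIFY DEVICE word layout; the serial, firmware and model strings are constructed for the example, and every function and type name is the example's own. It shows what a filter that blocks DOWNLOAD MICROCODE would look like, how a reflasher picks its target out of IDENTIFY data, and what such a filter would not see:

```c
/* Added example: editor's code, not from the thread or from Kaspersky's report.
 * Models what a filter at the SG_IO / libata boundary would need: recognising
 * ATA DOWNLOAD MICROCODE (92h/93h) inside a SAT ATA PASS-THROUGH CDB, and parsing
 * IDENTIFY DEVICE (ECh) for the serial/model/firmware strings a reflasher selects
 * its target by. All CDBs and the IDENTIFY buffer are constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {  /* ATA opcodes from the quoted chain, plus the DMA form of 92h */
    ATA_WRITE_LOG_EXT = 0x3F, ATA_DOWNLOAD_MICROCODE = 0x92, ATA_DOWNLOAD_MCODE_DMA = 0x93,
    ATA_FLUSH_CACHE = 0xE7, ATA_IDENTIFY_DEVICE = 0xEC,
    SAT_PASSTHRU_16 = 0x85, SAT_PASSTHRU_12 = 0xA1,         /* SCSI/ATA Translation opcodes */
    PROTO_NON_DATA = 3, PROTO_PIO_IN = 4, PROTO_PIO_OUT = 5  /* SAT PROTOCOL field values */
};

/* IDENTIFY words 10-19, 23-26, 27-46 and word 83 bit 0 (DOWNLOAD MICROCODE supported). */
struct ata_identity { char serial[21], firmware[9], model[41]; int download_microcode_supported; };

/* Build a 28-bit ATA PASS-THROUGH(16) CDB; transfer length lives in SECTOR COUNT. */
void build_ata16_cdb(uint8_t cdb[16], uint8_t ata_cmd, uint8_t features,
                     uint8_t count, int protocol)
{
    memset(cdb, 0, 16);
    cdb[0] = SAT_PASSTHRU_16;  cdb[1] = (uint8_t)(protocol << 1);   /* PROTOCOL, bits 4:1 */
    if (protocol != PROTO_NON_DATA)                    /* T_DIR | BYTE_BLOCK | T_LENGTH=2 */
        cdb[2] = (uint8_t)(((protocol == PROTO_PIO_IN) << 3) | (1 << 2) | 2);
    cdb[4] = features;  cdb[6] = count;  cdb[13] = 0x40;  cdb[14] = ata_cmd;
}

/* Recover the ATA opcode from a pass-through CDB; plain SCSI CDBs return 0. */
int ata_cmd_of_cdb(const uint8_t *cdb, size_t len, uint8_t *ata_cmd)
{
    if (len >= 16 && cdb[0] == SAT_PASSTHRU_16) { *ata_cmd = cdb[14]; return 1; }
    if (len >= 12 && cdb[0] == SAT_PASSTHRU_12) { *ata_cmd = cdb[9];  return 1; }
    return 0;
}

/* The policy decision. Caveat: it only sees the standard download command; the
 * vendor-specific opcodes the report mentions look like any other pass-through. */
int cdb_is_firmware_download(const uint8_t *cdb, size_t len)
{
    uint8_t cmd;
    if (!ata_cmd_of_cdb(cdb, len, &cmd)) return 0;
    return cmd == ATA_DOWNLOAD_MICROCODE || cmd == ATA_DOWNLOAD_MCODE_DMA;
}

/* IDENTIFY strings are byte-swapped inside each word and space padded at either end. */
static void ata_string(const uint16_t *w, int nwords, char *out)
{
    int i, n = 0, s = 0;
    for (i = 0; i < nwords; i++) { out[n++] = (char)(w[i] >> 8); out[n++] = (char)(w[i] & 0xFF); }
    while (n > 0 && out[n - 1] == ' ') n--;
    while (s < n && out[s] == ' ') s++;
    memmove(out, out + s, (size_t)(n - s));
    out[n - s] = '\0';
}

void parse_identify(const uint16_t id[256], struct ata_identity *out)
{
    ata_string(&id[10], 10, out->serial);
    ata_string(&id[23], 4,  out->firmware);
    ata_string(&id[27], 20, out->model);
    out->download_microcode_supported = id[83] & 1;
}

/* Inverse of ata_string; used only to construct the sample IDENTIFY data. */
void put_ata_string(uint16_t *w, int nwords, const char *s)
{
    int i; size_t len = strlen(s);
    for (i = 0; i < nwords * 2; i++) {
        uint8_t c = (size_t)i < len ? (uint8_t)s[i] : ' ';
        w[i / 2] = (i & 1) ? (uint16_t)(w[i / 2] | c) : (uint16_t)(c << 8);
    }
}

/* Replay the report's Seagate chain (E7 -> 92 -> EC -> 3F) and count what the filter blocks. */
int seagate_chain_blocked_count(void)
{
    uint8_t cdb[16]; int blocked = 0;
    build_ata16_cdb(cdb, ATA_FLUSH_CACHE, 0, 0, PROTO_NON_DATA);          blocked += cdb_is_firmware_download(cdb, 16);
    build_ata16_cdb(cdb, ATA_DOWNLOAD_MICROCODE, 0x07, 1, PROTO_PIO_OUT); blocked += cdb_is_firmware_download(cdb, 16);
    build_ata16_cdb(cdb, ATA_IDENTIFY_DEVICE, 0, 1, PROTO_PIO_IN);        blocked += cdb_is_firmware_download(cdb, 16);
    build_ata16_cdb(cdb, ATA_WRITE_LOG_EXT, 0, 1, PROTO_PIO_OUT);         blocked += cdb_is_firmware_download(cdb, 16);
    return blocked;
}

int main(void)
{
    uint16_t id[256] = {0}; struct ata_identity d;
    put_ata_string(&id[10], 10, "  9VM1ABCD");  /* constructed sample; leading pad is common */
    put_ata_string(&id[23], 4,  "CC38");
    put_ata_string(&id[27], 20, "ST3500418AS");
    id[83] = 0x4001;                             /* bit 0 set: DOWNLOAD MICROCODE supported */
    parse_identify(id, &d);
    printf("model=%s serial=%s fw=%s dl_microcode=%d; chain commands blocked: %d of 4\n",
           d.model, d.serial, d.firmware, d.download_microcode_supported, seagate_chain_blocked_count());
    return 0;
}
```

Run through the quoted chain, only the 92h step trips the filter: FLUSH CACHE, IDENTIFY DEVICE and WRITE LOG EXT are ordinary commands a healthy system issues too, so they cannot be refused without breaking normal use. The same CDB is what hdparm's --fwdownload sends, so a filter of this shape does stop the documented path; what it cannot stop is the "undocumented, vendor-specific ATA commands" the report describes, which look like any other pass-through to the SCSI layer, and since root can already hand raw CDBs to SG_IO the check has to sit inside the kernel (libata's pass-through handling), not in a userspace wrapper.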
>vendor-specific ATA commands
That's the rub right there. Even in the close-knit data recovery community, this sort of information is very hard to get one's hands on.
The drive manufacturers keep it locked away for competitive reasons, and the DR community almost always keeps it locked away because it's the fruit of years of reverse engineering and the basis of many data recovery services. The ATA spec is publicly available for a price and various versions of it float around the 'net. The VSCs are not generally available at any price.
I don't know what you're getting at. Open source hardware is a real thing. Pic related.
>DR community almost always keeps it locked away because it's the fruit of years of reverse engineering and the basis of many data recovery services.
Why? Why not share it with the world like the security folks do with their findings?
You realize this shit has been happening since they invented EEPROMs, right?
My cynical side's honest answer: DR folks don't like to share because if you could do it yourself, they couldn't charge $500-5000 for data recovery.
The industry's honest answer: It's almost the same logic as /g/ isn't your personal tech support. When my car's fucked up, I take it to a mechanic. I could probably fix my own brakes. But if I fuck that up, I die. So I leave my car there and it's fixed like magic. He has a sign over his garage that reads "Shop time: $80/hr, $90/hr if you watch, $100/hr if you tried to fix it first."
The DR folks have a valid point in that while most of us on /g/ could figure out how to hook up a serial port converter to a Seagate 7200.1 drive to fix the BSY problem ( http://www.msfn.org/board/topic/133604-seagate-720010-hdds-how-to-fix-bsy-state-too/ ), 99% of their customers would fuck up the soldering, short +12V to GND, and otherwise permanently fuck up their drives in the process.
True honest answer: The DR community is slowly coming around to a pretty sensible middle ground. If you're willing to put some time into it and figure shit out, people in the community are willing to help. I'm not going to get into the catfight between hddguru.com and the nascent community working in the open at malthus.mooo.com - I'm just going to say that both sites (and whatever you can crunch through Google Translate because most of the R&D is being done in Eastern Europe) are invaluable resources for those of us who have backups, don't give a damn about getting the data back from the drives we've retired for bad sectors or wiped drives we pulled out of the trash bin at work, we just wanna know how our hard drives actually work under the hood.
Yeah I'm mostly just curious myself. Throwing out some random info like reverse-engineered hard drive communication protocols somewhere on the internet is only going to benefit folks like me, who are already acquainted with tech in general and enjoy reading for curiosity's sake.
Me too, Anon. Felt like a god the first time I got MHDD to talk to a drive, even if it was just getting it to run the ID command and scan to see how fast various bits of the drive would read.
Part of the problem is that the open community doesn't have firmware module dumps of a wide range of hardware.
Another part of the problem is that even the open part of the community presumes a lot of knowledge. Drives are referred to by their manufacturer and vendor-internal codenames. Sort of like how a norm might call his CPU an "Intel" and might know how many cores he has, we might call it an "i7-[number]" and know exactly what chip we're buying, but these guys skip the numbers and just talk about "Bloomfield, Sandy Bridge, or Haswell, and which stepping?", because what matters is less the model number on the outside of the drive ("WD green/blue/black") and more what's written at the firmware/controller level ("Mars/Jupiter/Pluto/Dragon/Atlantis...").
Report shows that hardware is just as vulnerable as any piece of software out there. Also literally MITM attacks. Inserting fake demo CDs that are given out at conference to infect certain computers...just wow
According to the report, even verification of the firmware making sure it's valid is done through the firmware itself. So basically once the drive is infected, you might as well chuck it and start again
>making me reply to obvious b8 4/10
The platform also seems to have an OS X component. Just because Linux wasn't mentioned doesn't mean there isn't a component that works with the platforms they mentioned in the report or part of a completely different program.
So how can one prevent this short of having their hard drive attached to a forensic write blocker (assuming those block the flashing of the firmware)? You can't just use a live CD as they could just overwrite the firmware in your CD/DVD drive instead. SD cards and flash drives are also out of the question as they also have controllers that could be flashed.
>So how can one prevent this short of having their hard drive attached to a forensic write blocker (assuming those block the flashing of the firmware)?
Don't forget the possibility of them just flashing the firmware on your write blocker, a quick look shows companies advertising how you can update the firmware on their write blockers.
I feel like we are fucked either way. If anyone writes shitty shit for any of those platforms, then the NSA will be able to find vulnerabilities and utilize them. We are so fucked
Who is going to produce a new CPU design without any economic backing? And having open process specifications to boot?
At that point you might as well design an asynchronous CPU.
That's true, but there is a larger selection of DVD-RWs in circulation and they can be re-flashed in ways that are not possible (yet) with hard disks.
It looks like hard-drive manufacturers had to hand over their source code to the U.S. Government for "security audits". Hence why exploits such as these could be written for them.
Chinky no-brand DVD-RW hasn't handed anything over, and can be flashed easily.
Fuck off trolls and shills we need to have a serious conversation.
If the NSA has the ATA commands and can modify the firmware it doesn't matter what OS you're running right? All the people saying linux is the answer explain yourself. I'm not a comp sci major or anything but to me it seems like we're essentially screwed.
I imagine SSDs are no better off. Who knows what kind of modifications could be made to controllers and firmware on those.
>Do you feel safe?
In what way? Right now I don't feel specifically attacked, because I highly doubt that I'm of any interest for national intelligence agencies.
I'm pretty sure that they would immediately start spying on me if that ever changed though.
>If the NSA has the ATA commands and can modify the firmware it doesn't matter what OS you're running right?
You need an OS and a programme to run those ATA commands, they don't appear out of fucking nowhere.
It would be hard to hide that in open source software and even then you'd need root privileges to do that.
ITT: people making wild assumptions.
Thanks to OP for sharing, and anon a couple posts down about the FAQ. Very interesting and informative read.
To those who are spewing 'muh FOSS', there are, have been, and always will be zero-day exploits for software. A bug is a bug until it is patched, big or small. Assume you are not safe, and take the best precautions with apps like NoScript, as well as robust firewall configurations to prevent people from getting in, in the first place.
Not that it's fool-proof, but at least you tried. RIP
Well, how can you even suspect a HDD is infected if you have no way of knowing whether the firmware is compromised or not? The infected firmware can basically deny all attempts to re-write
>Do you feel safe?
No, but then again they don't care about me, but still someone might find some exploit and abuse it: corporations abusing corporations (stealing data etc.), journalists in trouble, alternative groups in various countries fighting for resistance, user-related cracking, it never ends.
I'm just going to change the way I use my computer (invest in a VPN, Linux, encryption etc.) and boycott all USA brand name goods.
Don't care if other manufacturers are also in bed with the NSA; at least I'm not giving money to the USA.
It's not that hard to hack a HDD's firmware. This guy reverse engineered it to insert a vulnerability in his spare time with NO DOCUMENTATION using a $30 JTAG board.
If some random guy can do all this, imagine what a nation-state can do.
Security through obscurity should work with this,at least for a little while, but as more processing power becomes needed you will have to move to newer systems that will be vulnerable.
Anything where the drive firmware can be updated directly from the computer is vulnerable. Thinkpads have had CD drives where the firmware was flashable back to at least 2001.
Especially when that nation state can get a hold of the firmware directly from the manufacturer instead of having to reverse engineer it.
From what I've read this firmware backdoor looks for the presence of a magic string. Then it injects code onto an NTFS partition.
So if you have whole disk encryption and a backup copy of your MBR... you're safe. They might be able to do damage to your computer, but they wouldn't be able to siphon off your data.
Don't want to make a bread for this dumb question, help me out /g/. I found the same desktop at work that I have at home; mine has an i5, this one has an i7. Can I swap CPUs, or is the i5 CPU fan too weak for an i7, giving me heat problems?
What if the malware just waits running in the background and intercepts your encryption key, then gives it to the modified firmware before writing the modified firmware to the hard drive. If one was to format the hard drive they could then possibly load a small virus that could intercept your new encryption key before the drive is encrypted (if you were to change it), then send it back to modified firmware. The only way around this would be to regularly format your hard drive and change the encryption key, then make sure everything that will be written to the hard drive is encrypted before it ever touches the hard drive.
>Companies embedding vulnerabilities into the firmware.
What the fuck, guys.
You're not the only ones who can exploit these things, you know.
>Still using hard drives in 2015
b-b-but muh placebo
Serves you right you dumb niggers. We told you the benefits of SSD for half a decade now and you refused to give up your anime collections. Well look what happened now. You're part of the botnet.
This isn't companies embedding vulnerabilities in the firmware, any piece of computer hardware that can have the firmware flashed while hooked up to the computer (as opposed to requiring a special connector that is separate from the components normal connections) is vulnerable.
>The classes supported are:
>• “WDC WD”, <Western Digital Technologies Inc> additional vendor specific
>• “ST”, “Maxtor STM”, “SEAGATE ST”, <Seagate Technology>
>• “SAMSUNG”, <SAMSUNG ELECTRONICS CO., LTD.>
>• “WDC WD”, <Western Digital Technologies, Inc.> additional vendor specific
>• <HGST a Western Digital Company>, “IC”, “IBM”, “Hitachi”, “HTS”, “HTE”,
>“HDS”, “HDT”, “ExcelStor”
>• “Max”, “Maxtor STM”
>• <MICRON TECHNOLOGY, INC.>, “C300”, “M4”
>• <HGST a Western Digital Company>, <TOSHIBA CORPORATION>
>• “OCZ”, “OWC”, “Corsair”, “Mushkin” additional vendor specific checks used
>• <Samsung Electronics Co., Ltd., Storage System Division>, <Seagate
>Technology>, <SAMSUNG ELECTRONICS CO., LTD.> +additional checks
>• <TOSHIBA CORPORATION COMPUTER DIVISION>, “TOSHIBA M” +checks
>• <Seagate Technology>, “ST”
So are there any HDD companies that aren't on the list? Or any open-firmware/open-hardware HDDs commercially available?
>Hackers exploit up to ten thousand systems with HDD firmware
>Hackers with ties to NSA exploit HDD firmware
>NSA exploiting HDD firmware
>HDDs shipping with NSA backdoor in firmware
Conspiracy theorists don't realize they're alienating the public by embellishing fact with fiction.
So what's being said is that the government has access to all the files of everyone in the world using a hard drive that's semi-recent. If that's the case, how are they still cracking down on child porn rings one by one if they in theory know exactly who has it? Why go through all the trouble of setting up a sting operation on the Silk Road guy if they already had all his data in the first place? What about all those servers out there that are still hosting illegal data? It's hard to believe they're ALL using specialty drives that are 5 years old.
I can see the NSA bugging hard drives on a case-by-case basis, but to say that every hard drive is a privacy threat just seems a bit too far-fetched.
Read the article. It's not a widespread mass infiltration of all HDDs on the market. It's an exploit aimed at high profile targets for now.
>Since 2001, the Equation group has been busy infecting thousands, or perhaps even tens of thousands of victims in more than 30 countries worldwide, covering the following sectors: Government and diplomatic institutions, Telecommunications, Aerospace, Energy, Nuclear research, Oil and Gas, Military, Nanotechnology, Islamic activists and scholars, Mass media, Transportation, Financial institutions and companies developing encryption technologies.
They don't even have concrete evidence it's on more than ten thousand machines in the world.
It's a slippery slope helping with tech support on /g/, but I'll throw you a bone.
i5 and i7 are cooled by identical systems. You can interchange an i5 fan with an i7 fan and notice no difference in temperature. I won't lecture you on thievery as it's none of my business, but there shouldn't be an issue with heating if that's your only concern.
>implying they aren't using this to put large libraries of undeletable child prons on the computers of dissidents, and choosing to bring down child pron rings down immediately after that and having a few of said dissidents thrown in with the child pron ring
Do you even know what's going on? This isn't the NSA planting backdoors by paying sketchy manufacturers, this is a case of advanced hackers rewriting the firmware on hard drives.
This is how conspiratards usually operate.
>EVERYTHING IS FUCKED
actually only some things are fucked
>EVERYTHING WILL BE FUCKED
there's no reason to believe that
>THE FACT THAT I BELIEVE EVERYTHING COULD BE FUCKED IS PROOF THINGS ARE FUCKED
Anything to confirm their preconceived notions.
Once again, this has nothing to do with the NSA. Why are there so many idiots on this board that start spewing uneducated sensationalism at the first whiff of something bad? Yeah, this is bad, but there's no reason to associate it with as many buzz words as you can.
Since I work with hard drive forensics kit, I'm quite curious to see if I could prod this potential 'backdoor' and see what happens. I don't find it particularly likely to work like it does, especially not on Seagates which require extra hardware to read through Terminal. Hitachi and WD though, you could probably fuck around with those a bit since they're quite easy to prod over regular SATA.
So, I was wondering:
What is the giant hurdle that is stopping a company from starting an open source hardware company. I'm sure that many companies would switch to some backdoor free products if they are proven to be a stable and affordable alternative.
I assume that it is very difficult to develop open drivers and get in touch with production that is willing to work under that license but it sounds like a good business opportunity after all these recent happenings
...you have to be retarded or something. This does not deal with a backdoor in the hard drive firmware; it has to do with the simple fact that it is possible to flash the hard drive firmware from the computer it is being used with. Going to standardized open source hard drive firmware without getting rid of the ability to flash the firmware from the computer will make computers more vulnerable, as the standardized open source firmware will allow an average Joe hacker to simply make some modifications to it (as opposed to having to reverse engineer the firmware of every hard drive they wanted to infect) and use a script he downloaded off the internet to flash it to the hard drives of various computers he has accessed.
Loongson is NOT an open source CPU.
An open source CPU is one which the schematics of the hardware have been released. Of all mass-produced CPUs, only UltraSPARC T1 and UltraSPARC T2 fall into this category
Yes, I feel safe knowing the government is protecting me. You're not a terrorist are you?
I wonder why companies don't offer some kind of secure option to flash firmware only through a special connector or device. Even though it wouldn't really apply to the average user, I would think it would be of interest to corporations.
Flashing the firmware through the PC itself definitely opens it to attack
>So are there any HDD companies that aren't on the list?
Quantum, though I don't think they made drives bigger than 10-20 GB.
Plextor isn't there on what you quoted either, but I'm not sure if they ID drives as their own since they just rebrand everything nowadays.
Before this no one ever thought it would be used in an attack because they would have to write a modified firmware for every different hard drive they wanted to infect. Being able to flash the firmware without a special connection has the advantage of allowing the company to push an update for a device instead of having to recall it if they messed up.
It is true that there are no firmware blobs. I'm not sure that in itself is particularly special. It does however enable it to fall under the definition of free and open source software.
However, that does not allow it to fall into the definition of open source hardware. Similar to software, it would be considered open source if the schematics and hardware documentation were available
It would be considered free if you were allowed to use these schematics and documentation to make a derivative work or create a new product using elements from the original
UltraSPARC T1 and T2 CPUs are free and open source hardware CPUs
you have an obvious lack of understanding on the subject. please do not comment further
There are open source hardware companies. They're just not as popular as software ones. Here is a piece of open source hardware which can be bought and that I own:
It is a chip flasher, and could be used to manually flash firmware chips. It interfaces with a program called flashrom, which is a FOSS program that runs on Linux. This could be used to do exactly what you are talking about; the drive could not be flashed unless doing it manually with a chip flasher.
Which is ironic considering the criminals are running hardened Linux, Unix, and obscure OS boxes.
Anyone with true criminal intent wouldn't be using NSA-opened, backdoored, insecure, closed Windows or OS X. Unless you're a sheep script kiddie.
All the NSA is really doing is attacking the most popular OS to spy on its citizens and using it to tell Congress this is why they need their multi-billion-dollar salary to attack teh terroiztz!!!!!!!
Please tell me how that idea would make hard drives less hackable rather than more. You want to move from requiring someone to reverse engineer the code for every hard drive they want to be able to hack to having standardized firmware that they don't have to reverse engineer which would allow someone to write the code once and easily port it to a range of hard drives, all while doing nothing to address the original vulnerability.
Who would want to run a closed source, backdoored, insecure OS, used by everyone including ATMs, to hide their top secret shit and use as their primary OS?
That's like building a bomb and keeping your door wide open for everyone can see.
>One such incident involved targeting participants at a scientific conference
in Houston. Upon returning home, some of the participants received by mail a copy of
the conference proceedings, together with a slideshow including various conference
materials. The [compromised ?] CD-ROM used autorun.inf to execute an installer
that began by attempting to escalate privileges using two known EQUATION group
exploits. Next, it attempted to run the group’s DOUBLEFANTASY implant and install
it onto the victim’s machine. The exact method by which these CDs were interdicted
is unknown. We do not believe the conference organizers did this on purpose. At the
same time, the super-rare DOUBLEFANTASY malware, together with its installer with
two zero-day exploits, don’t end up on a CD by accident.
I'd argue it's more than that. But yeah, not necessarily going after the terrorists.
Citizens are the terrorist. The NSA will always need someone to attack to keep their funding.
They have to fight off the "homegrown" terrorist and plus teh terroriztzz!!!!! Are already here of course
Woah, this is considerably worse than I thought. When I first heard of this I assumed they were installing into the HDD firmware by planting their code at the factories. They've got an exploit that actually flashes whatever HDD you're using at the time in your computer (as long as it's one of the ones they're compatible with, and it's compatible with most options).
Only way this could work on Linux is a root exploit or the user doing it themselves.
Or them breaking into a repo and merging it into a common package secretly. Signing and checksums can take care of this, unless they use an exploit to get around it.
Terrorists have nothing to do with it. Look who they're going after:
>Victims generally fall into the following categories:
>Governments and diplomatic institutions
>Oil and gas
>Islamic activists and scholars
>Companies developing cryptographic technologies
That's what I'd put on my supervillain "make sure to know as much as possible/control all these things" list.
In one case they were using a known vulnerability inside a signed dll to escalate privileges. Granted, that was Windows, but the same could occur in Linux. Given the level of sophistication shown, I'd really, really question the theory that Linux is safe
Linux isn't safe, it's just safer since almost everything around Linux is OSS. People are always auditing / looking at the code. Always forking it. New things coming in to replace previous stuff. Well, that's the idea.
Like the OP you quoted said, an exploit can do it too.
you seem like you are not familiar with open source software at all. I suggest reading up on comparisons of security, stability, and bugs of open source software vs closed. it should answer your question
I am familiar with open source software, I'm wondering why you think that just moving to open source software without patching the security hole that made this hack possible will help anything. Especially when what keeps the average hacker from being able to exploit this is how many drives they would have to write new firmware for, considering each drive uses its own proprietary firmware. Moving all hard drives to one open source firmware without patching this security hole will result in more people being able to exploit this, not less.
You mean how openssl, one of the most important security related OSS projects, was audited? And how they found that horribly stupid bug by looking at the code?
(protip: they didn't)
The 'many eyes' theory of open source is a myth, nothing else.
Would running your storage setup in RAID0 help make it more difficult for "them" to spy on us?
I don't fully understand what they're doing, but from what I think I understand, they're using the firmware to install software onto the computer on an OS level, or they're sending info from the harddrive back to themselves.. or something like that?
So if you setup your comp with a raid 0 setup, it would be obfuscating the data since they're only receiving every other, third, fourth, fifth, or however many drives you have setup, bits, right?
I'm pretty stupid when it comes to this stuff, but I figured this is probably the best place to ask
Except the main way to fix this security hole is to remove the ability to flash the firmware from the computer without a special connector. That would be new hardware that would be required, not open source firmware.
>It's not better because the code comes out of the "womb" perfectly formed and ready to take on the world. No, it's better precisely because its transparency and availability makes bugs far easier to find and fix.
I agree that it would be better if firmware was open source. I just have a problem with people claiming that simply moving to open source firmware would fix this while completely ignoring the security hole that made this possible.
Why not a write lock à la floppy disks and some USB drives?
You want to flash the firmware? Make sure to toggle it into write mode first.
No need for a separate connector or device imo
Your suggestion does not apply to drives that are already produced, while switching to a FOSS firmware does.
Also, you seem to be suggesting that the mere ability to update firmware through your operating system is a security hole, but it isn't.
The problem is smart people nowadays using software write protect instead of hardware write protect (like in SD cards and the flash drives that offer it).
>youre suggestion does not apply to drives that are already produced, while switching to a FOSS firmware does
My suggestion would fix the problem of malware getting put on the hard drive controller, switching to FOSS firmware doesn't.
>also, you seem to be suggesting that the mere ability to update firmware through your operating system is a security hole, but it isnt
>something that makes a system less secure and can't be disabled isn't a security hole