Tuesday, February 17th 2015
NSA Hides Spying Backdoors into Hard Drive Firmware
Russian cyber-security company Kaspersky Labs exposed a breakthrough U.S. spying program that taps into one of the most widely proliferated PC components: hard drives. Over the last 5 years the number of hard drive manufacturing nations has dropped from three (Korean Samsung; Japanese Hitachi and Toshiba; American Seagate and WD) to one (American Seagate and WD), as the US firms swallowed up or partnered with the Japanese and Korean businesses, turning them into US-based subsidiaries or spin-offs such as HGST. This has cast a shadow of suspicion on Seagate and WD.
According to Kaspersky, the American cyber-surveillance agency, the NSA, is taking advantage of the centralization of hard-drive manufacturing in the US by having WD and Seagate embed its spying backdoors straight into the hard-drive firmware, which lets the agency access raw data directly, regardless of partition method (low-level format), file system (high-level format), operating system, or even user access level. Kaspersky says it found PCs in 30 countries with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. Kaspersky claims that the HDD firmware backdoors are already being used to spy on foreign governments, military organizations, telecom companies, banks, nuclear researchers, the media, and Islamic activists. Kaspersky declined to name the company that designed the malware, but said that it has close ties to the development of Stuxnet, the cyber-weapon used by the NSA to destabilize Iran's uranium-enrichment facilities.
Kaspersky claims that the new backdoor is perfect in design. Each time you turn your PC on, the system BIOS loads the firmware of all hardware components into system memory, even before the OS is booted. This is when the malware activates, gaining access to critical OS components, probably including network access and the file system. This makes HDD firmware the second most valuable piece of real estate for hackers, after the system BIOS.
Both WD and Seagate denied sharing the source code of their HDD firmware with any government agency, and maintained that their HDD firmware is designed to prevent tampering or reverse-engineering. Former NSA operatives stated that it's fairly easy for the agency to obtain the source code of critical software, whether by asking directly or by posing as a software developer. The government can also obtain hard drive firmware source code simply by telling a manufacturer that it needs to inspect the code to make sure it's clean before it can buy PCs running their hard drives.
What is surprising, however, is how "tampered" HDD firmware made it to mass production. Seagate and WD have manufacturing facilities in countries like Thailand and China, located in high-security zones to prevent intellectual property theft or sabotage. We can't imagine tampered firmware making it onto production drives without the companies' collaboration.
Source:
Reuters via Yahoo
134 Comments on NSA Hides Spying Backdoors into Hard Drive Firmware
If they want it, yes they can get it. But who wants to spend 10 years looking for an obscure buffer overflow attack to get at your porn library? No one, that's who.
This is precisely why good security is still relevant, even if not impervious to hacking.
I know sources at The Guardian (US branch) and New York Times both received documents from Snowden. What you've heard about AES/SSL may be true:
www.zdnet.com/article/has-the-nsa-broken-ssl-tls-aes/
In short, Snowden didn't spell it out like he did on the data collection programs. He released information mostly from British sources that "vast amounts of encrypted internet data which have up till now been discarded are now exploitable" speaking of the NSA. "Vast" could only mean SSL/AES. It is not known if that includes TLS. Or maybe they were talking about TLS and not AES? We don't know.
Security? Relevant:
I have no evidence either way, but I wouldn't be surprised if there's some revelation about this one day.
Even on most UEFI systems a small section of the disk for boot is partitioned off as an acceptable boot partition, such as MBR on Windows, that contains the data required to start the actual software boot.
If you are curious, get a hex editor and look at the sectors (en.wikipedia.org/wiki/Boot_sector), and depending on how you look at it you can then determine what is being loaded.
But back to drive BIOS, how does it get transferred out of the PC to the NSA? By IP, and the OS and every major and customer hardware manufacturer is allowing this and not letting users see it? Or by some unknown pins even though people test and tweak systems and watch hardware input and output constantly? Or by voodoo magic?
Do I think it is happening? Yep
By the method described? Nope.
Specifically built hack firmware that is being released on machines built for use in some areas where they may not get access to others? Most likely.
Iran wants to buy servers, they have no manufacturing there, but Dell will sell them, and they report to the NSA or whoever about what they are selling, machines get loaded with a motherboard BIOS that allows low level access to the drives that the OS is unaware of, and either copies bits and pieces of the drive contents to a remote server, or causes corruption issues occasionally that they have to send techs in, or drives out and they are copied then.
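The commenter above suggests opening the boot sector in a hex editor to see what gets loaded before the OS. The following is an added example, written for this page and not code from the article, from Reuters or from any commenter, that does that inspection programmatically: it parses a 512-byte MBR (the legacy boot sector the comment refers to), lists the partition entries and flags malformed ones, and hashes the bootstrap-code region so a drive's sector can be compared against a baseline captured when the machine was known good. The sample sector is constructed inline for the example; the partition type names are the standard MBR type IDs.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at 446..509
BOOT_SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"      # 0xAA55 little-endian on disk

# A few well-known MBR partition type IDs (standard values, not page-specific).
TYPE_NAMES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0x82: "Linux swap",
    0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def anomalous(self) -> bool:
        # The status byte should only ever be 0x00 (inactive) or 0x80 (active).
        return self.status not in (0x00, 0x80)

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.type_id, "unknown")
        flag = " [ANOMALOUS STATUS]" if self.anomalous else ""
        return (f"#{self.index} type=0x{self.type_id:02X} ({name}) "
                f"status=0x{self.status:02X} lba={self.lba_start} "
                f"sectors={self.sectors}{flag}")


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Parse the partition table of a raw 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[BOOT_SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if type_id == 0 and sectors == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status, type_id, lba_start, sectors))
    return entries


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap-code region (bytes 0..445), which the BIOS executes."""
    return hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()


def check_against_baseline(sector: bytes, expected_hex: str) -> bool:
    """True if the bootstrap code still matches a previously recorded baseline hash."""
    return bootstrap_hash(sector) == expected_hex


def _build_sample_mbr() -> bytes:
    """Constructed sample sector: a short bootstrap stub, one NTFS and one Linux partition."""
    bootstrap = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # xor ax,ax / mov ss,ax / mov sp,7C00 / sti
    bootstrap = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    entry2 = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x83, b"\xfe\xff\xff", 206848, 409600)
    empty = b"\x00" * 16
    return bootstrap + entry1 + entry2 + empty + empty + BOOT_SIGNATURE


SAMPLE_MBR = _build_sample_mbr()

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print(e.describe())
    print("bootstrap sha256:", bootstrap_hash(SAMPLE_MBR))
```

On a real machine the input would be the first 512 bytes of the disk (for example, read with `dd if=/dev/sdX bs=512 count=1` as root) rather than `SAMPLE_MBR`. Recording `bootstrap_hash()` when the system is freshly installed and re-checking it later gives a cheap integrity check for the one region of the sector that is executed at boot; the partition-table listing is what the hex-editor walk-through in the comment is trying to read by eye.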