
NSA Hides Spying Backdoors into Hard Drive Firmware

btarunr
Russian cyber-security company Kaspersky Labs exposed a breakthrough U.S. spying program, which taps into one of the most widely proliferated PC components - hard drives. With the last 5 years seeing the number of hard drive manufacturing nations reduce from three (Korean Samsung, Japanese Hitachi and Toshiba, and American Seagate and WD) to one (American Seagate or WD), swallowing up or partnering with Japanese and Korean businesses as US-based subsidiaries or spin-offs such as HGST, a shadow of suspicion has been cast on Seagate and WD.

According to Kaspersky, American cyber-surveillance agency, the NSA, is taking advantage of the centralization of hard-drive manufacturing to the US, by making WD and Seagate embed its spying back-doors straight into the hard-drive firmware, which lets the agency directly access raw data, agnostic of partition method (low-level format), file-system (high-level format), operating system, or even user access-level. Kaspersky says it found PCs in 30 countries with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.



Kaspersky claims that the HDD firmware backdoors are already being used to spy on foreign governments, military organizations, telecom companies, banks, nuclear researchers, the media, and Islamic activities. Kaspersky declined to name the company which designed the malware, but said that it has close ties to the development of Stuxnet, the cyber-weapon used by NSA to destabilize Iran's uranium-enrichment facilities.

Kaspersky claims that the new backdoor is perfect in design. Each time you turn your PC on, the system BIOS loads the firmware of all hardware components onto the system memory, even before the OS is booted. This is when the malware activates, gaining access to critical OS components, probably including network access and file-system. This makes HDD firmware the second most valuable real-estate for hackers, after system BIOS.

Both WD and Seagate denied sharing the source-code of their HDD firmware with any government agency, and maintained that their HDD firmware is designed to prevent tampering or reverse-engineering. Former NSA operatives stated that it's fairly easy for the agency to obtain source-code of critical software. This includes asking directly and posing as a software developer. The government can seek source-code of hard drive firmware by simply telling a manufacturer that it needs to inspect the code to make sure it's clean, before it can buy PCs running their hard-drives.

What is, however, surprising is how "tampered" HDD firmware made it to mass-production. Seagate and WD have manufacturing facilities in countries like Thailand and China, located in high-security zones to prevent intellectual property theft or sabotage. We can't imagine tampered firmware making it to production drives without the companies' collaboration.

 
Wicked eh !:(
So would one have to flash the drive/firmware/BIOS ??? to get rid of any crap hiding?
 
Wicked eh !:(
So would one have to flash the drive/firmware/BIOS ??? to get rid of any crap hiding?

If the allegations are true, the spyware is embedded into the firmware from the factory. That means all and any firmware capable of being written to the drives in question will have it by default. Besides, it is very difficult to reverse engineer such firmwares to remove it and just as difficult to install it back on to the drive.


This news just doesn't surprise me. Maybe this will push more people to buy SSDs from Asian companies? That's if they are any safer from espionage.
 
Before you post "thank God I use SSD," don't be so sure. Most SSD manufacturers are tiny sub-billion-dollar outfits that are just easier to coerce by the government of their biggest market.

Chinese government and PLA use only SSDs in their PCs, and that too only from select China-based companies such as Renice, Runcore, etc., so they have control over the firmware.
 
Before you post "thank God I use SSD," don't be so sure. Most SSD manufacturers are tiny sub-billion-dollar outfits that are easier to coerce by the government of their biggest market.

Chinese government and PLA use only SSDs in their PCs, and that too only from select China-based companies such as Renice, so they have control over the firmware.

While reading this, I was just thinking, meh, I am using SSDs on both RIGs. :) Now your comment kills the hope... of not being potentially spied on. ;)
 
Most SSD manufacturers are tiny sub-billion-dollar outfits that are easier to coerce by the government of their biggest market.

I'd assume companies like Samsung, Plextor, Sandisk, etc may be in a position to avoid such things, however one can never be sure. Makes you wonder if Sandforce controllers are hiding undesirable code in the firmware, as to my knowledge, their firmware is quite closed-source.

EDIT: It seems SandForce was acquired by LSI Corp./Avago Technologies, whose SSD controller division was in turn acquired by Seagate. Hmm...
 
What if the HDD/SSD is encrypted, can they still have access to the encrypted data?
 
What if the HDD/SSD is encrypted, can they still have access to the encrypted data?

They have access to 1s and 0s. They can take those 1s and 0s, and run them through their multi billion dollar decryption farms.
 
Should i be worried with my Hentai Tentacle collection?

Maybe not that your hentai collection will incriminate you, but that there's someone out there who knows you're a hentai collector. So the next time you take evidence of corruption to the press/court, the government can kill-the-messenger by calling you a hentai-collector.

Your government has your dirt. That's what should scare you.
 
They have access to 1s and 0s. They can take those 1s and 0s, and run them through their multi billion dollar decryption farms.

How much computational power do you need to decrypt a mainstream HDD? And how much time is it gonna take per single unit? I thought it was impossible with current tech.
 
While reading this, I was just thinking, meh, I am using SSDs on both RIGs. :) Now your comment kills the hope... of not being potentially spied on. ;)


Well, unless you are an Iranian nuclear scientist or someone else mentioned, you really don't have to worry. They are actually quite busy with important stuff not what pr0n sites we go on or how much money we have in the bank.
 
Well, unless you are an Iranian nuclear scientist or someone else mentioned, you really don't have to worry. They are actually quite busy with important stuff not what pr0n sites we go on or how much money we have in the bank.

That is a very common fallacy used by governments in the face of such allegations. What should worry you is that you'll never be able to fight "the powers that be," if they screw you over, because they have your dirt, and they can use that to trivialize/discredit/vilify you at whim.
 
That is a very common fallacy used by governments in the face of such allegations. What should worry you is that you'll never be able to fight "the powers that be," if they screw you over, because they have your dirt, and they can use that to trivialize/discredit/vilify you at whim.

Listen, I'm not saying I like it or it's OK to spy on the citizenship of a country. I'm sure that's not the reason that this spyware has been installed either. It's for reasons in the article. Is there possibility for abuse? Sure there is. That's where the problem lies. Making sure the abuse doesn't occur. Personally though, I like them having access to Iran's, ISIS's, No. Korea's, etc. HDD. It might save your, my, our kids or other loved ones lives.

It's strange how people can see the threat in something like this but not from the organizations that are targeted. Maybe if you lived in Israel, you'd feel differently?
 
Really you don't know how drives in China could become tampered?

Sigh...

Go there and wave some cash in front of one of the workers before they commit suicide and you'll get all the tampering you need.
 
Stop that mass hysteria, people. This sounds like bullshit journalist sensationalism. "Snowden is getting old and nothing new is coming out of him, let's make up even more stories people will want to read."
 
Not saying this is impossible, but until there is some hard evidence, this is just another accusation. Russia has lost a lot of credibility these days...
 
Just accept the fact that government agencies know what you're doing if they want to. I'm pretty sure they don't care that you look at "teen lesbian" categories or that you're stalking your ex on Facebook after 2 beers..
 
Stop that mass hysteria, people. This sounds like bullshit journalist sensationalism. "Snowden is getting old and nothing new is coming out of him, let's make up even more stories people will want to read."

http://arstechnica.com/security/201...-nsa-hid-for-14-years-and-were-found-at-last/

Seriously, they have mad skills. Not sure Kaspersky said in plain speech it was the NSA as such.

Not saying this is impossible, but until there is some hard evidence, this is just another accusation. Russia has lost a lot of credibility these days...

Kaspersky =! Russia. And read the Ars article, it's massively interesting. Also read up on Stuxnet and Flame to get an idea of just what they can do.

EDIT: Ok I've read the thing now, and

1) The group has ties to NSA, but no one has said it's the NSA itself, especially not Kaspersky who dubbed them Equation Group.
2) It seems they do the attacks in the wild, meaning a) the factories are not compromised and b) holy shit they can rewrite the HDD firmware in the wild.

EDIT
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf


The report itself.
 
So the NSA works behind us, and have you seen "Winter Soldier"?
Each one of us can be identified by any tracks of mail, telephone calls, messages, FB, Twitter, and other,
so everyone is visible.
 
Not saying this is impossible, but until there is some hard evidence, this is just another accusation. Russia has lost a lot of credibility these days...
While I don't have a link or remember exactly what show I was watching, I did see a program on TV where the NSA admitted installing spyware and or tracking devices in hardware for specific targets. There is nothing stopping them from doing the same to the general populace at any stage if they warrant it necessary.
The same warnings have been given previously about the mass of cheap phones being produced in China, they are watching and listening to the west.
 
A lot of people here should see the NSA shit, what it is doing with Tor and other idiocracy thinking.
Go and take a look at Tek Syndicate and see what crazy sociopaths they are.
 
You might want to change the title there since no one is saying for sure this is the NSA. It looks like them but it hasn't been confirmed. :)
 
You might want to change the title there since no one is saying for sure this is the NSA. It looks like them but it hasn't been confirmed. :)
Suddenly I think every firmware has its own bugs and "they" exploit that to get any information,
or they release a standard that has a backdoor to manufacturers so they can exploit it in the future.
 