[qubes-users] Persistent firmware backdoors possible across major hard drive brands

Eugen Leitl eugen at leitl.org
Tue Feb 17 07:11:14 PST 2015


----- Forwarded message from Axon <axon at openmailbox.org> -----

Date: Tue, 17 Feb 2015 14:44:30 +0000
From: Axon <axon at openmailbox.org>
To: "qubes-users at googlegroups.com" <qubes-users at googlegroups.com>
Subject: [qubes-users] Persistent firmware backdoors possible across major hard drive brands
Message-ID: <54E353CE.7040202 at openmailbox.org>


On 2015-02-16, Kaspersky Lab announced[1]:
> GReAT has been able to recover two modules which allow
> reprogramming of the hard drive firmware of more than a dozen of
> the popular HDD brands. This is perhaps the most powerful tool in
> the Equation group’s arsenal and the first known malware capable of
> infecting the hard drives.
> 
> By reprogramming the hard drive firmware (i.e. rewriting the hard 
> drive’s operating system), the group achieves two purposes:
> 
> 1. An extreme level of persistence that helps to survive disk 
> formatting and OS reinstallation. If the malware gets into the 
> firmware, it is available to “resurrect” itself forever. It may 
> prevent the deletion of a certain disk sector or substitute it with
> a malicious one during system boot. “Another dangerous thing is
> that once the hard drive gets infected with this malicious payload,
> it is impossible to scan its firmware. To put it simply: for most
> hard drives there are functions to write into the hardware firmware
> area, but there are no functions to read it back. It means that we
> are practically blind, and cannot detect hard drives that have
> been infected by this malware” warns Costin Raiu, Director of the
> Global Research and Analysis Team at Kaspersky Lab.
> 
> 2. The ability to create an invisible, persistent area hidden
> inside the hard drive. It is used to save exfiltrated information
> which can be later retrieved by the attackers. Also, in some cases
> it may help the group to crack the encryption: “Taking into account
> the fact that their GrayFish implant is active from the very boot
> of the system, they have the ability to capture the encryption
> password and save it into this hidden area,” explains Costin Raiu.

Affected HDD brands include[2] (but are probably not limited to):
 * Western Digital
 * Maxtor
 * Seagate
 * Hitachi
 * Micron
 * OCZ
 * OWC
 * Corsair
 * Mushkin
 * Samsung
 * Toshiba

This is bad news for everyone, including Qubes users, since there's
nothing we can really do at the OS/software level to protect ourselves
from this kind of persistent HDD firmware infection (or compromised
firmware and hardware in general). Measures like AEM don't help if the
drives are already infected before we even purchase them. If we want
freedom and safety in the future, our best bet is probably to
(continue to) push for open-source firmware and hardware.


[1]http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage
[2]https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf


----- End forwarded message -----


