NSA in your Hard Drive

piasabird

Lifer
Feb 6, 2002
17,168
60
91
http://news.yahoo.com/russian-resea...rough-u-spying-program-194217480--sector.html

SAN FRANCISCO (Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

This may be old. However, is your hard drive spying on you?

No one is safe from our evil government.

Or is this just all a hoax spread by Russians.
 

nickqt

Diamond Member
Jan 15, 2015
7,596
7,854
136
http://news.yahoo.com/russian-resea...rough-u-spying-program-194217480--sector.html

SAN FRANCISCO (Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

This may be old. However, is your hard drive spying on you?

No one is safe from our evil government.

Or is this just all a hoax spread by Russians.
Perhaps it's a hoax by the US government and they really can't.
 

Smoblikat

Diamond Member
Nov 19, 2011
5,184
107
106
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

So USA isn't even listed there, and it looks like they are just targeting big businesses/government. I don't think this is particularly widespread throughout the general population's computers.
 

silicon

Senior member
Nov 27, 2004
886
1
81
http://news.yahoo.com/russian-resea...rough-u-spying-program-194217480--sector.html

SAN FRANCISCO (Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

This may be old. However, is your hard drive spying on you?

No one is safe from our evil government.

Or is this just all a hoax spread by Russians.
The code would need to be in the firmware for the HD somehow.
 

inachu

Platinum Member
Aug 22, 2014
2,387
2
41
In the registry or firmware to be totally hidden.
I do like the fact that the domains are not kept up so that antivirus firms buy them out and track the communication then can protect against the files and communication.
 

Data-Medics

Member
Nov 25, 2014
131
0
0
www.data-medics.com
This document from Kaspersky: http://25zbkz3k00wn2tp5092n6di7b5k....5/02/Equation_group_questions_and_answers.pdf

Explains more about it. Apparently it's a virus that can elevate its permissions, send vendor specific ATA commands and write itself into the hard drive's service area (where the firmware is stored). Pretty cool stuff, but a major security risk for high tech companies. Especially since it's only speculated to be the NSA, but could just as easily be another country or even just a really good hacker group.

I've posted a challenge to the data recovery forum to see who can figure out a detection method: http://www.data-medics.com/forum/viewtopic.php?f=5&t=163

I'm trying to see if Kaspersky will share the firmware code they found with me.
 

master_shake_

Diamond Member
May 22, 2012
6,430
291
121
Some European countries have invested in typewriters after Snowden leaked all that info.

He's an American hero, just like George Washington.
 

irishScott

Lifer
Oct 10, 2006
21,568
3
0
Arstechnica has a great rundown on it (as well as other capabilities)
http://arstechnica.com/security/201...-nsa-hid-for-14-years-and-were-found-at-last/

Basically they reverse-engineered hard drive firmware to the point where they can re-flash some brands of hard drives with the appropriate malware. At that point they set aside a small portion of said drive to store whatever they want, so their malware can survive wipes and reformatting and is all but completely undetectable.

Only way to detect it would be to intercept the malicious transmissions, manual analysis of the hard drive platters, or noticing a small difference in the hard drive's available capacity. Relatively easy to fix by simply re-flashing the firmware with factory images though.
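The capacity check mentioned in the post above, sketched as an added example that is not part of the original post or thread: it parses `smartctl -i` style identity text and reports any drift in model, firmware version or user capacity against a baseline recorded when the drive was received. The sample text, serial number and baseline are constructed, and every value is self-reported by the drive, so this only catches changes that the firmware itself admits to.

```python
import re

# Constructed sample in the layout of `smartctl -i` output (not from the thread).
SAMPLE = """\
Device Model:     EXAMPLE HDD-1000
Serial Number:    CONSTRUCTED0001
Firmware Version: 01.01A01
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
Sector Size:      512 bytes logical/physical
"""

# Hypothetical baseline captured when the drive was first received.
BASELINE = {
    "CONSTRUCTED0001": {
        "model": "EXAMPLE HDD-1000",
        "firmware": "01.01A01",
        "capacity_bytes": 1_000_204_886_016,
    }
}

FIELDS = {
    "Device Model": "model",
    "Serial Number": "serial",
    "Firmware Version": "firmware",
    "User Capacity": "capacity_bytes",
}

def parse_identity(text):
    """Extract the identity fields of interest from `smartctl -i` style text."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        name = FIELDS.get(key.strip())
        if not sep or name is None:
            continue
        value = value.strip()
        if name == "capacity_bytes":
            m = re.match(r"([\d,]+)\s+bytes", value)
            if not m:
                continue
            value = int(m.group(1).replace(",", ""))
        out[name] = value
    return out

def drift(identity, baseline):
    """Return (field, expected, observed) for each value that left the baseline."""
    serial = identity.get("serial")
    expected = baseline.get(serial)
    if expected is None:
        return [("serial", None, serial)]  # drive not in the inventory at all
    return [(f, want, identity.get(f))
            for f, want in expected.items() if identity.get(f) != want]
```
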
 

irishScott

Lifer
Oct 10, 2006
21,568
3
0
Some European countries have invested in typewriters after Snowden leaked all that info.

He's an American hero, just like George Washington.

Wasn't that Russia?

I agree with Snowden being a hero, but going back to the 1960s is not the solution.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,450
10,119
126
or noticing a small difference in the hard drive's available capacity. Relatively easy to fix by simply re-flashing the firmware with factory images though.

inachu and someone else pointed out in a tech-support thread (that I was unable to re-find), that some HDDs (all?) have factory service areas, some even have entire platter surfaces, that are usable, but not ordinarily user-accessible LBAs.

And re-flashing the firmware, in an embedded system, in which the rogue firmware has already taken hold, and is the "gatekeeper" of the host I/O protocol, may be impossible, unless there is a physical jumper setting on the drive to enable a factory recovery mode, that basically gives you a hardline to the firmware areas to re-write them.
 

irishScott

Lifer
Oct 10, 2006
21,568
3
0
inachu and someone else pointed out in a tech-support thread (that I was unable to re-find), that some HDDs (all?) have factory service areas, some even have entire platter surfaces, that are usable, but not ordinarily user-accessible LBAs.

And re-flashing the firmware, in an embedded system, in which the rogue firmware has already taken hold, and is the "gatekeeper" of the host I/O protocol, may be impossible, unless there is a physical jumper setting on the drive to enable a factory recovery mode, that basically gives you a hardline to the firmware areas to re-write them.

Wouldn't such hardware be safe from this attack in the first place? If there's no way to re-flash the firmware after it leaves the factory, how is the NSA supposed to do it?
 

Kadarin

Lifer
Nov 23, 2001
44,303
15
81
Wouldn't such hardware be safe from this attack in the first place? If there's no way to re-flash the firmware after it leaves the factory, how is the NSA supposed to do it?

NSA probably flashes it at the factory.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,450
10,119
126
Wouldn't such hardware be safe from this attack in the first place? If there's no way to re-flash the firmware after it leaves the factory, how is the NSA supposed to do it?

That's not quite what I was saying. What I was trying to point out was that, flashing the firmware of a device controlled by host I/O, is up to that embedded system. If it gets flashed with rogue firmware, it's game-over, unless there's a factory diag hardwire somewhere.

But what you were saying is true too - I wish more devices had PHYSICAL write-protect switches, both for the data contents, as well as the firmware. Even better if they had a micro-sized rotary key, such that you could keep it on your person, and no-one would be able to flash the firmware in your absence.
 

master_shake_

Diamond Member
May 22, 2012
6,430
291
121

CZroe

Lifer
Jun 24, 2001
24,195
856
126
Hitachi hard drive user here.
They listed IBM. This uses Stuxnet zero-day exploits, which are from a time where what you are using today is not relevant. Were you using Hitachi with Windows XP? Back then they were still very much like IBM because their HDD division had only recently been purchased from IBM. Unless only IBM server drive firmwares were vulnerable, Hitachi was almost certainly vulnerable too.
 

GreenGreen

Junior Member
Feb 8, 2015
19
0
0
http://news.yahoo.com/russian-resea...rough-u-spying-program-194217480--sector.html

SAN FRANCISCO (Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

This may be old. However, is your hard drive spying on you?

No one is safe from our evil government.

Or is this just all a hoax spread by Russians.

What is clear- the exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China. That's not good, actually.
 

CZroe

Lifer
Jun 24, 2001
24,195
856
126
Hitachi and WD are the same company.

Yeah, now they are. Back then that was more true about IBM's consumer HDD division and Hitachi. The zero-day exploits this used were the same as Stuxnet, which makes this Windows XP era.
 

gevorg

Diamond Member
Nov 3, 2004
5,075
1
0
I bet CEOs/management of these hard drive companies go WTF with news like this. All it takes is just one or a few moles/agents on the firmware development crew to do their job for NSA, and if they refuse, there is always blackmail.
 