NSA, Malware and Hard Drives

I figured there had to be a thread about this, but I couldn’t find one, so please link to an active thread if there is one.

Anyway, I was wondering what was the story or your thoughts behind the idea that the NSA was putting malware into hard drives that was basically undetectable.

I must admit I don’t understand it enough to have an informed opinion and after reading websites, or more accurately comments on them, it seems like people think it’s impossible and not true to the work of Snowden.

In case you aren’t aware, here’s a link to a typical story about it:

From Computer World Magazine.

I’d like to hear thoughts about this, especially from technical people who can tell us if it really is likely or propaganda from Russia.


I read a blurb about this on Ars Technica yesterday. It’s totally plausible that it could be done; at this point, how much it was done is a matter of speculation.

It’s not the work of Snowden, it’s the work of Kaspersky labs, a Russian security firm that’s got a good reputation among security circles for doing good work but also somewhat unknown incentives (Kaspersky was trained by the KGB).

Security people have flagged firmware malware as a serious security threat for a long time. Modern-day computers aren’t a single computer anymore; they’re a collection of loosely communicating independent parts. Hard drive firmware, along with network card firmware, CPU microcode (especially the new secure enclaves like Intel vPro), baseband processors on phones and BIOS are commonly cited as prime attack surfaces for undetectable and unerasable malware.

Until now, we’ve not had smoking gun definitive proof that state level actors are creating firmware based malware but every security professional pretty much assumes it’s an active area of investigation.

That’s an understatement.

From the link:

From that link:

Survey Says: LIKELY

As for the implications… well, given everything that’s come out about the NSA’s shenanigans, we’ve basically discovered that we have a monkey with a machinegun running loose.

Frankly I think this is awesome. Until the scammer-hackers work out an exploit. Then it won’t be so awesome.
The article says they think the spyware was released in 2008 and that the coders known as The Equation Group have been active since the 1990s. They must have pretty decent OpSec given that we are just learning about it now. Congratulations to that mysterious organization for a job well done: I wonder who they are.

If you were a reflexive conspiracy theorist, you wouldn’t have to wonder, and this time you’d be right.

Assuming the hard drive manufacturers are not complicit, if something is modding the firmware of their drives, they can figure it out. They could also if desired write in a CRC check or checksum of some kind into the SMART systems that would show a code that could be printed on the label of the drive.

Poll the SMART status, compare CRC in SMART status to label, match = drive firmware intact.

Yup. More exaggeration from the security world about undetectable super hacking. Maybe there are some theoretical particles that haven’t been detected yet but if it’s recorded on a hard drive it’s detectable.

On the contrary, anybody who has run these sorts of scenarios realizes that there are any number of organizations matching the profile of The Equation Group. Examples include the Illuminati, the Adepts of Hermes, the Discordian Society, the Bermuda Triangle, Col. Mustard…

All articles I’ve read have failed to define how the malware communicates and gets write access to your hard drive’s firmware.

The point of the firmware hack is that the malware is not on the hard drive itself (where it could be detected by a scan) but hidden in the operating software that controls the hard drive.

So? It’s not magic. If the firmware can be hacked then the hack can be detected. Even if the manufacturer has hardcoded the ‘malware’ you can still tell what it’s doing, and you can use a different controller for the drive.

The claim is made that the code is not detectable nor scannable. So what prevents someone from removing the ROM and reading it? Or reading it while on the drive, but not powered up? If the drive reads it for execution, why can’t something else read it?

Something else puzzles me…I think the illustration showing the memory dump and highlighting “i:\fanny.bmp” may be a figment of an artist’s imagination. If the bad file is stored on a drive’s firmware, there’s no reason for it to be named at all, and there’s no reason for it to conform to standard directory formats. If you’re trying to hide it, all the more reason to NOT make it look “conventional.” And .bmp is a bitmap graphic file, although it is possible to ignore that and execute the data as code.

Not even sure what this means. Every piece of information on your computer is either in the CMOS, which for the purpose of this discussion, tells your computer where to look for the hard drive, or on the hard drive, which contains everything else.

So does this hack infect your computer’s CMOS?

There do appear to be two types of firmware. One on a chip, and one on the platter itself. Does this hack infect the first?


I’d suggest people with technical questions read the Kaspersky blog posts or a technical site like ArsTechnica rather than mainstream non-technical news before asking technical questions. That will explain the answer to some questions like Musicat’s. (The answer is that fanny.bmp was part of a mode of infection using USB sticks and CDs.)

One of the things about the computer world is there are lots of outfits with lots of resources that would love nothing more than to discover an exploit like this especially if the hard drive manufacturers were involved. Hard drive manufacturers would love to find that a competitor was involved because a hard drive manufacturer being complicit in such a scheme would find themselves out of business overnight if it were revealed.

The drives have proprietary code in their firmware which allows you to update it. Most of these commands are available from the O/S (the firmware update software is usually run from DOS), so it’s completely possible for the firmware to be updated from your operating system (though, I imagine it’s going to eventually cause an unexpected reboot). Since the commands are proprietary, a malicious party would have to either have the co-operation of the mfr., or would need to reverse engineer the commands. Some of the commands have been reverse engineered by persons developing open source hard drive utilities, so it’s not fantasy that they can be reverse engineered.

The successful proof of concept I read about changes the entries in /etc/passwd and /etc/shadow, which would be detectable from the operating system. If it inserted its own code in the kernel when it was being loaded, it would be much more difficult to detect.

I can’t think of any way of checking the firmware where the malicious updater couldn’t just update the values to be checked against, as well. Anything such as an MD5sum would have to be updated when legitimate firmware was changed, it’d probably be possible for the malicious update to change the same value.

If I were to say anything makes this impractical, it would be the large number of combinations of drive firmware and operating systems out there. You’d be aiming for a moving target, and only hitting a small proportion of them each time. I don’t know if you’d be able to hit enough victims to make the necessary work worthwhile.

Most likely the latter; the former may not even have a mechanism to write to it outside the plant of the hard drive manufacturer.
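
The checksum-on-the-label idea and the objection raised against it in the thread (a malicious updater can also change the value being checked) can be compared in a toy model. This is an added example, not code from any poster or vendor; the `Drive` class, the sample images and the off-drive reference digests are all constructed assumptions.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for firmware images; not real drive firmware.
GENUINE_V1 = b"vendor firmware v1 (constructed sample)"
GENUINE_V2 = b"vendor firmware v2 (constructed sample)"
TAMPERED = GENUINE_V1 + b" + modification (constructed sample)"
# Reference digests kept off the drive, e.g. published by the vendor (assumption).
VENDOR_DIGESTS = {hashlib.sha256(i).hexdigest() for i in (GENUINE_V1, GENUINE_V2)}

@dataclass
class Drive:
    flash: bytes                        # what is actually stored on the firmware chip
    label_crc: int                      # CRC printed on the label at the factory
    replayed_crc: Optional[int] = None  # value a modified firmware chooses to report

    def smart_reported_crc(self) -> int:
        """Answer produced by the running firmware when the host polls it."""
        if self.replayed_crc is not None:
            return self.replayed_crc
        return zlib.crc32(self.flash)

    def update(self, image: bytes, replayed_crc: Optional[int] = None) -> None:
        self.flash, self.replayed_crc = image, replayed_crc

def label_check(drive: Drive) -> bool:
    """The proposed check: the self-reported CRC equals the label."""
    return drive.smart_reported_crc() == drive.label_crc

def external_check(drive: Drive) -> bool:
    """Chip contents read by an independent reader and compared off-drive."""
    return hashlib.sha256(drive.flash).hexdigest() in VENDOR_DIGESTS

def new_drive() -> Drive:
    return Drive(flash=GENUINE_V1, label_crc=zlib.crc32(GENUINE_V1))

def run_scenarios() -> dict:
    factory, legit, bad = new_drive(), new_drive(), new_drive()
    legit.update(GENUINE_V2)                          # vendor update, label now stale
    bad.update(TAMPERED, replayed_crc=bad.label_crc)  # firmware replays the label value
    drives = (("factory", factory), ("legit_update", legit), ("tampered", bad))
    return {name: (label_check(d), external_check(d)) for name, d in drives}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "label_check=%s external_check=%s" % result)
```

In this model the label check raises a false alarm after a legitimate update and passes the tampered drive, while the independent read gets both right because neither the measurement nor the reference value is under the firmware's control.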