NSA, Malware and Hard Drives

No, it affects the firmware of the hard drive (another possible location for information besides the two you mentioned).

Kaspersky specifically states that there is an ability to write to the firmware, but not read it - and they are claiming it can’t be detected. It appears, but I can’t say for sure, from reading their white paper - that they themselves did not discover this on the HDD, but discovered the module that would allow them to do this - which according to them was very rarely packaged as part of this library of exploits. It appeared that the HDD exploit was saved for only the most important targets - or very specific situations.

They themselves have a vested interest in claiming they CAN detect it - as obviously their clients would want them to do so. They seem to be saying they can’t. I’m not sure what their reason for lying would be.

This is an extremely advanced system of exploits - obviously related to STUXNET and the work that has gone into all these recently disclosed presumably state actor malware systems is pretty impressive - as is the work that has been used to uncover them.

If it can be written it can be over-written with the proper code every time you boot up. You can certainly detect that it is being written to. This can only have been done with the cooperation of the controller manufacturer. If they want to they’ll make the memory readable as well and then it becomes detectable. Saying it can’t be detected is not the same as saying it can be made safe.

The security business is the same whether you’re selling computer security or residential burglar alarms, you want to instill fear in your customers.

Sure, the controller manufacturer made a HD controller. Without that, there would be no exploit. And if the HD controller manufacturer hadn’t provided a firmware update, I wouldn’t be able to work out what the HD firmware update process was, except by grinding the cover off the controller chip and reading the ROM and fuse value with an electrical scanning microscope – a process I would have to pay another firm to do, since I don’t have the equipment myself.

The same thing could happen to the equipment sold by my company. And we could make the software readable if we wanted to, but then the cheap Chinese rip-off companies would be able to rip us off more cheaply.