Tuesday, February 17th 2015

NSA Hides Spying Backdoors into Hard Drive Firmware

Russian cyber-security company Kaspersky Labs has exposed a breakthrough U.S. spying program that taps into one of the most widely proliferated PC components: hard drives. Over the last 5 years the number of hard-drive manufacturing nations has shrunk from three (Korea's Samsung, Japan's Hitachi and Toshiba, and America's Seagate and WD) to one (America's Seagate and WD), with the Japanese and Korean businesses swallowed up or partnered with as US-based subsidiaries or spin-offs such as HGST, and that has cast a shadow of suspicion on Seagate and WD.

According to Kaspersky, the American cyber-surveillance agency, the NSA, is taking advantage of the centralization of hard-drive manufacturing in the US by having WD and Seagate embed its spying back-doors straight into the hard-drive firmware. This gives the agency direct access to raw data, regardless of partition method (low-level format), file-system (high-level format), operating system, or even user access-level. Kaspersky says it found PCs in 30 countries with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

Kaspersky claims that the HDD firmware backdoors are already being used to spy on foreign governments, military organizations, telecom companies, banks, nuclear researchers, the media, and Islamic activists. Kaspersky declined to name the company that designed the malware, but said that it has close ties to the development of Stuxnet, the cyber-weapon used by the NSA to destabilize Iran's uranium-enrichment facilities.

Kaspersky claims that the new backdoor is perfect in design. Each time you turn your PC on, the system BIOS loads the firmware of all hardware components into system memory, even before the OS boots. This is when the malware activates, gaining access to critical OS components, probably including network access and the file-system. That makes HDD firmware the second most valuable real-estate for hackers, after the system BIOS.

Both WD and Seagate denied sharing the source-code of their HDD firmware with any government agency, and maintained that their HDD firmware is designed to prevent tampering or reverse-engineering. Former NSA operatives stated that it's fairly easy for the agency to obtain the source-code of critical software, including by asking directly or by posing as a software developer. The government can seek the source-code of hard-drive firmware simply by telling a manufacturer that it needs to inspect the code to make sure it's clean before it can buy PCs running their hard-drives.

What is, however, surprising is how "tampered" HDD firmware made it to mass-production. Seagate and WD have manufacturing facilities in countries like Thailand and China, located in high-security zones to prevent intellectual property theft or sabotage. We can't imagine tampered firmware making it to production drives without the companies' collaboration.

Source: Reuters via Yahoo
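A practical first step for a defender after a report like this is to inventory which drive models and firmware revisions are actually deployed, and flag anything that does not match the vendor's expected revisions. The following is an added example, not code from the article, Reuters or Kaspersky: it parses the string fields of a 512-byte ATA IDENTIFY DEVICE block (the data behind `hdparm -I` or `smartctl -i`) and checks the reported firmware revision against a constructed allow-list; every model, serial and revision value in it is made up. The caveat a practitioner should keep in mind is that an implant living in the firmware can report whatever revision string it likes, so this is inventory, not proof of integrity.

```python
# Word offsets (16-bit words) of the ASCII fields in ATA IDENTIFY DEVICE data.
SERIAL_WORDS = (10, 20)     # 20 ASCII bytes
FIRMWARE_WORDS = (23, 27)   # 8 ASCII bytes
MODEL_WORDS = (27, 47)      # 40 ASCII bytes


def _swap_pairs(raw: bytes) -> bytes:
    # ATA stores the first character of each pair in the high byte of the
    # word; read as little-endian bytes, every pair appears swapped.
    out = bytearray()
    for i in range(0, len(raw) - 1, 2):
        out += raw[i + 1:i + 2] + raw[i:i + 1]
    return bytes(out)


def _ata_string(buf: bytes, first_word: int, end_word: int) -> str:
    return _swap_pairs(buf[first_word * 2:end_word * 2]).decode("ascii", "replace").strip()


def parse_identify(buf: bytes) -> dict:
    """Extract serial, firmware revision and model from a 512-byte IDENTIFY block."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return {
        "serial": _ata_string(buf, *SERIAL_WORDS),
        "firmware": _ata_string(buf, *FIRMWARE_WORDS),
        "model": _ata_string(buf, *MODEL_WORDS),
    }


def build_identify(serial: str, firmware: str, model: str) -> bytes:
    """Construct a sample IDENTIFY block with only the string fields populated (test data)."""
    buf = bytearray(512)
    buf[20:40] = _swap_pairs(serial.ljust(20).encode("ascii")[:20])
    buf[46:54] = _swap_pairs(firmware.ljust(8).encode("ascii")[:8])
    buf[54:94] = _swap_pairs(model.ljust(40).encode("ascii")[:40])
    return bytes(buf)


# Constructed allow-list: model string -> firmware revisions the vendor shipped.
EXPECTED_FIRMWARE = {"EXAMPLE DISK 1TB": {"EX01", "EX02"}}


def check_firmware(identify: bytes, expected=EXPECTED_FIRMWARE) -> tuple:
    """Return (ok, message); unknown models and unexpected revisions both fail."""
    info = parse_identify(identify)
    known = expected.get(info["model"])
    if known is None:
        return False, f"unknown model {info['model']!r} (serial {info['serial']})"
    if info["firmware"] not in known:
        return False, f"{info['model']} reports unexpected firmware {info['firmware']!r}"
    return True, f"{info['model']} firmware {info['firmware']} is on the expected list"
```

On a real host the 512 bytes would come from the drive itself (for example the raw identify output of `hdparm --Istdout`), and the allow-list from the vendor's published revisions for each model.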

134 Comments on NSA Hides Spying Backdoors into Hard Drive Firmware

#1
revin
Wicked eh !:(
So would one have to flash the drive/firmware/BIOS ??? to get rid of any crap hiding?
#2
Naito
revin said:
Wicked eh !:(
So would one have to flash the drive/firmware/BIOS ??? to get rid of any crap hiding?
If the allegations are true, the spyware is embedded into the firmware from the factory. That means any and all firmware capable of being written to the drives in question will have it by default. Besides, it is very difficult to reverse engineer such firmware to remove it, and just as difficult to install it back on to the drive.

This news just doesn't surprise me. Maybe this will push more people to buy SSDs from Asian companies? That's if they are any safer from espionage.
#3
btarunr
Editor & Senior Moderator
Before you post "thank God I use SSD," don't be so sure. Most SSD manufacturers are tiny sub-billion-dollar outfits that are just easier to coerce by the government of their biggest market.

Chinese government and PLA use only SSDs in their PCs, and that too only from select China-based companies such as Renice, Runcore, etc., so they have control over the firmware.
#4
lZKoce
btarunr said:
Before you post "thank God I use SSD," don't be so sure. Most SSD manufacturers are tiny sub-billion-dollar outfits that are easier to coerce by the government of their biggest market.

Chinese government and PLA use only SSDs in their PCs, and that too only from select China-based companies such as Renice, so they have control over the firmware.
While reading this, I was just thinking, meh, I am using SSDs on both rigs. :) Now your comment kills the hope... of not being potentially spied on. ;)
#5
Naito
btarunr said:
Most SSD manufacturers are tiny sub-billion-dollar outfits that are easier to coerce by the government of their biggest market.
I'd assume companies like Samsung, Plextor, Sandisk, etc. may be in a position to avoid such things; however, one can never be sure. Makes you wonder if SandForce controllers are hiding undesirable code in the firmware, as to my knowledge their firmware is quite closed-source.

EDIT: It seems SandForce was acquired by LSI Corp./Avago Technologies, whose SSD controller division was in turn acquired by Seagate. Hmm...
#6
Prima.Vera
What if the HDD/SSD is encrypted, can they still have access to the encrypted data?
#7
btarunr
Editor & Senior Moderator
Prima.Vera said:
What if the HDD/SSD is encrypted, can they still have access to the encrypted data?
They have access to 1s and 0s. They can take those 1s and 0s, and run them through their multi-billion-dollar decryption farms.
#8
RazorBurn
Should I be worried with my Hentai Tentacle collection?
#9
btarunr
Editor & Senior Moderator
RazorBurn said:
Should I be worried with my Hentai Tentacle collection?
Maybe not that your hentai collection will incriminate you, but that there's someone out there who knows you're a hentai collector. So the next time you take evidence of corruption to the press/court, the government can kill-the-messenger by calling you a hentai-collector.

Your government has your dirt. That's what should scare you.
#10
lZKoce
btarunr said:
They have access to 1s and 0s. They can take those 1s and 0s, and run them through their multi-billion-dollar decryption farms.
How much computational power do you need to decrypt a mainstream HDD? And how much time is it gonna take per single unit? I thought it was impossible with current tech.
#11
Relayer
lZKoce said:
While reading this, I was just thinking, meh, I am using SSDs on both rigs. :) Now your comment kills the hope... of not being potentially spied on. ;)
Well, unless you are an Iranian nuclear scientist or someone else mentioned, you really don't have to worry. They are actually quite busy with important stuff, not with what pr0n sites we go on or how much money we have in the bank.
#12
btarunr
Editor & Senior Moderator
Relayer said:
Well, unless you are an Iranian nuclear scientist or someone else mentioned, you really don't have to worry. They are actually quite busy with important stuff, not with what pr0n sites we go on or how much money we have in the bank.
That is a very common fallacy used by governments in the face of such allegations. What should worry you is that you'll never be able to fight "the powers that be," if they screw you over, because they have your dirt, and they can use that to trivialize/discredit/vilify you at whim.
#13
Relayer
btarunr said:
That is a very common fallacy used by governments in the face of such allegations. What should worry you is that you'll never be able to fight "the powers that be," if they screw you over, because they have your dirt, and they can use that to trivialize/discredit/vilify you at whim.
Listen, I'm not saying I like it or that it's OK to spy on the citizenship of a country. I'm sure that's not the reason this spyware has been installed either. It's for the reasons in the article. Is there possibility for abuse? Sure there is. That's where the problem lies: making sure the abuse doesn't occur. Personally though, I like them having access to Iran's, ISIS's, No. Korea's, etc. HDDs. It might save your, my, our kids' or other loved ones' lives.

It's strange how people can see the threat in something like this but not from the organizations that are targeted. Maybe if you lived in Israel, you'd feel differently?
#14
NC37
Really, you don't know how drives in China could become tampered?

Sigh...

Go there and wave some cash in front of one of the workers before they commit suicide and you'll get all the tampering you need.
#15
Octopuss
Stop that mass hysteria, people. This sounds like bullshit journalist sensationalism. "Snowden is getting old and nothing new is coming out of him, let's make up even more stories people will want to read."
#16
Potatoking
Not saying this is impossible, but until there is some hard evidence, this is just another accusation. Russia has lost a lot of credibility these days...
#17
blaznee
Just accept the fact that government agencies know what you're doing if they want to. I'm pretty sure they don't care that you look at "teen lesbian" categories or that you're stalking your ex on Facebook after 2 beers..
#18
Frick
Fishfaced Nincompoop
Octopuss said:
Stop that mass hysteria, people. This sounds like bullshit journalist sensationalism. "Snowden is getting old and nothing new is coming out of him, let's make up even more stories people will want to read."
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

Seriously, they have mad skills. Not sure Kaspersky said in plain speech it was the NSA as such.

Potatoking said:
Not saying this is impossible, but until there is some hard evidence, this is just another accusation. Russia has lost a lot of credibility these days...
Kaspersky != Russia. And read the Ars article, it's massively interesting. Also read up on Stuxnet and Flame to get an idea of just what they can do.

EDIT: Ok I've read the thing now, and

1) The group has ties to NSA, but no one has said it's the NSA itself, especially not Kaspersky who dubbed them Equation Group.
2) It seems they do the attacks in the wild, meaning a) the factories are not compromised and b) holy shit they can rewrite the HDD firmware in the wild.

EDIT
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

The report itself.
#19
micropage7
So the NSA works behind us, and have you seen "Winter Soldier"?
Each one of us can be identified by any tracks of mail, telephone calls, messages, FB, Twitter, and others,
so everyone is visible.
#20
Caring1
Potatoking said:
Not saying this is impossible, but until there is some hard evidence, this is just another accusation. Russia has lost a lot of credibility these days...
While I don't have a link or remember exactly what show I was watching, I did see a program on TV where the NSA admitted installing spyware and/or tracking devices in hardware for specific targets. There is nothing stopping them from doing the same to the general populace at any stage if they warrant it necessary.
The same warnings have been given previously about the mass of cheap phones being produced in China; they are watching and listening to the West.
#21
Capitan Harlock
A lot of people here should see the shit the NSA is doing with Tor and other idiocracy thinking.
Go and take a look at Tek Syndicate and see what crazy sociopaths they are.
#22
z1tu
You might want to change the title there since no one is saying for sure this is the NSA. It looks like them but it hasn't been confirmed. :)
#23
micropage7
z1tu said:
You might want to change the title there since no one is saying for sure this is the NSA. It looks like them but it hasn't been confirmed. :)
Suddenly I think every firmware has its own bugs and "they" exploit that to get any information,
or they release a standard that has a backdoor to manufacturers so they can exploit it in the future.
#24
Mr B
If you're not doing anything wrong or illegal, then what's the problem?
#25
Caring1
Mr B said:
If you're not doing anything wrong or illegal, then what's the problem?
Chip, chip, chipping away ..... at your freedom