Destroying your hard drive is the only way to stop this super-advanced malware

[mouser]

Long article on Wired about it:
http://www.wired.com...sa-firmware-hacking/

[bit]

Now that it has been discovered, I should think antivirus software could be written to at least detect it in action, followed by some kind of 'fix', possibly involving a redesigning of the HD firmware?

[tomos]

Now that it has been discovered, I should think antivirus software could be written to at least detect it in action, followed by some kind of 'fix', possibly involving a redesigning of the HD firmware?

-bit (February 25, 2015, 06:59 PM)

well, going by what's already been said...

Because the OS normally doesn't provide low level access to drive hardware to even an administrative user.

It's not just that -- if the malware tampers with the HARD DRIVE FIRMWARE, it can essentially make the hard drive return fake data, etc.  Even with the lowest level access to the hard drive, the hard drive firmware can hide any changes.  The only way to fix would be to reflash the hard drive firmware -- and it may very well be that the firmware changes make reflashing impossible via software.

-mouser (February 18, 2015, 03:10 PM)

There is no defense against this.

Its like a rootkit- that once it gets into your hard drive the only way out is to replace the drive controller with a known-good version and then very carefully salvage data without letting the virus be reactivated.

-SeraphimLabs (February 18, 2015, 03:33 PM)

[MilesAhead]

Its like a rootkit

Seems like the countermeasure would need to be burned in code.  Like the only way to update your controller code would be to physically change out a chip.  I wonder if the military has some scheme already to get around the problem?

[SeraphimLabs]

the task of delivering it to the target to infect the new hard drive without the OS noticing

-SeraphimLabs (February 18, 2015, 03:33 PM)

like... packaging it as a critical update from the drive manufacturer... which we regularly install on customer equipment...

-x16wda (February 18, 2015, 08:10 PM)

The best defense I've come up with so far is for the vendors to put a jumper on the drive that must be toggled to allow firmware writes.

Unfortunately this scenario defeats that type of defense, because the technician would move the jumper to install what is perceived to be a legitimate update and then unknowingly install the malicious version.

Having such a jumper would be a good first-line defense though to prevent automated deployment. The drive is wired such that with the jumper open the drive acts as hard drives currently do, but cannot install firmware. You would then shut the jumper to install a firmware update- but with the jumper shorted for firmware updates the drive would be prohibited from normal operation.

Once it gets into the drive its too late. You would have to access the drive's firmware without using the standard interface or letting the controller boot up, and compare the contents to a known-good version. If it starts running the infected firmware it could easily jump the gap and infect the known-good media as well, and would definitely attempt to hide itself.

[TaoPhoenix]

Its like a rootkit

Seems like the countermeasure would need to be burned in code.  Like the only way to update your controller code would be to physically change out a chip.  I wonder if the military has some scheme already to get around the problem?

-MilesAhead (February 26, 2015, 05:53 AM)

They probably do, but they like to play with a full deck of 52 cards and consumers only maybe the spades.

[mouser]

A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

[superboyac]

A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

-mouser (February 26, 2015, 12:57 PM)

hey!  I like that!

[Stoic Joker]

A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

-mouser (February 26, 2015, 12:57 PM)

hey!  I like that!

-superboyac (February 26, 2015, 05:01 PM)

I did too initially, but I don't think it will scale well for data centers that have (SAN) racks full of drives that would then need to be physically touched.

[Renegade]

A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

-mouser (February 26, 2015, 12:57 PM)

hey!  I like that!

-superboyac (February 26, 2015, 05:01 PM)

I did too initially, but I don't think it will scale well for data centers that have (SAN) racks full of drives that would then need to be physically touched.

-Stoic Joker (February 26, 2015, 06:18 PM)

Class action lawsuit against the NSA to pay for all the technicians that would need to be hired! Great make-work project! 

I know... ain't gonna happen, but it's worth a chuckle. I don't even know how many drives are affected. I don't even know what order of magnitude there would be. Billions? Hundreds or tens of millions? Good grief... A lot in any event.

[SeraphimLabs]

A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

-mouser (February 26, 2015, 12:57 PM)

hey!  I like that!

-superboyac (February 26, 2015, 05:01 PM)

I did too initially, but I don't think it will scale well for data centers that have (SAN) racks full of drives that would then need to be physically touched.

-Stoic Joker (February 26, 2015, 06:18 PM)

The way I learned IT stuff, you don't upgrade any sort of firmware unless you either have issues to be corrected or are trying to add new features.

A data center would probably not be upgrading hard drive firmware in the first place unless they had a bad batch of drives that came through bugged, and such machines would likely already have had their drives exchanged for bug-free versions to maintain uptime.

Having a jumper setting to enable/disable firmware updates would provide containment for such malware and would prevent fully automated malware from installing exploits at that level because the typical user would not ever open the case let alone move the jumper to install the update.

It would not protect against intentional sabotage or a technician unknowingly installing a bugged update.

[bit]

^I reread and very much appreciate everyone's technical comments, what little I could understand.
Yes, it is very worrisome.

[Renegade]

I've seen reports of firmware deliveries being intercepted en-route and physically modded with spyware.

-bit (February 27, 2015, 05:22 PM)

I remember reading 2 reports, though I forget the exact details and links.

In one case, a security researcher (?) ordered a drive through Amazon (?), and tracked the shipping as it was routed across the country to some place in Virginia (?) (which has an army base or intelligence service), and then back over to the person. I'm fuzzy on the details, but that was the gist.

Does anyone have links? Or remember the details?

[bit]

Historical political cartoon.
The headband of the woman says 'Press'.
Today it might say 'Internet'.
I fully appreciate comments about the technical difficulty of rooting out the implanted malware.
This addresses the political side of the same situation.
This historic political cartoon shows that this kind of corruption and shady deals in high places is nothing new, and highlights the efficacy of (then) the Press, and (now) the Internet, to expose it to the light of day.
It also ennobles those exposing ethical wrongdoing as a just and time-honored pursuit, and shows that the miscreants involved do not like being exposed, and fear exposure for good reason.
(gets off soap box)

[bit]

Are Your Computer Devices Hardwired for Betrayal?
"How Do We Fix It?
1. Firmware must be properly audited.....
2. Firmware updates must be signed......
3. We need a mechanism for verifying the integrity of installed firmware......."

[SeraphimLabs]

Are Your Computer Devices Hardwired for Betrayal?
"How Do We Fix It?
1. Firmware must be properly audited.....
2. Firmware updates must be signed......
3. We need a mechanism for verifying the integrity of installed firmware......."

-bit (March 03, 2015, 11:00 PM)

Or simply making it so that you don't update the firmware in the field. Build it right the first time, and stop shipping software with serious defects in it.

The jumper idea works though because it prevents firmware from being changed with someone doing so intentionally, any more restrictive than that and you might as well not allow firmware updates at all.