Re: [PLUG] Spyware in hard drive firmware - a reality for 10+ years
Michael == Michael Rasmussen mich...@jamhome.us writes: Michael Or so reports Kaspersky. Michael http://www.thestar.com/business/2015/02/17/us-can-permanently-spy-on-sabotage-foreign-computers-kaspersky-lab-report-says.html One thing the articles about this problem keep saying and which doesn't make complete sense is that this infection is immune to removal. There is a method to get the infection into spare sectors and into firmware, which seems to me to mean that there *is* a way to see those raw sectors and/or firmware in a such a way as to a) see what's there; and b) remodify the firmware. It might be that if you are dependent on the firmware to inspect or replace the firmware, then the infected firmware could just lie to you in order to hide itself. In which case, these devices really need to have some offline way of inspecting their flash sufficient to generate dumps and checksums to verify they are running what you think they are running. What tools currently exist on linux to inspect the hard disk firmware? I recall updating some hard disk firmware (several years ago), but perhaps using a vendor supplied freedos-based software kit. -- Russell Senior, President russ...@personaltelco.net ___ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug
[PLUG] Spyware in hard drive firmware - a reality for 10+ years
Or so reports Kaspersky. http://www.thestar.com/business/2015/02/17/us-can-permanently-spy-on-sabotage-foreign-computers-kaspersky-lab-report-says.html -- Michael Rasmussen Be Appropriate Follow Your Curiosity ___ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] Spyware in hard drive firmware - a reality for 10+ years
some light reading on the topic of HD firmware backdoors: http://www.s3.eurecom.fr/docs/acsac13_zaddach.pdf On Tue, Feb 17, 2015 at 9:28 AM, Russell Senior russ...@personaltelco.net wrote: Michael == Michael Rasmussen mich...@jamhome.us writes: Michael Or so reports Kaspersky. Michael http://www.thestar.com/business/2015/02/17/us-can-permanently-spy-on-sabotage-foreign-computers-kaspersky-lab-report-says.html One thing the articles about this problem keep saying and which doesn't make complete sense is that this infection is immune to removal. There is a method to get the infection into spare sectors and into firmware, which seems to me to mean that there *is* a way to see those raw sectors and/or firmware in a such a way as to a) see what's there; and b) remodify the firmware. It might be that if you are dependent on the firmware to inspect or replace the firmware, then the infected firmware could just lie to you in order to hide itself. In which case, these devices really need to have some offline way of inspecting their flash sufficient to generate dumps and checksums to verify they are running what you think they are running. What tools currently exist on linux to inspect the hard disk firmware? I recall updating some hard disk firmware (several years ago), but perhaps using a vendor supplied freedos-based software kit. -- Russell Senior, President russ...@personaltelco.net ___ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug ___ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] Spyware in hard drive firmware - a reality for 10+ years
One thing the articles about this problem keep saying and which doesn't make complete sense is that this infection is immune to removal. There is a method to get the infection into spare sectors and into firmware, which seems to me to mean that there *is* a way to see those raw sectors and/or firmware in a such a way as to a) see what's there; and b) remodify the firmware. It might be that if you are dependent on the firmware to inspect or replace the firmware, then the infected firmware could just lie to you in order to hide itself. In which case, these devices really need to have some offline way of inspecting their flash sufficient to generate dumps and checksums to verify they are running what you think they are running. Yes, that very well may be the case. Much like kernel-level root kits that return a clean version of an infected binary upon read(), but run a different version when and exec system call is run. Besides, even if a BIOS read did return the infected version, we don't have any off-the-shelf tools to test for the infection. What tools currently exist on linux to inspect the hard disk firmware? I recall updating some hard disk firmware (several years ago), but perhaps using a vendor supplied freedos-based software kit. I don't know of any, but I haven't looked. Similar to BadUSB research, you'd probably have to reverse engineer the vendor-supplied HD BIOS update software to figure out how they do it. It's probably just a matter of sending a vendor-specific magic word over to the HD. I know there's been interest in creating open source system BIOSes, but not sure about HDs. IMO, HD vendors shouldn't provide a way to update their firmwares over ATA, unless it involves some serious downtime. For instance, they could require that the flashing can only occur after being authorized directly by the Firmware during a reboot. Perhaps leverage the ATA password prompt process to ask the user to type CONFIRM or something very explicit to unlock the flashing capability for that single boot session. Same goes for USB firmwares, and any other device firmware. Either provide a physical port for re-flashing, or find a way to make it very hard to secretly flash the firmware. It seems cumbersome, but all that scary backdoor stuff people hypothesized about 15 years ago actually began to happen 10 years ago, and we're only now finding out about it. tim ___ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] Spyware in hard drive firmware - a reality for 10+ years
On Tue, Feb 17, 2015 at 9:28 AM, Russell Senior russ...@personaltelco.net wrote: Michael == Michael Rasmussen mich...@jamhome.us writes: Michael Or so reports Kaspersky. Michael http://www.thestar.com/business/2015/02/17/us-can-permanently-spy-on-sabotage-foreign-computers-kaspersky-lab-report-says.html One thing the articles about this problem keep saying and which doesn't make complete sense is that this infection is immune to removal. There is a method to get the infection into spare sectors and into firmware, which seems to me to mean that there *is* a way to see those raw sectors and/or firmware in a such a way as to a) see what's there; and b) remodify the firmware. It might be that if you are dependent on the firmware to inspect or replace the firmware, then the infected firmware could just lie to you in order to hide itself. In which case, these devices really need to have some offline way of inspecting their flash sufficient to generate dumps and checksums to verify they are running what you think they are running. What tools currently exist on linux to inspect the hard disk firmware? I recall updating some hard disk firmware (several years ago), but perhaps using a vendor supplied freedos-based software kit. Also you would think that anything headed for that special area of the disk would have some sort of signature that could be searched for before it got sent to the mysterious firmware. Bill Barry ___ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug