HDD GURU FORUMS
http://forum.hddguru.com/

Hacked SSD has hidden partition in "dead sector" help?
http://forum.hddguru.com/viewtopic.php?f=10&t=38063
Page 1 of 1

Author:  Frankfree [ February 12th, 2019, 12:41 ]
Post subject:  Hacked SSD has hidden partition in "dead sector" help?

Greetings,

Recently I had the unfortunate opportunity to obtain a Conficker worm which created a backdoor for mr hacker to hop on over to my Linux drive.

I'm trying to clean this PC and a brand new SSD suddenly is reporting bad sectors, which was strange. I formatted the drive and wiped the empty space, and about 1 hour after getting back online, this hacker strikes again with some kind of Heartbleed attack and my kernel crashed. Upon reboot, logs indicate something like dbus session created. I don't recall specifically; BUT previously he was accessing this drive through a hacked M.2 Windows drive by bridging the bus and creating a terminal session.

ANYWAY! I know this drive has some kind of hidden and protected partition in an area with sectors marked as dead. How do I go about restoring this drive? ... because formatting didn't do the trick, and neither did secure wipe in UEFI.

Anyone know how to fix this?

Author:  DRUG [ April 19th, 2019, 8:46 ]
Post subject:  Re: Hacked SSD has hidden partition in "dead sector" help?

What is the SSD model?

Author:  OzBackyardTech [ April 29th, 2019, 22:05 ]
Post subject:  Re: Hacked SSD has hidden partition in "dead sector" help?

I am wondering if the drive model matters.

I have been professionally "burned" by a Chinese hacking operation at one of my client sites. Because of their circumstances, investigating a Chinese state-owned manufacturer, it was most likely a state security operation. Part of their infiltration process was to target SSD drives and create a complete virtual PC in the reserved storage space of the SSDs. They did not bother with the few spinning disk drives, only SSDs.

This all happened about 9 months ago and I spent a lot of time researching known disk hacking techniques and asked on some security technology forums. Yes, people had seen this a few times; no, they did not know how they accessed the SSD firmware, patched it and then had an inaccessible residence to do what they liked, which in this case was surveillance and document retrieval. The only fix was to buy new SSDs, re-sterilize the systems and rebuild onto the new SSDs, motherboards and HDDs (I replaced ALL storage just to be safe). Fortunately they had ignored the very high end video cards.

At the heart of this debacle was that the hacking compromised the firmware of all the SSDs, which were Samsung, Intel and Crucial devices ranging from 480GB to 960GB. Now some may call me cynical, but guess where most of our software development for embedded devices now occurs, either directly or through subcontracting? China. Even if you take Intel and Crucial as American-based operations, they still use the firmware kits of the same SSD controller chips that are used everywhere else. I have no idea how much source code is given to manufacturers, but it hardly matters when spooks get involved and money is freely available.

I was left with the only option being to replace these devices. The client was super angry. During the whole process the Chinese were interactively attempting to stay onsite. Yes, they had also hacked the firewall UTM (password sniffed) and the Linux based phone system and handsets, so they were also replaced - I kid you NOT! Client almost went under financially as a result, so this is quite serious.

I have mentally given up trying to pull it all apart and understand technically exactly how they did it. Even if I did get to that point, who says their techniques are fixed? Experienced state level hacking is not something I can protect against, ever.

So if your SSD has been hacked then put a screwdriver through it. Hackers are smarter than us and without proper defensive or recovery tools you cannot save the drive. Remember there is at least 10% reserved storage for flash wear replacement, 20% in the Pro and Enterprise devices. That is a lot of space for a virtual PC!

Oh and all of this experience brought to light the wonders of our new UEFI firmware in motherboard BIOS and graphics cards... Extremely hackable despite all the "assurances" by manufacturers and industry bodies. What a joke our security is nowadays when the underlying foundations we trust in are so easily compromised. :x

What I really wanted back then and still want is a utility that will format EVERY bit of flash in an SSD, including cells marked as bad or reserved. It would also be nice to be able to checksum the drive's firmware and forcibly replace it via JTAG etc.

Author:  HaQue [ April 30th, 2019, 10:59 ]
Post subject:  Re: Hacked SSD has hidden partition in "dead sector" help?

What was the evidence pointing to hacked firmware? Not including symptoms or lack of any other explanation.

Author:  DRUG [ April 30th, 2019, 14:31 ]
Post subject:  Re: Hacked SSD has hidden partition in "dead sector" help?

HaQue wrote:
What was the evidence pointing to hacked firmware? Not including symptoms or lack of any other explanation.

This.

All times are UTC - 5 hours [ DST ]