All times are UTC - 5 hours [ DST ]




 Post subject: Kaspersky Lab says NSA hacked all manufacturers firmware...
PostPosted: February 16th, 2015, 16:43 

Joined: December 13th, 2008, 13:35
Posts: 270
Location: Los Angeles, CA USA
http://www.reuters.com/article/2015/02/ ... ce=twitter

further reading here:
http://25zbkz3k00wn2tp5092n6di7b5k.wpen ... nswers.pdf

_________________
$300 Data Recovery


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 16th, 2015, 17:01

Joined: December 13th, 2008, 13:35
Posts: 270
Location: Los Angeles, CA USA
Section 10 of second link may be most interesting for hdd gurus.

_________________
$300 Data Recovery


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 8:22

Joined: August 26th, 2012, 19:18
Posts: 282
Location: England
Interesting read, well posted.

Orwell was indeed an optimist :)

_________________
When you feel like eating, eat everything.
Hunger is no joke!


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 9:46

Joined: December 4th, 2012, 1:35
Posts: 2965
Location: Adelaide, Australia
Reading this, you realise how screwed the general population is.

For the few that would even bother to listen to someone describe what is in play and the tools.. only about 1/2 would even believe it. The other half.. well, what are those 3 people going to do? These "Internet veapons" are incredible.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 13:38

Joined: April 3rd, 2011, 0:19
Posts: 1667
Location: Providence, RI
Well, that certainly explains why the number of modules in new WD drives has shot up so quickly and we still don't know what half of them are.

They had to hide their remote access software somewhere. :D

_________________
Hard Drive & RAID Data Recovery Services
https://www.data-medics.com/raid-data-recovery/


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 16:33

Joined: February 19th, 2011, 11:05
Posts: 240
Location: Toronto
They need to infect a computer with a virus to start getting info from it. But why do they need to hack the HDD if they already have total control over the computer? To bypass the drive's hardware encryption?

_________________
Data recovery, backup, protection.
R-Tools Technology, Inc


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 16:59

Joined: May 5th, 2004, 20:06
Posts: 2770
Location: England
Hacking HDD firmware is pretty simple....

_________________
All went well until I plugged the drive in.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 17:05

Joined: December 13th, 2008, 13:35
Posts: 270
Location: Los Angeles, CA USA
Alt(R-TT) wrote:
They need to infect a computer with a virus to start getting info from it. But why do they need to hack the HDD if they already have total control over the computer? To bypass the drive's hardware encryption?


So that even after a full OS reinstall or reformat of hard drive, the virus still remains. The only solution when infected would be a completely new hard drive.

_________________
$300 Data Recovery


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 17:16

Joined: September 8th, 2009, 18:21
Posts: 9749
Location: Australia
guru wrote:
Hacking HDD firmware is pretty simple....

Hard disk hacking:
http://spritesmods.com/?art=hddhack

_________________
A backup a day keeps DR away.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 17th, 2015, 17:32

Joined: December 4th, 2012, 1:35
Posts: 2965
Location: Adelaide, Australia
They did it for persistence as previously mentioned, and also to evade standard detections. This also bypasses a lot of standard AV and Anti-Malware mitigations, and if undetected can be a workhorse for them for years.

@guru .. they didn't just hack HDDs, they wrote a complete mass pwnage suite that has spanned a decade and is virtually for the most part undetectable except for researchers with the time and backing to hunt them down and autopsy them.

Difference between being able to drive a car, and creating a formula1 team that wins for 10 years straight.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 18th, 2015, 4:34

Joined: February 8th, 2014, 8:08
Posts: 448
Location: Eastern Europe /recovering worldwide/
Custom firmware-level interactions with data aren't something totally exclusive.
Namco develops custom HDD firmware for their game machines. When you try to connect the hard drive from such a machine to a computer and create a sector-by-sector copy of it, the firmware wipes the header of the encrypted LUKS partition, so nobody will be able to run the game again.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 18th, 2015, 10:30

Joined: May 5th, 2004, 20:06
Posts: 2770
Location: England
I'm just trying to point out that hacking and patching HDD firmware is not as hard as "Kaspersky" says it is.

If you are high up in the chain of command within government expect your toaster/oven/fridge/dishwasher/PVR/DVR/HIFI/Barbie(or Ken)/pet dog or cat to be monitoring your every move!

_________________
All went well until I plugged the drive in.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 18th, 2015, 11:23

Joined: December 4th, 2012, 1:35
Posts: 2965
Location: Adelaide, Australia
guru wrote:
I'm just trying to point out that hacking and patching HDD firmware is not as hard as "Kaspersky" says it is.

If you are high up in the chain of command within government expect your toaster/oven/fridge/dishwasher/PVR/DVR/HIFI/Barbie(or Ken)/pet dog or cat to be monitoring your every move!


I am not sure I read that they said it was hard, but I agree with you it isn't rocket science. We have all probably disassembled code, used debuggers and played with embedded systems. There probably is enough information in the public domain to get something working.

The bit that would be harder is to develop the whole suite, getting all the moving parts working as you want, keeping it as undetectable as possible, making sure the self destructs work properly, working with files that are not files, getting it deployed to the vast infrastructure, monitoring it and acting on what is collected etc..

So I agree with your point, it isn't THAT hard, but to focus on the HDD Hacking only is a mistake in my opinion.

I am willing to bet though, if one of us were to try to mirror the HDD hacking alone, with as far a reach as what "they" did.. well there are quite a few damn long nights


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 18th, 2015, 15:42

Joined: May 5th, 2004, 20:06
Posts: 2770
Location: England
I quote from the Kaspersky blog:

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software. Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions. This is very high profile engineering which requires months of development and millions in investment."

_________________
All went well until I plugged the drive in.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 18th, 2015, 16:04

Joined: December 19th, 2006, 8:49
Posts: 8159
Location: Portugal
guru wrote:
I quote from the Kaspersky blog:

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software. Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions. This is very high profile engineering which requires months of development and millions in investment."


Not hard at all.

You just buy something like a PC-3000 or salvation or you study the DR forums and you get the vendor-specific commands. You can get a WDR software and it will send commands to the drive and get the firmware out of it.

Now you just code your virus in a way that it includes a driver to send those commands and "patch" the firmware the way you want it.

That "edited" or patched firmware just has to "exploit" some Windows bug or somehow auto-execute code on Windows when you connect that drive to the machine.

You can even do better. I can see a way that a "hacker" would just put some code on SA/hidden LBA and then "swap" the first LBAs of the drive with the content of the "edited" or hacked master boot record, putting there a virus pointing to another place on the drive that couldn't be accessed by LBA.

What can be done with this just depends on imagination.

The same applies to DVD/CD burners, or any other hardware.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 19th, 2015, 1:31

Joined: April 26th, 2012, 1:52
Posts: 390
Location: Chicago, USA
While none of this is surprising, it is disheartening. Especially that it has gone on for so long without revelation to the public.

_________________
On a clear disk you can seek forever.


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 19th, 2015, 2:34

Joined: December 4th, 2012, 1:35
Posts: 2965
Location: Adelaide, Australia
Spildit wrote:
guru wrote:
I quote from the Kaspersky blog:

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software. Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions. This is very high profile engineering which requires months of development and millions in investment."


Not hard at all.

You just buy something like a PC-3000 or salvation or you study the DR forums and you get the vendor-specific commands. You can get a WDR software and it will send commands to the drive and get the firmware out of it.

Now you just code your virus in a way that it includes a driver to send those commands and "patch" the firmware the way you want it.

That "edited" or patched firmware just has to "exploit" some Windows bug or somehow auto-execute code on Windows when you connect that drive to the machine.

You can even do better. I can see a way that a "hacker" would just put some code on SA/hidden LBA and then "swap" the first LBAs of the drive with the content of the "edited" or hacked master boot record, putting there a virus pointing to another place on the drive that couldn't be accessed by LBA.

What can be done with this just depends on imagination.

The same applies to DVD/CD burners, or any other hardware.


OK Spildit, now you have reproduced about 1% of effort on the malware campaign.. just need to work on the deployment, all the other drive vendors, infiltration, Windows and Linux, SCADA etc 0-days etc etc.

As I said, concentrating on the fact they "hacked a hard drive" is very wrong in my opinion!
cheers mate ;)


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 21st, 2015, 7:30

Joined: February 19th, 2011, 11:05
Posts: 240
Location: Toronto
guru wrote:
I quote from the Kaspersky blog:

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software."

For a Windows programmer. For a microcontroller programmer, hard drive reprogramming is much easier than writing Windows software.

Ok. I wonder how that hacked software gets out from the disk and starts its job when a new system has been installed. Writing its code to a loader? But that will not even work for all Windows versions.

_________________
Data recovery, backup, protection.
R-Tools Technology, Inc


 Post subject: Re: Kaspersky Lab says NSA hacked all manufacturers firmware
PostPosted: February 21st, 2015, 9:08

Joined: December 4th, 2012, 1:35
Posts: 2965
Location: Adelaide, Australia
Alt(R-TT) wrote:
guru wrote:
I quote from the Kaspersky blog:

"For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software."

For a Windows programmer. For a microcontroller programmer, hard drive reprogramming is much easier than writing Windows software.

I agree somewhat. These guys probably did not have to go to work or spend a great deal of time with family. They probably were able to say to another team or part of a team.. "I need this piece of information, specs, documents" etc and they would get it. When you have the resources, the difficulty is not an issue. Doesn't matter how "hard" it is, it is just a matter of time. I believe the focus here is all wrong. We shouldn't be focusing on how hard it is or if hacking HDDs is really that elite.. but the whole picture. A group of people were able to go into whatever computer system they wanted, in whatever part of the world they wanted, steal whatever they want, embed themselves in there to infect again if cleaned.. without really any detection, probably little oversight.

For this to be culminating in a whitepaper, a few crappy news articles that basically quote a couple of lines from the whitepaper, and a small bickering over how hard hacking a hard disk is - well this amazes me. Ask 100 people in a week what they remember about a group that can go wherever they please and one part is hacking hard drives.. I bet you get 100 crickets chirping.

If spam, cybercriminals with all sorts of money making schemes, cryptolocker, facebook/instagram/etc.. didn't already destroy any trust in the internet.. then groups like the dubbed "Equation group" have.

Tell me.. what is anyone going to do about it? Make more laws??.. These people don't give a shit about the law. Track them down?? And do what? Probably some US Govt agency with some warped view on protecting the states from TeRRism. Have better computer security?? Yea sure, like that has done anything to help in the past.

The silver lining is I enjoy reading the write-ups people like the Kaspersky team do, these are smart guys and it must be awesome to work there and have an inside view of all these shenanigans.


Alt(R-TT) wrote:
Ok. I wonder how that hacked software gets out from the disk and starts its job when a new system has been installed. Writing its code to a loader? But that will not even work for all Windows versions.

That's why the stuff is extremely targeted. I have heard a few interviews now with Kaspersky researchers and InfoSec people. If you won the jackpot and got a hard disk infection, you were special and I bet there were hands running through each step of the pwnage. This malware was not just Pwn and exfil data back to a CnC server.. this had many modules and looks like a few were manually operated.

Parts of the malware were quite targeted, such as if you visited an infected site with an iPhone (only iPhone and not iPad) you were redirected to a site where extra effort was made to not pop any HTML errors.

I think the sophistication, depth, spread of this is overshadowed by the mention of Hard Drive hacking.

A good insight is the digital underground podcast number 186 http://threatpost.com/costin-raiu-on-the-equation-group-apt/111169 "Dennis Fisher talks with Costin Raiu of the Kaspersky Lab GReAT team about the researcher behind the Equation Group campaign, the group’s capabilities and why they seem to have gone dark now."

