Reuters: Kaspersky discovered spying software in hard drives firmware
The bottom line is: unless you live in Iran, Russia, Pakistan, or Afghanistan and unless you work in government, telecommunications, diplomacy, research institution, or university it is unlikely that your machine is compromised.
Yeah, I've read quite a bit about that the last few days.
In the hard drive firmware it is active before boot and able to grab fs encryption keys as they are used, and is virtually undetectable because drives provide no means of reading the firmware.
It is also not an isolated thing, but apparently the chances of you having one of these drives is pretty good if it is recent manufacture from Seagate, Western Digital, Hitachi, Samsung, Toshiba (most of mine!)... and the list goes on.
Did the manufacturers cooperate? Most will not comment, two I think deny it.
And that is just the hard drive exploit... there are many more. The budget and staff and reach have grown exponentially; any hope of legal restraint is just a bad joke - as if law applied to those with power, money and all those private photos of the politicians and judges!
Sleep good, safe in the knowledge that all the bad guys now work for you!
This is outrageous. I wonder how those hard drives got infected in the first place.
If I understood correctly, the spyware loads on the RAM before the OS does, so in that case would any OS running on the infected machines be compromised?
Remember the crescendo of criticism that Yahoo, Google, MS etc. got when it was revealed that the spooks had taps 'directly' into the servers?
They all got wise all of a sudden, denied it up and down, and started implementing security arrangements for the barn doors that were left wide open in the past.
It is my hope that there will be a similar outcry, which will (may) force denials from the HD manufacturers - and if we are lucky then we too can get the tools to audit the drives ourselves. The tools MUST exist but are probably proprietary. Wonder what Stallman and Co. will do now? Floppies?
Actually I have a pile of old HDs from before 2009 which I may press back into service? 100 meg Zip drives anyone?
The report from Equation Group says that this exploit re-programmed drive firmware. Can't they use firmware on 'real' ROMs: unwritable memory? And what keeps it out of any country?
One can use the Seagate utilities to 'update' the firmware on their drives. Firmware being provided by them, and only they really know what it does.
You used to be able to do it on older drives too. In the good old days the drive bios was mapped to C800 I believe.
Quote:
And what keeps it out of any country?
Nothing. It is probably on every drive, and then they can just dial into you if they feel like fishing!
Much easier, and cost effective too. No more hijacked shipments from suppliers.
Quote:
Originally Posted by ceyx
One can use the Seagate utilities to 'update' the firmware on their drives.
I suggested that they offer firmware on old-fashioned unwritable ROMs ('read-only memory') as a security measure. I suppose one would have to pay for upgrades - or do without.
Quote:
Originally Posted by ceyx
Firmware being provided by them, and only they really know what it does.
But one can figure it out. A search of the web turned up a German fellow who described his exploit hacking his own drive's firmware.
Quote:
Originally Posted by ceyx
You used to be able to do it on older drives too. In the good old days the drive bios was mapped to C800 I believe.
In the 'good old days' drives didn't have firmware, controllers did (BIOSes for original PCs didn't support hard drives). Sometimes its location was settable, usually with a jumper, not necessarily C800. It was always a 'real' ROM.
Quote:
Originally Posted by ceyx
Nothing [limits its geographic scope]. It is probably on every drive, and then they can just dial into you if they feel like fishing!
Much easier, and cost effective too. No more hijacked shipments from suppliers.
Earlier posters said it was limited to specific countries.
Quote:
Originally Posted by syg00
I doubt any ROMs actually exist anymore in commercial products.
I recently flashed a custom "ROM" onto my phone
Doesn't mean they don't exist, that one can't use one. Put it on a discrete chip in a socket and let purchasers decide for themselves.
Could one boot from a flash drive and check one's hard disk firmware? Get a safe copy from the manufacturer's website and re-write the firmware? I assume yes to both.
I still am wondering how that much free space was left on the area in question. That chip has to have the first part of it correct for use in systems. The remaining area isn't very big. It's easy for anyone to go into those memory locations and see what is there and how big it is.
Quote:
This is outrageous. I wonder how those hard drives got infected in the first place.
If I understood correctly, the spyware loads on the RAM before the OS does, so in that case would any OS running on the infected machines be compromised?
Quote:
In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn't infecting only end user computers—it was also booby-trapping servers known to be accessed by targeted end users.
And if you are running Linux I'd say the chances of at least an attempted infection are greater. Simply because Linux is known for offering at least the illusion of greater security.
Let's check if I am already infiltrated by the NSA (or others).
My HDD on my laptop (extract of dmesg):
Quote:
ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
ata1.00: ATA-8: Hitachi HTS545050A7E380, GG2OA6C0, max UDMA/133
ata1.00: 976773168 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
ata1.00: configured for UDMA/133
scsi 0:0:0:0: Direct-Access ATA Hitachi HTS54505 GG2O PQ: 0 ANSI: 5
How can I see if it is infected?
a) ask Hitachi for a certified non-infected firmware? Where?
b) compare the current firmware with the "certified non-infected firmware"? How? Is there any software / hardware to do it?
Any information on how to verify a firmware is welcome.
Quote:
The report from Equation Group says that this exploit re-programmed drive firmware. Can't they use firmware on 'real' ROMs: unwritable memory? And what keeps it out of any country?
It seems that one can read a hard drive's firmware only by connecting to its jtag port. Writing to it, however, one can do if the manufacturer allows rewriting it, as some do to allow updates. The person worried about his/hers could fetch a valid copy from the manufacturer and write it.
I've just disassembled one of my HDDs. You can also read the firmware directly from the SPI flash chip on the board, no need for JTAG. Then again, since a lot of HDDs come with an external SOIC8 SPI flash chip, I wonder if it is possible to physically write-protect these chips by soldering the WP pin of the chip directly to GND.
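The two questions above (how to tell which firmware the drive reports, and how to compare a dump read from the board's SPI flash against a known-good copy) can be turned into a small checking script. The following Python is an added example written for this thread, not code from any poster or manufacturer. It assumes you already have two files: a reference image from the vendor and a dump you read yourself from the SOIC8 chip (for instance with flashrom and an external SPI programmer); here both images are constructed in-line as stand-ins so the script runs offline. The dmesg sample is the one posted above. Two caveats a practitioner should keep in mind: the model and revision string in dmesg is produced by the running firmware, so a modified firmware can report whatever it likes, and on many drives the SPI flash holds only a bootloader while the bulk of the firmware lives in the service area on the platters, so a clean SPI dump is necessary but not sufficient.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Matches the kernel's ATA identify line, e.g.
#   ata1.00: ATA-8: Hitachi HTS545050A7E380, GG2OA6C0, max UDMA/133
# and captures the model string and the firmware revision string.
ATA_IDENT_RE = re.compile(r"ata\d+\.\d+: ATA-\d+: (?P<model>.+?), (?P<fw>\S+), max ")


def parse_ata_identify(dmesg_text: str) -> List[Tuple[str, str]]:
    """Return (model, firmware_revision) for every ATA identify line found.

    Reminder: this string is reported by the drive firmware itself, so it only
    tells you what the firmware claims to be, not whether it is intact.
    """
    return [(m.group("model"), m.group("fw")) for m in ATA_IDENT_RE.finditer(dmesg_text)]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for comparing against a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where dump differs from reference.

    A length mismatch is reported as a final region covering the extra tail,
    merged with a preceding differing run if the two are adjacent.
    """
    regions: List[Tuple[int, int]] = []
    n = min(len(reference), len(dump))
    start = None
    for i in range(n):
        if reference[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    if len(reference) != len(dump):
        tail_end = max(len(reference), len(dump))
        if regions and regions[-1][1] == n:
            regions[-1] = (regions[-1][0], tail_end)
        else:
            regions.append((n, tail_end))
    return regions


def verify_dump(reference: bytes, dump: bytes) -> Dict[str, object]:
    """Compare an SPI flash dump with a reference image and summarise the result."""
    regions = diff_regions(reference, dump)
    return {
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "match": not regions,
        "regions": regions,
        "modified_bytes": sum(end - start for start, end in regions),
    }


# dmesg excerpt as posted in the thread above.
SAMPLE_DMESG = """\
ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
ata1.00: ATA-8: Hitachi HTS545050A7E380, GG2OA6C0, max UDMA/133
ata1.00: 976773168 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
"""

# Constructed stand-ins (not real firmware): a 4 KiB repeating-pattern
# "reference" image, and a "dump" patched at two offsets to simulate a
# modified loader.  Replace with open("reference.bin","rb").read() etc.
REFERENCE_IMAGE = bytes(range(256)) * 16
_patched = bytearray(REFERENCE_IMAGE)
_patched[0x100:0x104] = b"\xde\xad\xbe\xef"
_patched[0x800:0x810] = b"\x90" * 16
DUMP_IMAGE = bytes(_patched)


if __name__ == "__main__":
    for model, fw in parse_ata_identify(SAMPLE_DMESG):
        print(f"drive reports model={model!r} firmware_rev={fw!r}")
    result = verify_dump(REFERENCE_IMAGE, DUMP_IMAGE)
    print("reference sha256:", result["reference_sha256"])
    print("dump sha256:     ", result["dump_sha256"])
    if result["match"]:
        print("dump matches reference image")
    else:
        for start, end in result["regions"]:
            print(f"differs at 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
```

On a real drive the interesting output is the list of differing ranges: a vendor image that legitimately differs only in a serial number or calibration block will show a small, fixed region, whereas an altered bootloader shows up as modified code where the vendor image has none.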