LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - News
User Name
Password
Linux - News This forum is for original Linux News. If you'd like to write content for LQ, feel free to contact us.
All threads in the forum need to be approved before they will appear.

Notices


Reply
  Search this Thread
Old 02-17-2015, 06:39 PM   #1
w1k0
Senior Member
 
Registered: May 2008
Location: Poland
Distribution: Slackware, Mint
Posts: 1,276

Rep: Reputation: 229Reputation: 229Reputation: 229
Reuters: Kaspersky discovered spying software in hard drives firmware


For your consideration:

Russian researchers expose breakthrough U.S. spying program (by Reuters)

Equation Group: Questions and Aswers (by Kaspersky)

The bottom line is: unless you live in Iran, Russia, Pakistan, or Afghanistan and unless you work in government, telecommunications, diplomacy, research institution, or university it is unlikely that your machine is compromised.
 
Old 02-17-2015, 07:07 PM   #2
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1}
Posts: 5,267
Blog Entries: 11

Rep: Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246Reputation: 3246
Yea, I've read quite a bit about that the last few days.

In the hard drive firmware it is active before boot and able to grab fs encryption keys as they are used, and is virtually undetectable because drives provide no means of reading the firmware.

It is also not an isolated thing, but apparently the chances of you having one of these drives is pretty good if it is recent manufacture from Seagate, Western Digital, Hitachi, Samsung, Toshiba (most of mine!)... and the list goes on.

Did the manufacturers cooperate? Most will not comment, two I think deny it.

And that is just the harddrive exploit... there are many more. The budget and staff and reach have grown exponentially any hope of legal restraint is just a bad joke - as if law applied to those with power, money and all those private photos of the politicians and judges!

Sleep good, safe in the knowledge that all the bad guys now work for you!

Last edited by astrogeek; 02-17-2015 at 07:11 PM.
 
Old 02-17-2015, 07:07 PM   #3
Hungry ghost
Senior Member
 
Registered: Dec 2004
Posts: 1,222

Rep: Reputation: 667Reputation: 667Reputation: 667Reputation: 667Reputation: 667Reputation: 667
This is outrageous. I wonder how those hard drives got infected in the first place.

If I understood correctly, the spyware loads on the RAM before the OS does, so in that case would any OS running on the infected machines be compromised?
 
Old 02-17-2015, 11:52 PM   #4
ceyx
Member
 
Registered: May 2009
Location: Fort Langley BC
Distribution: Kubuntu,Free BSD,OSX,Windows
Posts: 342

Rep: Reputation: 59
Remember the cresendo of criticism that yahoo, google, ms etc got when it was revealed that the spooks had taps 'directly' into the servers ?
They all got wise of a sudden, denied it up and down, and started implimenting security arrangements for the barn doors that were left wide open in the past.

It is my hope that there will be a similar outcry, which will ( may ) force denials from the HD manufacturers - and if we are lucky then we too can get the tools to audit the drives ourselves. The tools MUST exist but are probably proprietary. Wonder what Stallman and Co. will do now ? Floppies ?

Actually I have a pile of old HD's from before 2009 which I may press back into service ? 100 meg zip drives anyone ?
 
Old 02-18-2015, 01:06 AM   #5
RandomTroll
Senior Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 1,313

Rep: Reputation: 223Reputation: 223Reputation: 223
The report from Equation Group says that this exploit re-programmed drive firmware. Can't they use firmware on 'real' ROMs: unwritable memory? And what keeps it out of any country?
 
Old 02-18-2015, 01:55 AM   #6
ceyx
Member
 
Registered: May 2009
Location: Fort Langley BC
Distribution: Kubuntu,Free BSD,OSX,Windows
Posts: 342

Rep: Reputation: 59
Quote:
re-programmed drive firmware
One can use the Seagate utilities to 'update' the firmware on their drives. Firmware being provided by them, and only they really know what it does.
You used to be able to do it on older drives too. In the good old days the drive bios was mapped to C800 I believe.

Quote:
And what keeps it out of any country?
Nothing. It is probably on every drive, and then they can just dial into you if the feel like fishing !
Much easier, and cost effective too. No more hijacked shipments from suppliers.
 
Old 02-18-2015, 01:56 AM   #7
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,291

Rep: Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994Reputation: 2994
I doubt any ROMs actually exist anymore in commercial products.
I recently flashed a custom "ROM" onto my phone ....
 
Old 02-18-2015, 08:12 PM   #8
RandomTroll
Senior Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 1,313

Rep: Reputation: 223Reputation: 223Reputation: 223
Quote:
Originally Posted by ceyx View Post
One can use the Seagate utilities to 'update' the firmware on their drives.
I suggested that they offer firmware on old-fashioned unwritable ROMs ('read-only memory') as a security measure. I suppose one would have to pay for upgrades - or do without.

Quote:
Originally Posted by ceyx View Post
Firmware being provided by them, and only they really know what it does.
But one can figure it out. A search of the web turned up a German fellow who described his exploit hacking his own drive's firmware.

Quote:
Originally Posted by ceyx View Post
You used to be able to do it on older drives too. In the good old days the drive bios was mapped to C800 I believe.
In the 'good old days' drives didn't have firmware, controllers did (BIOSes for original PCs didn't support hard drives). Sometimes its location was settable, usually with a jumper, not necessarily C800. It was always a 'real' ROM.

Quote:
Originally Posted by ceyx View Post
Nothing [limits its geographic scope]. It is probably on every drive, and then they can just dial into you if the feel like fishing !
Much easier, and cost effective too. No more hijacked shipments from suppliers.
Earlier posters said it was limited to specific countries.

Quote:
Originally Posted by syg00 View Post
I doubt any ROMs actually exist anymore in commercial products.
I recently flashed a custom "ROM" onto my phone
Doesn't mean they don't exist, that one can't use one. Put it on a discrete chip in a socket and let purchasers decide for themselves.

Can one could boot from a flashdrive and check one's hard disk firmware? Get a safe copy from the manufacturer's website and re-write the firmware? I assume yes to both.
 
Old 02-18-2015, 11:20 PM   #9
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,353

Rep: Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979Reputation: 2979
I still am wondering how that much free space was left on the area in question. That chip has to have the first part of it correct for use in systems. The remaining area isn't very big. It's easy for anyone to go into that memory locations and see what is there and how big it is.
 
Old 02-19-2015, 12:41 AM   #10
ceyx
Member
 
Registered: May 2009
Location: Fort Langley BC
Distribution: Kubuntu,Free BSD,OSX,Windows
Posts: 342

Rep: Reputation: 59
This article shows how to hack a HD :

http://spritesmods.com/?art=hddhack&page=1
 
Old 02-19-2015, 03:46 AM   #11
fogpipe
Member
 
Registered: Mar 2011
Distribution: Slackware 64 -current,
Posts: 550

Rep: Reputation: 194Reputation: 194
Quote:
Originally Posted by odiseo77 View Post
This is outrageous. I wonder how those hard drives got infected in the first place.

If I understood correctly, the spyware loads on the RAM before the OS does, so in that case would any OS running on the infected machines be compromised?
From the article at arstechnia http://arstechnica.com/security/2015...found-at-last/
Quote:
In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn't infecting only end user computers—it was also booby-trapping servers known to be accessed by targeted end users.
And if you are running linux id say the chances of at least an attempted infection is greater. Simply because linux is known for offering at least the illusion of greater security.

Last edited by fogpipe; 02-28-2015 at 10:14 PM.
 
Old 02-19-2015, 05:11 AM   #12
floppy_stuttgart
Member
 
Registered: Nov 2010
Location: Stuttgart, Germany
Distribution: Debian like
Posts: 802
Blog Entries: 2

Rep: Reputation: 76
Lets check if I am altready infiltred by the NSA (or others).

My HDD on my laptop (extract of dmesg):
Quote:
ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
ata1.00: ATA-8: Hitachi HTS545050A7E380, GG2OA6C0, max UDMA/133
ata1.00: 976773168 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
ata1.00: configured for UDMA/133
scsi 0:0:0:0: Direct-Access ATA Hitachi HTS54505 GG2O PQ: 0 ANSI: 5
How to see if it is infected?
a) ask a certified non infected firmware to Hitachi? Where?
b) compare the current firmware with the "certified non-infected firmware"? how? is there any software / hardware to do it?

Any information of how to verify a firmware is welcome.
 
Old 02-19-2015, 05:26 AM   #13
fogpipe
Member
 
Registered: Mar 2011
Distribution: Slackware 64 -current,
Posts: 550

Rep: Reputation: 194Reputation: 194
Quote:
Originally Posted by RandomTroll View Post
The report from Equation Group says that this exploit re-programmed drive firmware. Can't they use firmware on 'real' ROMs: unwritable memory? And what keeps it out of any country?
A map of infection rates by country

http://cdn.arstechnica.net/wp-conten...ap-980x613.png
 
Old 02-20-2015, 12:51 AM   #14
RandomTroll
Senior Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 1,313

Rep: Reputation: 223Reputation: 223Reputation: 223
It seems that one can read a hard drive's firmware only by connecting to its jtag port. Writing to it, however, one can do if the manufacturer allows rewriting it, as some do to allow updates. The person worried about his/hers could fetch a valid copy from the manufacturer and write it.
 
Old 02-20-2015, 07:44 AM   #15
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 257

Rep: Reputation: 24
I've just disassembled one of my HDD's. You can also read the firmware directly from the SPI Flash chip on the board, no need for jtag. Then again, since a lot of HDD's come with an external SOIC8 SPI flash chips, I wonder if it is possible to physically write-protect these chips by soldering the WP pin of the chip directly to GND.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Best software for diagnosing hard drives? Avaholic22 Linux - Software 4 11-04-2014 09:46 PM
firmware scsi hard drives shadowfire36 Linux - Hardware 12 10-12-2007 11:51 AM
Problem with software install and hard drives pete_knox Linux - Newbie 9 06-11-2007 04:53 PM
LXer: Reuters Partners With Novell to Offer Reuters Market Data System on SUSE Linux Enterprise Server LXer Syndicated Linux News 0 04-26-2006 09:33 AM
Upgrading hard drives on Software raid 1 boot drives. linuxboy123 Linux - General 0 12-11-2003 04:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - News

All times are GMT -5. The time now is 03:02 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration