NSA has hacked the firmware of all HDD manufacturers for over 20 years - Kaspersky Labs

NSA Planted Stuxnet-Type Malware Deep Within Hard Drive Firmware:

http://webcache.googleusercontent.com/search?strip=1&q=cache:http://thehackernews.com/2015/02/hard-drive-firmware-hacking.html

“The U.S. National Security Agency (NSA) may be hiding highly-sophisticated hacking payloads in the firmware of consumer hard drives over the last 15 to 20 years in a campaign, giving the agency the means to eavesdrop on thousands of targets’ computers, according to an analysis by Kaspersky Labs and subsequent reports.”

The technical details from Kaspersky Labs …

http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf

The following tool (SeDiv demo version) will allow a user to dump a WD drive’s firmware modules:

http://sediv2008.narod.ru/Easy3.9Password01234567890.rar
http://sediv2008.narod.ru/Settings.rar

SeDiv WD Read ROM & Modules:
https://www.youtube.com/watch?v=9UgFfhkkAwY

On Monday, February 16, Kaspersky Labs published a research report about an advanced cyber-espionage program, whereby a threat actor has created malware that, according to Kaspersky Labs, enables reprogramming of hard drive firmware and control of that hard drive. Western Digital had no prior knowledge of the described cyber-espionage program and is reviewing the report. We take such threats very seriously. The integrity of our products and the security of our customers’ data are of paramount importance to us.

WD’s firmware doesn’t appear difficult to hack, even without proprietary tools, datasheets or documentation. The first hit with Google turns up the following article:

http://www.google.com.au/search?q=%22hard+drive%22+OR+%22hard+disk%22+hack+firmware
http://spritesmods.com/?art=hddhack

The author was able to modify the “ROM” code on the drive’s PCB and then take control of the drive. He presented his technique at the OHM2013 convention (Observe, Hack, Make, 31st July 2013).

It would be interesting to see how the HDD manufacturers respond. One would hope that they would provide tools for dumping the drive’s firmware and verifying its integrity, either by local analysis, or by uploading to a remote site, but I’m not expecting anything.

In the meantime Russian tool suppliers are our best hope. One would expect that they couldn’t be coerced by the NSA.
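Added example, not from the post above and not a WD, Kaspersky or SeDiv tool: the kind of "local analysis" integrity check the post wishes the manufacturers would supply, written as a stand-alone Python script. It assumes you already hold two raw dumps of the same drive's ROM/modules (for instance read out with a tool like SeDiv), one taken while the drive was trusted and one taken later, and it localizes any difference to a chunk offset rather than just saying "hash mismatch". The 512-byte chunk size, the two constructed images and the tamper pattern are assumptions for the demo; a real check should split on the drive's actual module table, which this page does not describe.

```python
"""Chunked integrity comparison of two firmware dumps (added example).

Assumptions (not from the original post): dumps are plain byte images,
a fixed 512-byte chunk is an acceptable granularity for localizing a
change, and the baseline dump was taken while the drive was trusted.
"""
import hashlib
from dataclasses import dataclass, field

CHUNK = 512  # assumed granularity; a real tool would split on the module table


def chunk_digests(image: bytes, chunk: int = CHUNK) -> list[str]:
    """SHA-256 of every fixed-size chunk, so a change can be pinned to an offset."""
    return [hashlib.sha256(image[i:i + chunk]).hexdigest()
            for i in range(0, len(image), chunk)]


@dataclass
class Report:
    baseline_len: int
    candidate_len: int
    changed_offsets: list[int] = field(default_factory=list)  # byte offset of each differing chunk

    @property
    def length_delta(self) -> int:
        """Positive if the later dump grew (e.g. appended code), negative if truncated."""
        return self.candidate_len - self.baseline_len

    @property
    def ok(self) -> bool:
        return self.length_delta == 0 and not self.changed_offsets


def verify(baseline: bytes, candidate: bytes, chunk: int = CHUNK) -> Report:
    """Compare a later dump against the trusted baseline chunk by chunk.

    Chunks present in only one image (size mismatch) are reported as changed,
    so appended or truncated data is never silently ignored.
    """
    b, c = chunk_digests(baseline, chunk), chunk_digests(candidate, chunk)
    n = max(len(b), len(c))
    changed = [i * chunk for i in range(n)
               if i >= len(b) or i >= len(c) or b[i] != c[i]]
    return Report(len(baseline), len(candidate), changed)


def _constructed_image(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes standing in for a real dump (constructed)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


# Constructed sample input: an 8 KiB "baseline" dump and a tampered copy with
# 16 bytes patched inside one chunk and 256 bytes appended past the old end.
BASELINE = _constructed_image(8192, b"rom-baseline")
_t = bytearray(BASELINE)
_t[0x1200 + 100:0x1200 + 116] = b"\x90" * 16
_t += _constructed_image(256, b"appended")
TAMPERED = bytes(_t)


if __name__ == "__main__":
    for name, cand in (("same dump", BASELINE), ("tampered dump", TAMPERED)):
        r = verify(BASELINE, cand)
        print(f"{name}: ok={r.ok} length_delta={r.length_delta} "
              f"changed at {[hex(o) for o in r.changed_offsets]}")
```

Two caveats that the script cannot remove. First, the baseline is only as good as the read path used to take it: firmware that has already been subverted can answer the dump command with clean data, so a trustworthy baseline should come from the PCB's ROM chip read out of band, not from the drive's own command interface. Second, legitimate firmware updates and vendor-specific adaptive data in the service area will also show up as changed chunks, which is why a per-module split, with knowledge of which modules are expected to change, is needed before treating a difference as an implant.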

fzabkar wrote:

In the meantime Russian tool suppliers are our best hope. One would expect that they couldn’t be coerced by the NSA.

One would also hope that “Russian tool suppliers” can’t be coerced by ex-KGB kleptocrats/mafioso into spreading FUD about western made products, or into turning a blind eye to malware spread by ex-KGB kleptocrats/mafioso!

My parents escaped from communism, so the last thing I would want to see is Putin’s imperialist boot stomping all over eastern Europe and the Baltic states for another 50 years. That said, all governments, especially my own (Australia), are corrupt and despotic. Any difference is only a matter of degree. If you are looking for someone to expose the nefarious activities of your own authorities, would you trust any US software provider or any US HDD manufacturer? Conversely, would you trust Kaspersky Lab to expose the criminal activities of Putin and the Russian government? I think we would all feel much more comfortable if such assurances were to come from an independent observer, even if this observer is our enemy. The phrase, “the enemy of my enemy is my friend” comes to mind.

You might want to consider this. The number one data recovery tool used by professionals in the US is PC3000, a Russian tool produced by Ace Laboratory. Many of the failures in HDDs are related to damaged firmware modules. PC3000 is intimately aware of the firmware structure, as are several other Russian and Chinese tools (I’m not aware of any US tool). In fact a Russian expat working for Seagate claims that these tools are largely based on stolen or leaked information. Imagine if the Russian government were to utilise the resources of Kaspersky and Ace for their own espionage purposes. Would any US company be up to the job of detecting this activity?

Interestingly, “Seagate’s” data recovery software is an OEM version of R-Studio, a Russian tool. Seagate have also purchased the source code of another popular Russian tool, MHDD. It seems that Russians dominate the data recovery business. They also produce the most sophisticated cyber crooks.


On Monday, February 16, Kaspersky Lab published a research report about an advanced cyber-espionage program, in which the products of multiple storage device manufacturers, including Western Digital, were identified.

Prior to the report, we had no knowledge of the described cyber-espionage program. We take such threats very seriously and the integrity of our products is of vital importance to us.

The report indicated that the claimed hard drive exploit is very rare, even among the limited number of machines purported to be targeted by the described advanced threat actor. Kaspersky Lab has since further stated that “…it’s not feasible to use this kind of stealth technologies in criminal malware or even most targeted attacks.” 

We take measures to deter tampering and reverse engineering of our hard drive firmware. We are continuously exploring how to better protect our customers’ data. The security of their data is of paramount importance to us.