NSA malware targets WD drives

Der Spiegel has revealed malware designed to infect Western Digital hard drives:

“the NSA’s hackers also attack firmware on computer hard drives, essentially the software that makes the hardware work. The ANT catalog includes, for example, spyware capable of embedding itself unnoticed into hard drives manufactured by Western Digital. . .”

Der Spiegel article

One of the NSA’s methods is to use “the hard drive’s host protected area to gain periodic execution before the operating system loads.” (Jacob Appelbaum)

Appelbaum’s talk

There is no evidence yet that WD cooperated with this spying.

I would like to please know:

1.) What does WD know about this sort of attack?

2.) How can I tell if my WD hard drives are affected?

3.) How can I recover if I’ve been attacked?

4.) What is WD doing to be sure future products are more secure than the ones NSA claims to have compromised?

If the NSA has figured out how to “own” WD hard drives, the same vulnerabilities can be used by criminal hackers or other nations.

Thanks in advance for any information you have the freedom to share.

Hi, note that this is not official news. WD has not made any comments about this, but if any are made in the future, they will be posted at the following link.

http://www.wdc.com/en/company/pressroom/corporate/


Ichigo: thank you for your reply.

For WD to have no comment a week after this news came out is not reassuring. It leaves the impression that WD is under a gag order not to reveal the danger to their customers, or has collaborated in infecting them.

I look forward to the truth coming out, and I encourage WD to share whatever they already know. Perhaps I am not the only customer who would like an answer.

Since WD is refusing to say how to detect a hard drive firmware infection, I would like to ask for help from other customers. How can I tell if I am infected? How can I remove an infection? Has anyone else had problems with systems having infections that persist even after the operating system is reinstalled?

Analyzing the firmware directly is difficult and time-consuming, so I doubt I’ll do that. One way to detect infection is reported to be: look for the constants used in RC6 encryption, associated with code that sends encrypted UDP traffic. If anyone has code to find the use of these constants, please share.

Until we have answers, it seems that secure systems should not be booted from WD drives.

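The detection idea mentioned in the post above (looking for the RC6 constants in a firmware or memory image), worked through as an added example that is not from this thread, from WD, or from any published tool: a small Python scanner for the RC6 key-schedule constants P32 and Q32 in either byte order, plus the first words of the expanded key schedule that a compiler may have emitted as a precomputed table. The image it scans is constructed inline and is not a real firmware dump; a hit only shows the constants are present, which any legitimate code using RC6 would also produce, so it is a starting point for closer analysis rather than proof of an implant.

```python
"""Scan a firmware or memory image for the RC6 key-schedule magic constants.

Added example for this thread; assumes nothing about WD's firmware layout.
"""
import struct

# RC6 (w = 32) key-schedule constants from the RC6 specification:
# P32 = Odd((e - 2) * 2^32), Q32 = Odd((phi - 1) * 2^32).
P32 = 0xB7E15163
Q32 = 0x9E3779B9
MASK32 = 0xFFFFFFFF


def expanded_table_prefix(n=4):
    """First n words of the RC6 round-key array before key mixing:
    S[0] = P32, S[i] = S[i-1] + Q32 (mod 2^32).
    A compiler may store this table instead of the two constants, so the
    scanner also looks for this byte sequence."""
    words = [P32]
    for _ in range(n - 1):
        words.append((words[-1] + Q32) & MASK32)
    return words


def find_rc6_constants(blob):
    """Return a sorted list of (offset, description) for every occurrence of
    P32, Q32 or the expanded-table prefix, in little- and big-endian form."""
    patterns = []
    for fmt, endian in (("<I", "little"), (">I", "big")):
        patterns.append((struct.pack(fmt, P32), f"P32 {endian}-endian"))
        patterns.append((struct.pack(fmt, Q32), f"Q32 {endian}-endian"))
        table = b"".join(struct.pack(fmt, w) for w in expanded_table_prefix())
        patterns.append((table, f"expanded key-schedule prefix {endian}-endian"))

    hits = []
    for needle, desc in patterns:
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1  # keep going so overlapping/repeated hits are reported
    return sorted(hits)


def build_sample_image():
    """Constructed test image (NOT a real firmware): runs of consecutive byte
    values as filler, with the little-endian constants embedded at known
    offsets. Consecutive-value filler cannot accidentally contain either
    constant, so the only hits are the ones planted here."""
    img = bytearray(bytes(range(256)) * 4)  # 1024 bytes of filler
    img[100:104] = struct.pack("<I", P32)
    img[300:304] = struct.pack("<I", Q32)
    return bytes(img)


if __name__ == "__main__":
    # With a real image: find_rc6_constants(open(path, "rb").read())
    for offset, desc in find_rc6_constants(build_sample_image()):
        print(f"0x{offset:08x}: {desc}")
```

Run against a raw dump the scanner simply reads the whole file into memory; for a multi-gigabyte image you would read it in overlapping chunks (overlap of at least 15 bytes so the 16-byte table pattern cannot straddle a boundary). Reporting both byte orders matters because the drive controller and the host rarely share an architecture.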

Western Digital has no knowledge of, nor has it participated in the development of technology by government entities that creates “implants” on WD hard drives, as Der Spiegel described.


Bill_S: Thank you for your reply, and for answering my first question: WD didn’t participate in writing the malware, and doesn’t know anything about it. I’ll provide some information.

The Der Spiegel article shows NSA documents saying the NSA is able to remotely compromise drives of 4 manufacturers, including WD. For background on the NSA’s domestic surveillance programs, including hacking products of US companies, see The Electronic Frontier Foundation or The Guardian.

Whether or not one believes any of the above, an independent researcher has demonstrated how to remotely “own” a WD drive. If he could do it, so can others. See SpritesMods for how he wrote persistent malware to WD firmware. The remote part of the attack is on the software flashing page. This has been public information at least since August 2013, when it was demonstrated at a hacking conference. (Technical note: required root access, but the point is that the malware can survive partitioning, formatting, and operating system reinstallation.)

Given this is known to hackers, criminal and otherwise, I’d like to please ask two questions:

1.) How can customers verify the integrity of WD firmware?

2.) How can we recover if the firmware is infected?

Thanks again for your help with this.

LinAdmin:

1.) I am not suggesting that WD did anything like that. Please refer to the Der Spiegel article in my first post:

“There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions.”

2.) The context of this attack can be understood by reading the articles that have been written, and viewing the supporting documents. This attack did not seem to require cooperation from WD.

3.) I disagree with your financial analysis.

Security expert Bruce Schneier has published a good explanation of the NSA’s apparent WD firmware implants.

999wd876 wrote:

Security expert Bruce Schneier has published a good explanation of the NSA’s apparent WD firmware implants.

Western Digital has no knowledge of, nor has it participated in the development of technology by government entities that creates “implants” on WD hard drives.

Bill_S: Thank you again for your reply. I accept that WD knows nothing about secret government activities. My current questions are not about knowledge of these activities.

An independent researcher demonstrated an attack on WD firmware six months ago. The details are available to any hacker with an internet connection.

1.) How can customers verify the integrity of WD firmware?

2.) How can we recover if the firmware is infected?

Thanks again for your help with this.

999wd876 wrote:

Bill_S: Thank you again for your reply. I accept that WD knows nothing about secret government activities. My current questions are not about knowledge of these activities.

An independent researcher demonstrated an attack on WD firmware six months ago. The details are available to any hacker with an internet connection.

1.) How can customers verify the integrity of WD firmware?

2.) How can we recover if the firmware is infected?

Thanks again for your help with this.

1) Users cannot verify the integrity of firmware. Keep in mind that any intruders would have to go through your network and/or your computer system to get to our hard drive. So, there are multiple potential system vulnerabilities to address to protect your data before an intruder can reach the firmware of your hard drives.

2) You can’t recover if the firmware is infected. It’s not like reformatting your drive. You would need to RMA the drive, or purchase a new one.