
"Equation Group" compromises hard drive firmware

Topics: Technical Issues
Feb 16, 2015 at 7:25 PM
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
"Equation Group" ran the most advanced hacking operation ever uncovered.
by Dan Goodin - Feb 16 2015, 2:00pm EST

... One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate. The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove...
Coordinator
Feb 16, 2015 at 10:02 PM
Big thanks for posting this article, very disturbing information indeed.

My first comment about this article is that there is one element that is not mentioned and that certainly helped this hacker team target a broad range of hardware and software products: classical espionage to get hold of hardware blueprints, firmware source code and other insider information, especially for companies outside the US.
Of course, these guys have the technical expertise to perform highly skilled reverse engineering, but thanks to the resources of the most powerful spy agencies in the world, it's easier, cheaper and more efficient to get the source code of firmware and software components from manufacturers, either through official channels or by standard espionage methods. Thanks to this, writing a new firmware for each drive type that provides extra functionality is not very hard for experienced developers.

Anyway, all developed countries have dedicated hacker groups and the US is no exception. The only difference is that they have more resources and also broader access to a large quantity of insider information that others don't necessarily have.
Feb 16, 2015 at 10:23 PM
VeraCrypt usage in full drive encryption mode should be an effective defense against compromised hard drive firmware because the hard drive will never see unencrypted data, correct? And also effective with respect to container-based encryption with respect to the contents of the container? One likely threat scenario would be a paging file stored on a hard drive, but paging file usage can normally be disabled and IIRC this disabling of page file usage is actually recommended in the user's manual for both TrueCrypt & Veracrypt...
Feb 16, 2015 at 11:22 PM
Edited Feb 16, 2015 at 11:23 PM
commenter8 wrote:
VeraCrypt usage in full drive encryption mode should be an effective defense against compromised hard drive firmware because the hard drive will never see unencrypted data, correct? And also effective with respect to container-based encryption with respect to the contents of the container? One likely threat scenario would be a paging file stored on a hard drive, but paging file usage can normally be disabled and IIRC this disabling of page file usage is actually recommended in the user's manual for both TrueCrypt & Veracrypt...
.
"The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting...".
I imagine that the Equation Group have encountered hardware/software encrypted drives and that they have likely developed methods to overcome these obstacles to store the desired data in their secret storage vault. I based that statement on the article you provided, which highlights the various malware discovered so far and that the full impact and purpose of each malware is not fully understood.

Thank you for posting this article.
Coordinator
Feb 17, 2015 at 7:09 AM
One weak point in Windows design is that its kernel gives too much trust to the firmware of hardware devices, and thus firmware can execute malicious code with high privileges.
So, even if your machine doesn't have any malware and you connect a hard drive with a malicious firmware, your machine will most certainly be infected with the malware carried by this firmware, and once inside the kernel this malware will be able either to access the master key present in RAM, if it can find its exact location, or at least to identify a portion of memory where it should be present. From there, this malware can save the RAM section containing the master key into the secret vault inside the drive, which will basically enable the attacker to decrypt the data in the future once the drive is in the hands of the attacker (for example by cloning it and putting it back in place so that the victim notices nothing).

This behavior is compatible with a dormant malware that avoids phoning home, which is how this type of military-grade malware works. Other malware could simply send sensitive data directly through the internet after mixing itself with legitimate traffic.

Anyway, no encryption software can protect a user if his machine is compromised.
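Added example (not part of this thread, and not VeraCrypt code) illustrating the point made in the last two posts: kernel-level code does not need to know where the disk encryption driver stores its master key. Any AES implementation keeps the expanded key schedule in RAM for speed, and each round key is a deterministic function of the previous ones, so a memory image can be brute-force scanned for any 240-byte region that is a valid AES-256 key schedule. This is the method of the aeskeyfind tool from the cold-boot paper (Halderman et al., 2008). The "RAM dump" here is constructed, with random filler, one planted key schedule and, as a contrast, the same key stored only as 32 raw bytes, which this scan cannot find. The assumption that the schedule is stored contiguously in FIPS-197 word order is an assumption of the example, not something the thread states about VeraCrypt.

```python
"""Scan a memory image for AES-256 key schedules (added example; sample image is constructed)."""
import random

KEY_LEN = 32          # AES-256 key bytes
SCHEDULE_LEN = 240    # 15 round keys x 16 bytes (FIPS-197, Nr = 14)


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(256) if _gf_mul(x, y) == 1) if x else 0
        s = inv
        for i in range(1, 5):  # s ^= rotl8(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def aes256_expand_key(key):
    """FIPS-197 key expansion for AES-256: 32-byte key -> 240-byte schedule."""
    if len(key) != KEY_LEN:
        raise ValueError("AES-256 key must be 32 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]  # Nk = 8 words
    rcon = 0x01
    for i in range(8, 60):  # Nb * (Nr + 1) = 60 words
        temp = list(w[i - 1])
        if i % 8 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # RotWord + SubWord
            temp[0] ^= rcon
            rcon = _gf_mul(rcon, 0x02)
        elif i % 8 == 4:
            temp = [SBOX[b] for b in temp]  # SubWord only
        w.append([a ^ b for a, b in zip(w[i - 8], temp)])
    return bytes(b for word in w for b in word)


def find_aes256_key_schedules(image):
    """Return [(offset, key)] for every offset whose 240 bytes form a valid schedule.

    A cheap 4-byte check on the first derived word (w[8]) rejects almost every
    offset before the full expansion is computed.
    """
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        w7 = image[off + 28:off + 32]
        rot = [SBOX[b] for b in w7[1:] + w7[:1]]
        rot[0] ^= 0x01  # Rcon for the first expanded word
        w8 = bytes(a ^ b for a, b in zip(image[off:off + 4], rot))
        if w8 != image[off + 32:off + 36]:
            continue
        cand = bytes(image[off:off + KEY_LEN])
        if aes256_expand_key(cand) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


MASTER_KEY = bytes(range(0x10, 0x30))  # constructed key, not a real secret
SCHEDULE_OFFSET = 0x1A40               # where the sample image holds the schedule


def build_sample_image(size=16 * 1024, seed=7):
    """Constructed 'RAM dump': random filler, one expanded schedule, one bare key."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[SCHEDULE_OFFSET:SCHEDULE_OFFSET + SCHEDULE_LEN] = aes256_expand_key(MASTER_KEY)
    # The same key stored only as 32 raw bytes (no schedule) is NOT found by the scan.
    image[0x0400:0x0400 + KEY_LEN] = MASTER_KEY
    return bytes(image)


def main():
    image = build_sample_image()
    for off, key in find_aes256_key_schedules(image):
        print(f"AES-256 key schedule at 0x{off:05x}, key = {key.hex()}")


if __name__ == "__main__":
    main()
```

The same scan is useful on the defensive side: run it over a memory dump of your own machine while a volume is mounted and you will see exactly what an attacker with kernel access can take. It also shows why the advice in the last post stands: the key has to be in RAM in usable form while the volume is in use, so no encryption layer can defend a machine whose kernel is already controlled.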