The NSA is inside hard drive firmware - now what?

It’s been almost five years since the discovery of Stuxnet disabused the world of its naivety about nation state malware but since then more attention has been paid to Edward Snowden’s NSA hacking revelations than the occasional technical insights into old-style spying software.

Share

It’s been almost five years since the discovery of Stuxnet disabused the world of its naivety about nation state malware but since then more attention has been paid to Edward Snowden’s NSA hacking revelations than the occasional technical insights into old-style spying software.

Kaspersky Lab's Equation group report, then, has been a bit of a body shaker while helpfully moving the story on a bit. We can now see that Stuxnet was, as everyone suspected, the business end of a far large platform containing eight or nine modules whose genesis goes back as far as 2001, the defining year for so many things that have been going on behind everyone’s backs.

We also learned that, shockingly this platform has been used to ‘infect’ the low-level firmware chips inside hard drives, something no current security programme could even detect let alone block. Two modules appeared to have this feature, ‘EquationDrug’ and ‘Grayfish’, with version numbers from between 2010 and 2013.

Since each drive vendor develops its drive firmware separately with individual debugging modes, a different routine was needed to attack each one; Samsung, Seagate, Maxtor, Western Digital, Toshiba and Hitachi, and Micron (a reference to SSD drives).  Kaspersky’s account asks more questions than it answers but does mention that the individual drives were targeted by serial number, a complex task that undelines that this attack was not trying to infect hard drives in general but for specific operations.

There are good reasons for being careful. Compromising the hard drive of a target is clearly an approach that can’t be over-used for fear of discovery. It’s also risky because interfering with firmware carries the possibility of breaking the drive either during the flashing process or afterwards during its operation. Theory is one thing, practice quite another.

“The Equation group’s HDD firmware reprogramming module is extremely rare,” Kaspersky wrote, underlining how infrequently it had been detected and, most probably, used.

Questions are now being asked about the culpability of drive vendors but this is probably premature. The Equation hackers would need insight into the firmware source code but getting hold of this wouldn’t have been hard for the NSA. They could reverse engineer it if they had enough time and the resources  to hire specialist engineers or perhaps even ask for it – US Government agencies have the same right as any nation state to assess computing equipment to a very low level by asking the vendors for privileged access. That wouldn't necessarily be seen as sinister by vendors.

Find your next job with computerworld UK jobs