
Russian researchers expose breakthrough U.S. spying program - prostoalex
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216
======
mschuster91
Given that a lone dude was able to modify the firmware on a HDD controller CPU
([http://spritesmods.com/?art=hddhack&page=3](http://spritesmods.com/?art=hddhack&page=3))
it doesn't surprise me that full-blown malware of this sort is in the 3-letter-agency toolbox.

Didn't someone else also manage to run Linux on a HDD?!

 _edit: it was the same guy, it's just hidden on the last page of the series
and it's just linux, no userspace_

~~~
mschuster91
Oh, and another thing. I just remembered that videogame console hack where a
manipulated USB descriptor led to a jailbreak.

Who says one cannot use bugs in e.g. SMART or other (S)ATA protocol
implementations in order to spread malware by disk?

And... isn't data transfer of HDDs usually handled by DMA? Is there a way for
a malicious HDD to compromise a system? Everyone locked down their FireWire
port, but is eSATA vulnerable?

~~~
Sanddancer
eSATA itself is not vulnerable. The SATA lanes themselves have no DMA, it's
the controller where the DMA requests are generated, so a malicious hard drive
on its own would not be able to compromise a computer. I guess it's
conceivable that some three-letter agency has hacked together some hard drive
that can compromise a specific chipset, but at that point, it becomes a lot
easier to just present a compromise in the filesystem of the hard drive,
because filesystem drivers are entirely too easily confused by bad data, such
as [http://www.spinics.net/lists/linux-ext4/msg47160.html](http://www.spinics.net/lists/linux-ext4/msg47160.html)

~~~
mschuster91
> I guess it's conceivable that some three-letter agency has hacked together
> some hard drive that can compromise a specific chipset

I was more thinking of Linux or Windows hardware driver level compromises, as
a filesystem exploit requires that the drive in question is actively mounted
and a protocol driver exploit pwns your system as soon as you attach the
drive.

Combine an OS X, a Linux and a Windows exploit in the ATA protocol drivers and
you have a cyberweapon capable of infecting even a forensic analysis system.
And in contrast to USB, I don't believe that ATA and other low-level hardware
protocol implementations in kernels get very much attention from developers.

Forensic imagers are pretty much standard equipment in any police lab, but I
doubt that a normal investigator will disassemble a disk and do raw forensics
on the disk platters... heh, if I were a guy with something to hide, I'd hack
the firmware to either wipe the disk upon imaging or compromise the
investigator's machine.

~~~
bigiain
You've seen Travis Goodspeed's work there?

[http://events.ccc.de/congress/2012/Fahrplan/events/5327.en.h...](http://events.ccc.de/congress/2012/Fahrplan/events/5327.en.html)
[https://www.youtube.com/watch?v=D8Im0_KUEf8](https://www.youtube.com/watch?v=D8Im0_KUEf8)

It's _really_ nice...

~~~
mschuster91
Oh indeed. I did not know about this, thank you very much.

I came up with yet another, truly weird plan. Take a 2-platter disk with 500GB
(so 250GB per platter), scratch off the label. Modify the firmware so that:

a) both platters are encrypted with a hardcoded, generated-at-lowlevel-reformat
secret key to delay forensic efforts

b) the ATA identify and other ID values point to a 250GB drive (half the
original capacity!)

c) the bootloader is two-staged, boot0 running on the HDD CPU and boot1
running on the host before the OS bootloader. If e.g. a specific key is
pressed during boot, boot1 asks for a password and gives this password to
boot0 (e.g. via custom ATA command). boot0 now uses this password to apply a
second decryption to platter1 - so there is no TrueCrypt or anything on the
"hidden" OS which impacts performance (you can reveal if you're using
TrueCrypt via a sidechannel attack. Determine the HDD model and compare write
speed with a reference value. If you're inside spec - no crypto. If you're
slower - crypto).

If no key is pressed, then boot0 boots the bootloader from the unlocked
platter2 - the "clear" OS will have no way of seeing the data on platter2 and
even if the reported HDD size is compared with the specifications of the
(manipulated!) HDD model name as reported to the OS, a malware has no way of
knowing that this HDD in fact has a hidden area.

~~~
rasz_pl
1/ This is pretty much how for example Seagate refurbishes drives (or used
to). They disable whole bad platters in firmware, rewrite drive capacity, slap
REFURB sticker and send drive back as a replacement for smaller one.

2/ you can do this _yourself_ today on an off-the-shelf drive using HPA/DCO

3/ Don't really understand your plan, you want to prepare a drive like that to
hide your own data from others? An average forensic investigator will immediately
tell your 'clear' OS is an unused decoy (no signs of regular daily use).
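The HPA/DCO check an imager would run before trusting a drive's reported capacity, as an added example that is not from this thread: it compares the current, native (HPA) and DCO "real" sector counts that `hdparm -N` and `hdparm --dco-identify` print, and flags any gap as a hidden area. The output formats are assumed from those two hdparm commands, and the sample outputs are constructed.

```python
"""Flag hidden capacity on a drive from hdparm output.

Added example (not from the thread). A drive whose firmware, an HPA or a DCO
reports fewer sectors than its true maximum hides the difference from the OS;
comparing the three counts catches the "half-sized 500 GB drive" trick.
The `hdparm -N` / `hdparm --dco-identify` line formats are assumptions.
"""
import re

SECTOR_BYTES = 512  # logical sector size assumed for the byte estimate

# `hdparm -N /dev/sdX` prints "max sectors = <current>/<native>, HPA is ..."
# (some versions add a "(N?)" guess after the native value).
_HDPARM_N_RE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:\(\d+\?\))?,\s*HPA (?:is )?(\w+)")
# `hdparm --dco-identify /dev/sdX` lists the true size as "Real max sectors: N".
_DCO_REAL_RE = re.compile(r"Real max sectors:\s*(\d+)")


def parse_hdparm_n(output):
    """Return (current_max, native_max, hpa_state) or None if unparsable."""
    m = _HDPARM_N_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def parse_dco_real_max(output):
    """Return the DCO 'Real max sectors' value, or None if absent."""
    m = _DCO_REAL_RE.search(output or "")
    return int(m.group(1)) if m else None


def check_drive(dev, hdparm_n_output, dco_output=None):
    """Compare what the OS can see (current max) with the largest capacity the
    drive admits to (HPA native max, and the DCO real max when available)."""
    parsed = parse_hdparm_n(hdparm_n_output)
    if parsed is None:
        return {"device": dev, "status": "unparsed"}
    current, native, hpa_state = parsed
    real_max = parse_dco_real_max(dco_output)
    # A DCO can shrink the HPA native max too, so the DCO value wins if larger.
    true_max = max(native, real_max or 0)
    hidden = max(true_max - current, 0)
    return {
        "device": dev,
        "status": "hidden-area" if hidden else "ok",
        "visible_sectors": current,
        "true_sectors": true_max,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR_BYTES,
        "hpa_enabled": hpa_state == "enabled",
        "dco_shrunk": real_max is not None and real_max > native,
    }


# Constructed sample outputs; sector counts chosen for a 500 GB-class drive.
SAMPLES = {
    "sda": ("/dev/sda:\n max sectors   = 976773168/976773168, HPA is disabled\n", None),
    # HPA hides the upper half: the OS sees a 250 GB drive.
    "sdb": ("/dev/sdb:\n max sectors   = 488386584/976773168, HPA is enabled\n", None),
    # DCO has shrunk the native max, so `hdparm -N` alone looks clean.
    "sdc": ("/dev/sdc:\n max sectors   = 488386584/488386584, HPA is disabled\n",
            "/dev/sdc:\nDCO Revision: 0x0002\n\tReal max sectors: 976773168\n"),
}


def audit(samples=SAMPLES):
    """Run check_drive over every sample and return the per-device reports."""
    return {dev: check_drive(dev, n_out, dco_out)
            for dev, (n_out, dco_out) in samples.items()}


if __name__ == "__main__":
    for dev, report in audit().items():
        print(dev, report["status"], f"hidden={report['hidden_bytes'] / 1e9:.1f} GB")
```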

~~~
mschuster91
ad 3) indeed, you're right. Better idea: make the firmware act like a SATA hub
and pretend two different disks (of course, the "second" disk is only visible
after unlocking at boot time). This way, the OS is used regularly - and all
evidence on the system will point to a USB stick or eSATA disk being used.

~~~
rasz_pl
FTK will immediately identify there was another volume mounted regularly, if
you are hiding stuff from the law it will be used against you as obstruction
of investigation or some other bs

~~~
mschuster91
That depends on the jurisdiction; I agree with you in UK/US, but in Germany an
accused cannot be forced to provide evidence for his/her guilt.

------
omonra
Too bad the article doesn't mention that Kaspersky actually is very closely
tied with the FSB (i.e. KGB) - most likely he works for them. That doesn't mean
the original article is untrue - just that the 'research' really comes from
Russian spies.

Profile here:
[http://www.wired.com/2012/07/ff_kaspersky/all/](http://www.wired.com/2012/07/ff_kaspersky/all/)

"Kaspersky’s rise is particularly notable—and to some, downright
troubling—given his KGB-sponsored training, his tenure as a Soviet
intelligence officer, his alliance with Vladimir Putin’s regime, and his deep
and ongoing relationship with Russia’s Federal Security Service, or FSB."

~~~
wongarsu
It should come as no surprise that a Russian antivirus vendor is the one
reporting about all this NSA software. Kaspersky has less to lose and more to
gain than their western counterparts and the Russian government would probably
be happy to help even if Kaspersky didn't already have these ties.

The question is: is Kaspersky going to abuse all that trust and good will they
are gathering?

~~~
cyphunk
hmm. even snowden lives in russia now. hmm.

the sad side effect of the moral elite proving hollow is that those you may
consider _enemies_ might become _allies_. Despite everything there is little
proof of malice at kaspersky while the same can't be said for many companies in
the west.

If the FSB is funding research that brings unwanted transparency to the NSA,
allowing us to better understand and criticize the US corporations and
agencies complicit with them, then I welcome it. I doubt it is the case but
if your fantasy turns out to be correct they would also deserve some poli sci
props.

~~~
mahranch
> _Malice_

Have proof of actual malice being committed? Intelligence gathering in and of
itself isn't malicious. That's literally the very reason for the NSA's
existence. It's like saying the FBI is malicious because they "investigate".
That's what they do, that's their job. I'd be more pissed if they weren't
doing this sort of thing. I'd wonder where the hell my tax dollars are going.

The only thing that bothers me is _when they spy on their own citizens, us_. I
have no problem with them spying or hacking Russia, China or Iran. Their job
is to protect their country and their allies from foreign aggression and
international criminal organizations. When you wake up in the morning, China,
Russia, Iran, etc. are all still going to try and hack U.S. businesses,
governmental services and try to gain access to classified information.
Pretending like these acts don't happen doesn't make them go away.

~~~
simonh
American citizens have been involved in planning and executing terrorist
attacks, identified as enemy combatants and even been targeted for drone
strikes. If foreign terrorists operate in the US, the only way to find them is
to search. That means looking at everyone's communications, citizen or not.

I'm not an American, so it would be wrong of me to assert what you or your
government should or should not do in this regard. However in general I think
GCHQ and the NSA have a case for some of the kinds of monitoring they are
doing, I just think it's lacking in legal basis and appropriate oversight.
They have shown repeatedly that we can't trust them.

~~~
wongarsu
Both data from foreign citizens and from your own citizens are useful, but
usefulness shouldn't be the only consideration.

If you have lots of private information about someone that means you have
power over that person. For starters it makes blackmail a whole lot easier. In
combination with data about other people it helps you determine who you have
to remove from a group to make that group collapse.

Now if somebody has this sort of power about some foreigners, that's not
really a big problem for your country. But if somebody has that power about the
entire population of your own country, that's a bit worse. That somebody could
disable any form of democracy by silencing citizen protests before they even
start while covertly controlling key politicians.

If communism has taught us anything it's that you don't want anybody to have
intimate knowledge over large parts of your population, it doesn't tend to end
well. Oversight is a nice idea but there was already supposed to be all kinds
of oversight which apparently failed. I don't really trust oversight in things
this important.

------
_nullandnull_
Here is a link with some more technical details

[https://securelist.com/files/2015/02/Equation_group_question...](https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf)

~~~
vvpan
"One such incident involved targeting participants at a scientific conference
in Houston. Upon returning home, some of the participants received by mail a
copy of the conference proceedings, together with a slideshow including
various conference materials. The [compromised ?] CD-ROM used “autorun.inf” to
execute an installer that began by attempting to escalate privileges using two
known EQUATION group exploits." Cool.

------
doczoidberg
What would Americans and especially the US government do if Germans would bug
every car they sell in the US? (this is a serious question)

~~~
ig1
You realize new BMWs have telematics data sent back to BMW?

~~~
rgbrenner
Also Samsung Smart TVs.. or have we already forgotten about that? It has been a
whole week.

I know it's not Germany.. just wanted to provide another example, so we know
Germany isn't special.

~~~
fr0ggerrr
A whole week, yes... It all started exactly 1 week ago...

------
guard-of-terra
I'm not an expert but I imagine any bit of code you put into firmware will
target very narrow configuration of other software on the PC, will be pretty
fragile and susceptible to bit rot.

To be able to routinely steal something from the PC it will need to be
tailored to specific configuration.

Am I wrong?

~~~
Htsthbjig
I don't understand what you mean by "bit rot". Bits don't rot like
vegetables. They could last just fine for centuries, especially in the protected,
privileged parts of memory where firmware stays.

The NVIDIA driver is the same for all cards.

Tablets and smartphones are very homogeneous and the most widely used, Apple's,
is totally closed source, including the hardware.

Most people use Intel processors.

Any of those vectors are very easy to target if you have the hardware and
software source code.

~~~
guard-of-terra
It's in Wikipedia under "software rot".

The problem is, firmware is pretty small. You can't fit much function there.

Or it was; I imagine modern hard drives might have many megabytes of firmware
which allows for pretty sophisticated hacks.

~~~
ProAm
Firmware also operates on an extremely basic level; it doesn't suffer the same
usability/compatibility issues as normal end-user software.

~~~
guard-of-terra
Once it needs to communicate via network, it needs a gateway into normal user
software somehow.

Ditto for accessing the file system.

~~~
ProAm
I think that it is even possible to do at a low level, see how they embed
encrypted packets within other packets to sneak out of a network undetected
[1]. Even if this technology only lasted 10-15 years that is a LONG time to
have the upper hand.

[1] [http://www.jwz.org/blog/2015/02/ip-over-avian-carriers-nsa-edition/](http://www.jwz.org/blog/2015/02/ip-over-avian-carriers-nsa-edition/)

------
Htsthbjig
The Patriot Act means the US three-letter agencies could get whatever they
want from whatever US company (or company that sells in the US).

As the article says, they could ask for the code for making an audit. Of
course they can do whatever they want with it.

They can abuse this power in so many ways, from giving this source code to
competitors but "closer to home", individual members of those agencies selling
it for profit, or analyzing vulnerabilities and not reporting them to you.

------
taylodl
It doesn't seem unreasonable that the NSA working in conjunction with the CIA
could place moles in various high tech firms of interest and thus obtain all
the source. Following this to its logical conclusion, it's not
unreasonable to assume the NSA has the source to most firmware and operating
systems in use today.

What the article doesn't reveal is the attack vector, how did the firmware in
these drives come to be infected?

~~~
adekok
> What the article doesn't reveal is the attack vector, how did the firmware
> in these drives come to be infected?

If criminals can target a bank to steal $300M from clients, the NSA can target
a HD company to steal the source code.

It's really not that difficult.

Remember, the best attack isn't a direct assault. It's a sneak assault.

The story is that during WWII, Ian Fleming was part of a group of spies in
training, who were asked to get into a secure nuclear research facility.
Everyone else got caught. Sneaking in under the wire, etc.

Ian called a professor friend to vouch for him. Then he called the facility and
asked for a tour, as a visiting "researcher". After the tour was over, he
called his boss, and told them his briefcase was hidden next to a critical
part of the facility.

Bugging HD firmware is a brilliant ploy. Who looks there?

~~~
sesqu
There is no need to steal the source code. As mentioned in the article (or a
different article?), they can just demand the manufacturer send the source
code for NSA review before the government buys any drives.

------
guscost
I wonder if the team working on this has a "wrap party" when the vector is
inevitably exposed, or if there's some kind of politics/fallout if they didn't
show quite enough ROI. Sort of like modern NASA and ESA (and now ISRO)
missions, you know?

Anyway, I'm not interested in getting into a debate, but it sounds like an
impressive bit of work.

~~~
unreal37
Or the program continues uninterrupted because even once exposed, it still
works. All major hard drive makers have been infiltrated. Where's everyone in
the world going to buy hard drives?

~~~
rasz_pl
All it takes is a SATA key doing ROT13 on passing data to defeat it, or
striping a RAID array.

~~~
breul99
One would imagine that raid cards would be an equally appealing attack vector.

~~~
rasz_pl
There are driverless/non firmware-upgradeable RAID controllers, for example
Sil3726 - SATA port multiplier with RAID functionality built in. Connect a couple
of drives and the host sees only one.

------
alexbel
Do ssd/hdd drives with open source firmware exist?

~~~
joshavant
Sorry, not an answer to your question, but I did think about this while
reading the article, and these new findings do seem to make Richard Stallman's
'entirely free and open laptop' efforts seem not so crazy, after all.

~~~
lifeisstillgood
No one thinks the rationale for the free and open laptop is crazy. Just the
cost and capability.

That said, right now there is not a single hardware manufacturer in the world
who is not open to government pressure.

Perhaps the only answer to all this is to make our institutions irrevocably
open - that there are open publicised hardware standards and means of
verifying the circuits are the design expected.

------
digitalchaos
Isn't this the same thing as IRATEMONK that was revealed a year or so ago in
the NSA ANT catalog?
[https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa...](https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html)

------
MichaelGG
Would this not be mostly thwarted by using full disk encryption and a TPM? FDE
means the firmware cannot do anything with your data; just view the disk as a
remote server and store like you would on AWS or so.

A TPM can then read the boot sector and ensure it hasn't been modified, so the
firmware can't take advantage of the unencrypted code there.

Of course there are other things the firmware can target, but at least not being
able to directly read/write data is a huge bonus. And it'll greatly reduce the
surface area for exploits, since just the encrypted block device code can be
messed with, not all the internals of various filesystems.

~~~
rjaco31
If they are hooking the full Windows boot chain, it's only a small step to
also hook the encryption/decryption process during the boot.

~~~
MichaelGG
Hence the part of the TPM and other DRM-capable technologies (Secure Boot, I
think). You can sign and seal the boot code, so just owning the firmware
doesn't get you there. (Of course the NSA might also compromise the Windows
boot keys, but then that's a detectable, major incident.)

------
aagha
Surprisingly, there's not one comment in this entire thread with either the
word "remove" or "uninstall".

Question: If there's a good chance a machine w/ one of the said HD's has the
NSA spying app, how do you remove it??

~~~
kbart
You can't. Unless you write your own HDD firmware. Buying a new HDD won't help
much either, because all major HDD manufacturers have been
infiltrated/persuaded by the NSA.

~~~
danmaz74
The drives get infected if the virus is executed, they don't come pre-infected.

~~~
kbart
It's not mainstream malware, so if you get infected it means you are on the NSA
list and buying a new HDD won't help, because the vulnerability remains unless the
HDD manufacturer fixes their firmware.

------
Old_Thrashbarg
Noob question: Is it reasonable to think that the spyware on these hard drives
is targeted at specific OSes?

I have a Seagate HDD and I run Linux (Ubuntu), so I'm wondering if I'd be
immune to the spyware.

~~~
pornel
If you're targeted by a 3-letter agency you can assume you're totally screwed
no matter what OS you use.

If they don't have an exploit for your OS yet, they'll write one.

Also, there's an independent OS running inside your Intel CPU (vPro).

~~~
psykovsky
Does the agency need to have 3 letters in its acronym for the attack to be
that effective?

------
japasc
You have secret courts with secret orders. Nothing can be trusted....

------
rubyfan
FTA: "the spies made a technological breakthrough by figuring out how to lodge
malicious software in the obscure code called firmware"

Is this really a breakthrough? Hasn't this type of attack been around for a
long time? Yeah, Reuters. It _is_ interesting that likely a state actor is
using this type of attack in a coordinated way. Interesting, but is this
really surprising?

In other news, Apple and Google now make a device you can connect right to your
skin 24/7.

~~~
kbart
I find it strange too that people (even some with more technical background)
refer to firmware as something obscure/magical. Chip technologies are so
advanced today that you can run code, that was only possible on a PC a
decade or so ago, on a tiny controller. It would be plainly stupid for the NSA and
the like to ignore such an opportunity.

~~~
warkid
Remember the report on Toyota accelerator firmware, which had like 10K global
variables? Someone 'with technical background' could call this kind of
software organization 'obscure' and the fact that it actually (somehow) works
- 'magical'))

------
zxcvcxz
I hate to say it but I think the average person just doesn't care, even a lot
of HNers don't really think it's a big deal. I personally think it's time for
a revolution or at least mass social upheaval.

Politicians pretty much treat us like we're all mentally challenged, which,
compared to Ivy league educated officials, I guess most of us are. But it
really makes you wonder why such smart people just don't give a fuck.

~~~
wongarsu
Well, what is the big deal? What is even the real news here? "NSA does
intelligence gathering abroad"? "State-funded malware uses known attack
vectors to attack computers in countries the US doesn't like"? "NSA probably
employs some programmers to write decent malware to infect selected targets"?

It's interesting insight from a technical perspective, but apart from that, is
it really surprising or upsetting?

Some things about the NSA like Prism are genuinely upsetting, but I don't
think this particular story is.

~~~
free2rhyme214
I agree. Also the reality is that most of us are working hard trying to
accomplish our own goals.

As long as the central bankers and whoever else is in power doesn't turn up
the heat too high too fast this isn't that relevant to most of us.

We're all pretty aware they can get our data so this isn't surprising. Just
search NSA on LinkedIn and you can see their army of programmers on there who
care about real threats and not people who read hacker news.

------
desdiv
_It is not clear how the NSA may have obtained the hard drives' source code._

Probably just a nicely worded letter:

    
    
        To whom it may concern,
    
        Under the authority of Executive Order 12333 and
        pursuant to Title 18 USC Section 2709, you are hereby 
        compelled to provide the NSA with the source code of the
        firmware of your company's line of hard-drive products.

------
bane
> "There is zero chance that someone could rewrite the [hard drive] operating
> system using public information," Raiu said.

Anybody have anymore info on this? I've always been under the impression that
it's at least theoretically possible to copy the firmware off of something and
decompile it at least.

~~~
gizmo686
Unless someone invented state-of-the-art anti-hacking hardware and
couldn't think of any better use for it than protecting the secrecy of HDD
firmware, then that is just a lie (or knowledge gained by reverse engineering
the firmware is not considered "public" information). If you are interested,
here is a story of someone modifying HDD firmware [1].

[1] [http://spritesmods.com/?art=hddhack](http://spritesmods.com/?art=hddhack)

------
jwatte
We already saw IRATE MONK and friends a couple of years ago, right? Is this
different, or independent verification?

------
CHaro
Does it worry anyone else that China is starting to review code before
allowing it to be released? I can definitely see the US doing something like
this, especially if companies continue to get hacked.

Imagine having to wait 3 months before you can launch your startup because
you have to get the corresponding permits and have your code reviewed.

------
jaxn
In Soviet Russia the hard drive reads you!

------
wildchild
This is Kaspersky's advertisement.

------
beedogs
Time to shut down the NSA. They have no place in a free society.

------
higherpurpose
> _Snowden's revelations have hurt the United States' relations with some
> allies and slowed the sales of U.S. technology products abroad._

God damn it. Again with the "kill the messenger" attitude. It's not the
disclosure of the acts that harmed the relationships. It's the spying and
hacking acts themselves. It's like your friend telling you your girlfriend is
cheating on you, and getting mad at the _friend_ instead of the girlfriend,
for "harming your relationship".

You don't want your relationships harmed? Uhh..here's a solution for you, US
government: _don't fucking do it to your allies in the first place_ if you
don't want your relationships "harmed". It's not rocket science.

~~~
cecilpl
International relations is not as simple as your girlfriend cheating on you.

~~~
craigjb
I agree. How come as software engineers, we like to talk about larger emergent
behavior from large groups of simple pieces, but when we talk about
governments and nations (large groups of complex pieces) we use analogies to
simple systems? For example, the national debt does not operate like a
household debt. The cacophony of systems at work in a nation makes it
exponentially more nuanced. Some rules are emergent only at the larger scale.
Or, international relations. Nation to nation relations don't consist of just
the heads of state, but whole organizations of people interacting. Again, a
large group of complex things (people) interacting probably creates some
emergent behavior not visible in small groups. It's frustrating to see these
systems reduced without any thought.

