
Surviving reformats by infecting the hard disk firmware - graystevens
http://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html
======
shawnee_
_This rootkit is designed for a major brand of hard disk and can infect the
firmware from within the operating system (no physical access required), it's
also completely undetectable to software running on the host computer._

Skeptical about this -- especially the claim that it's "completely
undetectable". One of the projects[1] we've worked on for 01.org now ships
with UEFI SCT[2], which was designed to address this very issue.

Flash LUV to a USB and run the suites. The tests will write to a folder on
the USB, both "raw" and "parsed" results, so you can essentially have a log[3]
of any issues.

      [1] https://github.com/01org/luv-yocto
      [2] http://firmware.intel.com/blog/linux-uefi-validation-project-incorporate-uefi-sct
      [3] https://01.org/linux-uefi-validation

~~~
mrb
Well the bootkit is undetectable to the _compromised_ OS, but not to another
OS booted safely from another boot device (such as a USB stick).

As the author explains in his slides, only the first read of the MBR will
return the bootkit. Subsequent reads will return the legit MBR. So a
compromised OS attempting to check its own MBR will see legit data. But an OS
booted from another boot device can read the MBR one time and can immediately
see the MBR contains non-standard code (e.g. not the standard Windows or Grub
boot loader) and can conclude it is compromised.

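A defender-side check of the kind mrb describes, as an added example that is not from the linked article or from anyone in this thread: it parses a raw read of sector 0 taken after booting from a separate clean medium, compares the boot code against a baseline of known-good SHA-256 digests, and also flags a drive whose successive reads of the same sector disagree. The sector contents and the baseline below are constructed for illustration, not real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, the four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        partitions.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions, "signature": sector[510:]}

def check_mbr_reads(reads: list, baseline: set) -> list:
    """reads: successive raw reads of sector 0, taken while booted from a clean medium.
    baseline: SHA-256 digests of boot code known to be good for this machine."""
    findings = []
    first = parse_mbr(reads[0])
    if first["signature"] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(first["boot_code"]).hexdigest()
    if digest not in baseline:
        findings.append("boot code not in baseline: sha256=" + digest)
    # A drive that answers the first read differently from later ones is itself a finding.
    for n, later in enumerate(reads[1:], start=2):
        if later != reads[0]:
            findings.append(f"read {n} of sector 0 differs from read 1")
    active = [p for p in first["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition marked active")
    return findings

def build_sector(boot_code: bytes, entries: list) -> bytes:
    """Constructed helper: assemble a sector for the sample data below."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries) + b"\x00" * (16 * (4 - len(entries)))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE

# Constructed sample data (not real boot code): a known-good sector and a modified one.
KNOWN_GOOD = build_sector(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 1_000_000)])
MODIFIED = build_sector(b"\xeb\xfe", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = {hashlib.sha256(parse_mbr(KNOWN_GOOD)["boot_code"]).hexdigest()}
```

In practice the reads come from the raw block device of the suspect disk (e.g. the first 512 bytes of /dev/sdX on a rescue system) and the baseline is recorded from a known-clean install of the same machine.
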
------
michaelt
It's a mystery to me why, in this day and age, anyone is making
firmware-upgradable hardware and not checking a digital signature on the
firmware upgrade.

I mean, 20 years ago there might have been space constraints, but these days
that hardly seems like a worry. So why isn't secure firmware the standard?

Or will it take some malware being publicly released to get the hardware
companies to take notice?

~~~
gnu8
That would infringe on the end user's right to install their own customized
firmware.

Seriously though, signed firmware is something that is inevitable but also
easy to delay with some shady dealing. With NSA buying a non-trivial number of
disks to store their illegal collections, they could easily induce disk
manufacturers to put off introducing firmware signing.

~~~
murbard2
You could have a physical switch on the device that lets it temporarily accept
unsigned firmware.

~~~
marssaxman
You could have a physical switch on the device that lets it accept firmware,
full stop. How often does a drive's firmware get updated during its lifetime?
Very slightly more than zero times on average, I would imagine.

~~~
murbard2
The manufacturer may need to push updates to consumers who aren't comfortable
opening their computer. The set of people who want to install alternate
firmware is however included in the set of people willing to physically open a
computer.

~~~
joe_the_user
The switch could be extended to the outside of the box - shock/horror.

How hard is a single pin/paper-clip button that protects all critical files
unless it's depressed, and when it's depressed lets you install new firmware,
OS and whatever else?

------
wang_li
This is why all the data that goes to a hard drive should be encrypted before
it gets there. No reason for the system to be trusting that the storage isn't
malicious. If all the storage sees is encrypted data then the worst that it
can do is fail to store the data. What it can't do is substitute malicious
code for my desired code.

~~~
bcg1
Maybe what could happen though is that when booting the operating system,
instead of reading whatever code normally runs as the kernel launches, some
malicious code could be sent to the processor instead.

~~~
wang_li
I'd like to see the firmware decode/encode the MBR or MBR-equivalent.
Encryption only being available if someone sets a jumper on the mobo during OS
installation.

------
contingencies
The average computer has how many places to store malware outside of the
filesystem?

The classics are MBR and BIOS.

These days IPMI BMC and storage device firmware are becoming popular.

However, we also have PCI device firmware (e.g. GPU firmware, network card
firmware), connected firewire device firmware, USB input device firmware...
others?