Thursday, November 5, 2015

ICMC15: A Look Into Hard Drive Firmware Hacking

Khai Van, Security Tester, Gossamer Security Solutions

Malware: malicious software, typically used to gain unsolicited access to computers. It comes in many forms: Trojan horses, viruses, bots, adware and worms.  They can be annoying or dangerous. You might lose your financial data, or other personal information.

When people hack hard drive firmware with a custom one, they can execute unwanted software, defeat hard drive encryption, read your secure files, etc.

Kaspersky Labs unearthed the "Equation Group", who uses cryptography (RC5, RC6 and AES).  Some of these attacks are more than 14 years old!  Many countries are impacted: US, Algeria, India, China, Russia, Egypt, and Mexico and more.

All major brands are impacted: Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi. Of the drives researched, it seems the only ones that were tested are HDDs with physical plates.  At this time, it seems PCB layout in SSDs are still being researched.


Jeroen Domburg, creator of spritesmods.com, has a way of accessing and overwriting the cache memory.

Jeroen was able to use an on-chip debugger (OpenOCD) to dump data and commands from the JTAG interface. Processors have read/write access to the cache memory. Data in the cache memory can be read/modified... so you can run injected programs in memory!  Flash can be dumped/replaced. Malicious programs can be written to flash memory to remain persistent.

Hard drive vendors can make remote firmware updates, unbeknownst to a user. This can be leveraged by an attacker.

Now, using a portable SPI programmer requires physical access. you'd probably notice a hacker walking around with and one accessing your datacenter.  So, firmware updates are more practical to attack.

The risk to consumers is that it is undetectable by traditional antivirus software. it is persistent, and survives wiping.  One of the attack involves installing a virtual OS that the hard drive could not detect or disable.