Mildly [OT]: Security dongle for SATA drives

Hi, all,

In my recent reading on computer security, one of the things that keeps coming up is malware that rewrites your disk firmware.

Since the disk has DMA access to main memory, this allows malware to persist even if you wipe the disk and reinstall everything from clean media. It's generally not too hard to reflash the mobo BIOS, but disk drives you basically have to throw away if they get infected.

Since the evil firmware is uploaded using ordinary SATA commands, it seems like it would be quite possible to make a dongle that did nothing but intercept and ignore those commands. Does anything like that exist?

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs 
Principal Consultant 
ElectroOptical Innovations LLC 
Optics, Electro-optics, Photonics, Analog Electronics 

160 North State Road #203 
Briarcliff Manor NY 10510 

hobbs at electrooptical dot net 
http://electrooptical.net
Reply to
Phil Hobbs

It's strange that you would ask about that. Just recently the IT department had a bunch of new SATA drives on which they wanted to install security software that involved being able to write to places in the drive that you normally can't.

The install failed with some sort of CMD xx failure; the fix, after calling the sales desk where these drives came from, was to install a jumper so that the firmware could be reached or some additional functions turned on.

They also indicated that all warranties were void after this..

I suppose this would be a great feature for those like the NSA to load software on the drive.

I wonder if setting up the drive as a network share volume only would make it difficult to get to that level?

Jamie

Reply to
M Philbrook

I was going to say, with the typical environment that most drives live in, the "dongle" could and should just be a jumper or switch on the drive itself -- install jumper to enable writes, take it out to disable 'em, and have a nice day.

--

Tim Wescott 
Wescott Design Services 
http://www.wescottdesign.com
Reply to
Tim Wescott

Yep. Add malware that scribbles to the flash RAM on ethernet, video, and CD/DVD drives. However, I think you might be a bit overly cautious here. Malware that can fit into the hard disk firmware is not going to be able to do very much beyond announcing its presence. It will also need to be a very impressive bit of programming, which can identify a drive down to the firmware level and fabricate a functional firmware image that will allow the drive to continue operating normally while adding its own routines. Like the now-common boot sector and rootkit viruses, the real work will need to be done in the filesystem by ordinary program files, which can be detected. My guess(tm) is that the initial releases of such a virus are more likely to brick a hard disk than to infect it.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558
Reply to
Jeff Liebermann

Unfortunately there's no way to prevent techniques originally paid for by TLAs (ours and others') from leaking into the toolkits of the bad guys. It's a real issue today--see e.g. Bruce Schneier's blog, comp.risks, the qubes-users G-group, and the security coverage on The Register.

Cheers

Phil Hobbs

Reply to
Phil Hobbs

Sort-of related: change a computer's BIOS and the firmware and tables in the corresponding HD to get the BOOT "sector" in the middle of the drive, directories in 2 blocks surrounding that, data further out toward the edges... Might make that HD obscene on other computers...

Reply to
Robert Baer

On a sunny day (Fri, 20 Nov 2015 13:28:09 -0500) it happened Phil Hobbs wrote in :

Hi, I am subscribed to one of these (German) security-related bulletins, snipped-for-privacy@bsi-fuer-buerger.de; every so often (every few weeks or so?) I get an email with warnings and suggestions to reinstall Adobe Flash, my web browser, my Android apps, whatnot.

With references to the latest news of some students or labs finding yet another exploit.

I am past that now: I do not upgrade Adobe Flash, I let the NSA and everybody else nose around in my most secret files, and I generally ignore the threats.

YES, it is possible to hack these things; yes, I can do it; yes, somebody does it; but get a life: upgrading your OS or apps every few weeks is a major task.

What I do have in my Linux boxes is a good firewall (iptables), and it has hundreds of entries in it, eh, thousands: 4408 to be precise.

Theory here being: it does not make sense to put a lock on every door in the house, it makes living there very difficult, but it does make sense to put one on a big fence around it.

How do you know the hard disk you bought does not have its own firmware that sends its contents to Bad Guy[1]? I watch my cable modem light; I see data transfer that is not normal; I have several scripts that monitor the links...

[1] If it was US- or China-made it _should_ have; else I overestimated them. Same for the hardware BIOS.

Also, I think these security-software-selling companies have people working for them to create ever new attacks, stir up the media to cause panic, and get people to buy their software. Linux does not have that problem so much, so that helps.

Still, your chance of getting hit by cross-site scripting and that sort of stuff is much bigger than by SATA-related tricks, IMNSHO. And for what it is worth, how important is the stuff you want to protect? For a big attacker it has to be worth the money; for a government, they can just bust your door in and take your PC with disks etc... And you with it.

So..?

Reply to
Jan Panteltje
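Jan's "watch the modem light" approach, turned into code as an added example that is not from anyone in this thread: it takes the eth0 line of /proc/net/dev once per interval, turns the cumulative tx_bytes counter into per-interval outbound volume (coping with a counter reset after a reboot), keeps a smoothed baseline of normal intervals, and flags an interval that is both above an absolute floor and far above that baseline. The interface name, the thresholds, the function names and the sample lines are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define FLOOR_BYTES 2097152ULL   /* 2 MiB per interval: below this nothing is flagged */
#define RATIO       8.0          /* ...and it must also be 8x the baseline */
#define ALPHA       0.2          /* EWMA weight of the newest normal interval */

/* /proc/net/dev field order after "ifname:": rx bytes, packets, errs, drop,
 * fifo, frame, compressed, multicast, tx bytes, ... Returns 1 if the line is
 * for `ifname` and stores its tx_bytes counter in *tx. */
int parse_tx_bytes(const char *line, const char *ifname, unsigned long long *tx)
{
    char name[32];
    unsigned long long rx;
    if (sscanf(line, " %31[^:]: %llu %*u %*u %*u %*u %*u %*u %*u %llu", name, &rx, tx) != 3)
        return 0;
    return strcmp(name, ifname) == 0;
}

/* Walk successive counter readings; returns the number of flagged intervals
 * and stores up to `cap` of their indexes in `flagged`. The first interval
 * only seeds the baseline and is never flagged. */
int scan_egress(const unsigned long long *tx, int n, int *flagged, int cap)
{
    double baseline = -1.0;
    int hits = 0;
    for (int i = 1; i < n; i++) {
        /* Counter went backwards: reboot or interface re-created, so the new
         * reading is itself the interval's traffic. */
        unsigned long long delta = tx[i] >= tx[i - 1] ? tx[i] - tx[i - 1] : tx[i];
        if (baseline < 0) { baseline = (double)delta; continue; }
        if (delta > FLOOR_BYTES && (double)delta > RATIO * baseline) {
            if (hits < cap) flagged[hits] = i;
            hits++;
            continue;             /* keep the anomaly out of the baseline */
        }
        baseline = ALPHA * (double)delta + (1.0 - ALPHA) * baseline;
    }
    return hits;
}

/* Constructed samples: one eth0 line per interval (tx_bytes is the 9th
 * number). Interval 5 pushes ~50 MB out; interval 7 follows a counter reset. */
static const char *SAMPLES[] = {
    "  eth0: 52000000 41000 0 0 0 0 0 0 10000000 30000 0 0 0 0 0 0",
    "  eth0: 52400000 41500 0 0 0 0 0 0 10300000 30400 0 0 0 0 0 0",
    "  eth0: 52800000 42000 0 0 0 0 0 0 10650000 30800 0 0 0 0 0 0",
    "  eth0: 53100000 42400 0 0 0 0 0 0 10900000 31100 0 0 0 0 0 0",
    "  eth0: 53500000 42900 0 0 0 0 0 0 11200000 31500 0 0 0 0 0 0",
    "  eth0: 53900000 43400 0 0 0 0 0 0 61200000 66000 0 0 0 0 0 0",
    "  eth0: 54300000 43900 0 0 0 0 0 0 61500000 66400 0 0 0 0 0 0",
    "  eth0:   300000   400 0 0 0 0 0 0   200000   250 0 0 0 0 0 0",
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Parse the samples and run the detector; returns the number of flagged
 * intervals, or -1 if a sample line did not parse. */
int demo_flagged(int *flagged, int cap)
{
    unsigned long long tx[NSAMPLES];
    for (size_t i = 0; i < NSAMPLES; i++)
        if (!parse_tx_bytes(SAMPLES[i], "eth0", &tx[i]))
            return -1;
    return scan_egress(tx, (int)NSAMPLES, flagged, cap);
}

int main(void)
{
    int flagged[8];
    int n = demo_flagged(flagged, 8);
    for (int i = 0; i < n; i++)
        printf("interval %d: outbound burst far above baseline\n", flagged[i]);
    return n < 0;
}
```

On the constructed samples only interval 5 is reported; the reset in interval 7 is treated as a small interval rather than a huge negative one. The two-part threshold matters: a ratio alone fires on every tiny fluctuation of an idle link, and a floor alone never fires on a link that is always busy. A disk firmware that phones home slowly, under the floor, would still get through this check, which is exactly the limitation of watching the modem light.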

Having a jumper on the drive that has to be installed to reflash would be great, but most don't (certainly not laptop drives).

Keeping a Linux box patched takes almost zero work. I have about a dozen of them all told, counting routers with FOSS firmware. I probably spend more time grinding coffee than patching them (cron is your friend).

Problem is, APT techniques are becoming common, since toolkits for building them are commercially available and getting cheaper. The 'eggshell' security model you describe is a recipe for maximizing damage when you do get hacked. No thanks.

Cheers

Phil Hobbs

Reply to
Phil Hobbs

On a sunny day (Sat, 21 Nov 2015 04:28:30 -0800 (PST)) it happened Phil Hobbs wrote in :

Well, damage? You do make backups, right? I have everything on optical media, and everything critical on magnetic, flash, and optical.

I once dropped a harddisk, oh well, life goes on.

What sort of 'damage' are you talking about? Industrial espionage? They already have access, as I pointed out, if they are any good. NSA? They know what you have for breakfast too.

It is insane to put locks, and new locks on every cupboard and room and new windows in your house every two weeks because you read somewhere on some site that burglars exist.

It is a market, the same hidden commercial crap that makes people buy C++ and then they think they can program or their programs are better.

So how many 'attacks' have I seen? Hundreds, but most here would not even recognize those. At one time I was running the servers at home; it is a 2-hour-a-day job to read the logs and take countermeasures and write scripts to keep the bad guys out. Updating your browser and putting some filter in the SATA connection would not catch anyone working at the current state. Yes, a jumper to protect the firmware, but WHAT firmware? The one with the NSA or Chinese backdoor? Sure you'd want to protect that.

I'd get claustrophobia from all them locks on everything and would use dynamite to free myself from it, and probably stop computing for ever.

Get serious, its all hype.

I just finished automatic resonance detection in, say, another 250 to 500 bytes for the ultrasonic anti-fouling system in a PIC 18F14K22, all together 11822 bytes.

I am still not 100% sure if I should add Packman to it (on the OLED and movement keys via RS232). Let them hack it. The resonance detection works great, steps through a list of frequencies, finds the best, then jumps to it, and stays there, no user intervention at all.

If the PC gets compro-mice-d I switch to the backup. Yes, the LAN here has many things on it.

What is REALLY dangerous is WiFi, anybody can get access. So everything is wired here no WiFi nothing.

Do you use iptables as a firewall? Do you use ANY firewall? I'd start there.

Reply to
Jan Panteltje

You know, a nice proxy card between the SATA connector of the PC would work well, so that you could monitor the commands to decide what is allowable.

An attempt to write to a boot section or send specific OEM hardware commands that could cause damage could be blocked.

Just thinking, really...

Jamie

Reply to
M Philbrook
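What the intercepting "dongle" from Phil's opening question and the "proxy card" Jamie describes just above would have to do at the protocol level, as an added example that is not code from anyone in this thread: every ATA command reaches a SATA drive in a 20-byte Register Host-to-Device FIS, so the filter parses that FIS and takes an allow-list approach. Only plain read/write/flush/identify opcodes pass; DOWNLOAD MICROCODE (0x92) and DOWNLOAD MICROCODE DMA (0x93), the commands that carry a firmware image, never reach the drive, and neither does any vendor-specific or other unlisted opcode. Writes whose starting LBA falls inside a protected region at the front of the disk are refused as well. The opcode values and FIS layout are from the SATA and ATA/ACS specifications; the allow-list membership, the one-sector protected region and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register Host-to-Device FIS (20 bytes): byte 0 = FIS type 0x27, byte 1 bit 7
 * = C (1: command, 0: control-register update), byte 2 = command, bytes 4-6 =
 * LBA 23:0, byte 7 = device (LBA 27:24 in the low nibble for 28-bit commands),
 * bytes 8-10 = LBA 47:24 for 48-bit (EXT / FPDMA) commands. */
#define FIS_TYPE_REG_H2D 0x27
#define FIS_H2D_LEN 20

/* ATA opcodes from the ATA/ACS command set. Assumption for the example: the
 * read/write/flush/identify opcodes below are the entire allow-list. */
enum ata_cmd {
    CMD_READ_SECTORS = 0x20, CMD_READ_SECTORS_EXT = 0x24, CMD_READ_DMA_EXT = 0x25,
    CMD_WRITE_SECTORS = 0x30, CMD_WRITE_SECTORS_EXT = 0x34, CMD_WRITE_DMA_EXT = 0x35,
    CMD_READ_FPDMA_QUEUED = 0x60, CMD_WRITE_FPDMA_QUEUED = 0x61,
    CMD_DOWNLOAD_MICROCODE = 0x92, CMD_DOWNLOAD_MICROCODE_DMA = 0x93,
    CMD_READ_DMA = 0xC8, CMD_WRITE_DMA = 0xCA,
    CMD_FLUSH_CACHE = 0xE7, CMD_FLUSH_CACHE_EXT = 0xEA, CMD_IDENTIFY_DEVICE = 0xEC
};

#define PROTECTED_LBAS 1ULL   /* leading sectors kept read-only; assumption: LBA 0 only */

enum verdict { ALLOW = 0, BLOCK_MALFORMED, BLOCK_FIRMWARE, BLOCK_NOT_ALLOWED, BLOCK_PROTECTED_LBA };

/* 1 if cmd writes user data; *ext is set when it uses 48-bit addressing. */
static int is_write_cmd(uint8_t cmd, int *ext)
{
    *ext = (cmd == CMD_WRITE_SECTORS_EXT || cmd == CMD_WRITE_DMA_EXT || cmd == CMD_WRITE_FPDMA_QUEUED);
    return *ext || cmd == CMD_WRITE_SECTORS || cmd == CMD_WRITE_DMA;
}

static int is_allowed_cmd(uint8_t cmd)
{
    switch (cmd) {
    case CMD_READ_SECTORS: case CMD_READ_SECTORS_EXT: case CMD_READ_DMA: case CMD_READ_DMA_EXT:
    case CMD_READ_FPDMA_QUEUED: case CMD_WRITE_SECTORS: case CMD_WRITE_SECTORS_EXT:
    case CMD_WRITE_DMA: case CMD_WRITE_DMA_EXT: case CMD_WRITE_FPDMA_QUEUED:
    case CMD_FLUSH_CACHE: case CMD_FLUSH_CACHE_EXT: case CMD_IDENTIFY_DEVICE:
        return 1;
    default:
        return 0;
    }
}

static uint64_t fis_lba(const uint8_t *fis, int ext)
{
    uint64_t lba = fis[4] | (uint64_t)fis[5] << 8 | (uint64_t)fis[6] << 16;
    if (ext)
        lba |= (uint64_t)fis[8] << 24 | (uint64_t)fis[9] << 32 | (uint64_t)fis[10] << 40;
    else
        lba |= (uint64_t)(fis[7] & 0x0F) << 24;
    return lba;
}

/* Decide what the dongle does with one host-to-device FIS. */
enum verdict filter_h2d_fis(const uint8_t *fis, size_t len)
{
    int ext = 0;
    if (len != FIS_H2D_LEN || fis[0] != FIS_TYPE_REG_H2D)
        return BLOCK_MALFORMED;
    if (!(fis[1] & 0x80))   /* control-register update (e.g. soft reset): no command */
        return ALLOW;
    if (fis[2] == CMD_DOWNLOAD_MICROCODE || fis[2] == CMD_DOWNLOAD_MICROCODE_DMA)
        return BLOCK_FIRMWARE;
    if (!is_allowed_cmd(fis[2]))
        return BLOCK_NOT_ALLOWED;
    /* A write overlaps [0, PROTECTED_LBAS) exactly when it starts inside it,
     * so the sector count never has to be parsed for this check. */
    if (is_write_cmd(fis[2], &ext) && fis_lba(fis, ext) < PROTECTED_LBAS)
        return BLOCK_PROTECTED_LBA;
    return ALLOW;
}

/* Build a one-sector command FIS in LBA mode (demo/test helper). */
void build_h2d_fis(uint8_t *fis, uint8_t cmd, uint64_t lba, int ext)
{
    memset(fis, 0, FIS_H2D_LEN);
    fis[0] = FIS_TYPE_REG_H2D; fis[1] = 0x80; fis[2] = cmd; fis[12] = 1;
    fis[4] = lba & 0xFF; fis[5] = (lba >> 8) & 0xFF; fis[6] = (lba >> 16) & 0xFF;
    fis[7] = 0x40 | (ext ? 0 : (lba >> 24) & 0x0F);
    if (ext) { fis[8] = (lba >> 24) & 0xFF; fis[9] = (lba >> 32) & 0xFF; fis[10] = (lba >> 40) & 0xFF; }
}

int main(void)
{
    static const char *name[] = { "ALLOW", "BLOCK_MALFORMED", "BLOCK_FIRMWARE",
                                  "BLOCK_NOT_ALLOWED", "BLOCK_PROTECTED_LBA" };
    struct { uint8_t cmd; uint64_t lba; int ext; } t[] = {
        { CMD_READ_DMA_EXT, 0, 1 }, { CMD_WRITE_DMA_EXT, 2048, 1 }, { CMD_WRITE_SECTORS, 0, 0 },
        { CMD_DOWNLOAD_MICROCODE, 0, 0 }, { 0xF0, 0, 0 } };
    uint8_t fis[FIS_H2D_LEN];
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        build_h2d_fis(fis, t[i].cmd, t[i].lba, t[i].ext);
        printf("cmd 0x%02X lba %llu -> %s\n", t[i].cmd, (unsigned long long)t[i].lba,
               name[filter_h2d_fis(fis, sizeof fis)]);
    }
    return 0;
}
```

Two things a real dongle would need beyond this decision function. First, silently dropping a command is not enough: the host waits for the drive's response and times out, so the dongle should answer a blocked command with a Register Device-to-Host FIS carrying ERR status and the ABRT error bit, which is how a drive itself reports an unsupported command. Second, the allow-list deliberately leaves out SMART (0xB0), SET FEATURES (0xEF) and the security commands, all of which hosts issue routinely, so a deployable version extends the allow-list case by case rather than switching to a deny-list of known-bad opcodes, since the vendor-specific opcodes used to reach the firmware are exactly the ones no public list covers.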

Hey, that exists! Many hardware RAID controller cards offer a similar level of isolation. At least the real hardware RAID cards that have their own CPU and BIOS usually do. Chipsets that offer "Software RAID" usually let the main CPU do the calculations and only function as an I/O adapter with a coprocessor for XORing the data streams, so at the driver level they still let the host CPU access the drives, but many RAID cards for servers (such as e.g. STEX8650 and similar) do the math entirely on the card and will present virtualized disk drives with user-configurable geometries (sector size, number of sectors) to the host CPU. On the other hand, while these virtualized disks only accept standard read/write SATA commands and basically nothing else, the controller itself is certainly firmware-upgradeable and usually also provides some kind of management console "port" to the host for remote disk array management (sometimes even over Ethernet!) - so go figure.

Dimitrij

P.S. At least there are some cheap hardware RAID controllers (usually based on older Silicon Image chipsets) where the Chinese card makers cheaped out on the EEPROM and - in order to save a couple of cents - put a factory-programmed OTP PROM on it. These cards tend to be (from a software view) indistinguishable from those with EEPROMs, except that if you try to actually "flash" one, it will just lock up because the OTP PROM won't handle the "sector erase" command and the firmware will be sitting in an endless loop waiting for an answer. Unfortunately the firmware of these cards sometimes happens to be very old and buggy, so that them being upgrade-resistant is more a curse than a blessing... But hey, that's probably still the best case of unintentional security that I've seen so far.

Reply to
Dimitrij Klingbeil

So build your own:

Clifford Heath

Reply to
Clifford Heath

Could be kind of limiting unless you're also prepared to either stick with DOS or modify your operating system code to use this new format.

fuji-xerox MFCs use FAT32 format but with all the bytes swapped, guess that could be called "AF3T 2" :)

Reply to
Jasen Betts

Or are they using big endian?

Jamie

Reply to
M Philbrook

What about a NAS that appears on the host as an encrypted disk? A "bad" disk firmware would never see any data that is not encrypted. It could subvert the NAS server but still not be able to see anything.

Boot off something small and old I guess.

--

John Devereux
Reply to
John Devereux
