How hackers could attack hard drives to create a pervasive backdoor

News that a hacking group within or associated with the National Security Agency compromised the firmware of hard drive controllers from a number of manufacturers, as part of a 14-year cyber-espionage campaign, has led some to believe that the manufacturers were somehow complicit in the hacking—either by providing controller firmware source code or other technical support. But it has long been established that hard drive controllers can be reverse-engineered relatively easily without any help from the manufacturers—at least, without intentional help.

Although hard drive manufacturers keep the details of their controller chips closed, their use of standard debugging interfaces makes it relatively simple to dump the firmware and work out how it functions, and even to insert malicious code that triggers specific behaviors when particular files are accessed. Reverse-engineering it to the point of producing a stable alternative firmware for multiple vendors' disk controllers that also carries persistent malware, however, is a significant feat of software development that only a very well-funded attacker could likely pull off at the scale the "Equation group" achieved.

Hard drive controller boards are essentially small embedded computers unto themselves—they have onboard memory, Flash ROM storage, and a controller chip that is essentially a custom CPU (usually based on the ARM architecture). They also generally have diagnostic serial ports, or other interfaces on the board, including some based on the JTAG board debugging interface. Using software such as Open On Chip Debugger (OpenOCD), you can even dump the "bootstrap" firmware from the controller and analyze it with an ARM disassembler.
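A defender who has dumped a controller's firmware over JTAG wants two things from it: proof that the image still matches a known-good baseline, and a quick read of where its exception vectors point, so that a redirected handler stands out. The script below is an added example written for this article, not code from the article, from OpenOCD, or from any drive vendor. It assumes a classic ARM (A32) exception vector table at the start of the dump, where each of the eight vectors is either a `B` to its handler or a `LDR PC, [PC, #imm]` that reads the handler address from a literal pool; the 512-byte image it checks is constructed here for the demonstration, and a real controller dump differs by vendor, model and load address.

```python
"""Baseline-hash and vector-table check for a dumped ARM controller firmware.

Added example, not the article's or any vendor's code.  Assumes a classic
ARM (A32) exception vector table at the image's load address; the sample
image below is constructed for the demonstration.
"""
import hashlib
import struct

FLASH_BASE = 0x0000_0000          # assumed load address of the dumped image
VECTOR_NAMES = ["reset", "undef", "svc", "prefetch_abort",
                "data_abort", "reserved", "irq", "fiq"]


def decode_vector(image: bytes, addr: int, base: int = FLASH_BASE):
    """Return (mnemonic, handler_address) for the instruction word at addr.

    Only the two encodings seen in vector tables are decoded; anything else
    comes back as 'unknown' so an analyst looks at it by hand.
    """
    (word,) = struct.unpack_from("<I", image, addr - base)
    if (word >> 28) != 0xE:                 # vectors are unconditional (AL)
        return "unknown", None
    if (word >> 24) == 0xEA:                # B <target>, target = addr+8+imm24<<2
        imm24 = word & 0x00FF_FFFF
        if imm24 & 0x0080_0000:             # sign-extend the 24-bit offset
            imm24 -= 1 << 24
        return "b", addr + 8 + (imm24 << 2)
    if (word & 0xFF7F_F000) == 0xE51F_F000: # LDR PC, [PC, #+/-imm12]
        imm12 = word & 0xFFF
        up = bool(word & (1 << 23))         # U bit: add or subtract the offset
        pool = addr + 8 + (imm12 if up else -imm12)
        (target,) = struct.unpack_from("<I", image, pool - base)
        return "ldr_pc", target
    return "unknown", None


def analyze(image: bytes, base: int = FLASH_BASE):
    """Decode the eight exception vectors and note whether each handler lies in the image."""
    findings = {}
    for i, name in enumerate(VECTOR_NAMES):
        mnem, target = decode_vector(image, base + 4 * i, base)
        in_image = target is not None and base <= target < base + len(image)
        findings[name] = {"insn": mnem, "target": target, "in_image": in_image}
    return findings


def verify(image: bytes, baseline_sha256: str, base: int = FLASH_BASE):
    """Return (ok, reasons): ok only if the hash matches and every vector lands in the image."""
    reasons = []
    if hashlib.sha256(image).hexdigest() != baseline_sha256:
        reasons.append("sha256 differs from baseline")
    for name, f in analyze(image, base).items():
        if not f["in_image"]:
            reasons.append(f"{name} vector: {f['insn']} -> {f['target']!r} outside image")
    return (not reasons), reasons


def build_sample_image(size: int = 0x200) -> bytes:
    """Constructed 'known-good' image: B to the reset handler, LDR-PC vectors via a pool at 0x20."""
    img = bytearray(struct.pack("<I", 0xE1A00000) * (size // 4))   # fill: MOV r0, r0 (NOP)
    struct.pack_into("<I", img, 0x00, 0xEA00003E)                   # reset: B 0x100
    for i in range(1, 8):
        struct.pack_into("<I", img, 4 * i, 0xE59FF018)              # LDR PC, [PC, #0x18]
        struct.pack_into("<I", img, 0x20 + 4 * i, 0x140 + 0x10 * i) # pool entry -> handler
    return bytes(img)


def build_tampered_image() -> bytes:
    """Constructed modified image: the IRQ pool entry now points outside the dump."""
    img = bytearray(build_sample_image())
    struct.pack_into("<I", img, 0x38, 0x4000_0000)
    return bytes(img)


# Golden hash recorded from the known-good dump (here computed from the constructed one).
BASELINE_SHA256 = hashlib.sha256(build_sample_image()).hexdigest()

if __name__ == "__main__":
    for label, img in (("baseline", build_sample_image()), ("tampered", build_tampered_image())):
        ok, reasons = verify(img, BASELINE_SHA256)
        print(f"{label}: {'OK' if ok else 'FLAGGED'} {reasons}")
        for name, f in analyze(img).items():
            print(f"  {name:15} {f['insn']:8} target={f['target']:#010x} in_image={f['in_image']}")
```

The hash alone catches any change to the dump, while the vector decode tells the analyst where to start reading: in the tampered sample the IRQ handler has been redirected to `0x40000000`, an address the dump does not cover, which is exactly the kind of finding that sends you to the disassembler.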
