Cybernetic Entomology: Updatable Firmware in Hard Drives.
Careless design, even when it does not malfunction in its normal operation, can contain subtle bugs that permit it to be forced into abnormal operation by a determined attacker exploiting the bug. These exploits are used by criminals and others to force your software or hardware to do things which you rely on it not doing.
Case Study: Updatable Firmware in Hard Drives. Seagate, Western Digital, Samsung, and other hard drive manufacturers have produced many hard disk drives (in fact virtually all modern hard disk drives) with updatable firmware.
Updatable firmware has one massive problem: It can be updated. And when the firmware on a hard drive is updated, it can be updated with something that subverts the security and integrity of the machines on which it is loaded.
Worse than that, when it is updated, the updates often persist through resets, reboots, and reinstallations, meaning that a machine so subverted, remains subverted, even through normal security recovery procedures.
Here is an example of a hobbyist figuring out first how to update a hard drive firmware, then how to do it remotely, then how to use the capability specifically in order to permit root logins on the remote machine. Note that this exploit persists across reboots and reinstallations.
If a hobbyist has done it, then any criminal organization with a sufficient financial motive can also do it.
From a year or two later, here is the NSA’s ANT catalog, as of the Snowden leaks, confirming that they too had picked up the technique of using hard drive firmware modification to install persistent backdoors on machines remotely. Their version got a fancy codename: IRATEMONK substitutes data from the Master Boot Record, and works on Western Digital, Seagate, Samsung, and Maxtor hard drives, including RAID arrays built from those drives.
There are also a half-dozen codenamed tools to help get the exploit installed – for different operating systems and filesystems.
So, not only has a hobbyist done it, using methodology that any criminal organization could easily be aware of, but a large organization has standard tools to do it. And any large organization contains rogues who will deal with criminal elements. In the case of the NSA, there was also a rogue who will deal with the press, which is how we know about this.
If a device has updatable firmware, and that firmware can be updated by software running on the device, then that firmware can be used to house a security exploit. Therefore it is irresponsible to create a device with updateable firmware that can be updated using software alone. At the very least, a human being who has made a conscious decision to update the firmware should be required to physically hold down a button, or something else that is part of the basic hardware of the device which no software can fake or virtualize.
Updatable firmware which can be updated via software alone must be regarded as a security bug.
At this time I am not aware of any tool out there that can reliably be used to check for compromise or to restore compromised hard drives to a secure state. It could be done: There exists software that can read out the firmware of a device, and that firmware can be compared to the firmware of a known-good (new) device of the same type to detect changes. Tools of the kind we have seen in this article could be used to write the correct firmware image back to recover a compromised device.
But detecting a compromise remains an several-day job for a knowledgeable hardware hacker, and restoring the integrity of a compromised drive a job that would take weeks of painstaking work by a knowledgeable hardware hacker. These capabilities ought to be available in a standard security program for sysadmins, but are not.
Bird’s eye view:
- Does a device which is part of your computer, or which you are about to plug into your computer, have updatable firmware?
- If no, are you sure? Most people don’t think of hard drives as having updatable firmware, but almost all of them do.
- If yes, can the firmware be updated by software alone?
- If yes, be aware that there are programs out there in the hands of hobbyists, criminals, and intelligence agencies that can compromise the security of the device and the system in which the device is installed, on a permanent basis. We have specifically talked about hard drives here but this is true for almost all devices with updatable firmware.
Snails eye view:
- Any hard drive that has been mounted on a machine while the machine has been compromised is suspect. It should never again be used on a machine that serves in a role where you rely on that machine’s security.