
Tom Simonite

A View from Tom Simonite

Not Only the NSA Knows How to Make Unerasable Malware

Hacking tools that burrow inside hard disk drives could also be made by nongovernment hackers.

February 17, 2015

Over the weekend Russian security company Kaspersky described a suite of extremely sophisticated hacking tools that since 2008 have been used to infiltrate government, military, and corporate computers in 30 countries around the world. Reuters reports that it was the work of the U.S. National Security Agency.

Kaspersky’s most striking finding was that the toolkit of what it calls the Equation Group could inject malware into the software embedded inside hard disk drives. Not only is that “firmware” invisible to conventional security software, but malicious code hidden inside it can emerge to take over a computer even after its hard disk has been carefully erased. Costin Raiu, a researcher with Kaspersky, told the New York Times that the technique rendered investigators like him “practically blind.”

That impressive trick sets a new bar for the sophistication in malware caught in the wild. And it has led to speculation that the NSA had assistance from hard drive manufacturers, for example by getting access to details on how their firmware worked.

But despite suggestions it would be “just about impossible” for even the NSA to reverse-engineer hard drive firmware without such help, it appears to be well within its reach—and that of many others, too. In recent years hackers and researchers with budgets far smaller than the NSA’s have reverse-engineered the firmware of hard drives and other devices and demonstrated their own “invisible” malware.

That raises the prospect that multiple national intelligence agencies—and perhaps even groups without government backing—could be using the technique. Few, if any, security researchers are on the lookout for such attacks because they are essentially invisible.

Anyone looking to get started hacking hard drive firmware would be well advised to start with this page on the subject from prolific hacker Jeroen Domburg. In 2013 he gave several talks on his research and showed how it enabled him to remotely take over a server with a hard disk made by Western Digital, a leading manufacturer whose drives were also targeted by Equation Group.

Also in 2013, academic researchers independently went even further and developed several proof-of-concept attacks against a hard disk from a different manufacturer. They showed how a disk’s firmware could be infected remotely, and made a system to communicate over the Internet with the unerasable malware to send commands and copy data such as encryption keys. This line from the academic paper’s summary has gained new plausibility after what we learned over the weekend:

“The difficulty of implementing such an attack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.”

At the Black Hat security conference last summer, two researchers described how they had reverse engineered the firmware of USB sticks to hide code inside that can silently take over a computer.

A year earlier at the same event, another researcher showed off proof-of-concept malware that could hide inside a computer’s BIOS chip, which springs into action to get the operating system ready when you press the power button. That malware could even back itself up inside the firmware of a computer’s other components, such as the network card, so as to restore itself to the BIOS chip if its firmware was for some reason cleaned up (see “A Computer Infection That Can Never Be Cured”).

None of these researchers’ attacks were easy to develop, or even proven in real-world attacks. And the skills needed to create such things aren’t as widespread as those needed to, say, hack a computer using an e-mail attachment. But they surely exist in places beyond the U.S. government.

Kaspersky’s report has likely inspired all kinds of people to think about hacking the firmware of hard disks and other computer components. Hopefully some of them will work to develop fixes and defenses.
