A Look Into Hard Drive Firmware Hacking
Khai Van, November 5, 2015
3rd International Cryptographic Module Conference
Topics
- Background
- How to replace the firmware
- Risks/Hurdles
- Questions
Background
- Malware:
  - Malicious software
  - Used to gain unsolicited access to computers
- Many forms:
  - Trojan horses
  - Viruses
  - Bots
  - Adware
  - Worms
Background
- Overwriting hard drive firmware with a custom one allows unwanted software to execute
- Why care about overwriting firmware?
  - Attackers gain backdoor access to all data
  - One of the Equation Group's malware components creates a virtual file system that hides data the malware has saved off, allowing the data to survive "military grade hard drive wiping"
  - Hard drive encryption can be bypassed
Background (Equation Group)
- Unearthed by Kaspersky Labs
- Named "Equation Group" because of the malware's cryptography
- More than a decade in existence (at least 14 years)
- Many countries affected:
  - India
  - China
  - Russia
  - Egypt
  - Mexico
Background
- Which hard drives are affected?
  - All major brands, e.g. Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi
  - Of the drives researched, it seems the only ones tested are HDDs with physical platters
  - At this time, it seems the PCB layout of SSDs is still being researched
Hack It Up!
- Physical access = All Access Ticket (unless the device is encrypted)
- PSP-2000
Hack It Up! (PCB Layout)
Photo courtesy of HDDZone.com
Hack It Up! (Accessing Cache)
- Jeroen Domburg, creator of SpritesMods.com
- Domburg's demo quick rundown:
  - Accessing data via the JTAG interface
  - Two processors (P1 and P2)
- [Diagram: SATA link to the PC; P1, P2 and Cache Memory on the drive board; Disk Logic]
Hack It Up! (JTAG)
Photo courtesy of Jeroen Domburg (spritesmods.com)
Hack It Up! (Dumping data)
- Using an on-chip debugger (OpenOCD), one is able to dump data and commands from the JTAG interface
- Processors have read/write access to the cache memory
- Data in cache memory can be read/modified
- Can run injected programs in memory
- Flash can be dumped/replaced
- Malicious programs can be written to flash memory to remain persistent
- How is this done without hardware modifications?
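The slide points out that flash can be dumped over JTAG and that a replaced flash image is what makes an implant persistent. The same dump capability is the defender's handle on the problem: a dump taken from a suspect drive can be checked against a known-good image for that model and firmware revision. The following is an added example, not code from the talk, from Domburg or from MalwareTech; it assumes you already hold such a trusted reference image (an assumption, since vendors do not generally publish them), and the two images below are constructed stand-ins rather than real drive firmware.

```python
"""Check a flash dump against a known-good reference image.

Added example, not part of the ICMC talk. Assumes the defender holds a trusted
reference image for the exact drive model and firmware revision; the images
below are constructed stand-ins, not real drive firmware.
"""
import hashlib
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image; cheap first-pass integrity check."""
    return hashlib.sha256(data).hexdigest()


def modified_ranges(reference: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where dump differs from reference.

    A length mismatch is reported as one extra range covering the tail, since
    a truncated or padded dump is itself a finding worth reporting.
    """
    ranges: List[Tuple[int, int]] = []
    common = min(len(reference), len(dump))
    start: Optional[int] = None
    for i in range(common):
        if reference[i] != dump[i]:
            if start is None:
                start = i                   # open a new differing run
        elif start is not None:
            ranges.append((start, i))       # close the run at the first equal byte
            start = None
    if start is not None:
        ranges.append((start, common))      # run extends to the end of the common part
    if len(reference) != len(dump):
        ranges.append((common, max(len(reference), len(dump))))
    return ranges


def verify_dump(reference: bytes, dump: bytes) -> Tuple[bool, List[Tuple[int, int]]]:
    """(is_clean, ranges): hash comparison first, byte-level diff only on mismatch."""
    if sha256_hex(reference) == sha256_hex(dump):
        return True, []
    return False, modified_ranges(reference, dump)


def describe(ranges: List[Tuple[int, int]]) -> List[str]:
    """Human-readable lines suitable for a report or a SIEM event."""
    return [f"modified 0x{s:06x}-0x{e:06x} ({e - s} bytes)" for s, e in ranges]


# Constructed sample data (not real firmware): a 4 KiB pseudo-image and a dump
# carrying a 16-byte patch at 0x800 plus a single flipped bit near the end.
REFERENCE_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(4096))
_patched = bytearray(REFERENCE_IMAGE)
_patched[0x800:0x810] = b"\x90" * 16
_patched[0xFFE] ^= 0x01
DUMPED_IMAGE = bytes(_patched)

if __name__ == "__main__":
    clean, ranges = verify_dump(REFERENCE_IMAGE, DUMPED_IMAGE)
    print("clean" if clean else "MODIFIED")
    for line in describe(ranges):
        print(" ", line)
```

The hash check is the fast path for the common case; the byte-level diff only runs when the hashes disagree, and reports where the image was touched so an analyst can disassemble just those regions rather than the whole flash. Because the functions return values instead of only printing, the check drops into an acquisition script that runs after each dump.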
Hack It Up! (VSCs)
- Firmware updates
- VSC: Vendor Specific Commands
  - Each manufacturer (Samsung, Maxtor, Hitachi, etc.) has a set of commands used to communicate with the hard drive controller
  - These are proprietary, closed-source
- Question: Given enough time and resources, can these commands be recovered by reviewing disassembled flash images obtained via the JTAG interface?
Hack It Up!
- The MalwareTech blog states that the following allows a hacker to infect the hard drive's firmware:
  - Create a portable SPI (Serial Peripheral Interface) programmer that can flash the firmware by being pressed against the test points on the bottom of the hard drive (would only take about 5 seconds)
  - Sending firmware update commands over the SATA interface from the host computer (requires root/admin)
Hack It Up!
- Using a portable SPI programmer requires physical access
- Firmware updates are more practical
  - "Updates" sent out to numerous hard drives
  - Can be done remotely
- Hurdles of firmware updates?
  - VSCs need to be used
  - Each hard drive model is different
Consumer Risks?
- Undetectable by traditional antivirus software
- Hack is persistent
- Not a big threat (yet)
  - Each firmware replacement is vendor specific
  - High cost of infection on each hard drive
  - Reverse engineering VSCs requires a lot of time and effort
  - Complex
  - Specific hard drives targeted
  - Kaspersky hints toward disjoint systems (or systems connected to a closed network)
References
- Jeroen Domburg's OHM2013 presentation on hard drive hacking: http://spritesmods.com/?art=hddhack
- MalwareTech blog: http://www.malwaretech.com/2015/04/hard-disk-firmware-hacking-part-1.html
- Equation Group (Ars Technica): http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
- More Equation Group (Securelist): https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
- Equation Group questions and answers (Kaspersky): https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
- Kaspersky press release: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage
- Reuters: http://www.reuters.com/article/2015/02/17/us-usa-cyberspying-idUSKBN0LK1QV20150217
Questions? Comments?
Contacts: Khai Van
www.gossamersec.com | www.facebook.com/gossamersec | @gossamersec