Board Speculation
Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion
by
bitserve
on 28/02/2020, 03:23:27 UTC
Indeed, I’ve shipped devices that provided canned boot sector data before - not as an exploit, but because the operating environment needed such in order to function. Of course, that was a ‘from the factory’ thing, not a field exploit.

Yeah, that's exactly what THEY wanted you to believe :P

Just kidding. Or maybe not... Was that "canned boot" somehow easily replaceable with a different one afterwards? I.e.: the canned boot residing in another area of the HD which could be updated, or using a custom tool? Or just reusing all the developed firmware, replacing the "canned boot" and generating the payloaded firmware?

Well, the canonical example would be to package a disk with a 'paddle card' protocol converter which sits between the drive and the system's SCSI | ATA | Fibre Channel | 1553 | Ethernet | InfiniBand | whatever bus. The canned boot sector would be resident in the FW of the paddle card. Used for things such as allowing contemporary HDDs to be used as boot devices on legacy systems built before the dawn of large HDDs.

Yeah, well, THAT doesn't look like it would be so easily repurposed for malicious intent. But anyway, the point stands: not only is it theoretically possible, but psycodad has also provided some links that would suggest it being exploited in the wild... even if rare and requiring the exceptional talents and resources of the Equation Group (the malwaretech PoC was not even close).

Also note that the malwaretech blog required one to solder or otherwise affix a JTAG interface to the drive's PCB. And that it described -- in 2015 -- hacking 'an old drive' - which would precede the era of signature-protected FW. Though admittedly, the JTAG exploit could sidestep the FW signature difficulty.

From psychodad's quoted article on the NSA:

Quote
The attack works because firmware was never designed with security in mind. Hard disk makers don't cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware.

^^^Obsolete info. Again, (most? all?) contemporary drives do indeed implement FW signature schemes preventing installation of unauthorized FW.

Then again, if my past employers had some backdoor agreement with the NSA, I'd likely not know about it.

Yeah, that's why I say "would suggest it being exploited in the wild"... The NSA/EG article has a lot of inconsistencies and no evidence either. However spritesmod did indeed work out a proper PoC (https://spritesmods.com/?art=hddhack), probably outdated though, as the article is from 2013 and the research prior to that.

Anyway, still theoretically possible... and practically possible for state-level or equivalent attacker. If there weren't plenty of other easier attack vectors that is.
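The thread's defensive point is that contemporary drives verify a firmware signature before accepting an update. The sketch below is an added illustration (not code from any drive vendor or from the posters) of what that bootloader-side check looks like: a constructed image layout (magic, version, payload, Ed25519 signature), verification of the signature over the whole image, and refusal to roll back to an older version. Image format, key handling and version policy are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (hypothetical): magic[4] | version uint32 BE | payload | sig[64].
// The signature covers everything before it, so version and payload are both protected.
var magic = []byte("HDFW")

const sigLen = ed25519.SignatureSize

// buildImage is the factory side: sign version + payload with the vendor's private key.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], version)
	body := append(append(append([]byte{}, magic...), ver[:]...), payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// verifyImage is the drive side: reject malformed, unsigned/tampered, or older images.
// Returns the image version on success.
func verifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, error) {
	if len(img) < len(magic)+4+sigLen || !bytes.Equal(img[:len(magic)], magic) {
		return 0, errors.New("malformed image")
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, errors.New("signature mismatch: unauthorized firmware")
	}
	version := binary.BigEndian.Uint32(body[len(magic):])
	if version < installed {
		return 0, fmt.Errorf("rollback refused: v%d < installed v%d", version, installed)
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := buildImage(priv, 2, []byte("constructed controller code"))
	fmt.Println(verifyImage(pub, 1, good)) // accepted, version 2
	tampered := append([]byte{}, good...)
	tampered[len(magic)+4] ^= 0xff // flip one payload byte
	fmt.Println(verifyImage(pub, 1, tampered)) // signature mismatch
	fmt.Println(verifyImage(pub, 3, good)) // rollback refused
}
```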