by wongarsu 4146 days ago
Detecting an infected hard drive in software would be the usual malware arms race: you find some characteristic of it, they improve the firmware.

But if we start to systematically check for it, it should be easy to discover via hardware debugging. Find the JTAG interface on the hard disk controller (or whatever debugging interface the specific processor uses), dump the firmware and compare it to firmware dumps from other hard drives of the same model. I don't see how they could fool that process (given that you have a clean machine to read out the firmware).

Of course to be thorough you would have to check pretty much the firmware of every component of the computer.
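A worked version of the comparison step described above (added example, not code from the thread): given raw firmware dumps from several drives of the same model, take the image that the majority of drives agree on as the reference and report the byte ranges where any dump diverges from it. The sample images and drive names are constructed; "consensus" here only means "agrees with the majority of the dumps you collected", which is exactly the weak point raised in the replies.

```python
import hashlib
from collections import Counter


def firmware_digest(image: bytes) -> str:
    """SHA-256 of a raw firmware image, used to group identical dumps."""
    return hashlib.sha256(image).hexdigest()


def diff_regions(reference: bytes, image: bytes, merge_gap: int = 16):
    """Byte ranges (start, end) where image differs from reference.

    Differences closer than merge_gap bytes are merged into one region so a
    patched routine shows up as a single range rather than many single bytes.
    A length mismatch counts as a difference over the extra bytes.
    """
    regions = []
    for i in range(max(len(reference), len(image))):
        same = i < len(reference) and i < len(image) and reference[i] == image[i]
        if same:
            continue
        if regions and i - regions[-1][1] <= merge_gap:
            regions[-1][1] = i + 1
        else:
            regions.append([i, i + 1])
    return [tuple(r) for r in regions]


def compare_dumps(dumps: dict):
    """Pick the majority image as reference and diff every outlier against it.

    Returns consensus=None when no image is shared by more than half of the
    dumps, since then there is nothing to call a reference.
    """
    digests = {name: firmware_digest(img) for name, img in dumps.items()}
    top_digest, top_count = Counter(digests.values()).most_common(1)[0]
    if top_count * 2 <= len(dumps):
        return {"consensus": None, "outliers": {}, "digests": digests}
    reference = next(img for n, img in dumps.items() if digests[n] == top_digest)
    outliers = {n: diff_regions(reference, img)
                for n, img in dumps.items() if digests[n] != top_digest}
    return {"consensus": top_digest, "outliers": outliers, "digests": digests}


# Constructed stand-ins for 1 KiB firmware dumps from three drives of one model.
CLEAN = bytes(range(256)) * 4
_patched = bytearray(CLEAN)
_patched[0x200:0x210] = b"\xAA" * 16   # constructed: a 16-byte modified region
_patched[0x3F0] ^= 0x01                 # constructed: a single flipped bit
PATCHED = bytes(_patched)
SAMPLE_DUMPS = {"drive_A": CLEAN, "drive_B": CLEAN, "drive_C": PATCHED}
```

Run `compare_dumps(SAMPLE_DUMPS)` to see drive_C flagged with the two divergent ranges; with only two dumps that disagree, the function refuses to name a reference.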


> dump the firmware and compare it to firmware dumps from other hard drives of the same model

And then ponder the unstated assumption that said other hard drives may or may not have been exploited already. Dealing with a state level actor is hard, in the "trusting trust" sense.

Well, update your threat model appropriately. What are the realities if they've somehow hit every single hard disk in the US? What is the likelihood this level of subterfuge can be maintained? How many people are involved?

Just because you can imagine it doesn't suddenly make it practical, and it certainly doesn't mean they're going to burn that capability outing some guy's porn habits either.

> What are the realities if they've somehow hit every single hard disk in the US?

Who knows. The problem is you're not so concerned with "every single" hard drive in the US, but you may well be concerned with the other one you wish to use as a benchmark.

When you're dealing with things like hardware being compromised on the way from the plant to the store, or (as mentioned) a burned CD being compromised in the mail, and other things that really only governments can do, it changes the whole nature of the threat model.

You don't have to actively infect every HDD in the US through the front door.

- Target the build machine used by the dev team to make the firmware

- Target the manufacturing plant and alter it before loading

- etc

Next step is hiding malware using silicon backdoors (fake boundary chain), or seeding infected firmware at the source (manufacturer).