Teenager Mimics NSA Malware On Zero Budget

In February, I wrote about some malware that lives inside the firmware of a disk drive.  As a result of where it lives, no anti-malware software can detect it. (Curious note:  The firmware of a disk drive can be written to in order to update it, but there is no command to read it back.  You have to un-solder the chips and put them in a chip reader to read it).  Well, a teenager has decided to mimic this and did it with basically no budget.  If he can do that, so can any well funded hacker, not to mention a nation state.

The original post is here;  the teenager’s web site is here.

On his web site, the 20 year old from the UK calls this a Super-Persistent  Boot Kit or SBK.  If you think about it, it really is not that hard.  The kid, who is obviously quite bright, has created a Powerpoint on his web site.  The Powerpoint talks about his methodology and is actually quite lucid, even readable without having to be a total nerd.

What he did required that he had physical access to the drive, but the hard part – figuring out how to modify the firmware is done.  Now all he needs is a delivery vehicle, perhaps a phishing email.

For him, secure boot is a problem because the boot process checks the integrity of the master boot record on boot, which his malware changes.  I am sure that, with a little time and money, you can bypass that too (assuming the NSA has not already done that – remember the Snowden revelations are from several years ago).

When disk drive controllers were first designed 20 years ago or more, no one thought about security.  We have never had a revolution in that arena.  For example, do you really need a programmable chip on the disk drive controller that can be software writable after it leaves the factory.  The disk drive makers want to do that so that if they boo-boo, they can issue a patch to drives in the field.  If they can do it, so can a hacker.

There is no simple solution;  it will take a lot of small, incremental. “out of the box” thinking to make headway.  But we have to start taking those baby steps.

But first, we need people to stop using 123456 as their password.  Sigh!

Leave a Reply

Your email address will not be published. Required fields are marked *