Hardware hacking is a reality now, much more so than it has been in the past. Certainly it used to be more theory than reality that someone could intercept a shipment of a piece of hardware and then proceed to inject their own special version of firmware onto it without the knowledge of anyone else. It almost seems like something out of a spy movie. But in fact, it’s actually very real.
Sophisticated hackers can actually replace hard drive firmware.
Kaspersky Labs has revealed a very sophisticated cyber attack group, the Equation Group, that was actually able to intercept hard drives and other pieces of hardware while they were in transit so that they could inject custom firmware that may have included hard-coded back doors. But more than that, the Equation Group apparently also had a piece of malware that was able to rewrite the firmware on the fly, and was able to do so on all the major brands and manufacturers. Dan Goodin from Ars Technica called this “a never-before-seen engineering marvel,” in that it also provided a sophisticated back door for the rest of their malware payloads.
It’s very persistent in that the firmware of hardware generally isn’t scanned by any sort of commercially available anti-malware software. Also, according to Kaspersky, rewriting legitimate firmware over it doesn’t seem to work either. It’s also quite the marvel because rewriting the firmware to include their new malicious code, while keeping at least the same functionality and not affecting the user experience, is a rather difficult thing to accomplish. Usually rewriting firmware breaks functionality while it’s in progress. A front end or pop-up of some kind must have been used to add some type of legitimacy to the process.
Hardware hacking such as this obviously is a very advantageous method of attack. And to do it near effortlessly, as the Equation Group has, adds to the complexity and danger of it. Infected CDs that were also intercepted while in transit were an attack vector to help install the less sophisticated, but still dangerous, portions so that the rest could come later. Unfortunately not much is truly understood about the infection vectors, even the distribution of CDs. Dan Goodin writes that:
“Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows sent six or seven years earlier, except that it installed an early Equation Group malware program known as EquationLaser.”
Hacking of HDD firmware isn’t necessarily new or that difficult. But it usually doesn’t involve an automatic rewrite either. Demonstrations were made at a Las Vegas security conference where some researchers were able to reverse engineer the firmware and write in a simple script that stole login credentials of specified sites once the HDD cache recognized them. But this was with physical access to the hard drive.
A much more common and far less difficult to implement way of hardware hacking is that of pharming. This involves exploiting some kind of web vulnerability, usually Flash or Java based, and taking advantage of common login credentials for routers in order to change the DNS servers used by the router.
The exploit uses SSH to log into routers, which quite a few now support, to change those settings. Sometimes they inject certificates that can attest to the safety of non-safe sites, similar to the Lenovo SuperFish fiasco.
While the Equation Group is no longer quite the threat it once was, and you shouldn’t necessarily go around changing your hard drives for the sake of security, you should be mindful that such things are indeed real, if a bit improbable to affect the masses at large. It is, though, only a matter of time before others copy the ingredients of the Equation Group’s workings and create similar firmware flashing techniques. Imagine if your video card were flashed with infected firmware. Welcome to the future I suppose.
But what you should do, and should have been doing since the beginning of Internet time, is change your passwords. Please change that router password from the default and even consider changing the admin account name, if it’s supported. That can go a long way toward keeping people from taking control of it. It seems it’s the weakest link in most people’s networks precisely because most seem to not think about changing those passwords!