The NSA's Undetectable Hard Drive Hack Was First Demonstrated a Year Ago

A paper published last year proved the NSA's newly discovered exploit can be done by any skilled hacker.

​ News broke earlier this week about the NSA's "most sophisticated" malware yet: An undetectable backdoor that can filter information to and from a hard drive, using the underlying framework of the drive itself. It surprised a lot of people, sure, but maybe it shouldn't have. A group of ordinary security researchers warned this was possible, and in fact installed hard drive backdoors themselves, nearly a year ago.

The paper " Implementation and Implications of a Stealth Hard-Drive Backdoor," published in March 2014 by a team of eight researchers from Eurecom in France, IBM Research in Zurich, and UCSD and Northeastern University in the US, reads almost exactly like security firm Kaspersky's expose on the NSA malware. The full paper is absolutely worth your read if you've been fascinated by Kaspersky's revelations.

The malware, developed by Travis Goodspeed and his colleagues (Goodspeed has spoken the most publicly about the exploit), can be installed remotely by people who have no physical access to it. In fact, the paper asserts that such an attack "is not limited to the area of government cyber warfare; rather, it is well within the reach of moderately funded criminals, botnet herders, and academic researchers."

To install it remotely, a hacker would need to infect the operating system of the user's computer with run-of-the-mill malware, alter the hard drive's firmware, and then delete the original, operating system-side virus. From then on, the hacker would have complete access to everything on the person's hard disk, the exploit would be almost completely undetectable, and it would persist until the hard drive was physically destroyed.

The exploit could also be installed by someone who had physical access to the drive.

"Once you have firmware control of a disk, you can also have it commit suicide or overwrite itself," he explained at the 0x07 Sec-T Conference last year. "You can also have it act as a backdoor."

That, apparently, is what the NSA was doing with its exploit. Though we just discovered the NSA was actually doing this, it seems likely that the program was going on for a while, perhaps a decade or more.

The team explains in its paper that a "catastrophic loss of security occurs when hard disks are not trustworthy." Information can be funneled remotely from the disk and new information can be written to the disk, using remote commands sent to the exploit. An infected hard drive loses less than 1 percent of its read and write speed, so it's essentially undetectable from a performance perspective.

A diagram showing how files can be written to an exploited drive.

Creating this exploit didn't require proprietary information. Rather, the team used publicly available information about the hard drive and reverse engineered a set of hard drives—breaking about 15 of them in the process, Goodspeed said. Over the last year, other researchers have compromised other brands of hard drives, and the team notes that, though every model of hard drive is slightly different, just two major manufacturers—Seagate and Western Digital—make up 90 percent of all hard drive sales.

That the research team was able to do this without cooperation from the manufacturers, using off-the-shelf hardware, pokes holes in the idea that the NSA did anything overly special or required the hard drive manufacturers to be complicit in creating the backdoor.

A jury-rigged hard drive the team set up after it was sick of breaking them.

So, how can you protect yourself? Well, there's honestly not a whole lot you can do, other than make sure you don't have any sort of malware on your operating system whatsoever. There are a whole host of viruses and exploits that can be used to install the firmware exploit in "a matter of seconds," Goodspeed said.

The best you can do is encrypt your data "at rest" on your hard drive—as in, encrypt everything that's on your hard drive. And hardware-based encryption, the most popular way to protect files, isn't even safe. The hacked firmware can be programmed to grab data before it's encrypted.

"The hard disk will encrypt and decrypt data for the backdoor," the team wrote.

So, you can use slower, software-based encryption, or, you could just smash all of your hard drives to hell and go live in a cabin in the woods.