
I have read at least twenty articles dating from the time of Edward Snowden's startling revelations about rogue nations and bad actors embedding malicious rootkits and spyware in the firmware of hard disk drives and solid state drives. What they did not mention is how to remove them.

There are some articles on the internet that mention the use of ATA Secure Erase/Enhanced Secure Erase feature in Linux's hdparm for the job.

I would appreciate it if you could point out if my understanding of the following issues is correct:

  1. Disabling Host Protected Area (HPA) and resetting Device Configuration Overlay (DCO) to factory defaults will remove any existing malware/spyware embedded in the firmware of an HDD/SSD

  2. HDD/SSD will not be bricked (that is, rendered unusable) if HPA is disabled and DCO is reset

1 Answer

No, the HPA and the DCO simply limit the apparent drive size. The DCO could be used to standardize drive size in a company-wide deployment where the drives are sourced from multiple vendors. An HPA is accessible by software which is "HPA aware". Neither of these is where firmware malware would exist.

The firmware is a completely different storage, a different chip entirely from the main block storage that you see on a normal hard disk or SSD. The firmware is able to be read, and flashed (not edited, but completely overwritten), using a special utility completely unique to the specific manufacturer and chipset (vendor and version).

The firmware of an SSD (and USBs for that matter) acts as its own computer, with a processor, memory, and storage for the firmware. The firmware handles wear leveling, reading, and storing data. A malicious firmware could simply lie and say it was overwritten and you would be none the wiser. A more complicated firmware would also need to dump a fake 'untampered' firmware if it was read using the special utility.

In summary, no. You're not correct; there's no 100% way to prove a device's firmware isn't compromised without taking the chip off the device and forensically dumping the firmware directly from the chip.

Daisetsu
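An added check, not from the answer or the question, for the HPA point above: it parses the output of `hdparm -N` (the Linux tool the question mentions) to report how many sectors an HPA currently hides, using constructed sample outputs so it can be exercised without a real drive. The `max sectors = current/native` output format and 512-byte sectors are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): interpret `hdparm -N` output to
# tell whether an HPA is hiding sectors, and how many. Parsers take the text
# as an argument so they can run on constructed samples; run_check() queries a
# real device with hdparm (needs root).

# Print "<current>/<native>" from hdparm -N output, or nothing if not found.
hdparm_n_limits() {
    printf '%s\n' "$1" |
        sed -n 's/.*max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1\/\2/p'
}

# Print the number of sectors hidden by the HPA (native max - current max).
hpa_hidden_sectors() {
    limits=$(hdparm_n_limits "$1")
    [ -n "$limits" ] || { echo "could not parse hdparm -N output" >&2; return 1; }
    cur=${limits%/*}
    nat=${limits#*/}
    echo $((nat - cur))
}

# Human-readable verdict; size assumes 512-byte sectors (an assumption).
hpa_report() {
    hidden=$(hpa_hidden_sectors "$1") || return 1
    if [ "$hidden" -eq 0 ]; then
        echo "no HPA: reported size equals native capacity"
    else
        echo "HPA hides $hidden sectors (~$((hidden * 512 / 1048576)) MiB)"
    fi
}

# Query a real device, e.g. run_check /dev/sda (hypothetical device name).
run_check() {
    out=$(hdparm -N "$1" 2>&1) || { echo "hdparm failed: $out" >&2; return 1; }
    hpa_report "$out"
}

# Constructed sample outputs in the assumed hdparm -N format.
SAMPLE_NO_HPA='/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled'
SAMPLE_HPA='/dev/sdb:
 max sectors   = 976773168/1953525168, HPA is enabled'
```

Note that this only shows whether the drive's reported capacity is being clipped; as the answer says, it tells you nothing about the firmware chip itself.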
  • Thanks for your detailed explanation. You mentioned that an SSD's and USB's firmware acts like its own computer. What about the firmware of an HDD? – ssdhddinfected Oct 29 '18 at 06:07
  • You wrote: "there's no 100% way to prove a device's firmware isn't compromised, without taking the chip off the device and forensically dumping the firmware directly from the chip." Where can I find photos/images of the chip of an SSD or USB flash drive that contains the firmware? I am curious to see what it looks like. – ssdhddinfected Oct 29 '18 at 06:09
  • Each device's hardware (and thus the firmware) will differ depending on the manufacturer. Hard drives (the spinning kind) are simpler; they just store and read blocks. I'm not as familiar with older hard disks, but I think they have firmware too. I figure they must if they have any sort of cache (where data gets written before it finally hits the disk). – Daisetsu Oct 29 '18 at 07:15
  • Can the firmware of an SSD be infected by malware/malicious rootkits via the internet? I am asking this because, based on Snowden's revelations, bad actors "interdict" shipments of routers, HDDs, SSDs, servers, etc., install malicious rootkits in the firmware and then send the infected hardware to their intended targets. – ssdhddinfected Oct 29 '18 at 08:17
  • This should really be a new question. The simple answer is anything is possible: if your hardware can have its firmware updated, then technically it would be possible for a hacker who has compromised your system to maliciously update the firmware as well. – CaffeineAddiction Oct 29 '18 at 09:18
  • @CaffeineAddiction Thanks for letting me know that I should have made a new post with a different question. I shall do it now. – ssdhddinfected Oct 29 '18 at 09:34