Hard Drive Hacking – Hardware Backdoor even if Drive Wiped!

Hard Drive Hack

With all eyes on the Vegas security conferences, some amazing news comes out of OHM2013, a security conference in The Netherlands. At the show a security researcher demonstrated how a hacker could reprogram the firmware on a hard drive to maintain a backdoor, and apparently the attack still works even if the hard drive is erased and reformatted!

The attack lets the hacker reach and rewrite the firmware stored in the drive's flash chip and program it to protect his access.

Firmware is code stored on a special flashable chip on the drive. This built-in code tells the drive how to work: how to read and write data. It is flashable (can be reprogrammed) so the manufacturer can release firmware updates, but most people never reflash or update their hard drive firmware.

At the conference the presenter demonstrated how the attack works. He ran his program to modify the firmware on a drive, then played out the scenario where his access is detected and the administrator password is reset.

The firmware was programmed to watch for a special trigger, a special website address perhaps. Once that trigger passes through the hard drive's cache, the next time the password file is accessed the drive changes the password back to what the hacker had set it to.

And it worked!

So basically, if the hard drive firmware is compromised by a hacker, they can change it to give themselves access to the compromised system again, even if the entire drive is erased and reformatted. Erasing and formatting only rewrite the data on the platters; the firmware chip that controls the drive is never touched.

Crazy stuff.
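To make the trick concrete, here is a toy model of such a firmware hook, written for this post in C. It is not the code shown at OHM2013 or published on Spritesmods.com, and it is not any real drive's firmware: the "drive" is an array in memory, and the trigger string, the replacement hash, the sector numbers and the sample shadow and web log data are all made up. What it shows is the shape of the attack: the write path scans every sector that lands on the platters for the trigger, the read path then swaps the root password hash in whatever it hands back to the host, and a host-side erase wipes the platters without reaching the state the firmware keeps for itself.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define NUM_SECTORS 16

/* The platters: everything a host-side erase, format or overwrite can reach. */
static unsigned char platters[NUM_SECTORS][SECTOR_SIZE];

/* State kept by the (hypothetical) hostile firmware. It never lives on the
 * platters, so nothing the host does to the data can touch it. Both strings
 * are made-up values for this model. */
static const char TRIGGER[]       = "/GET-LOST-7f3a9c";                /* assumed */
static const char ATTACKER_HASH[] = "$6$backdoor$0000000000000000000"; /* assumed */
static bool armed = false;

/* If the sector holds a "root:<hash>:..." line, replace <hash> with
 * ATTACKER_HASH. Sectors are treated as text ending at the first NUL (this
 * model only ever writes text). Returns true when a substitution was made. */
static bool patch_root_hash(unsigned char *sector) {
    const unsigned char *nul = memchr(sector, 0, SECTOR_SIZE);
    size_t content_len = nul ? (size_t)(nul - sector) : SECTOR_SIZE;
    const unsigned char *line = NULL;
    for (size_t i = 0; i + 5 <= content_len; i++)
        if ((i == 0 || sector[i - 1] == '\n') && memcmp(sector + i, "root:", 5) == 0) {
            line = sector + i;
            break;
        }
    if (!line) return false;
    const unsigned char *hash_start = line + 5;
    const unsigned char *hash_end = memchr(hash_start, ':', content_len - (size_t)(hash_start - sector));
    if (!hash_end) return false;
    size_t before  = (size_t)(hash_start - sector);             /* up to and including "root:" */
    size_t after   = content_len - (size_t)(hash_end - sector); /* from the second ':' onward */
    size_t new_len = strlen(ATTACKER_HASH);
    if (before + new_len + after > SECTOR_SIZE) return false;   /* no room: leave it alone */
    unsigned char tmp[SECTOR_SIZE] = {0};
    memcpy(tmp, sector, before);
    memcpy(tmp + before, ATTACKER_HASH, new_len);
    memcpy(tmp + before + new_len, hash_end, after);
    memcpy(sector, tmp, SECTOR_SIZE);
    return true;
}

/* Host writes a sector. The firmware stores it and, on the side, scans the
 * data for the trigger. Returns 0, or -1 for an out-of-range LBA. */
int fw_write(int lba, const char *text) {
    if (lba < 0 || lba >= NUM_SECTORS) return -1;
    memset(platters[lba], 0, SECTOR_SIZE);
    strncpy((char *)platters[lba], text, SECTOR_SIZE - 1); /* always NUL-terminated */
    if (strstr((const char *)platters[lba], TRIGGER) != NULL)
        armed = true;
    return 0;
}

/* Host reads a sector. Once armed, the firmware rewrites the root hash in the
 * data it hands back; the platters keep the real hash. out receives the
 * sector as a NUL-terminated string. Returns 1 if patched, 0 if not, -1 on
 * a bad argument. */
int fw_read(int lba, char *out, size_t out_len) {
    if (lba < 0 || lba >= NUM_SECTORS || out_len == 0) return -1;
    unsigned char buf[SECTOR_SIZE];
    memcpy(buf, platters[lba], SECTOR_SIZE);
    bool patched = armed && patch_root_hash(buf);
    size_t n = out_len - 1 < SECTOR_SIZE ? out_len - 1 : SECTOR_SIZE;
    memcpy(out, buf, n);
    out[n] = '\0';
    return patched ? 1 : 0;
}

/* All that dd, a reformat or a reinstall can do: overwrite the platters. */
void host_erase(void) { memset(platters, 0, sizeof platters); }

bool fw_is_armed(void) { return armed; }

/* Re-flashing known-good firmware, in the optimistic case where the hostile
 * firmware neither resists nor fakes the update: the hook is simply gone. */
void fw_reflash_clean(void) { armed = false; }

int main(void) {
    char buf[SECTOR_SIZE + 1];
    /* Constructed sample data: a shadow file in sector 2, a web server log in sector 9. */
    fw_write(2, "root:$6$real$QnPq3c4Q:19500:0:99999:7:::\nbob:$6$real$xyz:19500:0:99999:7:::\n");
    fw_read(2, buf, sizeof buf);
    printf("before trigger (armed=%d):\n%s\n", fw_is_armed(), buf);
    fw_write(9, "10.0.0.5 - - [01/Aug/2013] \"GET /GET-LOST-7f3a9c HTTP/1.1\" 404\n");
    fw_read(2, buf, sizeof buf);
    printf("after trigger (armed=%d):\n%s\n", fw_is_armed(), buf);
    host_erase();
    fw_write(2, "root:$6$fresh$install:19501:0:99999:7:::\n");
    fw_read(2, buf, sizeof buf);
    printf("after host erase and reinstall (armed=%d):\n%s\n", fw_is_armed(), buf);
    return 0;
}
```

Running it prints the shadow sector three times: untouched before the trigger, with the root hash swapped after the web log containing the trigger hits the platters, and swapped again after a full erase and a fresh shadow file, because the only thing that changed the firmware's mind in this model is fw_reflash_clean(). Note the choice to patch the data on the way out rather than on the platters: a forensic image pulled through the same firmware would show whatever the firmware wants it to show, which is exactly why a drive like this cannot be trusted to report on itself.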

For more information, including a step by step explanation and proof of concept code, check out Spritesmods.com.

The Jester’s Site back Online – Questions Remain

The Jester Webpage

The Jester’s site is back! After being redirected to a DHS “Domain Seized” webpage for a couple of days, The Jester’s site is now unceremoniously back.

All well and good, but here is the kicker. From what I have seen, ICE has denied seizing it and, well, it is back online already. So it probably wasn’t the Feds.

Rumors abound. Some say that, judging from his tweets, he seemed to be at the Vegas security conferences (Black Hat and Defcon) and maybe wanted some additional press, so he did it himself. Others say he was hacked and the DNS record changed, and his internet provider restored the original DNS record. And some say that aliens did it.

Whatever the case, it’s back online now and so far the Jester has been completely silent on the whole issue.