What's in my hard drive?

jd1008 jd1008 at gmail.com
Tue Feb 17 22:28:39 UTC 2015


On 02/17/2015 02:39 PM, Chris Murphy wrote:
> On Tue, Feb 17, 2015 at 2:31 PM, Chris Murphy <lists at colorremedies.com> wrote:
>> Or could the firmware at power on not
>> actually supply the firmware with LBA0 contents to execute but some
>> arbitrary code (possibly even stored on hidden sectors on the drive)
>> that acts as a persistent bootkit?
> Oops. Rewrite: Could the [drive] firmware....supply the [computer]
> firmware...arbitrary boot code.
>
> That'd be evolutionary not revolutionary, in that it's still a
> bootkit. The evolution is making it persistent, i.e. issuing ATA
> Secure Erase to the drive would not wipe out the bootkit as expected.
> However, that'd be rather easy to test for after the Secure Erase...
> "read() LBA 0" and the hard drives returns some cute pile of code
> instead of zeros.
>
> For UEFI Secure Boot systems this would first seem to require a
> previously successful attack on the computer firmware... OR less
> likely the arbitrary code supplied by the drive is properly signed.
>
Well, the malware could be a chip on the controller board,
or could be part of the board's firmware, which would make
it not available to user access.
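The post-Secure-Erase check described above ("read() LBA 0" and expect zeros) as a small added example, not code from anyone in this thread: it reads the first logical sector from a block device or image file, reports whether it is all zeros, and flags the 0x55AA boot-sector signature. The 512-byte sector size and the `/dev/sdX` usage are assumptions (4Kn drives use 4096); the sample images are constructed here so the script runs offline.

```python
"""
Check whether LBA 0 reads back as zeros after an ATA Secure Erase.

Added example for the thread above; not part of the original mail.
Usage on a real drive (assumption, needs root):  python3 lba0_check.py /dev/sdX
With no argument it builds two constructed sample images and inspects both.
"""
import hashlib
import os
import sys
import tempfile

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors; 4Kn drives use 4096


def read_lba0(path, sector_size=SECTOR_SIZE):
    """Read the first logical sector from a block device or an image file."""
    with open(path, "rb") as f:
        data = f.read(sector_size)
    if len(data) != sector_size:
        raise IOError("short read: %d of %d bytes" % (len(data), sector_size))
    return data


def inspect_lba0(data):
    """Describe what came back from LBA 0: wiped, or something that looks like code."""
    nonzero = sum(1 for b in data if b)
    return {
        "all_zero": nonzero == 0,
        "nonzero_bytes": nonzero,
        # 0x55AA at offset 510 is the classic MBR/boot-sector signature
        "mbr_signature": len(data) >= 512 and data[510:512] == b"\x55\xaa",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lba0_is_wiped(path, sector_size=SECTOR_SIZE):
    """True when the first sector is entirely zero, as expected after Secure Erase."""
    return inspect_lba0(read_lba0(path, sector_size))["all_zero"]


def make_sample_images():
    """Constructed test data: one zeroed image and one carrying a fake boot sector."""
    d = tempfile.mkdtemp(prefix="lba0_")
    wiped = os.path.join(d, "wiped.img")
    with open(wiped, "wb") as f:
        f.write(b"\x00" * SECTOR_SIZE)
    suspect = os.path.join(d, "suspect.img")
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"      # typical x86 boot-sector jump prologue
    sector[510:512] = b"\x55\xaa"      # boot signature
    with open(suspect, "wb") as f:
        f.write(sector)
    return wiped, suspect


if __name__ == "__main__":
    targets = sys.argv[1:] or list(make_sample_images())
    for path in targets:
        report = inspect_lba0(read_lba0(path))
        verdict = "wiped" if report["all_zero"] else "NOT wiped - inspect this drive"
        print("%s: %s %s" % (path, verdict, report))
```

The result is only as trustworthy as the drive's read path: the script asks the same firmware the thread is worried about, so a clean "wiped" verdict from this check is necessary but not sufficient evidence, and comparing the read from a different host or a known-good controller strengthens it.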


