This was a great read. One of the things we've done in the past is to modify the firmware of the drive to be able to give errors on command. The purpose was for testing RAID systems in real-life scenarios. One can include a 'unit test' drive in a RAID array which will run through a series of known bad disk behaviours. From the simple, like returning a read failure, to the more complex, like returning the wrong block or returning a block that has been silently corrupted (both things NetApp observed in the wild on 'real' drives), and my personal favourite, acknowledging a write but not actually writing the data (nearly killed the Cisco relationship they had at the time).
If you liked this, then you might like Travis Goodspeed's really cool talk about "Writing a Thumbdrive from Scratch" (for antiforensics) [1] at the 29th Chaos Communication Congress [29c3].

[1] http://www.youtube.com/watch?v=D8Im0_KUEf8
The thing that interests me, though, is the idea of modifying your hard drive firmware for better performance.

My understanding is that the effective width of the write head is 10x the width of the read head... E.g. with the right firmware, it should be possible, if you are okay with a write-once medium, to write the outermost track, move the write head in 1/10th what you'd normally move it, then write the next track, etc... and get 10x the space out of the drive you normally would. In theory, the read head wouldn't have trouble. (Of course, this would be write-once storage, as the effective width of your write head is still pretty huge; but for a bunch of things? I can totally work with that... if more than X% of a drive was garbage data, I copy the good data to a new drive and reformat the old one. Done.)

I hear rumors that both the major drive manufacturers are actually shipping drives with this technology, but are only selling those drives to really big players, for some reason.

Here's a reasonable reference to the 'shingle' technology, and the roadmap for the rest of us:

http://www.theregister.co.uk/2013/06/25/wd_shingles_hamr_roadmap/

But that's the thing: with the datasheets (and, well, a lot more skill than I personally have) we should be able to set up something like shingling on the cheap disks we have today.

Of course, from reading the article, I'm not sure I'm any closer to that particular dream.
My knee-jerk reaction was, why didn't WD sign the code and use on-chip fuses and a secure boot path to verify the code before transferring control to anything outside their boot ROM? (Many ARM-based systems-on-a-chip are capable of doing this.)

Adds cost, for one thing. But you can arrange for the unit to never run a byte of code (even one loaded from the platter) that didn't come from WD.
Something I hadn't really considered about hard disk encryption, before reading this, is how it could protect against compromised disk controllers. If the OS encrypts the data stored on the disk, it would be a lot harder (perhaps, with the right composition, impossible) for a malicious disk controller to insert/change/modify important data (like code, or password files) stored on the computer.

We think of the system as a holistic entity, but turned on its head, you can see how the inside of a computer is just a network...
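Tying the first comment's fault-injecting 'unit test' drive to this comment's point about an OS-level layer defeating a malicious controller, here is an added example (not code from the thread or the article): a constructed Python model of a drive that returns read errors, serves the wrong block, silently corrupts data, or acknowledges writes it never performs, with the host reading back through a per-sector HMAC bound to the LBA. This shows the integrity half of the "right composition" (encryption alone does not detect these); FaultyDisk, sector_tag, unseal, exercise and the key are assumptions made for the demo.

```python
import hashlib
import hmac

DATA, TAG = 480, 32            # a 512-byte sector carries 480 payload bytes plus a 32-byte tag
KEY = b"constructed-demo-key"  # constructed; a real stack derives this from the disk key

def sector_tag(lba, data):
    """HMAC over (lba || data): a tag is only valid at the address it was written to."""
    return hmac.new(KEY, lba.to_bytes(8, "little") + data, hashlib.sha256).digest()

def unseal(lba, sector):
    """Verify the tag for the LBA the host asked for, before data reaches the filesystem."""
    data, tag = sector[:DATA], sector[DATA:]
    if not hmac.compare_digest(tag, sector_tag(lba, data)):
        raise ValueError(f"integrity failure at LBA {lba}")
    return data

class FaultyDisk:
    """Constructed stand-in for a drive whose firmware misbehaves on demand."""
    def __init__(self, nsectors, faults):
        self.store, self.faults = [bytes(DATA + TAG)] * nsectors, faults  # faults: LBA -> behaviour

    def write(self, lba, sector):
        if self.faults.get(lba) != "ack_no_write":   # else: acknowledged, never persisted
            self.store[lba] = sector

    def read(self, lba):
        fault = self.faults.get(lba)
        if fault == "read_error":
            raise OSError(f"medium error at LBA {lba}")
        if fault == "wrong_block":     # neighbouring sector served instead
            return self.store[(lba + 1) % len(self.store)]
        sector = bytearray(self.store[lba])
        if fault == "silent_corruption":
            sector[7] ^= 0x01          # one flipped bit, no error reported
        return bytes(sector)

def exercise(fault):
    """Arm `fault` on LBA 2, write four distinct sealed sectors, read LBA 2 back verified."""
    disk = FaultyDisk(4, {2: fault} if fault else {})
    for lba in range(4):
        data = bytes([lba]) * DATA
        disk.write(lba, data + sector_tag(lba, data))
    try:
        unseal(2, disk.read(2))
        return "ok"
    except OSError:
        return "read_error"
    except ValueError:
        return "integrity_failure"
```

Only the plain read error is something the drive admits to; the other three misbehaviours surface solely because the tag is keyed and includes the LBA, which is why a lost write or a relocated block cannot pass as valid data.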
Could this attack compromise dedicated/rented servers? If so, the attacker could rent, install the exploit on the hardware and terminate the contract.
What about cloud servers? Sure there are virtualization layers, but can't those be breached? If so, that would pose immense danger: given the distributed nature, the hardware exploit could render the entire farm vulnerable.
A fascinating read, and an excellent piece of work.

It reminds me of a similar proof-of-concept hack on a common network card firmware: http://esec-lab.sogeti.com/post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware (the slides linked from that page have a more technical overview than the blog post).
I think some hard drives, like some Seagates, have a serial console in the firmware that provides low-level access that data recovery companies, for example, use.
> Because Linux caches the shadow file (like all files recently accessed), I have to generate a lot of disk activity for the file to be 'pushed out' of the cache

http://linux-mm.org/Drop_Caches

$ echo 3 > /proc/sys/vm/drop_caches

or as non-root

$ echo 3 | sudo tee /proc/sys/vm/drop_caches
Great article. But what I came away from it thinking about was how much money is spent by state security institutions to prevent this sort of thing, and yet secrecy breaches at scale are the Walkers, Mannings, and Snowdens using USB sticks and DVDs and copiers.
This is some hard core hacking! Love it! First, as others mentioned, this is why you should always encrypt your OS drives. Second, it also got me thinking: how many other devices are open to this kind of attack? Like a network switch, perhaps? Say you buy 100 network switches, alter the firmware to call home and maybe even load a Linux instance, and then resell them on Amazon, eBay, or even better, give a "good" cash deal to some local IT company. Then you just sit back and wait for your 100 bots to call home from their new business-class Internet homes.
This is incredibly scary. Will HD vendors start implementing firmware code signing anytime soon? Or will some enterprising hackers start working on an open source firmware implementation?
That's a whole world of spying opportunities. A government could make secret deals with hard drive manufacturers. Perhaps not the US government, but the Taiwan government, if it makes you happier... (I'm from neither country.)
This is very cool. I have a pile of dead and old hard drives. I should see if my local hackerspace has something that can connect to JTAG, and if so, see what secrets the old drives contain.