The NSA may be hiding payloads in the firmware of consumer hard drives, according to a new report from Kaspersky Lab. The report tracks a group that researchers have dubbed "Equation," which uses previously undiscovered methods to plant targeted malware in hard drive firmware, where it is difficult to detect or remove. The report found exploits for hard drives made by many of the largest brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi. The group is closely tied to Stuxnet, using many overlapping vulnerabilities and techniques over the same time period, and those similarities combined with previously published NSA hard drive exploits have led many to speculate that Encounter may be part of the NSA.
If true, the program would give the NSA unprecedented access to the world's computers, even when disconnected from the larger web. Viruses stored on a hard drive's firmware are typically activated as soon as a device is plugged in, with no further action required. They're also usually undetectable and survive reformatting, making them difficult to detect and remove. In July, independent researchers discovered a similar exploit targeting USB firmware — dubbed BadUSB — but there was no indication of the bugs being developed and deployed at this scale.
It also raises real questions about device manufacturer's complicity in the program. It would take extensive and sustained reverse engineering to successfully rewrite a device's firmware. The NSA would certainly be capable of it, but it's also possible the NSA compelled companies to hand over the firmware code or intercepted it through other means. Reached by Reuters, only Western Digital actively denied sharing source code with the NSA; the other companies declined to comment.
