5

When we buy a new hard disk drive, what steps can we take to ensure that it is virus-free?

For example, there are many vendors selling hard disk drives on Amazon. When we purchase one, how do we know that it is free of virus?

Disclaimer: I'm pretty paranoid about security.

Pacerier
  • @ekaj, Wouldn't some persistent rootkits be unformattable? – Pacerier Jan 31 '14 at 04:45
  • A rootkit is generally tied to an operating system, and starts as the OS starts. You can just do a quick format of the disk if you're not too worried, or a full format will overwrite every sector individually, but take much longer. – cutrightjm Jan 31 '14 at 04:47
  • @ekaj, Isn't it possible for the instructions to do formatting to be hijacked at a much lower level? – Pacerier Jan 31 '14 at 04:49
  • I'm honestly not sure about that, it's possible I assume but highly, highly unlikely. – cutrightjm Jan 31 '14 at 04:52
  • 1
    You can put malware into the drive firmware. So only erasing the disk is insufficient. Depending on how good the attacker is, you won't be able to remove the malware from the firmware even if you try to reinstall it. – CodesInChaos Jan 31 '14 at 08:41
  • @CodesInChaos, When you say "won't be able to remove malware from the firmware even if you try to reinstall it", do you mean that the hardware (electronics) of the hard disk itself is fraudulently modified? – Pacerier Jan 31 '14 at 13:51
  • 5
    If your adversary can modify your hard disk's firmware or hardware between the time that you order it from Amazon and the time that you plug it into your system, I suggest quitting your job, taking out a large loan, and flying out to somewhere sunny like the Bahamas, because you'll be glad that your last few days on earth were comfortable. – Polynomial Jan 31 '14 at 14:06

4 Answers

13

Given a sufficiently smart adversary with significant resources, you can't.

There are five potential attack vectors:

  • Malware on the disk within a partition.
  • Malware within the boot sector.
  • Malformed partition or filesystem structures that exploit bugs in your OS (example)
  • Malware within disk firmware.
  • Modified hardware (e.g. replace the firmware PROM with mask ROM containing malware)

Malware on a filesystem on the drive is easily defeated by formatting the disk when you get it.

Boot sector malware is a little trickier. Whilst an OS install would overwrite the boot sector anyway, this doesn't apply to drives that are going to just be used for data. This kind of thing can be fixed by doing a low-level wipe of the disk with dd or a similar tool, or by re-writing the boot sector with a disk maintenance tool.

Malformed partitions or filesystems can be killed with dd, but then you still have to get into an OS to run the command. It's a good idea to do the first format operation from a Live CD with no other persistent storage attached.

The modified firmware issue is a very tricky one. We know that hard disk firmware can be modified, and there are surely patch vectors from the OS level. Detecting malicious firmware is a tricky task, and you can only really get assurance of firmware integrity by manually (i.e. at the electrical interface level) overwriting the firmware with a manufacturer-supplied and digitally signed firmware image. Since you'd be interfacing directly with the EEPROM, and would be able to read the image back and verify its integrity, you'd have strong assurance that the "safe" firmware was written. This doesn't fix the problem of backdoors at the manufacturer's end, though.

Finally, there's the potential for modified hardware. In such a case, the firmware EEPROM could be ignored in favour of a mask ROM, stored either externally or inside the controller IC package, so that flashing the firmware seems to work but does not actually succeed in changing the firmware code that is actually executed by the device.

At the end of the day, though, does it even matter? Most of the time you're going to get a clean hard disk, and things have to be going very wrong somewhere in the world if you end up with boot sector malware on a signed-and-sealed disk. If an adversary can find out that you've got a hard disk on order from Amazon, get another of that exact drive, backdoor its firmware or hardware in a useful way, break into the delivery truck, and replace the disk with a modified one without anyone noticing, then you are screwed no matter what.

In summary, I'd like to quote from an excellent paper by James Mickens:

If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.

Polynomial
  • No I'm not saying that the adversary is hacking the hard drive just for me. I'm saying he could be mass-producing hacked hard drives... and thus, "how can we unvictimize ourselves from that situation". – Pacerier Jan 31 '14 at 14:55
  • 1
    If they can influence a sensitive manufacturing process with hundreds if not thousands of people involved, and tens of thousands of affected customers world wide, then you're even more screwed. – Polynomial Jan 31 '14 at 15:07
  • No, I'm not saying the manufacturer is hacked. I'm saying the manufacturer is the hacker, probably on government orders to hide some unethical code somewhere – Pacerier Feb 02 '14 at 18:04
  • My advice still holds. You are screwed if that is the case. – Polynomial Feb 03 '14 at 10:03
4

As a rule, you don't. You can't. But you might be able to improve your chances.

But what we know about instances where hard drives or computers or other devices get "bugged" by adversaries is that these attacks are personal. Either the attacker wants you, or your company, or your family member, or your friend, or your neighbor, or some other person somehow associated with you.

We know that governments intercept and modify computer hardware shipped to interesting targets. And we know that these modifications often happen in firmware or other chip-level components so as to persist across reformatting. And we know that anything a government can do, a criminal organization can do also.

So what do you do? You make this rule: At no point is the hardware associated with you ever entrusted to a third party. So at no point does an adversary have an opportunity to intercept your hardware.

So for example, you go to Best Buy or Fry's or Joe's Computer Hardware and Auto Parts 3 hours from home and you pick a hard drive off the shelf. The moment it becomes "yours" it also enters into your personal protection and care. So instead of targeting you, they have to target everyone who shops within a 3-hour radius of you. So are you safe now? Nope. You're never safe. But you've improved your chances.

tylerl
1

There is not even a need to overwrite the full disk. As soon as you quick-format, there's no data the OS will see. And if there's no data the OS will see, it should not execute any viruses.
To improve security, you might want to recreate the partition table. So boot Linux and overwrite the first 100MB with dd:

sudo dd if=/dev/zero of=/dev/sdx bs=1M count=100

-> Be absolutely sure to run this on the right disk! If not, you will destroy your data.

We assume it's just about mainstream malware, not a personal attack on you. If somebody will try to attack you, there are hundreds of ways to infect your computer, from installing a malicious thumb drive in a mouse you buy, to installing a radio transmitter in your screen, installing a CCTV camera in your room...

davidbaumann
  • 1
    You can't assume that the boot sector will be clean, and if you're using the drive for data rather than an OS then the boot sector probably won't get replaced. Then all it takes is for your BIOS to attempt to boot from it. – Polynomial Jan 31 '14 at 13:35
  • I assume mainstream malware here. Also there is this dd command in my post which will delete the boot sector. – davidbaumann Jan 31 '14 at 13:36
  • 2
    That still doesn't cover other attacks, like firmware modification. – Polynomial Jan 31 '14 at 13:37
  • So please give me a link where mainstream malware is placed on firmware. And tell me how to make sure that rewriting firmware (which will use the existing firmware's interface to write) makes you safe. – davidbaumann Jan 31 '14 at 13:39
  • 1
    No link to mainstream malware, but that's a moot point - you should protect against unknown and future threats. It's possible, though. Give this a read: http://spritesmods.com/?art=hddhack&page=1 – Polynomial Jan 31 '14 at 13:48
  • I think you're right. But if you think this way, there is no way to obtain a disk he can trust! – davidbaumann Jan 31 '14 at 13:52
  • Exactly my point. You can't ever 100% verify the security of anything. Trying to do so is an exercise in futility. Like it or not, you have to rely upon implicit social constructs like trust and faith. There's nothing to stop the guy at Starbucks from filling your morning coffee with cyanide, but we have faith in the fact that he is deterred by the consequences, and faith that the judicial system would rightly prosecute him if he did poison you. Conversely, he trusts that you won't try to steal his cash register or throw your piping hot Grande Macchiato in his face after he serves you. – Polynomial Jan 31 '14 at 14:12
  • So I say, it's enough to delete the first 100MB, so it will be ok for him. If a clean OS creates a clean partition, there will be no data it can access. – davidbaumann Jan 31 '14 at 14:16
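The wipe that Polynomial's answer and davidbaumann's answer both describe, as an added example that is not part of either answer: it checks whether the first sector carries the 0x55AA boot signature a BIOS would honour, refuses to touch a target that is currently mounted, zeroes the head of the disk with dd, and reads it back to confirm the wipe took. The functions and the image file are assumptions for illustration; the script is exercised on a constructed 4 MiB image rather than a real device.

```shell
#!/bin/sh
# Head-of-disk wipe with a before/after check, runnable against a file-backed image.

make_test_image() {
    # Constructed sample: a 4 MiB zero image with a fake MBR boot signature (55 AA) at bytes 510-511.
    dd if=/dev/zero of="$1" bs=1M count=4 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

has_boot_signature() {
    # Bytes 510-511 equal to 55 AA mark the sector as a bootable MBR to legacy firmware.
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

wipe_head() {
    # Overwrite the first $2 MiB (partition table, boot sector, pre-partition gap) with zeros.
    # Refuse if the target, or a partition on it, appears in /proc/mounts: the wrong disk is the real risk here.
    if [ -r /proc/mounts ] && grep -qs "^$1[0-9p]* " /proc/mounts; then
        echo "refusing to wipe $1: it is mounted" >&2
        return 1
    fi
    dd if=/dev/zero of="$1" bs=1M count="$2" conv=notrunc 2>/dev/null
}

verify_zeroed() {
    # Read the first $2 MiB back; tr strips NUL bytes, so any byte surviving means the wipe did not take.
    leftover=$(dd if="$1" bs=1M count="$2" 2>/dev/null | tr -d '\000' | wc -c)
    [ "$leftover" -eq 0 ]
}
```

On a real drive the target would be the whole device node rather than an image file, and count=100 reproduces the 100MB wipe from the answer.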
-1

Assume it isn't, and reformat using a dedicated Linux box to overwrite the drive fully before use.

Daniel Miessler