embedded software boot camp

Government-Sponsored Hacking of Embedded Systems

Wednesday, March 11th, 2015 by Michael Barr

Everywhere you look these days, it is readily apparent that embedded systems of all types are under attack by hackers.

In just one example from the last few weeks, researchers at Kaspersky Lab (a Moscow-headquartered maker of anti-virus and other software security products) published a report documenting a specific pernicious and malicious attack against “virtually all hard drive firmware”. The Kaspersky researchers deemed this particular data security attack the “most advanced hacking operation ever uncovered” and confirmed that at least hundreds of computers, in dozens of countries, have already been infected.

Here are the technical facts:

  • Disk drives contain a storage medium (historically one or more magnetic spinning platters; but increasingly solid state memory chips) upon which the user stores data that is at least partly private information;
  • Disk drives are themselves embedded systems powered by firmware (mostly written in C and assembly, sans formal operating system);
  • Disk drive firmware (stored in non-volatile memory distinct from the primary storage medium) can be reflashed to upgrade it;
  • The malware at issue comprises replacement firmware images for all of the major disk drive brands (e.g., Seagate, Western Digital) that can perform malicious functions such as keeping copies of the user’s private data in a secret partition for later retrieval;
  • Because the malicious code resides in the firmware, existing anti-virus software cannot detect it (even when they scan the so-called Master Boot Record); and
  • Even a user who erases and reformats his drive will not remove the malware.

The Kaspersky researchers have linked this hack to a number of other sophisticated hacks over the past 14 years, including the Stuxnet worm attack on embedded systems within the Iranian nuclear fuel processing infrastructure. Credited to the so-called “Equation Group,” these attacks are believed be the the work of a single group: NSA. One reason: a similar disk drive firmware hack code-named IRATEMONK is described in an internal NSA document made public by Edward Snowden.

I bring this hack to your attention because it is indicative of a broader class of attacks that embedded systems designers have not previously had to worry about. In a nutshell:

Hackers gonna hack. Government-sponsored hackers with unlimited black budgets gonna hack the shit out of everything.

This is a sea change. Threat modeling for embedded systems most often identifies a range of potential attacker groups, such as: hobbyist hackers (who only hack for fun, and don’t have many resources), academic researchers (who hack for the headlines, but don’t care if the hacks are practical), and company competitors (who may have lots of resources, but also need to operate under various legal systems).

For example, through my work history I happen to be an expert on satellite TV hacking technology. In that field, a hierarchy of hackers emerged in which organized crime syndicates had the best resources for reverse engineering and achieved practical hacks based on academic research; the crime syndicates initially tightly-controlled new hacks in for-profit schemes; and most hacks eventually trickled down to the hobbyist level.

For those embedded systems designers making disk drives and other consumer devices, security has not historically been a consideration at all. Of course, well-resourced competitors sometimes reverse engineered even consumer products (to copy the intellectual property inside), but patent and copyright laws offered other avenues for reducing and addressing that threat.

But we no longer live in a world where we can ignore the security threat posed by the state-sponsored hackers, who have effectively unlimited resources and a new set of motivations. Consider what any interested agent of the government could learn about your private business via a hack of any microphone-(and/or camera-)equipped device in your office (or bedroom).

Some embedded systems with microphones are just begging to be easily hacked. For example, the designers of new smart TVs with voice control capability are already sending all of the sounds in the room (unencrypted) over the Internet. Or consider the phone on your office desk. Hacks of at least some VOIP phones are known to exist and allow for remotely listening to everything you say.

Of course, the state-sponsored hacking threat is not only about microphones and cameras. Consider a printer firmware hack that remotely prints or archives a copy of everything you ever printed. Or a motion/sleep tracker or smart utility meter that lets burglars detect when you are home or away. Broadband routers are a particularly vulnerable point of most small office/home office intranets, and one that is strategically well located for sniffing on and interfering with devices deeper in the network.

How could your product be used to creatively spy on or attack its users?

Do we have an ethical duty or even obligation, as professionals, to protect the users of our products from state-sponsored hacking? Or should we simply ignore such threats, figuring this is just a fight between our government and “bad guys”? “I’m not a bad guy myself,” you might (like to) think. Should the current level of repressiveness of the country the user is in while using our product matter?

I personally think there’s a lot more at stake if we collectively ignore this threat, and refer you to the following to understand why:

Imagine what Edward Snowden could have accomplished if he had a different agenda. Always remember, too, that the hacks the NSA has already developed are now–even if they weren’t before–known to repressive governments. Furthermore, they are potentially in the hands of jilted lovers and blackmailers everywhere. What if someone hacks into an embedded system used by a powerful U.S. Senator or Governor; or by the candidate for President (that you support or that wants to reign in the electronic security state); or a member of your family?

P.S. THIS JUST IN: The CIA recently hired a major defense contractor to develop a variant of an open-source compiler that would secretly insert backdoors into all of the programs it compiled. Is it the compiler you use?

Tags: , , , , , ,

2 Responses to “Government-Sponsored Hacking of Embedded Systems”

  1. Geoff Revill says:


    Of course we all have a moral imperative to secure our systems.

    But let’s face the facts – there is no such thing as a secure system – security is a risk mitigation exercise – and to be honest a cost issue. So before worrying about security first think about the attack surface.

    i highly recommend system developers look up the 7 principles of privacy by design – it’s gonna be a hot topic in coming years as privacy becomes a C (as in Company exec) level issue – and privacy cannot be accomplished without security.

    So what’s the attack surface? In short – it’s the data. So my suggestion is this – audit your data – all of it, including the meta-data used to manage the data – it can often be more insightful than the data under management.

    Only once you have done this can you even start to assess the security risk.

    My next suggestion – don’t focus first on security first – instead focus on data minimisation – reduce the attack surface – make your system less useful to hack (vs your competitors for example)- and easier to secure because less data is in general easier to secure. i realise this flies in the face of the Big data petrol heads who think more is better – and the historic trend towards data collation for potential sale – but the repetitional risk to your company is going to make this revised way of thinking a new imperative.

    luckily embedded systems developers tend to be more frugal by design – they tend towards mitigating storing and sending unnecessary data in the pursuit of cost efficiency…its a mentality that puts the average embedded developer way ahead of the average IT developer. Just now try and take that mentality to the next level of investigation – make data temporal that does not need to be stored for example.

    Does any of this mitigate the super funded government sponsored hacker – no. But we can make it harder for the hack to go undetected – in general the hacked data has to be accessed and sent somewhere – so think about building active monitoring systems into your comms infrastructure – not to debug what you know should be happening – but to look for patterns of comms occurring outside the known patterns of use of your system….at least then if hack occurs you may be able to be aware its happening even if you don’t know how. But step 1 is detection….

    • Alan says:

      It is strange how people are afraid to think out loud about government spying on them. In fact, the USA is headed toward the same repressed population conditions of China and the Soviet Union now, in that everyone who speaks out is called a “dissident” and risks prison time or even execution. We see this starting in America now with the Patriot act “laws” essentially allowing the government secret court to order your disappearance with no recourse whatsover. Posse Comitatus was illegally repealed, etc.

      That is your threat, and you should take it seriously. Corporations have a different set of available methods than individuals. But as individuals, it would be well worth considering the following methods.
      Turn off your Internet connections when not in use. Turn off your printers and TVs when not in use. Put your smart phones in a soundproof basket by the front door when you arrive at home. If you really want to be free of it, remove your smart phone battery as needed (Apple users cannot really do this).

      Every access path you restrict lowers your visability to hackers. You should never use your real name on the Internet. If you are concerned about privacy, why are you putting all of your personal information on Google and Facebook, who have stabbed the consumer in the back? Take it off there, and keep it off. Use other search engines like duckduckgo and startpage.

      The problem faced is more extensive algorithms used by the govt. that are correlating huge amounts of data. Google uses them too. That is how they follow you from your PC at home and over to your cell phone. They read your emails, form up lists of your social contacts and put weighting on them each based on number of minutes connected per month. The only way you are really safe from this is to reduce your hacker exposure, and use practices that mitigate much of this.

      Beyond that, if you become a target, the government will sit down the street in an RV bouncing lasers off your windows which modulate on the window vibration caused by the sound within. If they want to make you a target, you are screwed. Best to not become a target in the first place. Stay private. Shred your docs. Put your trash in black trash bags. Do these types of things to minimize your exposure.

      As far as Kaspersky and other commercial security products companies go, who knows what they are up to? They are in Russia – who polices them or any other security company. These guys might be the proverbial double agents for all we know. How can you count on them when you do not have access to their source code?

      If you write code for the public, you will be faced with contact from the NSA (if you are in the USA) demanding that you insert backdoors and other flaws into your code. How will you handle that?

Leave a Reply