Kaspersky reports that hackers in the “Equation Group” (see Ars Technica coverage) infiltrated the firmware of most major hard drive manufacturers:
rewrote the hard-drive firmware of infected computers … on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.
The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group’s sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.
This is incredibly dangerous because nobody can detect that your hard drive’s firmware has been hacked: the manufacturer can’t (it has no access to the drive once it is installed in your computer), and nobody else knows what the firmware is supposed to look like, because it is an inscrutable blob.
This is the time to ask the world’s drive manufacturers to open-source their firmware. The commercial downsides of doing so are small, but the security advantages are immense. Will that give away some trade secrets to competitors? Yes, but they will do it, too, and nobody has ever bought (or not bought) a hard drive because of better firmware. I would buy a hard drive because of better security, however.
While this in itself will not fix any security problems, it does create the opportunity for third parties — whether that is a security vendor or the hacker next door — to figure out whether your hard drive is a carrier of something insidious or not. Unless we can figure this out, we are all screwed.
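What that third-party check could look like once a reference build exists, as an added example that is not from the original post: compare a firmware image dumped from a drive against the published reference image and report which byte ranges differ. It assumes the image was read out-of-band (directly from the flash part), since a compromised controller cannot be trusted to report its own firmware honestly; the images used here are constructed.

```python
"""Audit a dumped firmware image against a published reference build (added example)."""
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(reference: bytes, observed: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for every maximal run of bytes where `observed`
    departs from `reference`. A size difference is reported as a trailing region."""
    regions = []
    n = min(len(reference), len(observed))
    i = 0
    while i < n:
        if reference[i] == observed[i]:
            i += 1
            continue
        start = i
        while i < n and reference[i] != observed[i]:
            i += 1
        regions.append((start, i - start))
    if len(reference) != len(observed):
        regions.append((n, abs(len(reference) - len(observed))))
    return regions


def audit_firmware(reference: bytes, observed: bytes) -> dict:
    """Compare an out-of-band firmware dump with the reference build.
    Assumption: `observed` was read from the flash chip itself, not requested
    from the drive controller, which could hand back a clean copy if compromised."""
    if sha256_hex(reference) == sha256_hex(observed):
        return {"status": "match", "regions": []}
    return {"status": "mismatch", "regions": differing_regions(reference, observed)}


# Constructed sample data: a 1024-byte "reference" image and a copy with two
# simulated modifications (a 4-byte patch at 0x40 and a 16-byte block at 0x300).
REFERENCE_IMAGE = bytes(range(256)) * 4
_modified = bytearray(REFERENCE_IMAGE)
_modified[0x40:0x44] = b"\xde\xad\xbe\xef"
_modified[0x300:0x310] = b"\xff" * 16
MODIFIED_IMAGE = bytes(_modified)

if __name__ == "__main__":
    print(audit_firmware(REFERENCE_IMAGE, REFERENCE_IMAGE))  # match, no regions
    print(audit_firmware(REFERENCE_IMAGE, MODIFIED_IMAGE))   # mismatch at 0x40 and 0x300
```

Without a published reference, the same dump yields only a hash with nothing to compare it to, which is exactly the "inscrutable blob" problem the post describes.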
And even if you cheer “USA, USA, USA” (under the assumption that it was the NSA that did this, which is purely conjecture at this time), I hope you realize that now it has been proven this can be done, every other nation state, and every criminal group with some technical clout (those bank robbers come to mind) will do the same over the next few years. We need to stop this, and open-source firmware is the way to do it IMHO.