Kaspersky Lab, a Moscow-based cybersecurity firm, says spy software has been embedded in the hard drives produced by many of the world’s largest computer hardware manufacturers, opening a backdoor to a western surveillance agency.
That agency is widely believed to be the U.S. National Security Agency. Though Kaspersky does not directly name the NSA, the firm does say the code infecting the firmware on the drives is closely related to the Stuxnet virus, the malicious code developed by the U.S. and Israel that caused widespread damage to the Iranian uranium enrichment program.
Though no one seriously disputes the attribution anymore, it is still worth noting that the U.S. has never officially admitted involvement with Stuxnet.
A former NSA employee and another former intelligence “operative” confirmed to Reuters that the NSA had developed the ability to hide a surveillance portal on commercial hard drives. Concealing the code in the drive’s firmware is particularly useful because the implant lives in the drive controller rather than in the operating system: it survives a disk reformat or a clean OS install, and the computer essentially re-infects itself every time it starts up from that drive.
The proprietary source code on drives is a closely guarded trade secret for hardware manufacturers. Kaspersky said there was zero chance that someone could rewrite drive operating systems based solely on public information, though it is not clear how a government intelligence agency gained access to the code. One drive manufacturer, Western Digital, told Reuters it had “not provided its source code to government agencies”; other manufacturers wouldn’t say if they had cooperated with the NSA on this matter.
The revelation by Kaspersky comes on the heels of last week’s Silicon Valley standoff between tech executives and President Barack Obama. The chief executives of Facebook, Google and Yahoo declined a sit-down with Obama, reportedly to express their displeasure with some aspects of government surveillance and the administration’s latest cybersecurity plan.
The tech sector objects to the government’s behavior in a couple of crucial areas: the intelligence community’s fight against certain kinds of data encryption and its insistence on a pass key for government agencies, and the NSA’s hoarding of so-called “zero-day flaws,” bugs that allow spies or hackers to access supposedly secure computer systems.
Exploiting a zero-day flaw is one possible way in which the NSA could have gained access to hard drive firmware source code, though the report does not establish how it was obtained.
In the eyes of U.S. tech companies, continued revelations about the vulnerability of their systems, from the Snowden leaks through today’s Kaspersky report, amount to a direct assault not only on their integrity but on their bottom line. Governments and foreign businesses alike have no interest in good ol’ American know-how if it means good ol’ Uncle Sam has access to their data and operating systems.
In 2013, Brazil publicly discussed creating its own in-country Internet in the wake of leaks about U.S. spying on Brazil’s leaders. And just last month, China announced that companies selling computer equipment to Chinese banks would be required to turn over source code and submit to government security audits.
While Kaspersky Lab says the bulk of infected drives turn up in “Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria,” past experience has shown it is hard to keep the genie in pre-ordained bottles. Stuxnet was discovered precisely because it escaped into the wild, infecting computers that had nothing to do with the Iranian nuclear program. And a strain thought to share lineage with Stuxnet became the basis for the Wiper malware, which not only erased data at the Iranian Oil Ministry in 2012 but, at present, has U.S. financial institutions very anxious.
As with aspects of Obama’s cybersecurity push, the latest window on NSA behavior has big business and privacy watchdogs looking nervously at the backdoor.