0

Say you buy a used hard drive, or a computer (wondering about both cases, something that is just a drive for storage, and something that is an actual running chip). I am not interested in whether or not it's a good idea to buy used stuff, I am purely wondering as an intellectual exercise to better understand security.

I am a programmer with a bit of experience but I can't imagine how you can guarantee that there is nothing installed on the computer or hard drive. If you buy something with an operating system already installed on it, then I imagine that you could have something hiding behind the operating system, so that is potentially insecure. If you instead "start from scratch" with a baremetal machine somehow (by "deleting everything from memory and data bus or whatever"), that would require you using BIOS or something to install, then it seems even then (assuming you knew everything about the BIOS / initialization software), that there could still be something lingering on the drive or computer that, after you get something fresh installed on it, it will leap back into action. I don't know how this would work, which is why I'm asking the question. It's as if the electrons or magnets would spring back into action, even after memory (and anything potentially else) was "cleared". I wonder how to check that stuff.

The question is, if you start from "bare metal" drives or chips or computers, with nothing installed on it, how you actually guarantee that, in fact, nothing is "installed" after you think you've uninstalled everything. I wonder what you can/should check, like perhaps you need to check the memory manually with some debugger or something, or check the databus somehow. I have no idea how this would work.

Lance
  • 598
  • 5
  • 16
  • 3
    Why limit yourself to *used* hardware? Even if you buy new there is no fully controlled supply chain which guarantees that nobody tampers with the systems. And sometimes even the original vendor adds explicit backdoors or the systems are shipped with seriously buggy software with essentially result in a backdoor too. – Steffen Ullrich Nov 22 '18 at 07:04
  • Still the same question in that case. – Lance Nov 22 '18 at 08:34
  • **I think this question is too broad.** You're effectively asking how to detect compromised firmware for any variety of peripherals. Unless you're happy to limit yourself only to malicious data on a hard drive (which can be destroyed with a simple quick format), you'd have to break out SPI readers, JTAG debugger probes, etc. and analyze each and every chip that stores firmware. This would include the hard drive, NIC, BIOS, option ROMs for every PCI device, maybe even motherboard-specific CPLDs or microcontrollers, and more... Nothing for the CPU though. It lacks storage (just a few OTP fuses). – forest Nov 22 '18 at 08:42
  • @forest That is basically the answer I am looking for. I am not looking for an in depth answer and solution for every case, I would just like to know at a broad swath where stuff can actually exist hidden and how to find it. – Lance Nov 22 '18 at 08:52
  • @forest please extend this list! "SPI readers, JTAG debugger probes..." that is very helpful, all new stuff to me. – Lance Nov 22 '18 at 08:55
  • @LancePollard I think there is already an answered question here which provides some examples of where malicious software could theoretically hide. Let me try to find it... – forest Nov 22 '18 at 08:55
  • 1
    @LancePollard This is a duplicate of https://security.stackexchange.com/q/121100/165253 – forest Nov 22 '18 at 08:57

0 Answers0