Hard drive firmware attack possibilities? (network access possible?)

General Discussion
#1

Went to buy a hard drive cash and at first they didn’t have it and would take two weeks to get. Then I was updated they it was suddenly available in less than 36 hours. There was some other signatures at the location that matched previous signatures before attacks were carried out.

Anyways instead of gaslighting myself, I am curious mainly if I did recieve a modified SSD with malicisious firmware customized for qubes, would it be possible for this to upload my data or allow access to my qubes by an advesary? If so how?

#2

IMHO, not enough information to tell whether it was something nefarious or just a coincidence.

I’m not an expert in this area, but my understanding is that it’s possible for malicious drive firmware to infect dom0 (after which anything is possible). Note that this assumes the drive is an internal storage drive connected directly to dom0 and not some external (e.g., USB) drive. The proposed “storage domain” mitigates this risk, but it has not been implemented yet. You can read more here:

https://groups.google.com/g/qubes-users/c/9cso2wnw8Bg/m/BZU7pHrmKzwJ

1 Like
#3

Thank you. This arch spec is beautiful. Is this the latest version? I’ll be pouring over this.

Also any idea when the ‘storage domain’ would be implemented? Is there timeline or somewhere I can see what’s implented and pending according to the envisioned architecture specifications?

Hoping there’s an pending area that aligns with my expertise where I could start to contribute sooner rather than later.

#4

Concerning my search for a pending timeline I found this: Release 4.1 Milestone · GitHub

But still curious about ‘storage domain’ and other concepts covered in the arcspec. If there exists somewhere people are either working on them or talking about them, I’d like to read up!

Thanks.

#5

Yes, I’m afraid it hasn’t been updated in a very long time (and probably won’t be).

No, sorry. I tried to find an open issue for this but couldn’t.

No, I’m afraid there’s no up-to-date public roadmap.