East Beats West

A few years ago, Danny Day, the brilliant and visionary founder of Eprida, Inc., brought an afflicted Mac laptop to our shop.

Danny complained that his laptop was acting up and slowing down. He had placed a sniffer – a device that monitors Ethernet traffic – on the Ethernet port and discovered that business files and other information were leaving his computer for cyberspace, without any prompting on his part. Whenever the laptop was on and connected to the Internet, it acted possessed.

Danny – who is technically savvy – reformatted and replaced the hard drive, but the covert activity continued. Files streamed out of his computer into the digital void. This could mean only one thing: the computer’s EEPROM (a reprogrammable circuit containing essential computer code, called firmware) was infected. The fix would involve “reflashing” the EEPROM or replacing the entire logic board.

Malicious computer code, called malware, while common on Windows® machines, is rare on Macintosh® computers. As a Mac user with lots of Mac clients, I took notice of this problem.

Danny had recently returned from a trip to the People’s Republic of China to talk about a technology that he had developed using charcoal to improve soil characteristics and crop yields – not exactly national security material. He had left his laptop unattended in his hotel room, and returned to find that it had been disturbed. After that, he surmised, the problems began.

Although there are documented cases of malware hiding in the deep recesses of hard drives, I had never heard of infected Macintosh firmware. It would require considerable technical acumen to reprogram Apple’s firmware to perform this kind of covert activity. The bigger question was why anyone in China would have the interest and take the trouble to do so on Danny’s personal computer.

Was this a real threat or paranoia? Gifted people can be creative in many ways.

I placed a call to Jim Pace, the retired former head of computer forensics for the U.S. Army. Jim opined that if anyone was technically capable and possibly inclined to do it, it probably would be the Russians or Chinese. He was unaware of a precedent for Apple firmware infiltration.

I don’t recall if Danny continued to use the laptop, or if he replaced it, but I put the matter on the back burner.

In November of 2008, Danny sent me a link to an article published by the Daily Artisan (http://www.dailyartisan.com/news/and-now-the-manchurian-microchip/).

The article contained a bombshell:

“The myth: Chinese intelligence services have concealed a microchip in every computer everywhere, programmed to ‘call home’ if and when activated.

The reality: It may actually be true.

All computers on the market today — be they Dell, Toshiba, Sony, Apple or especially IBM — are assembled with components manufactured inside the PRC. Each component produced by the Chinese, according to a reliable source within the intelligence community, is secretly equipped with a hidden microchip that can be activated any time by China’s military intelligence services, the PLA.”

If Danny’s concerns were founded, did his hosts actually reprogram the firmware, or did they simply switch on the “call home” feature? If the latter were true, then the laptop would still be vulnerable after a firmware reflash or logic board replacement. The implications of such a security breach are truly mind-boggling.

On March 30 of this year, Fox News published a story from the Associated Press entitled, “Cyber Spy Network Hacks Computers in 103 Countries.” (http://www.foxnews.com/story/0,2933,511316,00.html) According to Canadian researchers:

“A cyber spy network based mainly in China hacked into classified documents from government and private organizations in 103 countries, including the computers of the Dalai Lama and Tibetan exiles, Canadian researchers said Saturday.”

Furthermore,

“Once the hackers infiltrated the systems, they gained control using malware — software they install on the compromised computers — and sent and received data from them, the researchers said.”

According to a further article linked from that page:

“The Chinese government on Monday denied it was behind GhostNet, a vast hacker network that infiltrated the computers of foreign governments, political organizations and Tibetan exiles around the world.”

A confirming article was written by John Markoff and published on the front page of the Sunday, March 29 edition of The New York Times. The article’s revelations were even more chilling: the suspected malware can even turn on a computer’s built-in camera and microphone to provide both video and audio surveillance.

It is plausible that the U.S. Government has its own secret programs for spying on enemies and competitors. In any event, public awareness of the threat to computer users in the United States is in its infancy. In the meantime, almost anyone without a competent defense strategy is vulnerable.

So far, it appears that the Chinese are waging and winning the next cyberwar, and few – if any – defenses are yet available to counter the threat. Such defensive measures might include reflashing the firmware to monitor and shut down suspicious processes, or connecting every computer to a suitable firewall that can prevent unauthorized data transfers.

At minimum, the clear implication for our industry – data recovery – is that care must be taken whenever a client’s computer is connected to the Internet.

*     *     *     *

Author: Jonathan Yaeger
Copyright 2009 by Data Savers, LLC
www.datasaversllc.com

Macintosh and Apple are registered trademarks of Apple Computer, Inc. Windows is a registered trademark of Microsoft, Inc.