Hardware backdoors are a substantial threat to today's information systems: they can evade today's malware detection mechanisms and survive software updates. Moreover, they are an increasingly likely threat because of extensive outsourcing of hardware manufacturing. While the feasibility of implementing backdoors in CPUs, PCI devices, and network components has been studied before, this paper investigates a new type of threat: a backdoor that leverages storage devices. We show that a remote attacker can ex_ltrate data from a storage device in the absence of a direct communication channel and without a priori knowledge of the various layers (OS, applications, filesystem) between the attacker and the device. We implement such a backdoor to demonstrate the real-world feasibility of attacks. Our experiments show that /etc/passwd of a standard Ubuntu/Apache/PHP/MySQL installation can be remotely exfiltrated in 40 seconds. Consequently, we conclude that this attack vector should not be overlooked when assessing a system's security, and we discuss, e.g., encrypting data at rest to thwart such attacks.
