It’s one of the most widely believed myths in the infosec world. Yet, at the same time, it’s the most non-standard one. That double-sided nature is likely the reason why the myth is so enduring.
At the dawn of the PC era, in the late 20th century, users frequently spread scary stories about what a virus had done “to one of their good friends.” In such stories, viruses, for instance, fed some ‘wrong’ interlacing to a CRT monitor and ‘burned out’ the PC’s hardware components. In other tales, malware made HDD platters ‘resonate’ fiercely, ultimately destroying hard drives, or overclocked a floppy drive to cause an imminently deadly rotor overheat.
Antivirus developers have constantly busted those myths. Sure, some of these cases are theoretically plausible, but built-in foolproof protection mechanisms don’t allow such failures to happen.
Users pretended to be satisfied with these explanations, yet continued to believe in the myths. Anything can happen, after all, with vendors hushing things up.
Yet, life is a curious thing and full of surprises. For example, back in 1999 a massive Win95.CIH (a.k.a. Chernobyl) virus pandemic took over thousands of machines. That malware corrupted data stored both on hard drives and in the BIOS chips on motherboards. Some of the affected PCs would not start as their boot program was damaged. To undo the adverse effects of the attack, one had to replace BIOS chips and rewrite the data.
Was that effectively physical damage inflicted on a PC? In reality, no. After a series of manipulations, motherboards could be cured and returned to the operating state. But the problem could not be solved with a standard ‘home emergency kit’ and required specialized equipment.
Today, everything is even more confusing.
First, any standalone piece of hardware is bundled with a rewritable microprogram, at times with even more than one. I’m surprised this trend did not affect the screws which hold this too-smart hardware together.
Each of those microprograms has been evolving for years, having become quite a complex piece of software, which is by design potentially open to an attack. Once the attack is successful, the consequences are not always immediately remediable.
Take the story about modified firmware of hard drives. For the record, while analyzing the Equation cyber-espionage campaign, Kaspersky Lab experts explored spyware modules injected into microprogram code for a number of different HDD models. These pieces of malware are used to gain complete control over the affected disk, something that cannot be remedied even by formatting.
One cannot change the firmware by means of a standard toolset: the firmware is responsible for updating itself. As you would expect, it puts up a hell of a fight when someone tries to lure it from where it belongs. Of course, if you happen to be in possession of specialized equipment, you might be able to apply force and change any microprogram. In real life, an affected drive goes straight to the trash, as it’s the most cost-effective option.
Can it be considered physical damage? Well, that’s disputable. But the number of stories about hardware-based vulnerabilities continues to increase.
Second, it’s quite unclear what kind of machine can be defined as a ‘computer.’ For instance, any current car is, to some extent, a computer and, what’s even more important, a connected computer on wheels. It is exposed to remote hacks and compromise, as we found out in a recent well-publicized demonstration of the remote hack of a Jeep Cherokee.
Right, the hack was performed by hackers, not a virus, and it was hardly a piece of cake, given the years of research this hack took. However, it won’t come as a surprise if an attack like that ends up with a car hitting some pole on the roadside. I guess this can be called damage.
So, can a virus actually damage PC hardware? Is it fact or fiction?
That’s the truth. However, the answer here heavily depends on what you actually mean by “damage”, “virus”, “PC”, etc.