‘badBIOS’ Malware Discovered To Be Capable Of Transmission Over Unplugged Machines

rated by 0 users
This post has 16 Replies | 0 Followers

Top 10 Contributor
Posts 26,486
Points 1,196,300
Joined: Sep 2007
ForumsAdministrator
News Posted: Fri, Nov 1 2013 2:00 PM

In enterprise environments, it's long been accepted that keeping a particular machine "100%" safe requires little more than keeping it off of an external or internal network, making sure to disable its network devices - wired or otherwise - and of course, disabling its optical drives and USB ports. A machine can't get infected when all of its data transmission lines are closed, right?

Wrong, according to security consultant Dragos Ruiu and the league of colleagues that side by his research. Three years ago, Ruiu's MacBook Air was acting strange. The oddities began with an auto-updated EFI firmware, and later moved on to the disabling of the ODD and removal of some data. Typical trojan behavior - but this was no ordinary trojan.

When trying to get down to the bottom of the issue, Ruiu did what any security analyst would do: He removed points-of-entry into the computer one-by-one. He disabled the network, had the machine's Wi-Fi and Bluetooth cards removed, and even went as far as to unplug its power cord since, oddly enough, data could potentially be delivered that way.


Security consultant Dragos Ruiu - Credit Flickr: Foxgrrl

After all this, Ruiu's problems remained. After restoring his notebook, and keeping it off the network, his computer became infected almost immediately. Imagine installing a fresh copy of Windows, only to discover that registry access has been restricted. That's a situation Ruiu found himself in.

Ultimately, the problem stems from what he calls "badBIOS", where computers can use high-frequency noise to transmit data from one PC to another, over "air-gapped" machines (machines not connected to others). Further, bugs like this could be transmitted through connected speakers and microphones.

Is this the making of a great Halloween story, or what?

As complex as badBIOS is, it didn't come from nowhere: Ruiu established that it's initially delivered via USB. While that might not seem so surprising, we're not dealing with a simple autorun mistake or something of that nature - this goes beyond simple data stored on the USB device. Through the use of a potential buffer overflow via the USB connection, the bug can be planted that way. At this point, Ruiu isn't entirely clear on how this works, but he hopes to make use of some high-tech USB analyzing equipment soon to help figure it out.

What's disturbing about all of this is that despite how outlandish it seems, it's possible. It's a little scary, then, to consider the fact that PCs entirely off of a network with USB/ODDs disabled might still not be safe. Are we going to have to design our chassis in the future to block such transmissions? Let's hope not.

  • | Post Points: 125
Top 50 Contributor
Posts 2,363
Points 48,690
Joined: Apr 2000
Location: United States, Connecticut
ForumsAdministrator
MembershipAdministrator
Marco C replied on Fri, Nov 1 2013 2:52 PM

I'm not buying it. Seems to me that the machine was likely infected with something that resided in a tiny hidden partition or perhaps a piece of flash memory in the system, i.e. the BIOS EEPROM. Which would explain how the machine was infected again even after being completely isolated from the outside world.

Marco Chiappetta
Managing Editor @ HotHardware.com

Follow Marco on Twitter

  • | Post Points: 5
Top 100 Contributor
Posts 1,044
Points 9,705
Joined: Mar 2012
Location: LA, CA
sevags replied on Fri, Nov 1 2013 2:54 PM

I am not fully understanding the article. What do you mean by through connected speakers and microphones? Are you saying that an infected computer can use its speakers to transmit the bug via high frequency speaker noise an another computer could get infected by listening to it through its microphone? If that is the case it definitely sounds very odd. How long would it take to transmit an average sized bug in this way? Would the computer to be infected require the microphone to already be on? Will the microphone need software to understand the "noise" it is listening to and then convert it to 1's and 0's? So many questions.. Even if this is possible it sounds like it would require the "perfect storm" or an alignment of planets for this to work...

  • | Post Points: 20
Not Ranked
Posts 14
Points 70
Joined: Jul 2013

Sounds fake to me.

  • | Post Points: 5
Top 25 Contributor
Posts 3,649
Points 55,380
Joined: Jul 2004
Location: United States, Massachusetts
ForumsAdministrator
MembershipAdministrator
Dave_HH replied on Fri, Nov 1 2013 5:45 PM

Reportedly, this is NOT a Halloween hoax... there's a bit of feasibility here but it does seem thin.

Editor In Chief
http://hothardware.com


  • | Post Points: 20
Top 200 Contributor
Posts 358
Points 2,565
Joined: Sep 2011

Amazing. Malware being transmitted over the power line or the air?

  • | Post Points: 20
Top 150 Contributor
Posts 541
Points 4,525
Joined: Apr 2012
Location: Schertz, Texas
ajm531 replied on Fri, Nov 1 2013 8:35 PM

so from some reading ive done his evidence is thin because hes really the only to report on it. However hes respected enough to where its doesnt seem like a sci-fi movie virus. But yes its to some degree feasible. In the end really the moral of the story here applies to a lot things. Don't download things from websites you dont trust. For phones dont download apps from 3rd party markets or sketchy websites. And in this case DONT STICK THINGS IN YOUR COMPUTER FROM UNTRUSTED PEOPLE!! its really fairly simple solution. Oh and keep a close eye on your laptop in public

  • | Post Points: 5
Top 10 Contributor
Posts 8,705
Points 104,490
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator

I transmit data over power lines every day.

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 5
Not Ranked
Posts 41
Points 355
Joined: Sep 2012

Even if it could transmit data via speakers/microphone, there is nothing on the other PC telling it to listen to that data. If there WAS something telling it to listen, it would have to be the malware doing it in the first place, making it pointless to have to listen for the "rest" of it.

  • | Post Points: 65
Not Ranked
Posts 10
Points 60
Joined: Mar 2013

My thoughts exactly. Wonder what that's about.

  • | Post Points: 5
Not Ranked
Posts 73
Points 780
Joined: Jun 2013
basroil replied on Fri, Nov 1 2013 11:31 PM

Not that he mentioned using a Macbook. Apple's been notorious for leaving microphones open despite the user turning it off, just look at the Siri debacle on the iPhone. Since the computer is always listening for new information at a low level, you could theoretically get direct CPU access though low level systems like a microphone. But yes, ridiculously impossible in terms of variables you have to account for, the virus would have to be several hundred MB of code even in the best scenarios.

  • | Post Points: 5
Top 150 Contributor
Posts 627
Points 5,605
Joined: Sep 2012
Location: Canada
ForumsAdministrator
Moderator
RWilliams replied on Fri, Nov 1 2013 11:37 PM

That's a bit of information we're lacking for sure. I'm hoping that we'll learn a lot more in the next month, because at this point there are more questions being generated than answers.

  • | Post Points: 5
Top 150 Contributor
Posts 541
Points 4,525
Joined: Apr 2012
Location: Schertz, Texas
ajm531 replied on Fri, Nov 1 2013 11:56 PM

well thats basically it. It mentions in the article that it would have first be transmitted via an infected usb device. so its not like they can just magically transfer a virus all willy nilly. you have to be infected first thru a physical device as mentioned then a person in control of the malicious code could then send commands or other malware via the microphone or speaksers or some kind of frequency.

  • | Post Points: 5
Not Ranked
Posts 73
Points 780
Joined: Jun 2013
basroil replied on Sat, Nov 2 2013 9:49 AM

Doesn't have to be malware, apple always has their microphones on to minimize issues initializing the device. If you turn on speech recognition services in android or windows then other oses are at risk too.

  • | Post Points: 20
Top 50 Contributor
Posts 3,109
Points 38,260
Joined: Aug 2003
Location: Texas
acarzt replied on Sat, Nov 2 2013 10:52 PM

I'm with Marco here. I call BS.

There is no way an isolated computer that is legitimately clean of any virus is going to get reinfected.

There are so many different locations this virus could store itself. In the BIOS rom, in a vga rom, or any other storage for that matter. It just sounds like an other root kit.

For all we know the guy is installing a bad driver that is already infected with the virus when he reinstalls the OS.

The electronics inside of a computer without a radio (wireless adapter) cannot produce RF, at least not without causing damage to itself. And the worst they would be able to do with that RF is cause interference with wireless networks, assuming they could even hit the right frequency. You device will just ignore this noise.

If we are talking EMI... the device would fry it's internal components before producing enough EMI to have any effect on an other device that was 2 inches away.

This just isn't possible. Everyone thinks wireless is Magic, well I just so happen to be a wireless network engineer...

BS Flag is waiving violently!

  • | Post Points: 5
Top 50 Contributor
Posts 3,109
Points 38,260
Joined: Aug 2003
Location: Texas
acarzt replied on Sat, Nov 2 2013 11:14 PM

Also to touch on the whole audio theory...

The only way, one computer could produce a sound through the speakers and have an effect on ANY other computer would require:

1. The device producing the sound is already infected with the virus.

2. The second device is already infected with a virus that runs an application in the background that is specifically listening for the sound that the first device is going to produce.

3. The sound will have to be at a frequency humans can hear.

Speakers were designed for humans to hear, and they only work inside the narrow scope that we are able to hear sounds. Most speakers are not about to produce sounds at a frequency we cannot hear. We can hear in a range from 12Hz up to 20Khz. The range of a speaker in a portable device is much less. The range in high end audio equipment can reach the upper end of our range or hearing, but not the lower end. Highly specialized and very expensive speakers design for use by professionals, like biologists, exist to produce sound beyond our range of hearing, but you're not gonna find that in any normal persons home.

4. The sound will have to be loud enough for the microphone and humans to hear.

Most microphones are not going to be able to hear anything that you can't hear yourself. Only very high end microphones can pick up on sounds that are not loud enough for the human ear to detect and even then to pinpoint said sound would require professional equipment and an isolated sound chamber(check out how bang and olufsen tests their speakers for clarity some day). On top of that, if the noise is too quiet, it will be attenuated by other sounds waves in the air and the microphone will not be able to hear it. Basically, you would absolutely hear the device making this suspected noise.

Again, BS flag is still waving.

  • | Post Points: 5
Top 50 Contributor
Posts 3,109
Points 38,260
Joined: Aug 2003
Location: Texas
acarzt replied on Sat, Nov 2 2013 11:17 PM

This would imply there is some secret backdoor phrase that you could say to cause mass devastation on all of these devices.

Also, how many times do you have to repeat yourself to your phone before it understands you?

How clearly and loudly do you need articulate?

Do you really think you would not hear the command that causes your device to implode?

  • | Post Points: 5
Page 1 of 1 (17 items) | RSS