‘badBIOS’ Malware Discovered To Be Capable Of Transmission Over Unplugged Machines

In enterprise environments, it's long been accepted that keeping a particular machine "100%" safe requires little more than keeping it off of an external or internal network, making sure to disable its network devices - wired or otherwise - and of course, disabling its optical drives and USB ports. A machine can't get infected when all of its data transmission lines are closed, right?

Wrong, according to security consultant Dragos Ruiu and the league of colleagues that side by his research. Three years ago, Ruiu's MacBook Air was acting strange. The oddities began with an auto-updated EFI firmware, and later moved on to the disabling of the ODD and removal of some data. Typical trojan behavior - but this was no ordinary trojan.

When trying to get down to the bottom of the issue, Ruiu did what any security analyst would do: He removed points-of-entry into the computer one-by-one. He disabled the network, had the machine's Wi-Fi and Bluetooth cards removed, and even went as far as to unplug its power cord since, oddly enough, data could potentially be delivered that way.

Security consultant Dragos Ruiu - Credit Flickr: Foxgrrl

After all this, Ruiu's problems remained. After restoring his notebook, and keeping it off the network, his computer became infected almost immediately. Imagine installing a fresh copy of Windows, only to discover that registry access has been restricted. That's a situation Ruiu found himself in.

Ultimately, the problem stems from what he calls "badBIOS", where computers can use high-frequency noise to transmit data from one PC to another, over "air-gapped" machines (machines not connected to others). Further, bugs like this could be transmitted through connected speakers and microphones.

Is this the making of a great Halloween story, or what?

As complex as badBIOS is, it didn't come from nowhere: Ruiu established that it's initially delivered via USB. While that might not seem so surprising, we're not dealing with a simple autorun mistake or something of that nature - this goes beyond simple data stored on the USB device. Through the use of a potential buffer overflow via the USB connection, the bug can be planted that way. At this point, Ruiu isn't entirely clear on how this works, but he hopes to make use of some high-tech USB analyzing equipment soon to help figure it out.

What's disturbing about all of this is that despite how outlandish it seems, it's possible. It's a little scary, then, to consider the fact that PCs entirely off of a network with USB/ODDs disabled might still not be safe. Are we going to have to design our chassis in the future to block such transmissions? Let's hope not.