1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News BadBIOS malware claimed to defeat air-gaps

Discussion in 'Article Discussion' started by Gareth Halfacree, 1 Nov 2013.

  1. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    Yea i get the need to keep a sample for study so to speak, but wouldn't you take the simple precaution of having some clean USB drives around (as in factory sealed) for just such an occasion.

    If my understanding is correct it doesn't infect through audio, merely communicates through it for things like self repair.
     
  2. Sparrowhawk

    Sparrowhawk Wetsander

    Joined:
    14 Feb 2004
    Posts:
    584
    Likes Received:
    1
    Honestly, I think what's happened is the badBIOS affects either or all of:
    ACPI
    Flash controllers
    Sound cards (RealTek is near ubiquitous and attacking the firmware would be easy.)
    and the BIOS.

    Something here is serious enough to survive just a simple OS wipe or hard drive change.
     
  3. greypilgers

    greypilgers New Member

    Joined:
    23 Jan 2011
    Posts:
    442
    Likes Received:
    23
    Awww... I was kinda looking forward to a World War CPU-Z or summat...
     
  4. LordPyrinc

    LordPyrinc Legomaniac

    Joined:
    7 Mar 2008
    Posts:
    597
    Likes Received:
    5
    Now where did I put that tin foil hat?
     
  5. ChaosDefinesOrder

    ChaosDefinesOrder Vapourmodder

    Joined:
    6 Feb 2008
    Posts:
    706
    Likes Received:
    7
    don't forget the ear-plugs given the sonic nature of this malware!
     
  6. tuk

    tuk Don't Tase Me, Bro!

    Joined:
    28 Oct 2012
    Posts:
    493
    Likes Received:
    10
    It a great idea, create a vpn from nothing, less chance of being monitored ergo detected, bypass network firewalls, packet sniffers etc + using sound frequencies outside the range of human hearing.
     
  7. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Posts:
    4,699
    Likes Received:
    172
    use sound cancelling technology to prevent the communications?
     
  8. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    Would sound cancelling technology work seeing as its using sound above normal human hearing ?
     
  9. Tyr

    Tyr New Member

    Joined:
    7 Jun 2006
    Posts:
    133
    Likes Received:
    0
    LOL! It is technically possible for this to happen. But it would be a complete and utter waste of time.

    You would need a high quality speakers and microphones. Your normal run of the mill ones distort too easily and have a more limited frequency range. Even high end speakers will not produce sound pressure waves at useful frequencies and energy levels.

    Say some speaker can produce sound at 30kHz at a usable volume and a microphone elsewhere can pick it up. That is still only 30kpbs at best! That is roughly 1MB every 5 minutes. It is pretty useless in this day and age.

    This is ignoring the fact that most microphones are not sensitive enough past 16kHz to have a decent signal to noise ratio. Mainly because they don't need to be and would be far more expensive if they were. Pretty much the same story with speakers they do not produce useful sound over 25kHz if at all.

    All in all we can agree that this is a massive pile of BS.
     
  10. tuk

    tuk Don't Tase Me, Bro!

    Joined:
    28 Oct 2012
    Posts:
    493
    Likes Received:
    10
    You wouldn't need a clean signal, just being able to effect( even adversely...static? ) the transducer in the mic would be enough to give you a binary communication link, it might even be possible to do this over some distance using the right kind of signal/interference.
     
    Last edited: 1 Nov 2013
  11. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    Seeing as most virus are extremely small i would think 30kpbs would be overkill, and seeing as the transmission and reception via audio is only used as a self repair mechanism it probably wouldn't need to send more than a few bytes.
     
  12. Deders

    Deders Well-Known Member

    Joined:
    14 Nov 2010
    Posts:
    4,053
    Likes Received:
    106
    ^This^
     
  13. Cheapskate

    Cheapskate Insane? or just stupid?

    Joined:
    13 May 2007
    Posts:
    10,977
    Likes Received:
    1,018
    It sounds very interesting. I'd like to read the rest of his doc. Anyone interested in printing it out and mailing it to me?
     
  14. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,482
    Likes Received:
    176
    I'm not claiming that such attacks as re-flashing USB sticks is impossible, I'm saying it's extremely unlikely that a single piece of malware can attack the firmware of PCs and Macs, prevent USB booting, flash USB drives, attack via USB flash drive in Windows, Linux and OSX... and communicate via ultrasound.

    And don't get me started about how he thinks his friends laptop was attacked when it was initially clean and kept off any network.

    He's found no software. No malware. No evidence. He's not been peer reviewed or provided anything like detailed information on his findings. So....

    Slap with a wet fish and call be sceptic... but...

    I. AM. NOT. BUYING. IT.
     
  15. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    Its not much of a stretch on what can already been done, Flashing BIOS, EFI, and UEFI firmware is a simple thing to do and is not dependent on what OS is installed. Firmware rootkits have been in use since 2008 when criminals tampered with European credit-card-reading machines before they were installed. Most modern systems come with UEFI type BIOS that make disabling or enabling devices a very simple thing to do, and seeing as all BIOS can issue beep codes its not difficult to see how this could be used to communicate more than error to a person.

    But i to share some scepticism due to the lack of published evidence, although when someone with 15 years experience in his field makes a claim about something i think its best to given them the benefit of doubt. Even if he is running the PacSec security conferences in two weeks and it could just be a publicity exercise.

    I found this an interesting read on how simple it would be for something like BadBIOS to do all the things that are claimed. http://blog.erratasec.com/2013/10/badbios-features-explained.html
     
    Last edited: 2 Nov 2013
  16. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    3,099
    Likes Received:
    312
    It seems it can only defeat airgaps if both machines are already compromised, in which case the airgap is already defeated. Saying it can "infect" past an effective airgap is misleading

    However, given that, I do think think transmitting quite small but useful amounts of data over audio from one infected machine to another is quite feasible.
    If the amount of data is small and the system knows what to look for then a high signal to noise ratio shouldn't be too much of a problem. The audio equivalent of a bar code. Shazam is presumably doing something roughly similar often with a very high SNR.

    You say 1MB every 5min is pretty useless. Stuxnet was half a MB...
     
  17. Woodstock

    Woodstock So Say We All

    Joined:
    10 Sep 2006
    Posts:
    1,783
    Likes Received:
    2
    From other articles the first symptom was simply, a laptop that refused to boot from a CD. The audio networking link, was discovered off a machine sending and receiving IPV6 packets despite not having OS level support for IPV6.

    As for the comments about his skill based on the 3 years, your talking about techniques never seen in the wild, on bizarre symptoms and seemingly unrelated. Plenty of other respected security workers, are taking him seriously. This is all happening at a level below the OS too, for initial infection.

    USB hosts on all platforms, also assume the device is friendly, most implementations in BIOS/UEFI and OS drivers, trust that if the spec says the device will send 16 bytes that it will, and doesn't actually check the amount. Some fairly standard buffer overflow problems are present. The number of different controllers for USB is not very many either. It all sounds quite plausible, and defiantly interring.

    Also I doubt he would risk his credibility on a hoax (would ruin him in so many ways) to drum up support for an already well attended conference.
     
  18. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    Yea the skill thing was based on the way it has been reported, saying how he has been unable to clean his network for over 3 years. Maybe its just me that thought it sounded like he kept getting reinfected by not doing a proper job, when in fact he probably reinfected devices almost on purpose while running tests and such.

    And i also doubt its a hoax, but you never know stranger things have happened.
     
  19. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,920
    Likes Received:
    258
    Sorry, i don't buy it. What is so hard in :
    1) turn off all computers.
    2) turn on one of them, detect if it is infected. If yes, turn it off, mark that computer as patient zero.
    3) turn on another computer, disinfect, turn off. Repeat for all computers in the network.
    4) Network is now clean, except patient zero. Put that computer in soundproof room, with power filtered by a online UPS.

    Network clean, sample preserved.

    I call it a hoax too.
     
  20. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    386
    You know in the old days of medicine and diseases doctors used to experiment on them selves and deliberately expose people to watch how quickly they started to exhibit symptoms.
     

Share This Page