Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.
In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to exchange small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.
“We were like, ‘Okay, we’re totally owned,'” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”
Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.
It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.
Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.
“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”
For you more technically-inclined folks, I suggest you read the full article…it’s a doozy.
Thanks to our Commenter Tim
They are discussing this right now on “Security Now”, Leo is skeptical. Ep. #429
They already covered this on Tek Syndicate. (Google it, if you dare to use Google.)
My router was down for a while and I rebooted my puter only to find a notice from Adobe Systems that an update was available and did I want to install it? I wondered how this was possible given the system status, so I clicked “ok”. 5 seconds later I got a notice the update could not be installed…I forget the reason why but it was not stated it was because I was off the internet.
Our computers….. lie. Not very artificial intelligence if you ask me.
Please don’t show your idiocy like that.
Anyone who uses Adobe products like Reader, Flash or even one of their editors is clearly an IDIOT! Probably not stupid by choice, but then ignorance is non selective when we become complacent.
Quite simply, there are alternatives to Adobe. Things like implementation of HTML5 instead of Flash or even Firefox’s now built in ability to read PDF’s. But since those alternatives are not as easy to use the techno pawns like yourself don’t care to even know about them. In fact, it’s a good bet that all of the techno pawns out there have also bought into an even bigger lie — that Apple is immune from viruses. Just look at the sales!
Of course, Apple virus immunity is total bullshit. But beliefs are hard things to refute even when there are overwhelming facts. And I’d even be willing to bet that this latest virus/worm/RK is being spread almost exclusively by those numbnut Apple owners who are probably oblivious to the horribly infected systems they themselves are running too.
And since no one of any significance makes a decent virus scanner for Apple, things may have to get worse before they get better. Because admitting failure like that – that a belief is indeed wrong – might be too much for the Apple community to take. Sort of like Russian communism!
Now, would you care to learn about the evils of Google?! Or have you also fallen victim to that even bigger swill of stupidity? (Don’t take my word for it. If you’re brave, try checking it out on your own at, http://ddg.gg.)
…And don’t even get me started on Java (not Java Script).
Excellent review. All conclusion and no analysis though.
Totally missing/not addressing the point of my post. Did you notice that or was it just a trip wire?
Lets test:
…………………………Adobe…………………….
I like *old* SumatraPDF. It clunks around just enough to pop open processexplorer so smooth as to permit one to make a copy of what just happened and forward it to an ObomaSCoare navigator.
What’s the big deal?
We now know every single bit and byte is archived by NSA.
They should easily be able to thwart the foreign terrorists who make this crapware.
I can’t wait for the lawsuit requiring NSA to provide exonerating evidence for someone that was falsely accused in a federal trial.
Has anyone ever wondered why federal prosecutors have 95-99% conviction rate?
They have inside info. They know you’re innocent they never bring it to the grand jury or indict you. You never find out why. NSA? Surely.
I told you so.
UEFI is BAD!
But then your first clue should have been why Microsoft and Apple have tried to push it onto everything we use while most of the Linux camps were bitterly complaining.
Just why this “virus” didn’t happen sooner is the question I want answers to. Because it would seem like they were just waiting to let things settle down while we all got more comfortable with the idea of UEFI before they started “probing” our systems.
Now, it seems that someone like the NSA or even al-Qaeda has got in on the fun and has developed code to append to UEFI dependent devices (too). What’s more, they appear to be in the process of delivering it!
And this whole turn of events almost has me looking for an Ethernet card for my old 8-bit Commodore 64.
+1
Still got mine!
Naturally, the guy is now getting ARS-consensused pegged as *stressed* but they, also, use the term ‘denier’ for people who think carbon taxes are odious. It’s sad, when the good ones crack like that — I think, he might have a bright future as a crisis actor, or something.
From reader comments —
“” Regardless of what happens, the security field just got murkier. If Ruiu is right – well, we are truly fucked. If he isn’t right – well, it’s a sign that the paranoia is starting to eat away at the people who we rely on for advice, and that we can’t even trust people who are on our side. Either which way, we all just lost.
“”I also continue to believe that @dragosr is a respectable professional in my industry (infosec) and he isn’t deliberately hoaxing us.
“”BUT the seed of doubt is being well-nurtured I’m afraid. Last night he tweeted that it appeared someone had tampered with his uploaded files and removed sections. He then deleted that tweet overnight. I don’t want to say it but I think the very paranoia that makes one a good infosec professional is wearing on him. I don’t want to see anyone being mean about it. It could happen to any of us and it WILL.
I don’t NOT believe in badBIOS: I believe that at least part of it might be real. But I now really doubt that *all* of it is real.
— a professional paranoid 🙁
http://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/
And, Really. Goodin is probably playing the Faux News fair-and-balanced act for his life — What is a journalist to do?? Does anyone here really want to read about Dan Goodin’s flawless auto-performance of David Carradine on bigger dick pills?
Think high tech acoustic coupler.
http://gizmag.com/ultrasonic-data-and-power-transmission-through-metal/18097/
“Three years ago, ” ????
Talk about zero-day
I’m not buying it.
Good!
The virus does indeed exist. But that crap about high frequency inaudible sound being the path of infection does peg the ol bullshit meter.
I’m with you on the sound transmission vector (as regards the topic article). Total bullshit.
Surely {may I call you that?}, you jest?
Hmmm. If I can’t say anything nice…
fuck y’all *grins* Got a link?? http://securityartwork.es/2013/10/30/badbios-2/?lang=en
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
Dummy Up, your first link has been analysed by some to a ‘consensus’ that the guy got paranoid and started hearing squirrels when a sinkhole swallowed his brother, a bad disk bearing, and thinking pwned machines were talking. My tangent would be that everyone is now paranoid — Some have been called paranoid for years for pointing this crap out. Some made predictions like how the DirecTV menu would get slower and slower {and harder to see}.. long story.. Some thought Kirstie Alley would get fat.. I dither {sic?}.
Me neither. It’s rubbish.
This explains Dallas’s toadying.
I think that I have just been tricked into believing it’s April First.
It is clear that the guy infected his systems with a USB key and not some weird alien like virus spreading through the airwaves.
It is also funny how some people on this blog pretend to know anything about computers, software and or security.
Funny
Oh, look. Someone has poured Gadolinium all over your keyboard. I wonder if that’s a good way to clean it?
I designed computer hardware in the 80’s-90’s, I wrote microcontroller assembler for data acquisition systems and robotics, and even did some work with TI. Am also published. For the past two decades I have been an IT Pro and software programmer in the fields of server virtualization, and GIS/3D for film and games…
Is that enough pretending for you Diesel? :-p
The article is full of BS with enough sprinkling of bits to make people believe it “just might be” true.
Not even a Picard Double-Facepalm is sufficient for this one.
Perhaps. But I believe Goodin did a great job in bringing it into the conversation. People have been kicking these ideas around for awhile and it seems all the little sub-ideas have been shown to work, in concept?? If it can be thought up, it can be done, hmmm?
I wonder who has budget, advanced technology, and manpower and has probably been doing such things as that for a very long time. I wonder if the on-board watch battery in combination with the bios (or UEFI, whatever) can make the onboard speaker ‘chirp’ under its own power?
I’m sure there are plenty of unscrupulous IT guys out there, only most of which are forced to don cheap Ray Banz and uncomfortable shoes, doing their best Goldblum The Fly knuckle-balling imitation and thinking “Why didn’t I think of that? It. Can. Work!! Mhuuuhhaaa. {and it would have been all mine except for those meddling kids…}”
And, sonic couplings aside, consider this —
“”This combination of hardware from Intel enables vPro access ports which operate independently of normal user operations. These include out-of-band communications (communications that exist outside of the scope of anything the machine might be doing through an OS or hypervisor), monitoring and altering of incoming and outgoing network traffic. In short, it operates covertly and snoops and potentially manipulates data.
http://tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr
The majority of desktop and server motherboards no longer have an on-board POST-code speaker. Even if they still have the header pins for one, they usually only have the audio IC.
Portable devices like laptops, tablets, and phones have a variety of audio configurations, but they are all limited cheap designs with limited frequency response that will not produce ultra-sonics.
The issue with attempting to send ultra-sonics over standard computer audio systems is three-fold:
1. It would require both a microphone and speakers on the systems. External powered speakers would have to be on.
2. The majority of the audio codec ICs use a DAC filter with a cutoff of 16kHz to 20kHz, so they cannot produce ultra-sonic frequencies.
3. The driver (cone/diaphragm) frequency response is less than 20kHz, so they cannot produce ultra-sonic frequencies.
Which means that the audio system and speakers cannot reproduce ultra-sonic frequencies. It would require special hardware connected to the device to achieve ultra-sonics.
The next issue is, even if I had a modified laptop that could produce ultra-sonics and send a virus in that manner, so what?
Any nearby laptop would require a microphone, AND modified hardware with an ADC whose filter was also >20kHz, AND already be infected by malware that overrode its default microphone ADC input management (ie. inject incoming data vs record as pcm wave).
So it would be impossible to transfer malware in this manner from an infected system to a non-infected system unless I installed special hardware and pre-infected both of them.
IF we assume that the manufacturers of computer systems are not secretly putting specific extra hardware and firmware/software into their systems in order to covertly attack, monitor, or control a consumer device, the only other method that malware programmers can use is finding exploits on existing firmware/software systems where they can inject code and force it to execute.
But these types of malware are becoming very difficult to do with the current move into sandboxing, virtualization, etc., since “catching” malware on a virtual devices does not give it direct access to the underlying physical devices, so it cannot infect the host.
For the past few years I do all of my Internet access through virtual machines, not only for significantly greater protection against malware, but also for the easy backup and restore, rollback, cloning, replication, etc.
And I don’t own an iPhone etc.
I certainly wouldn’t limit the possibility to what *high fidelity* above 20 kHz would entail — one may just as well call ~15 kHz *ultrasonic*.
I can imagine other schemes to check for ‘on’/’off’ bits — imagine a sort of pseudo pink (white?) noise that sounds just like ordinary hiss and Johnson noise with lack of audio input but can certainly still be superimposed upon it. Now, if there were a time-based way to sync up when exactly to listen for the coded state then one may employ the whole frequency spectrum, but at around the noise floor in any given band, such that if it’s only polled a few milliseconds each second then we’re not going to hear it with our ears. Or perhaps listen for two tones or do phase-shift modulation with one of them — No one is talking high data rate, here. Just enough information to trigger a switch for the other machine to do something. Bad machine may have all day to whisper a few bytes to other bad machine at, say, 5 or 10 baud??
“”if I had a modified laptop that could produce ultra-sonics…
Ultrasonic Local Area Communication
http://alumni.media.mit.edu/~wiz/ultracom.html
“”the audio command packet is transmitted using a simple Frequency Shift Keying (FSK) modulation at some carrier frequency, where fc is the center frequency, fc+δf is the frequency for the transmission of a binary 1, and fc-δf is the frequency for the transmission of a binary 0. The packet consists of a stream of binary digits sent using one of these two tones. The purpose of the various segments of the packet are as follows:
Preamble – to allow the CADM to synchronize to the symbol centers of the binary data signal. The preamble is typically an alternating binary sequence, such as 1010101010.
Frame Synch – to provide word alignment to the control, data, and parity portions of the command packet. The frame synch is typically a short binary sequence such as a Barker code, Lindner Sequence, Maury-Styles Sequence, etc. One suitable frame synch word consists of the binary sequence 0010 0000 0111 0101………………………………
bla
bla
bla …………………………..
http://google.com/patents/WO1997031437A1
So. It’s not a matter of if this *technique* is practical but rather a question of if a sort of *McGuyver* may take off the shelf hardware and do these things to
mess with grandma’s head / allow one to have a home network through concrete walls or heavy radio pollution and such. And this seems outside the realm of ultrasonics — curiouser and curiouser.
“”It uses communication via SDR (Software Defined Radio) to bridge air gaps (computers out of the network). It works even if the wireless and Bluetooth cards are physically removed.
http://securityartwork.es/2013/10/30/badbios-2/?lang=en {thx, Dummy Up}
Some user comments shot at another debunker article —
“”It is obvious that assuming this was real, most features would run on the OS level as a rootkit, with a tiny module in the BIOS used to re-infect clean operating systems (or possibly providing an hypervisor, I think something like that was also mentioned). It would certainly be possible to generate interceptable signals. There was a paper analyzing the sound emitted from some power regulating component on mainboards during RSA private key operations, and AFAIK they were able to at least distinguish which key from a certain set is being used. On many cheap notebooks, you can observe this yourself by simply listening very closely while applying different CPU loads (e.g. encryption, scrolling in a PDF file, …)
If the mechanical vibrations caused by the varying load are strong enough to be audible to the human ear, I’m pretty sure you can use it to send signals to highly sensitive equipment designed to intercept such signals. You can transmit AM radio, receivable with a regular shortwave receiver, using just a CRT and a piece of software (google “tempest for ELIZA” if you don’t believe me – it works, I tried). TEMPEST is a problem by itself, so it certainly can become a bigger one if it is used intentionally.
“”As for the acoustic data transfer, it seems that he may not be very far off in his analysis of that, I did a little searching and came across this http://www.disneyresearch.com/project/mobile-phone-arrays/ granted they are combining the data with audible sound so they could simply be modulating that, but what about the high frequencies, I know that the ‘cricket’ ring tones were popular with young kids because adult hearing had been sufficiently diminished in the high end that most adults couldn’t hear them.
http://rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/
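The FSK packet layout quoted from the patent above (alternating preamble for symbol timing, a Barker code for word alignment, then the data) can be tried end to end on nothing but a sound card, which is the practical core of the "can ordinary hardware do this" argument in the comments above. What follows is an added example written for this page; it is not code from the patent, the MIT project, Ruiu, or anyone quoted here, and it says nothing about what badBIOS did or did not do. The sample rate (48 kHz), carrier (18 kHz), deviation (500 Hz) and symbol rate (100 baud) are my assumptions: the tones sit inside the passband of an ordinary audio codec rather than above 20 kHz, which is the regime the earlier comment about ~15 kHz "near-ultrasonic" signalling was pointing at. The channel is a constructed one (unknown start delay plus Gaussian noise), so the whole thing runs offline and shows why the receiver needs the preamble and the sync word as two separate steps.

```python
"""Two-tone FSK packet over an audio channel: preamble, Barker frame sync, length, payload.
Added example for this page; all parameters are assumptions, not anyone's measured values."""
import math
import random

SAMPLE_RATE = 48_000          # Hz; a rate an ordinary audio codec supports (assumption)
BAUD = 100                    # symbols per second; a few bytes only need a few seconds
FC = 18_000                   # carrier below a 20 kHz codec cutoff, above most adults' hearing (assumption)
DF = 500                      # deviation: a '1' is sent at FC+DF, a '0' at FC-DF
SPS = SAMPLE_RATE // BAUD     # samples per symbol: 480, so both tones are whole cycles per symbol

PREAMBLE = [1, 0] * 8                                  # alternating bits: symbol-clock recovery
BARKER13 = [1, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1]     # 13-bit Barker code: word alignment


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bytes_to_bits(data):
    return [b for byte in data for b in int_to_bits(byte, 8)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def bits_to_bytes(bits):
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))


def modulate(payload):
    """Build preamble + sync + 8-bit length + payload and key it as two phase-continuous tones."""
    assert len(payload) < 256, "single length byte"
    frame = PREAMBLE + BARKER13 + int_to_bits(len(payload), 8) + bytes_to_bits(payload)
    out, phase = [], 0.0
    for bit in frame:
        step = 2 * math.pi * (FC + DF if bit else FC - DF) / SAMPLE_RATE
        for _ in range(SPS):
            out.append(math.sin(phase))
            phase += step
        phase %= 2 * math.pi           # keep the accumulator bounded; no phase jump between symbols
    return out


def simulate_channel(signal, delay=137, noise_sigma=0.5, seed=1):
    """Constructed channel: the receiver starts listening `delay` samples early, and hears noise."""
    rng = random.Random(seed)
    padded = [0.0] * delay + signal + [0.0] * 300
    return [x + rng.gauss(0.0, noise_sigma) for x in padded]


def tone_power(window, freq):
    """Goertzel power of one frequency over a window; a single-bin DFT, no FFT library needed."""
    k = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in window:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2


def decide(window):
    return 1 if tone_power(window, FC + DF) > tone_power(window, FC - DF) else 0


def find_symbol_clock(samples, step=20):
    """Use the alternating preamble: the offset where mark/space energy correlates best with 1010...
    is the one whose windows straddle no symbol boundary. Polarity is ignored; the sync word fixes it."""
    best_offset, best_score = 0, -1.0
    for offset in range(0, SPS, step):
        if offset + len(PREAMBLE) * SPS > len(samples):
            continue
        score = 0.0
        for i, bit in enumerate(PREAMBLE):
            w = samples[offset + i * SPS: offset + (i + 1) * SPS]
            score += (tone_power(w, FC + DF) - tone_power(w, FC - DF)) * (1 if bit else -1)
        if abs(score) > best_score:
            best_offset, best_score = offset, abs(score)
    return best_offset


def demodulate(samples):
    """Recover the payload, or None if no frame sync word is found in the bit stream."""
    offset = find_symbol_clock(samples)
    bits = [decide(samples[s:s + SPS]) for s in range(offset, len(samples) - SPS + 1, SPS)]
    for i in range(len(bits) - len(BARKER13) + 1):
        if bits[i:i + len(BARKER13)] == BARKER13:      # word boundary found
            body = bits[i + len(BARKER13):]
            if len(body) < 8:
                return None
            length = bits_to_int(body[:8])
            payload_bits = body[8:8 + 8 * length]
            return bits_to_bytes(payload_bits) if len(payload_bits) == 8 * length else None
    return None


if __name__ == "__main__":
    received = simulate_channel(modulate(b"ping"))
    print(demodulate(received))                        # b'ping'
```

The two sync stages do different jobs: the preamble only tells the receiver where symbols start (to within a fraction of a symbol), while the Barker code tells it where the frame starts, so the length byte and payload are read at the right bit position even though the receiver began sampling at an arbitrary moment. At 100 baud a four-byte payload takes under a second; dropping to the 5 or 10 baud mentioned above would only lengthen the symbols and make each Goertzel decision more noise-tolerant. The limits raised earlier (codec cutoff, speaker response, a microphone on the listening side) still apply; this shows only that the modulation itself is trivial.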
We have met the enemy… and the enemy is feature-rich, complex technology hurried to the consumer marketplace to turn a quick buck.
These ain’t toasters folks. We’re all Typhoid Marys swapping binary spit at the speed of light. Kiss me.
Ack ……………………………………………. RST ……………………………….
cache poisoned
error 601
have a nice day
stop
end
I hear ya, brother {stupid git}. Yea, they’re free; But, two packets exchanged and those stupid ObamaComputerBrainInterface implants make you feel like the guy with the gecko at a David Icke rally.
If he hadn’t peeled off the mask to reveal a little tiny human face on the lizard then he might still be amongst correctly-status’d welfare recipients today. <– {I have it on good authority that this statement's construct is never wrong. Then again, I've never been an outspoken supporter of logic-nazi fascism.}
The ultrasound is NOT a vector for infection. It’s how the already infected computers communicate.
Any time I hear some computer expert tell me they run without using anti-malware because they know how to avoid infections I just want to laugh at them.
I don’t run any anti-mal ++++++++
[stop]
[overflow error 666]
[reinit]
[All your base are belong to us]
WTF?!
I would certainly not be an expert but I don’t run anti-malware until I’m pretty sure I’ve got malware.
I have been bitten from time to time and have learned to at least find instructions for the various cleanup tools. Active malware scanners would not have saved me from one serious breach as that was due to my own ignorance and sharing nature {people of the future — it is probably not a good idea to set up as a ToR outlet node allowing everything through an unpatched machine}.
That being said, I find the great advantage to not running it is our greater sensitivity to any variations in its now hyper-responsive state; That is, one *gets to know* their machine. But, as one can’t judge subtle changes in his vehicle performance with the stereo bumping so hard the headlights are modulating neither can one just instinctively pick up on something ‘amiss’ with his I-Cherry-2000 if the *normal* state is for it to be running off and doing only M$-knows-what all the time or non-stop making sensual drive crunching sounds every time your back is turned or the lights are out.
and I hate it when my Cherries break.
http://youtube.com/watch?v=Y6KJtFZoflc
It’s pretty sad that most people associate the word “virus” when they really mean to say “trojan” or even “crapware.”
That said, it would be my guess that your system is running 100-percent and that you believe there is nothing wrong with it.
GOOD! That’s exactly what they want you to think.
Please also don’t look up what a zombie system is because your picture just might pop up.
Fast Zombie {screw those horn’d beasts of suck} – yaaaee?
And, how would one know?? Oh, wait… You are waiting for some third-party protection racket to send you a ping.
“This computer is clean. No, really. We thought about it alot…”
I just buy three computers at a time, so when one goes down, I have a backup ready.
But, if you leave them sitting on concrete too long then the memory discharges.
Kind of reminiscent of the Varley story “Press Enter■”.
Asus makes motherboards that can flash their firmware from a USB stick: you plug the stick into a special blue USB port that has a button next to it, and press the button.
The PC doesn’t even need to be turned on, the motherboard doesn’t even need to have RAM nor a CPU installed. It just needs standby power from a PSU and you can flash its BIOS.