
Mysterious Mac and PC malware that jumps airgaps? - mercurial
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
======
RazorOfOccam
This story is false. Not intentionally so, but evidently some technical
misunderstandings and a lot of paranoia have led to the claims being made. I'm
using a throwaway because I don't want to get involved in a public battle, but
I've analyzed everything that he provided, and he jumped to wrong conclusions
for everything so far. I am sorry that I'm making this claim without data, but
I ask that you consider that he has also made extraordinary claims without
providing any data.

The entire audio channel theory is based on a simple twitter suggestion from a
third party, and Dragos saying it must be correct because he has also been
unable to remove audio interference from his home audio system.

He has yet to provide anyone else with anything but perfectly clean files,
with signed and matching hashes from clean Windows 8 installations.

Although some of the methods he claims are rooted in things that have been
demonstrated as a proof-of-concept in previous research, his claims represent
added twists in ways that are very difficult to swallow. More importantly,
it's based on assumptions, and not anything that has actually been analyzed.

(For what it's worth, I analyze malware professionally)

~~~
emmelaich
Yes, it's got all the hallmarks of self-deception.

My guess is that someone (in his lab or close to him) is/was pranking him. And
now that it's got this big, doesn't want to admit it.

------
marijn
What triggers my skepticism is

* "Ruiu said he plans to get access to expensive USB analysis hardware" -- I'm not an expert on USB, but I do believe it should be trivial to tap the traffic between a machine and such an infected stick, and compare it to what should normally be happening.

* No effort seems to have been made to capture the sound waves made by this (supposedly reproducible) high-frequency audio networking.

* The infected bios hasn't been dumped and compared to the bios the machine was supposed to have.

* For some reason, there's no mention of other researchers getting access to or investigating infected machines and usb sticks.

These are all extremely basic steps that could be taken to make the story go
from vague conjecture to actual proof (or disproof). Why weren't they taken?
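
Marijn's third point, dumping the suspect firmware and comparing it to what the board should carry, as an added example that is not part of this thread: a small Python script that takes two SPI flash dumps of the same board (for instance one read from the suspect machine and a vendor image or a dump from a known-clean unit of the same model) and lists the byte ranges that differ. The file paths are the caller's, and the 64 KiB images and the patched offsets are constructed for the demo; they are not real firmware.

```python
import hashlib
import random


def image_digest(data):
    """SHA-256 hex digest of a firmware image, for recording what was compared."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference, sample, merge_gap=16):
    """Byte ranges [(start, end), ...] (end exclusive) where sample differs from reference.

    Differences closer together than merge_gap bytes are merged into one region so a
    patched routine shows up as one entry rather than dozens of single bytes.
    """
    if len(reference) != len(sample):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(reference), len(sample)))
    regions = []
    start = last = None
    for i, (x, y) in enumerate(zip(reference, sample)):
        if x != y:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            regions.append((start, last + 1))
            start = None
    if start is not None:
        regions.append((start, last + 1))
    return regions


def describe_regions(reference, sample, regions, preview=8):
    """Human-readable lines: offset, length and the first bytes before/after."""
    lines = []
    for start, end in regions:
        before = reference[start:start + preview].hex()
        after = sample[start:start + preview].hex()
        lines.append("0x%08x  %6d bytes  ref=%s  got=%s" % (start, end - start, before, after))
    return lines


def make_test_images(size=64 * 1024, seed=7):
    """Constructed stand-ins for a clean dump and a tampered dump (not real firmware)."""
    rng = random.Random(seed)
    clean = bytes(rng.getrandbits(8) for _ in range(size))
    tampered = bytearray(clean)
    for i in range(0x1000, 0x1010):      # constructed: a 16-byte patch
        tampered[i] ^= 0xFF
    tampered[0xF000] ^= 0xFF             # constructed: a single flipped byte
    return clean, bytes(tampered)


def compare_files(reference_path, sample_path):
    """Compare two dump files on disk; paths are supplied by the caller."""
    with open(reference_path, "rb") as fh:
        reference = fh.read()
    with open(sample_path, "rb") as fh:
        sample = fh.read()
    regions = diff_regions(reference, sample)
    return {
        "reference_sha256": image_digest(reference),
        "sample_sha256": image_digest(sample),
        "regions": regions,
        "report": describe_regions(reference, sample, regions),
    }


if __name__ == "__main__":
    clean, tampered = make_test_images()
    regions = diff_regions(clean, tampered)
    print("reference sha256:", image_digest(clean))
    print("sample    sha256:", image_digest(tampered))
    for line in describe_regions(clean, tampered, regions):
        print(line)
```

Two caveats for anyone doing this for real: a dump taken by software running on the suspect machine is only as trustworthy as the firmware that served the read, so a read with an external SPI programmer is the reference-quality copy; and a byte diff will always show differences in the variable store and similar writable regions of a vendor image, so the regions reported need to be checked against the flash layout before any of them is called suspicious.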

~~~
dangero
Yes, a hardware USB bus analyzer could record the entire usb session from when
you plug it in to when you unplug. You'd think any researcher would have one
of those considering they cost well below $2000
[http://www.totalphase.com/products/beagle_usb480/](http://www.totalphase.com/products/beagle_usb480/)
[http://www.saelig.com/category/UA.htm](http://www.saelig.com/category/UA.htm)

The other thing suspicious is the manner of troubleshooting: "Even then,
forensic tools showed the packets continued to flow over the airgapped
machine. Then, when Ruiu removed the internal speaker and microphone connected
to the airgapped machine, the packets suddenly stopped."

Hold on a second. What forensic tools were showing packets flowing? If he's
saying that a software application on an infected machine showed "packets
flowing"? That doesn't mean any data was actually going to and from the
machine. That could even mean that the virus just simulates data transfer. Did
he try putting tin foil around the machine to block any space signals that
might be beaming down?

I'm not sure if it's the researcher or the ars writer who doesn't know what
they are talking about.

~~~
Zancarius
What about this part:

> Strangest of all was the ability of infected machines to transmit small
> amounts of network data with other infected machines even when their power
> cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards
> were removed.

When I read that, I had to check the date to make sure this wasn't posted on
April 1st. That seems completely implausible, unless the author completely
misunderstood some information relayed to him.

There's something (okay, several things) about this entire article that just
screams April Fools.

Edit: The additional information others have posted here regarding malware in
USB controllers seems far more likely and that the article itself was written
as a ridiculously implausible story until the very end where it alludes to the
notion that nearly the entire first 2/3rds is completely false. I guess I
would've expected better of Ars.

~~~
Zancarius
Please disregard this comment and others I have made in this thread. Or at
least read this interchange first:

[https://news.ycombinator.com/item?id=6650186](https://news.ycombinator.com/item?id=6650186)

TL;DR: My reading of the article incorrectly assumed the infection vector was
via microphone. It wasn't; the ultrasoncis bit is apparently how the malware
communicates (presumably). The tweet referenced in the above link clarifies
this.

Please do not upvote my comment further. It is incorrect.

~~~
joshstrange
Thank you for this, too often people change their minds (or have their
statements disproved) and don't say anything. Thank you for taking the time to
"set the record straight" as it were.

------
DanBlake
From reading the facts in the article, it seems totally unrealistic. Post some
dumps of executables, network packets or SOMETHING besides a story.

Honestly, this type of paranoia sounds more like someone on the brink of a
breakdown. Can you imagine spending years working on this and still having no
'data' about it? If it's infecting stuff from this USB drive, just post the
contents of the drive for analysis.

~~~
kitd
Pretty sure it won't just be the mass storage device contents that are causing
the problems. More like the USB driver supplied by the stick when plugged in
does the infecting. And you don't see that when you download the stick's
contents.

~~~
Dylan16807
USB devices don't provide their own drivers. Your methods for infection are
either filesystem exploits, or changing the firmware of the drive to send
invalid/exploitative USB traffic.

~~~
mschuster91
Not so fast - many "exotic" devices (3G/LTE modems, some HID controllers,
older U3 USB sticks, even some medical devices!) ship "virtual" USB CD-ROM
drives with software and drivers.

~~~
beagle3
... None of these auto install on macosx or Linux, and even not on windows
since win7sp1 if I am not mistaken. So, no, this cannot be the reason for the
symptoms listed by dragos

~~~
Dylan16807
I don't think windows has ever automatically installed drivers. It would
automatically run a program as the current user, but again that's only for CD
drives, virtual or not, and nothing stops you from supplying your own drivers
for the hardware.

~~~
robryk
But you can always additionally simulate a keyboard. I've heard unconfirmed
statements about some devices actually going that route to install their
driver and/or associated crapware.

~~~
mschuster91
Wow. And still worse, the device can, due to timing attacks or just plain
characteristics in the device requests also determine the likely platform of
the host (BIOS, Linux, Windows, Mac OS X,...) and thus react on the content.

And if you don't exactly hit the conditions the malware is supposed to expose
itself, you have _no_ way to read out the EEPROM inside the flash controller.
The data chips maybe, but the controller chip of a USB stick is an entirely
different thing.

------
XorNot
The lack of low-level analysis is incredibly suspicious. If you think it's
moving at the BIOS-level on USB sticks, then you find someone with a
high-frequency recording oscilloscope and capture every single electrical signal
you see on that bus because it's certainly not going to be moving an encrypted
version of its own infection code. Same thing you'd do to the microphone and
speaker.

I mean I get a few months of nothing you don't do this, but 3 years? A USB bus
is not high bandwidth - there's off-the-shelf hardware that will do this.

This story is just too fantastical to be true. We're talking about a
ridiculously sophisticated piece of malware, which has been found nowhere
else, and is absurdly high visibility (people don't keep using computers which
are obviously infected with something).

If you had something as resistant as this in your pocket, you didn't write it
on your own, and the absolute last thing you would do is give it high-
visibility infection symptoms and toss it out into the wild.

EDIT: It's worth noting this would very much hardly be the first time a
researcher suddenly went off the reservation. Happens to even Nobel Laureates.

~~~
at-fates-hands
> This story is just too fantastical to be true. We're talking about a
> ridiculously sophisticated piece of malware, which has been found nowhere
> else, and is absurdly high visibility (people don't keep using computers which
> are obviously infected with something).

Unless you're a state sponsored agency looking to test a zero day exploit.
What better way to test it then to attack one of the top infosec researchers
in the industry?

Think about it. You get one of the top researchers to figure out your malware,
bring in all his friends to figure out how it works and then publish the
results - giving you exactly what you need to refactor it so it's completely
untraceable, and non-responsive to efforts to try and stop it from
propagating.

I'm not sayin, I'm just sayin. . .

~~~
XorNot
That's not the problem I'm posing.

What I'm posing is, if you had malware this successful at spreading itself,
the very last thing you would do is attach a high-visibility payload to it
(disabling system devices like the CDROM drive - allegedly).

Your hypothesis isn't much better - hostile organizations don't give you a
chance to figure out a defense strategy, especially when there's no risk of
deployment. You don't need a test for a virus - you use it, and then you make
another one.

~~~
PeterisP
The allegation of breaking boot-from-CD isn't that high visibility - you
wouldn't notice it during normal operations.

~~~
XorNot
But you would notice being unable to use regedit or the like.

There's no point hampering removal once you're detected if you have a good
mechanism for hiding or repairing the infection.

------
DanBC
The article is long and a bit rambling. It doesn't do a good job of explaining
what steps Dragos took to eliminate different attack methods. It doesn't sound
like a particularly clean fault finding / debugging session.

> For most of the three years that Ruiu has been wrestling with badBIOS, its
> infection mechanism remained a mystery. A month or two ago, after buying a
> new computer, he noticed that it was almost immediately infected as soon as
> he plugged one of his USB drives into it. He soon theorized that infected
> computers have the ability to contaminate USB devices and vice versa.

I don't want to sound mean, but what? This paragraph just reads like Hurp-Durp
to me. I'm an idiot, but even I know that there are some very nasty things to
do to USB drives.

EDIT:
[https://news.ycombinator.com/item?id=6534617](https://news.ycombinator.com/item?id=6534617)
[https://news.ycombinator.com/item?id=933210](https://news.ycombinator.com/item?id=933210)
[https://news.ycombinator.com/item?id=1855936](https://news.ycombinator.com/item?id=1855936)

------
tptacek
The audio channel doesn't make any sense to me; when I heard it from Dragos on
Facebook the first time, I was actually a little worried about him. It's not
that I think it's impossible to create a covert channel over audio; it
obviously isn't. It's that for the malware story to play out, the covert
receiver needs to already exist; if it does, you're already infected, so what
does "air gapping" matter?

~~~
pdonis
The question that came to my mind was, how is he capturing these "network
packets" that are being transmitted over the audio channel?

~~~
pjungwir
Exactly. From the article: "Forensic tools showed the packets continued to
flow over the airgapped machine." How do they know? Where do they hook in to
log these packets?

~~~
teilo
Not difficult. Wireshark running on either PC will tell you this.

~~~
RazorOfOccam
Wireshark doesn't listen on audio devices though. You have to choose an
interface. There is no obvious way to capture what he claims to be seeing, and
if he used wireshark or tcpdump, he would have a log. Furthermore, if you had
a covert audio channel, you wouldn't encapsulate it in TCP or IP. Under close
examination, these claims don't make any sense.

~~~
nitrogen
Wireshark can also capture raw Ethernet and raw USB frames, but it still needs
an interface from which to capture. Maybe it was the loopback interface?

~~~
pdonis
The loopback interface is localhost only; it doesn't see any packets coming
from or going to any other host.

~~~
nitrogen
Software infecting the running system could send packets received via audio to
localhost. I'm not saying it's likely, but it's a remotely plausible
explanation for the article's description of the attack and investigation.

~~~
pdonis
_Software infecting the running system could send packets received via audio
to localhost._

Hm. I suppose this is theoretically possible, but I don't see why it would be
done in a practical sense. If the malware needs to "phone home", it doesn't
need to send packets via localhost; it just sends them out on whatever
interface is connected to the Internet. (But how would you distinguish those
packets from any others being sent out to the Internet?) If the malware is
divided up into multiple processes that need to communicate with each other,
why would they betray themselves by connecting via localhost? If they are on
OS X or Linux, they can use Unix sockets, which don't need to go through any
network interface. If they are on Windows, they can use any of several Windows
IPC mechanisms that don't require a network interface.

------
peterwwillis
What could easily explain all of this is he's installing OSes using pirated
media (which commonly bundles trojans). Plugging in the USB drive could just
be triggering the trojan that came in the OS.

The most telling thing about the article is he hasn't been able to capture any
of the malware code _in three years_. Either it's all in firmware and not
being delivered to the OS, or it's already in the OS.

...And it could also be a series of unfortunate coincidences that just _look_
like malware activity. CDROM doesn't boot? Probably a bad CDROM drive.
Registry editor disabled? Probably a bug in Windows. Strange networking where
it shouldn't be? Apps transmit random networking crap all the time, and you
don't need OS support to send arbitrary raw packets. 'Modifying settings and
deleting data' could be anything, like a log rotater, I don't know.

If it sounds impossible, it probably is.

~~~
furyg3
But he doesn't need pirated media for, say, MacOS on his MacBook Air, or Linux
machines. Seeing as though he's a security researcher, I'm guessing he is
capable of md5ing his FreeBSD ISOs...

~~~
peterwwillis
It's just as possible he checked against the MD5s supplied in the torrent he
got the ISO from, or never did the check, if he hadn't thought of it.

It's much less likely that he's experiencing the most advanced malware in the
world, and much more likely that he just overlooked something simple.

------
jameshart
Is this a computer ghost story for halloween? Now I'm never going to be able
to get my laptop to Sleep.

~~~
Zancarius
Considering the article goes so far as to claim that infected machines can
still continue infecting others when they're unplugged from A/C, I'd argue
that yes, you're absolutely right. This sounds like a "ghost story."

Edit: I should note that after about the first 2/3rds of the article, there is
some effort made to explain this (and negates the entire first bit of the
article), but there is much better information others have shared here
regarding malware embedded in USB controllers. I still like jameshart's
assertion that this is just an elaborate ghost story for Halloween.

Edit edit: They conveniently mention toward the latter part of the article that
the machine unplugged from A/C was a laptop which was then running off
battery. I'm growing more and more suspicious of the quality of this
particular article.

~~~
wahsd
I agree, that can't be right if the article is not well written. </s>

------
ChuckMcM
Interesting story. The use of audio is fascinating, even with 20khz carriers,
using FSK[1] you're looking at maybe a 6666 baud which is 666 bytes per
second. That is about 2 seconds per 1500 byte packet. So not exactly a "fast"
way to communicate.

You might use QPSK (basically two FSK ranges using phase to indicate
00/01/10/11 states) but that would still make for a pretty small pipe. Perhaps
enough for a C&C channel but not really enough to exfiltrate data.

[1] Frequency Shift Keying - generally takes three complete cycles of a
'tone' to reliably recognize the frequency. So 20,000 / 3 = 6666.666 bauds per
second.

~~~
verytrivial
Okay, so because he could not remove the audio interface, it MUST be the only
logical infection vector remaining? That is a very strong claim, particularly
since I do not see any claims that he is also HEARING the requisite very long
and loud screeching sounds that would imply. Audio data transmissions on
consumer grade devices unavoidably involve sound, right?

~~~
ChuckMcM
Well that is the thing, if it were pitched high enough then no, you probably
wouldn't hear it. (that is also beneficial for higher speed transfers).

What the article said was that he was seeing packets from the airgapped host
(that means nothing but air around it, no wifi) which stopped when he disabled
the speaker and microphone. That suggested that this was the 'wire' between
the two.

One of the side effects of using piezoelectric speakers (which are nice and
flat so adored by mobile device makers and laptop makers alike) is that they
often have frequency response ranges above 20khz. Many people cannot hear
frequencies over 15kHz, although 15kHz (which was the scan rate of CRT
monitors) _can_ be heard by some folks and poorly wound flyback transformers
would drive them nuts.
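
Marijn's complaint that nobody captured the sound, and ChuckMcM's FSK arithmetic, both come down to the same check, so here is one added example (not from the thread, the article, or the Chirp or smus projects it mentions) that does it in plain Python: a Goertzel filter measures the energy at chosen ultrasonic frequencies in 10 ms frames of a recording, so a sustained 18 kHz/20 kHz carrier stands out against noise, and the same per-frame measurement demodulates a simple two-tone FSK stream. The 48 kHz sample rate, the tone pair, the 100 baud rate and the noisy test signal are all assumptions constructed for the demo; `fsk_bytes_per_second` just encodes the three-cycles-per-symbol, ten-bits-per-byte rule of thumb from the comment above.

```python
import math
import random

SAMPLE_RATE = 48000   # Hz; assumed capture rate of the recording sound card
FRAME_LEN = 480       # 10 ms frames; 18 kHz and 20 kHz fall exactly on Goertzel bins


def goertzel_power(frame, target_hz, sample_rate=SAMPLE_RATE):
    """Energy of one frequency in a frame (Goertzel algorithm, no FFT library needed)."""
    n = len(frame)
    k = int(0.5 + n * target_hz / sample_rate)      # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def synth_fsk(bits, f0, f1, baud, amp=1.0, noise=0.3, seed=1, sample_rate=SAMPLE_RATE):
    """Constructed test signal: binary FSK (one tone per bit) plus Gaussian noise."""
    rng = random.Random(seed)
    per_bit = sample_rate // baud
    samples = []
    for bit in bits:
        freq = f1 if bit else f0
        for _ in range(per_bit):
            t = len(samples) / sample_rate
            samples.append(amp * math.sin(2.0 * math.pi * freq * t) + rng.gauss(0.0, noise))
    return samples


def noise_only(n_samples, noise=0.3, seed=2):
    """Constructed control recording: noise with no carrier at all."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, noise) for _ in range(n_samples)]


def demodulate_fsk(samples, f0, f1, frame_len=FRAME_LEN, min_amp=0.5, sample_rate=SAMPLE_RATE):
    """Per frame: 0 or 1 if a tone at f0 or f1 is present with amplitude >= min_amp, else None.

    A pure tone of amplitude A on an exact bin has Goertzel power (N*A/2)**2, which gives
    the detection threshold; noise alone lands orders of magnitude below it.
    """
    threshold = (frame_len * min_amp / 2.0) ** 2
    decoded = []
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        frame = samples[start:start + frame_len]
        p0 = goertzel_power(frame, f0, sample_rate)
        p1 = goertzel_power(frame, f1, sample_rate)
        if max(p0, p1) < threshold:
            decoded.append(None)          # no ultrasonic carrier in this frame
        else:
            decoded.append(1 if p1 > p0 else 0)
    return decoded


def fsk_bytes_per_second(carrier_hz, cycles_per_symbol=3, bits_per_byte=10):
    """Rule of thumb from the comment above: 3 cycles per symbol, 8N1 framing (10 bits/byte)."""
    return carrier_hz / cycles_per_symbol / bits_per_byte


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    recording = synth_fsk(bits, 18000, 20000, baud=100)
    print("decoded:", demodulate_fsk(recording, 18000, 20000))
    print("control:", demodulate_fsk(noise_only(4800), 18000, 20000))
    print("bytes/s at a 20 kHz carrier:", round(fsk_bytes_per_second(20000)))
```

To run this over a real capture you would read PCM samples from a WAV file recorded with a microphone that is flat above 18 kHz (most laptop microphones roll off well before that) and sweep the candidate frequencies rather than fixing two; a carrier that switches on and off in step with the "packets" the forensic tools report is the evidence the thread is asking for, and its absence is equally informative.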

~~~
nknighthb
> _poorly wound flyback transformers would drive them nuts_

Those and marginal capacitors _do_ drive us nuts. And that's one reason such
communication wouldn't have to be completely out of human hearing range. Those
of us who can hear it aren't going to be shocked by yet another high-pitched
whine in a room full of electronics.

------
EFruit
So wait, it's a BIOS virus that covers the platforms he tested (multiple BIOSs
to exploit/patch)...

that can communicate via Sound (Requires DSP)...

that can defend itself against the registry editor (Deep integration to the
OS, for at least windows, linux/OSX noted as well)...

that can alter data...

that can infect network cards (implied in the article)...

that can possibly use the power system to communicate (Ok, on a laptop, that
might be possible. Otherwise, PSUs aren't completely isolated from the
computing system's logic?)...

that all still fits within a BIOS chip? Either BIOSs are complex (read space-
intensive) enough to stop being Basic, or they can fit this AND a functioning
BIOS in to a payload that would be delivered by sound, USB, network cards...

Can it modulate the fans to transmit data too? Or change the screen brightness
faster than the human eye can see, but can be detected with cameras? How about
using the Wifi, HDD activity, sound mute, caps lock, numlock, scroll lock and
power indicators to transmit?

How about opening and closing the HDD to transmit data?

I can't agree more with MacsHeadroom's assertion that this is a situation
where the simplest explanation wins.

Not to mention I REALLY don't want this kind of thing to exist...

EDIT: Added fans paragraph

~~~
hellerbarde
If these were all EFI/UEFI machines, there is a lot more code in these preboot
EFI environments than one expects. Room enough to hide this kind of payload.

~~~
EFruit
I could expect ONLY the DSP, ONLY the windows-individual portion, maybe 4 or 5
BIOS exploits and maybe 2 or 3 BIOS patches, about the same for Ethernet
cards, maybe the CD controller, maybe 1 or two different USB firmware exploits
and patches, maybe the entire PSU manipulation logic

but ALL of that? In the BIOS?

(I'd like to point out I am nowhere near the caliber of the man who's
supposedly experiencing all of this. I do not know the true size of any of the
aforementioned payload.)

~~~
Glyptodon
With UEFI/EFI it's pretty plausible that you can load additional code at
runtime from elsewhere even outside of the large space available for UEFI/EFI
itself. Some versions even self contain quick booting minimal environments
that contain web browsers and such.

------
DanI-S
For anyone having trouble believing that their computer can network using
sound, give this demo a try:

[http://smus.com/ultrasonic-networking/](http://smus.com/ultrasonic-networking/)

------
FlyingAvatar
This sounds really fishy.

> Ruiu said he arrived at the theory about badBIOS's high-frequency networking
> capability after observing encrypted data packets being sent to and from an
> infected laptop that had no obvious network connection with—but was in close
> proximity to—another badBIOS-infected computer. The packets were transmitted
> even when the laptop had its Wi-Fi and Bluetooth cards removed.

Observed how? If not a standard interface (i.e. disk, network, etc), using
what? How could he know they were encrypted unless he intercepted a payload?

> With the speakers and mic intact, Ruiu said, the isolated computer seemed to
> be using the high-frequency connection to maintain the integrity of the
> badBIOS infection as he worked to dismantle software components the malware
> relied on.

What would be the point of this communication? Its BIOS would already need to
be infected in order to be able to communicate via sound. The situation I can
see this being useful is using another infected machine's Internet connection
to download an OS specific payload, which makes some sense.

~~~
marijn
Phoning home, I'd guess. Spying with malware is hard when the infected machine
can't communicate with its controller.

~~~
thinkling
If, like Stuxnet, your goal is to infect specific machinery, then reporting
back infection can be valuable. Once the right machinery is infected, others
could wipe evidence of malware presence. You might object that uranium
centrifuges probably don't have decent speakers to generate a signal... But
they would instead generate unusual spin patterns, exactly what Stuxnet was
designed to achieve, and those patterns would be audible to nearby equipment.
Seems like a fine way for Stuxnet to report success back up the infection
chain and then cover its tracks.

------
brudgers
As I read the article I thought, "Gee, my phone has a USB port and a radio or
two."

By the end I'd added, "And a speaker and a microphone."

If I was [metaphorically] a state sponsored espionage agency, that's the way I
would go. I wouldn't be fooling around with USB sticks. That 1990's vector has
been publicly outed and people can easily live without them.

And by writing this, I've just now tinfoil-hatted my way to the belief that
pretty much every electronic device, if it isn't p'wned, it's just by the
blessings of laziness or disinterest. After having read about the scale upon
which the US pursued cryptography during the Second World War in _Battle of
Wits: The Complete Story of Codebreaking in World War II_ by Stephen
Budiansky, I'm not betting on either.

------
3JPLW
Interesting that such a seemingly well-designed piece of malware would have
such an obvious tell (refusing to boot from any other hard disk). Although I
suppose that it is a rare thing to do. (Now's the time to check…)

Also fascinating that his infection is at least three years old. Was Dragos
targeted? Or perhaps someone within the pwn2own contest was?

Such persistent malware that targets air gapped machines reminds me of other
malware created by nation-states.

~~~
Tloewald
Also, if you've compromised BIOS what do you care if the user boots from CD?

~~~
dublinben
Booting from a CD would [let you replace the infected BIOS](http://www.flashrom.org/Live_CD).
Restricting the boot devices presumably helps preserve the BIOS infection.

~~~
Tloewald
Fair enough, presumably it's easier to simply prevent booting from CD than
subvert every tool for flashing BIOSes.

In the end, it seems to me that blocking boot from CD is a net loss, since it
alerts the user (who can undertake drastic measures including hooking up a
different hard drive), whereas allowing boot from CD but reinstalling the BIOS
malware from the (presumably thoroughly infected) hard disk would not.

~~~
dublinben
Who knows. There's a lot of inconsistencies in this story.

------
Spooky23
I wonder if the Absolute Software Computrace BIOS integration has been
compromised?

[http://www.absolute.com/en/products/absolute-computrace/pers...](http://www.absolute.com/en/products/absolute-computrace/persistence)

All of the major OEMs embed code from these guys into their BIOS. Once
activated, it can brick the box, delete files, re-install their Windows/Mac
agent that allows for location tracking, etc.

~~~
pgeorgi
Worse, Computrace ends up in the management engine firmware, which is more
powerful and less auditable than the BIOS/UEFI (and works with powered off
main CPU, too).

See
[https://events.ccc.de/congress/2013/wiki/Projects:MEre](https://events.ccc.de/congress/2013/wiki/Projects:MEre)

------
aryastark
This is the type of article that we need less of in the world. It's full of
conjecture and fear mongering. It serves only the anti-virus corporations and
Ars Technica.

I'm convinced "encrypted" is the new scare word, similar to "terrorist." When
you hear it, all rational thought and discussion just vanishes. This article
mentions network traffic as being "encrypted." Yet apparently, no one knows
how to analyze the traffic beyond that? Are you kidding me? Was it using TCP?
UDP? Just IPv6? How big were the packets? How frequent? What interface were
they coming from? (because, you know, the kernel has to have _some_ entry
point into its network stack)

It's "encrypted." Oh. I see. Well nevermind then.

> Things kept getting fixed automatically as soon as we tried to break them.
> It was weird.

"It was weird." What is this, Scooby fucking Doo?

------
300bps
_Strangest of all was the ability of infected machines to transmit small
amounts of network data with other infected machines even when their power
cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards
were removed._

Anyone else having flashbacks of John Nash?

[http://en.wikipedia.org/wiki/John_Forbes_Nash,_Jr.#Mental_il...](http://en.wikipedia.org/wiki/John_Forbes_Nash,_Jr.#Mental_illness)

~~~
gnaffle
Yes, especially coupled with the "been going on for 3 years" and yet no actual
analysis of the virus, no oscilloscopes, digital signal analyzers or spectrum
analyzers put on the task, no third party researchers confirming this. Sounds
very odd indeed.

~~~
nknighthb
The post announcing discovery of the HF audio was made October 15th, 2013.
Remember you're reading a reporter's dumbed-down summary of what someone else
has found.

[https://plus.google.com/103470457057356043365/posts/3reWRqDM...](https://plus.google.com/103470457057356043365/posts/3reWRqDMbn4)

~~~
gnaffle
So 14 days and still "pending analysis". I don't know where he lives, but it
can't be that difficult to find someone with an oscilloscope and the knowledge
of how to use it?

Again, sounds very fishy. I would expect a more methodical approach from a
security researcher.

------
rdtsc
Extraordinary claims require extraordinary evidence.

So far it sounds very conspiracy theory to me. I don't know his credentials,
so it is hard to figure out what to make of it.

Had this come from Schneier I would have taken it a lot more seriously.

Like others have mentioned, where is the evidence? Give us the audio recording
at least.

~~~
polof
>Extraordinary claims require extraordinary evidence.

What seems extraordinary to you might not be to someone else. Go be a
pretentious pseudo-intellectual somewhere else.

>I don't know his credentials, so it is hard to figure out what to make of it.

First of all, his credentials are irrelevant (see: appeal to authority
fallacy). Secondly, they are listed in the article itself, which you obviously
didn't even bother reading.

~~~
rdtsc
> What seems extraordinary to you might not be to someone else. Go be a
> pretentious pseudo-intellectual somewhere else.

It is not extra-ordinary to you that computer viruses travel through sound
waves using computer speakers and microphones, yet when this supposed "expert"
tries to uncover and provide samples of it, the evidence magically disappears.

> First of all, his credentials are irrelevant (see: appeal to authority
> fallacy). Secondly, they are listed in the article itself, which you
> obviously didn't even bother reading.

Oh I see you are an expert on fallacies. As an exercise try finding a few
fallacies in your comment.

------
mrtksn
This is quite cool actually. It reminds you that if your device has a sensor,
it can communicate.

It should be possible to communicate through a webcam and a screen when the
airgapped devices are in the same room. It could be possible to communicate by
accelerometer (Macs have these) and inducing vibrations using the HDD when the
devices sit on the same table.

~~~
jmpe
webcam <-> screen: QR codes?

accelerometer: is very low bandwidth (think ~10-1000 measurements per second).
The noise is ~100μg/√Hz - with 12 bits samples I'm not sure you'll pick up HDD
vibrations (but rather easy to test).

Someone should lend the people researching this an oscilloscope.

~~~
mrtksn
No, not QR codes since it would require the webcam capturing the screen
directly. The screen may be used as a light source for the transmission and
the webcam can capture the light reflecting from the walls...

------
fein
Transmitting over HF waves via mic and speaker? That is currently blowing my
mind.

Looks like my laptop needs a tinfoil hat more so than myself!

~~~
brkumar
Chirp.io uses sound to transmit & receive links between nearby Android/iOS
devices. IMO, interesting tech[1], that's more useful & less secure than
bluetooth, for such use cases.

[1] [http://chirp.io/tech/](http://chirp.io/tech/)

~~~
zaroth
Chirp is doing some really interesting work in this space, trying to improve
the user experience of fast-forming short range communication.

My understanding is that Chirp uses audio to basically detect WHO you are
standing near, but the actual data transfer happens over more typical links.

"An inherent limitation of the audio protocol is its highly limited
transmission rate.

To send larger amounts of data, we have built a RESTful network infrastructure
which allows arbitrary pieces of data to be associated with Chirp shortcodes.
A sending device can thus upload a photo to the cloud, and obtain a shortcode
representing it to be send over the air. A receiving device hears the
shortcode over its microphone, and resolves it with a GET request."

------
yk
So the oldest mention I did find is from the 21st of October [0] and then
more on the 23rd. [2,3] So until I see an actual zombie, my money is on a
ghost story for Halloween.

[0] [https://twitter.com/dragosr/status/392348130101829632](https://twitter.com/dragosr/status/392348130101829632)
[1] [https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa...](https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/)
[2] [https://plus.google.com/103470457057356043365/posts/9fyh5R9v...](https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga)

~~~
mrtksn
Maybe there are problems with the story.

------
MacsHeadroom
Some of dragosr's claims/suspicions come off as next to impossible. I think he
could use a healthy dose of Occam's razor.

Nevertheless, this does sound like a nasty piece of malware.

~~~
nknighthb
> _Some of dragosr's claims/suspicions come off as next to impossible._

Which ones? The technical aspects are all known to be practical. The only
thing odd is that a reasonably sophisticated and determined attacker is
seemingly targeting him specifically and no one else.

~~~
300bps
Please explain this one:

_Strangest of all was the ability of infected machines to transmit small
amounts of network data with other infected machines even when their power
cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards
were removed_

~~~
nknighthb
It is explained. HF audio via speakers and microphones. In other words, a
modem. Your username is highly ironic.

~~~
300bps
My main question was regarding the power cords not being plugged in but
apparently these are laptops.

As for communications via speakers and microphones, that makes as much sense
as any other outrageously insane theory I've ever heard.

------
votingprawn
I'm also struggling to find any reference to this 3 year struggle prior to two
weeks ago. Sounds like a nice little Halloween hoax; the "Editor's Pick"
comment stating how it's definitely not a hoax only makes me more inclined to
believe it is.

In fact, after a quick browse it seems to me the Editor is only "picking"
comments that support the concept, not those that offer plausible explanations
or interesting discussion.

------
betterunix
Reading this, I think back to CRYPTO, Usenix Security, and other conferences
in the field where participants are _handed thumb drives with the proceedings_
-- and people thought I was crazy to refuse to plug them into my computer.

~~~
fphhotchips
Reminds me of a demo at PyCon-AU this year - JKM (a Django Core-Contrib)
showed a pip install (or perhaps an apt-get, I forget) on screen for a minute
or so. I don't think he explicitly said "run this" but of course people did
anyway.

Cut to a live display of computer-name/.passwd hash pairs.

------
thinkling
Going out on a limb for a moment and assuming that Dragos Ruiu's story is
legit, then it seems likely that someone at a gov't agency decided to leak the
existence of this malware by intentionally infecting a security researcher.

In that scenario, can this be related to Stuxnet? Would the audio signaling be
used to report back successful infection of non-networked machinery?

------
Sephiroth87
How could a machine that is not infected, thus not listening to HF packets,
get infected? Or are they listening by default?

~~~
jstalin
Did you read the article? USB drives.

~~~
Sephiroth87
I got that, but this part here didn't mention any USB drive...

_"We had an air-gapped computer that just had its [firmware] BIOS reflashed,
a fresh disk drive installed, and zero data on it, installed from a Windows
system CD," Ruiu said. "At one point, we were editing some of the components
and our registry editor got disabled. It was like: wait a minute, how can that
happen? How can the machine react and attack the software that we're using to
attack it? This is an air-gapped machine and all of the sudden the search
function in the registry editor stopped working when we were using it to
search for their keys."_

Air-gapped and no mention of USB... Magic or just inaccurate description?

~~~
jstalin
One of those "keep reading" things to keep your interest, I suppose. A
journalism thing?

"For most of the three years that Ruiu has been wrestling with badBIOS, its
infection mechanism remained a mystery. A month or two ago, after buying a new
computer, he noticed that it was almost immediately infected as soon as he
plugged one of his USB drives into it. He soon theorized that infected
computers have the ability to contaminate USB devices and vice versa."

------
suprgeek
If all of this pans out to be true and verifiable then this has to be the most
sophisticated Malware that I have ever heard of, even beating Flame, Stuxnet
and what not - really fascinating.

- Self-healing (of sorts).

- Able to spread via multiple vectors

- Falling back to increasingly stealthy and unlikely vectors

- Actively hampering efforts at eradication

However (and I am trying to phrase this delicately) A few other notable
security researchers need to cross-verify that the infection agent exists and
behaves in the fantastical manner described. I am somewhat worried that this
seems

1) Either like a gigantic hoax that is trying to see how much people will
believe or

2) The security researcher in question has other issues unrelated to security
or

3) Some kind of viral marketing campaign for a book/movie/game something else

------
undoware
I admit the journalism is sensationalistic and the datafiles uncompelling, but
so is the response here on HNN.

Literally the DAY AFTER we learn about MUSCULAR, which far exceeds PRISM in
its scope, extralegality and generalized dastardality, and half the comments
here are, "nope, I didn't think of that before, hence impossible." Well, you
didn't think that Linda and John at the station were enjoying your
girlfriend's selfies in your inbox, did you? And yet they are.

Bakane. I want to hire all of you as shills, as the best shill is the one who
just knows they're right. And I don't even have anything for you to shill!
Expect calls from headhunters with federal ties soon.

------
busterarm
I deal with malware day in and day out at my job and have never seen any of
what this story is talking about.

Like everyone else, I'm highly skeptical and a little annoyed at what seems to
be a total lack of fact-checking in this story.

------
frezik
Don't speakers/mics tend to have a built-in cutoff? I've played with
generating higher and higher frequencies before, and I was able to hear it up
to 18kHz. That's probably hitting the high range of my own hearing, but there
was an audible pop when the speakers started playing that frequency. The sound
card seemed to simply refuse to play that high.

I suppose the malware could be working at a low enough level to override a
cutoff in the sound card's firmware. But then wouldn't it have to implement
drivers for almost every kind of sound card in existence?

------
mariusmg
This is bullshit. The article is highly sensationalistic and light in facts.
Sounds more like the product of a sci fi writer than an article for a tech
site.

------
btbuildem
Explain to me how a non-infected machine would receive and process data from
an audio channel so that it ends up interpreted as code and executed.

Yes, back in the day of computers with rubber keyboards, software was recorded
on audio tapes, and you could listen to a program loading (sounded basically
like a prolonged modem handshake). But even on devices specifically designed
to receive data this way, you still had to initiate the procedure. There was
code already on that machine that processed the audio stream, loaded it into
memory and called the initial JMP.

If I put my tinfoil hat on, I could speculate that yes all the hardware has
been made in China for decades, and yes nefarious forces could have very well
implemented an always-on listening layer, which by the power of copypasta has
now spread to every BIOS-having device, and now it lay in wait waiting for
D-day when all your base are belong to us.

TL;DR: the audio attack vector would be like causing a buffer overflow by
whistling the right tune into a microphone. This seems impossible without the
machine already being compromised.

~~~
teilo
That's not what the article claims at all. He's claiming the audio is used to
maintain a network connection for command-and-control continuity using other
already-infected machines:

"Ruiu said he arrived at the theory about badBIOS's high-frequency networking
capability after observing encrypted data packets being sent _to and from an
infected laptop that had no obvious network connection with—but was in close
proximity to—another badBIOS-infected computer._ The packets were transmitted
even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also
disconnected the machine's power cord so it ran only on battery to rule out
the possibility it was receiving signals over the electrical connection. Even
then, forensic tools showed the packets continued to flow over the airgapped
machine. Then, when Ruiu removed the internal speaker and microphone connected
to the airgapped machine, the packets suddenly stopped."

~~~
btbuildem
Thanks, I missed that!

------
Shank
He posted some files that were "created" by it on a Windows 8.1 machine on
Google+:

[https://plus.google.com/103470457057356043365/posts/K7WeA1gq...](https://plus.google.com/103470457057356043365/posts/K7WeA1gqH2h)

Anyone want to try and download it?

Edit: Really odd. Closing on a 1GB archive on Mega -- it seems unlikely that
the network equipment can store that much anywhere.

------
miles932
When I read this it sounded like a weaponized version of Chirp..
[http://chirp.io](http://chirp.io)

------
segmondy
Happy Halloween. Gee can't you guys get a joke!

It's clearly obvious on the second paragraph: "Strangest of all was the
ability of infected machines to transmit small amounts of network data with
other infected machines even when their power cords and Ethernet cables were
unplugged and their Wi-Fi and Bluetooth cards were removed"

~~~
lreeves
I don't think it's real, but I certainly have computers that still function
when their A/C cord is removed. They're called laptops.

------
cantankerous
Couldn't one verify that this malware is present with some kind of listening
device...or a dog ;-)? The article didn't mention that the sound theory was
verified with some kind of external measurement, but I assume it must have
been at some point? I'd like to see what that would look like.

~~~
raldi
Or clip out the speaker and replace it with an oscilloscope.

~~~
cantankerous
Good call! Didn't think of that.

------
bitwize
This had me suspicious. The methods of propagation ranged from the
difficult-but-plausible all the way into Stieg Larsson territory. And all the Google
results pointed to Dragos Ruiu. There was no other researcher who had
encountered or studied this malware; all the major ones were just saying
"check out Dragos Ruiu's research, this is serious" or similar.

For now the signs point to the very first case of computer Morgellons. I
suspected at first that this was an elaborate troll in order to convince the
netsec community to get serious about fact-checking and research-doing before
propagating BS, but the theory that he is paranoid is beginning to sound
increasingly likely the more I find out.

------
rthomas6
Would it be possible to infect device firmware? If this guy's airgapped
computers keep getting infected, assuming he's smart enough to not plug a USB
drive into the computer, perhaps a hard disk's or CD drive's firmware was
infected.

~~~
dublinben
According to the article, he plugged a (presumably) infected USB drive into
the fresh computer, providing the most likely means of infection.

~~~
rthomas6
>"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a
fresh disk drive installed, and zero data on it, installed from a Windows
system CD," Ruiu said. "At one point, we were editing some of the components
and our registry editor got disabled. It was like: wait a minute, how can that
happen? How can the machine react and attack the software that we're using to
attack it? This is an air-gapped machine and all of the sudden the search
function in the registry editor stopped working when we were using it to
search for their keys."

I read this as the computer being infected without a USB plugged into it.
"Air-gapped" would mean no USB, right?

~~~
nknighthb
> _"Air-gapped" would mean no USB, right?_

No, it means air-gapped. Traditionally this just meant no wires to other
computers (and an autonomous power source if you're extra paranoid). Today of
course it more broadly means no direct communication with another computer,
including things like WiFi or Bluetooth.

External media has always been used to transfer data between air-gapped
systems, and it's always been a weakness. USB drives are just smarter than
older forms of external media, posing a greater potential threat.

------
adulau
Can they share the MD5 hashes of the malware samples? Or it didn't happen...

------
j_s
I saw this on TV (circa spring 2008)!

[http://terminator.wikia.com/wiki/Episode_108:_Vick%27s_Chip](http://terminator.wikia.com/wiki/Episode_108:_Vick%27s_Chip)

_During further hacking of the T-888 chip, John accidentally applies too much
voltage and the T-888 brain starts up, takes over the computer it's attached
to, then connects to John's phone (via bluetooth) to reach the internet. John
and Cameron realize what is happening and yank the batteries and cables,
eventually unplugging the chip itself._

------
GigabyteCoin
Bravo arstechnica, you got us.

IMHO this is a purposefully written scare piece to be released on Halloween.

Who says computer scientists don't like scary stories?

------
davidkhess
Is this Ars Technica's 2013 version of the "War of the Worlds" radio broadcast
scare in 1938?

------
yiedyie
« Strangest of all was the ability of infected machines to transmit small
amounts of network data with other infected machines even when their power
cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards
were removed. »

How is that possible ?

~~~
ZoF
Did you read the article?

~~~
yiedyie
Hard for me to buy the sound transmission stuff. Keeping in mind the noise,
sound diffusion, etc., I suppose the packet correction takes an error limit
before dropping out the entire packet.

------
Zenst
Interesting how much more seriously a news item appears to be taken once you
put it onto a bigger media portal.

Previous article, a week ago:

[https://news.ycombinator.com/item?id=6614458](https://news.ycombinator.com/item?id=6614458)

------
DavidWanjiru
In keeping with the theme of paranoia, many of the comments attacking the
veracity of the article are posted by NSA agents masquerading as benign HN
users to discredit someone breaking out one of their best kept secrets.

------
fela
Shouldn't the speaker/mic communication theory be easy to test? If computer
microphones are being used by the malware a simple computer mic should be
enough to detect if there is any communication going on...

~~~
dublinben
According to the last few comments on his G+ post, he was able to isolate the
communication to the mic/speaker and disable it. He also took some recordings.

[https://plus.google.com/103470457057356043365/posts/3reWRqDM...](https://plus.google.com/103470457057356043365/posts/3reWRqDMbn4)
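
fela's point above (and frezik's earlier one about sound cards cutting off around 18 kHz) is testable with a microphone and a spectrum: if anything is being keyed through the speakers above the audible band, it shows up as a narrow spike well above the noise floor in a recording. The Python below is an added example, not code from the thread, from Dragos Ruiu, or from any badBIOS material. It assumes a 48 kHz mono capture supplied as floats in [-1, 1]; the two captures it analyses are constructed in-line (noise floor, a 440 Hz room tone, and optionally a weak 19.5 kHz carrier), not real recordings, and the 18 kHz floor and 20 dB threshold are assumptions chosen for this example.

```python
"""Checking a microphone capture for a near-ultrasonic carrier.

Added example (not from the thread, from Dragos Ruiu, or from any badBIOS
material). Assumes a mono PCM capture at 48 kHz supplied as floats in
[-1, 1]; the captures produced below are constructed, not real recordings.
"""
import cmath
import math
import random

SAMPLE_RATE = 48_000     # Hz; assumed capture rate
AUDIBLE_MAX_HZ = 18_000  # rough upper edge of hearing, per the thread; scan above it
FRAME = 4096             # analysis window; a power of two for the radix-2 FFT


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT (pure Python). len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n & (n - 1):
        raise ValueError("frame length must be a power of two")
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def power_spectrum(samples, sample_rate=SAMPLE_RATE):
    """One-sided Hann-windowed power spectrum as a list of (freq_hz, power)."""
    n = len(samples)
    windowed = [x * (0.5 - 0.5 * math.cos(2 * math.pi * i / n))
                for i, x in enumerate(samples)]
    spec = fft(windowed)
    return [(k * sample_rate / n, abs(spec[k]) ** 2) for k in range(n // 2)]


def ultrasonic_peak(samples, sample_rate=SAMPLE_RATE, floor_hz=AUDIBLE_MAX_HZ):
    """Strongest bin above floor_hz and its power over the band median, in dB.

    Broadband mic noise alone gives a peak-to-median ratio of roughly 10 dB
    over a ~500-bin band; a steady carrier stands tens of dB above that.
    """
    band = [(f, p) for f, p in power_spectrum(samples, sample_rate) if f >= floor_hz]
    powers = sorted(p for _, p in band)
    median = powers[len(powers) // 2]
    peak_freq, peak_power = max(band, key=lambda fp: fp[1])
    ratio_db = 10 * math.log10(peak_power / median) if median > 0 else float("inf")
    return peak_freq, ratio_db


def has_ultrasonic_carrier(samples, threshold_db=20.0, **kwargs):
    """True when one bin above the audible band dominates that band by threshold_db."""
    return ultrasonic_peak(samples, **kwargs)[1] >= threshold_db


def constructed_capture(carrier_hz=None, n=FRAME, sample_rate=SAMPLE_RATE, seed=1):
    """Constructed stand-in for a mic capture: noise floor plus an audible room
    tone, optionally with a weak near-ultrasonic carrier mixed in."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = i / sample_rate
        x = rng.gauss(0.0, 0.005)                         # mic self-noise (constructed)
        x += 0.2 * math.sin(2 * math.pi * 440.0 * t)      # audible content, far below the cutoff
        if carrier_hz is not None:
            x += 0.05 * math.sin(2 * math.pi * carrier_hz * t)  # -26 dBFS carrier
        out.append(x)
    return out


if __name__ == "__main__":
    for label, capture in (("quiet room", constructed_capture()),
                           ("with 19.5 kHz carrier", constructed_capture(carrier_hz=19_500.0))):
        freq, db = ultrasonic_peak(capture)
        verdict = "CARRIER" if has_ultrasonic_carrier(capture) else "clean"
        print(f"{label:22s} peak {freq:8.1f} Hz, {db:5.1f} dB over band median -> {verdict}")
```

On a real machine you would feed the same functions 4096-sample frames from an actual capture (any tool that writes raw PCM will do) and scan frame by frame; a spike that persists across frames is a carrier, and a spectrum that falls to the noise floor above 18 kHz is the hardware cutoff frezik describes. A detected tone only shows that energy is being emitted in that band; it says nothing about whether data is modulated onto it, which is what the oscilloscope suggestion elsewhere in the thread is aimed at.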

------
josh-wrale
A number of investigative tools come to mind: Faraday cage, anechoic chamber,
Amiga 500 with Ethernet, Conway's Game of Life, and ummmm.... arp -a

------
od2m
Allow me to summarize:

Guy who knows nothing about computers probably has unstable power, or EM
radiation causing computer problems.

He imagines a vast conspiracy instead of the obvious.

~~~
binaryatrocity
A well respected security researcher who runs multiple conferences and Pwn2Own
is hardly a "guy who knows nothing about computers".

Hard to summarize when you don't read the article.

~~~
od2m
Yea, so...

[http://arstechnica.com/security/2013/11/researcher-skepticis...](http://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/)

;-)

------
MaysonL
This article is #1 on the front page. The news that Intel is going to fab ARM
chips is totally missing from the front page.

Has HN officially jumped the shark?

------
jhallenworld
It's fun to use psk31 or hellschreiber to communicate between two PCs over
speakers. Install "fldigi" to try it.

------
ddoolin
Wow. A bit scarier than CryptoLocker...

~~~
mercurial
In theory, nothing would prevent CryptoLocker from using the same attack
vector.

------
golergka
For some strange reason, it seems to me that arstechnica decided to treat
Halloween like 1st of April.

------
2close4comfort
This is incredible...it makes me wonder who wrote it...

------
jpalioto
I was waiting for the last line to be something like "If you listen very
closely, you can hear the virus spreading OoooOOoooOOOoooOOOoooh!"

------
batgaijin
should've called it lazarus

------
angelortega
It sounds like a hoax to me. Even the "Dragos Ruiu" name is odd enough to be
an anagram of something.

~~~
thinkling
"Radios Guru", coincidentally. (Or "A drug is our".)

[http://wordsmith.org/anagram/anagram.cgi?anagram=Dragosruiu&...](http://wordsmith.org/anagram/anagram.cgi?anagram=Dragosruiu&t=1000&a=n)

------
ulope
Bullshit

------
promoCode

      has the ability to use high-frequency transmissions
      passed between computer speakers and microphones to
      bridge airgaps.


FUCK. FUUUUCK ME.

God fucking damn it. That shit right there just blows the fucking lid off damn
near everything. It's worse than fucking laser interferometers as far as I'm
concerned.

That, combined with a nasty firmware hack, pretty much fucks everything. Like,
in addition to BIOS, consider the ramifications of hard drive firmware...

[https://news.ycombinator.com/item?id=6148347](https://news.ycombinator.com/item?id=6148347)

And now I have to think twice about that whole microphones inside random
domestic appliances business:

[https://news.ycombinator.com/item?id=6628627](https://news.ycombinator.com/item?id=6628627)

I guess the audio attack vector isn't so outlandish after all, considering fax
machines have piggybacked on audio channels for decades, but the whole
bug-inside-the-iron thing is still pretty random.
