Mysterious Mac and PC malware that jumps airgaps? (arstechnica.com)
407 points by mercurial 1245 days ago | 246 comments



This story is false. Not intentionally so, but evidently some technical misunderstandings and a lot of paranoia have led to the claims being made. I'm using a throwaway because I don't want to get involved in a public battle, but I've analyzed everything that he provided, and he jumped to wrong conclusions for everything so far. I am sorry that I'm making this claim without data, but I ask that you consider that he has also made extraordinary claims without providing any data.

The entire audio channel theory is based on a simple twitter suggestion from a third party, and Dragos saying it must be correct because he has also been unable to remove audio interference from his home audio system.

He has yet to provide anyone else with anything but perfectly clean files, with signed and matching hashes from clean Windows 8 installations.

Although some of the methods he claims are rooted in things that have been demonstrated as a proof-of-concept in previous research, his claims represent added twists in ways that are very difficult to swallow. More importantly, it's based on assumptions, and not anything that has actually been analyzed.

(For what it's worth, I analyze malware professionally)


Yes, it's got all the hallmarks of self-deception.

My guess is that someone (in his lab or close to him) is/was pranking him. And now that it's got this big, doesn't want to admit it.


What triggers my skepticism is

* "Ruiu said he plans to get access to expensive USB analysis hardware" -- I'm not an expert on USB, but I do believe it should be trivial to tap the traffic between a machine and such an infected stick, and compare it to what should normally be happening.

* No effort seems to have been made to capture the sound waves made by this (supposedly reproducible) high-frequency audio networking.

* The infected BIOS hasn't been dumped and compared to the BIOS the machine was supposed to have.

* For some reason, there's no mention of other researchers getting access to or investigating infected machines and USB sticks.

These are all extremely basic steps that could be taken to make the story go from vague conjecture to actual proof (or disproof). Why weren't they taken?


Yes, a hardware USB bus analyzer could record the entire USB session from when you plug it in to when you unplug. You'd think any researcher would have one of those considering they cost well below $2000 http://www.totalphase.com/products/beagle_usb480/ http://www.saelig.com/category/UA.htm

The other thing suspicious is the manner of troubleshooting: "Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped."

Hold on a second. What forensic tools were showing packets flowing? If he's saying that a software application on an infected machine showed "packets flowing", that doesn't mean any data was actually going to and from the machine. That could even mean that the virus just simulates data transfer. Did he try putting tin foil around the machine to block any space signals that might be beaming down?

I'm not sure if it's the researcher or the ars writer who doesn't know what they are talking about.


What about this part:

> Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

When I read that, I had to check the date to make sure this wasn't posted on April 1st. That seems completely implausible, unless the author completely misunderstood some information relayed to him.

There's something (okay, several things) about this entire article that just screams April Fools.

Edit: The additional information others have posted here regarding malware in USB controllers seems far more likely and that the article itself was written as a ridiculously implausible story until the very end where it alludes to the notion that nearly the entire first 2/3rds is completely false. I guess I would've expected better of Ars.


Please disregard this comment and others I have made in this thread. Or at least read this interchange first:

https://news.ycombinator.com/item?id=6650186

TL;DR: My reading of the article incorrectly assumed the infection vector was via microphone. It wasn't; the ultrasonics bit is apparently how the malware communicates (presumably). The tweet referenced in the above link clarifies this.

Please do not upvote my comment further. It is incorrect.


Thank you for this, too often people change their minds (or have their statements disproved) and don't say anything. Thank you for taking the time to "set the record straight" as it were.


It was explained the speakers were used. How is that implausible? The computers were laptops with batteries.


Because it doesn't explain that the system was a laptop until toward the end of the article:

> Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection.

To be fair, the Ars piece is poorly written IMO and makes some very outrageous claims throughout the first half. And I personally find the speaker-microphone route implausible given how difficult that would be. Even the article stakes a claim that it's very difficult to prove:

> It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines

Given the variable quality of speakers and microphones on laptops and other devices, it doesn't seem like a viable route to me, and this is resting far too much on speculation and conjecture to be of any use.

Worse, I haven't yet found anything in the article that suggests every infected machine had a speaker/microphone combination. There's just not that much useful information, hence why this sounds more like a scare piece.

I'm finding myself more and more in agreement with other comments here that have suggested it was probably a reckless use of an infected USB device that wasn't properly ruled out.

Edit: I should also note that if they're so suspicious that the systems are transmitting sound to other non-infected machines, it shouldn't be too difficult to prove/disprove this by recording sound in isolation. The problem is IMO given the variable manufacturers of sound devices, drivers, and so forth, the complexity of this would be such that it'd be nearly impossible. An infected USB device makes much more sense and is a simpler explanation.


> Because it doesn't explain that the system was a laptop until toward the end of the article

So you are saying it is implausible because it doesn't make sense if you don't read the whole article? That isn't how implausibility generally works.

> And I personally find the speaker-microphone route implausible given how difficult that would be.

Ever used a modem?


> So you are saying it is implausible because it doesn't make sense if you don't read the whole article?

That's a bit of a strawman, don't you think?

> Ever used a modem?

Yes. And I don't think that's applicable in this case. First, a modem is designed specifically for such a use case; second, we're talking about an exploit that would (in theory) somehow make use of a microphone to spread itself to a target host.

You would have to assume that there's some flaw in either the audio driver for the microphone, firmware, or whatever that can be exploited by sending some combination of sounds to it. While that's possible, it seems unlikely that would be the case and much more likely that the culprit is an infected USB device of some sort, which has been discussed at length in other threads here (and would take far less work). For the variable quality of consumer microphones in a laptop or other such device to pick up a signal in such a manner as to exploit firmware/driver software at range makes this theory questionable IMO.

My personal hunch isn't that Mr. Ruiu is wrong. I think he's found something interesting and potentially dangerous, new, and fascinating. What I DO think, however, is that the Ars writer may have misunderstood, misinterpreted, or is misrepresenting the information he received.


> That's a bit of a strawman, don't you think?

No.

> we're talking about an exploit that would (in theory) somehow make use of a microphone to spread itself to a target host.

No we are not, we are talking about communication between already infected machines. https://twitter.com/dragosr/status/395959517243928576

> My personal hunch isn't that Mr. Ruiu is wrong.

He may or may not be, but whatever your hunch is, it doesn't appear to be based on the actual situation at hand, so I don't think it carries that much weight.

edit - sorry for being so harsh by the way, I went and re-read the article and I can see how you can read it as the transmission vector being audio rather than just communication between infected machines. I didn't read it myself that way but at the same time it is not particularly clear.


> No we are not, we are talking about communication between already infected machines.

I rather wish you had shared that tweet instead of engaging me in splitting hairs. I dismissed the article outright as stupid largely based on the initial claims it made, which seemed implausible and outlandish. Going back and re-reading the bit on microphone-speaker ultrasonic transmissions makes more sense in light of what you've shared. I don't think those two paragraphs were particularly well written and could have provided additional clarification.

That said, I was wrong and misinterpreted that particular part as being a mechanism for attack. I apologize for my glaring mistake. It renders my previous comments entirely incorrect and they should be ignored. To anyone else viewing this thread, please disregard my previous statements. They were based off of misinterpretations regarding an incorrect reading of the Ars piece.

Sadly, it's the fault of my unfortunately judgmental and inherently skeptical nature with regards to much of the news I read. Maybe it's the fault of politics and the likes, but in spite of the dangers of excessive skepticism, I think it's a better long term approach that can yield useful questions and discussion. Unless it gets out of hand, as is my case. :)

> He may or may not be, but whatever your hunch is, it doesn't appear to be based on the actual situation at hand, so I don't think it carries that much weight.

I still stand by what I have said. I think Mr. Ruiu has stumbled upon something quite fascinating. I was under the mistaken impression that ultrasonic communication was used as an attack vector. So let's not be too harsh over an honest mistake. :)

However, I do think the Ars piece isn't a particularly useful exhibit of Mr. Ruiu's work thus far (particularly in light of the tweet you shared); it's a lengthy, rambling article that provides only fragments throughout its impressive word count, requiring careful reading and some liberal interpretation of the author's intent.

Then again, that's probably a matter of necessity, so I can't really fault Ars. A frightening-sounding article peppered with equally frightening lingo gets page views. "Boring" academic reports rich in data do not.

C'est la vie.


Sure, but that uses audible tones; the method described in the article employs ultrasonic tones, and I think (parent (parent)) is questioning the likelihood that cheap(ish) laptop audio hardware can be reliably depended upon to generate and detect such high frequencies.


There already exist browser-based implementations of basic ultrasonic networking on GitHub - https://github.com/borismus/sonicnet.js/tree/master/lib

Assuming decent error checking, the question isn't whether you could do it, it is just how fast would it be.


Or an acoustic coupler (seriously old school, that one)?


I understand your skepticism, but I would not discount things simply because they do not fit in your frame of mind and assumptions. For example, some may assume that sound based data transmission is implausible simply because of variation in speaker technology and quality and performance, but does that not assume some sort of analog transmission? You don't have to produce and listen to specific frequencies if you have a sequence of pulses that trigger something. Ever hear of number stations?

Also, we assume that things like data transmission by power cable and through power supplies is implausible, but only because we assume that there is no data link between power delivery and data transmission. Could there not be a gate somewhere that upon receiving a specific pulse of electricity opens for full data transmission or even just triggering a sequence of actions that are hard-coded into chip architecture through compromised specifications and standards?

I think we all have heard of the recent publications of NSA's involvement in compromising and deliberately implanting vulnerabilities for their own convenience. Right? If not, you should really read up on what is now public domain.

Although it might be scifi, if you look back on the disparity of technological capabilities in the civilian vs military and intelligence world of the past, you might get an extrapolated idea of how advanced technology developed under triple digit billions of dollars might be.


> For example, some may assume that sound based data transmission is implausible simply because of variation in speaker technology and quality and performance, but does that not assume some sort of analog transmission?

My personal beef with this theory is that you're assuming a consumer-grade microphone can pick up such frequencies in a manner that would be capable of inducing enough of a signal on a microphone to produce a sufficiently specific data pattern to somehow exploit underlying firmware, drivers, or whatever. Considering there's been speculation that an infected USB drive may have been shuttled between systems, it seems that the simplest explanation lends itself to the drive and not the microphone.

And yes, I have followed recent events with the NSA. I understand your suggestion that near-unlimited money can buy you almost anything, but there are many questions that this article doesn't answer. While I think Mr. Ruiu has stumbled upon something novel, I don't think it's nearly as magical or mysterious as some here have been making it out to be.

Besides, wouldn't it be relatively straightforward to demonstrate whether or not there is some capability of this malware to spread via a speaker-microphone route? Why not take a recording of known uninfected machines isolated in a room and then examine the sound signature later? The entirety of the experiment as related by Ars seems flawed (which I blame on the article, not on Mr. Ruiu, since he's been spending a great deal of time working on this), but the possibility that this may actually be tied to exploiting a vendor identifier in an infected USB device is in some ways much more sinister. Some other threads discuss that possibility in detail.

It would be magnificent if there were such an attack vector, but I can't shake the thought that it would have to be very specific to a certain subset of hardware or software.


The ShopKick app uses consumer grade microphones on iPhones to pick up ultrasound signals from in-store speakers so you can check-in automatically just by opening the app.



For what it's worth, he has dumped several files, including the ME firmware, which have all been found to be clean by experts.

https://twitter.com/esizkur/status/389226368514289664

https://twitter.com/0x0000EBFE/status/394216393282830336

He doesn't even have a way to test whether or not a machine is "infected". He claims that it's based on problems booting from a CD and/or hearing audio interference. Extremely dubious.


How were the dumps created? Is it true that if you control the firmware, then you control what those dumps look like? If so, then the virus could be sending a decoy image whenever it detects someone's trying to dump the firmware.


For those who think that the possibility of using the speakers to transmit data from the air-gapped machine is too far-fetched, step back and look at ShopKick; they have been doing this for several years using iPhones and speakers mounted on the ceiling of stores.

http://teleautomaton.com/post/1478772622/ultrasound-whispers...


Apparently he did make a recording of the output (second last comment on this G+ publication https://plus.google.com/u/0/103470457057356043365/posts/3reW... )


Interesting. Let's hope it's more conclusive than the clean windows files he provided before.

[edit]: That comment is two days old, and the files were not provided publicly, he just says he is analyzing them himself. Again, needless obscurity.


From reading the facts in the article, it seems totally unrealistic. Post some dumps of executables, network packets or SOMETHING besides a story.

Honestly, this type of paranoia sounds more like someone on the brink of a breakdown. Can you imagine spending years working on this and still having no 'data' about it? If it's infecting stuff from this USB drive, just post the contents of the drive for analysis.


He has posted files he said were infected. All of these files were clean files from a Windows 8/8.1 install, signed by MS, unmodified.

Of course, no recording of HF audio communication channels, no USB drive "ROM" dump, no hard drive controller ROM dump, no BIOS dump, no PCI card BIOS dump, no USB analyzer data, no really infected file. The excuse he uses is "the files become clean when I put them on a CD!".

Hard to take him seriously.

Also read https://news.ycombinator.com/item?id=6647467 for a second opinion.


Indeed, while not technically impossible (and given Stuxnet is out there, not even highly improbable), this description sounds like the guy has paranoid and/or schizophrenic delusions.

Recurring themes among those are "they've replaced my possessions/tools/utensils/clothes with ones that look identical but allow them to control/monitor me, and they change them back when I try to show anyone". And to them, it all makes perfect sense.

Again, not saying such malware does not exist - I suspect something similar does (though maybe not as widely cross platform). However, I think that this is an account of a serious PEBKAC problem, rather than malware.


The confirmation of the USB vector also makes the title of the article redundant. Any malware spread by USB will "jump airgaps".

The possibility that compromised machines communicate via audio is interesting in its own right, but the wording of the title, combined with the opening few paragraphs, allows for the suspicion that the malware is spread to uncompromised hosts via audio, which is of course not happening.

The article as a whole is unsatisfying. It makes the research into this malware seem completely inadequate.


I think the point is that USB vectors allow the malware to jump the airgap, but not reliably; maybe it puts some data on a USB stick and jumps it back, but for the most part, once it is behind the airgap, it will only do what it's programmed to do.

Being able to communicate via ultrasound means that if you have an infection on two computers on either side of an airgap in close proximity, the theoretically isolated computer can be sent instructions from a C&C server and can send data back at will.

I'm not commenting on the legitimacy of the story, but either technique in isolation is of limited use, combined however they can be a lot more effective.


Pretty sure it won't just be the mass storage device contents that are causing the problems. More like the USB driver supplied by the stick when plugged in does the infecting. And you don't see that when you download the stick's contents.


USB devices don't provide their own drivers. Your methods for infection are either filesystem exploits, or changing the firmware of the drive to send invalid/exploitative USB traffic.


Not so fast - many "exotic" devices (3G/LTE modems, some HID controllers, older U3 USB sticks, even some medical devices!) ship "virtual" USB CD-ROM drives with software and drivers.


... None of these auto-install on Mac OS X or Linux, and not even on Windows since Win7 SP1 if I am not mistaken. So, no, this cannot be the reason for the symptoms listed by Dragos.


I don't think Windows has ever automatically installed drivers. It would automatically run a program as the current user, but again that's only for CD drives, virtual or not, and nothing stops you from supplying your own drivers for the hardware.


But you can always additionally simulate a keyboard. I've heard unconfirmed statements about some devices actually going that route to install their driver and/or associated crapware.


Wow. And still worse, the device can, due to timing attacks or just plain characteristics in the device requests, also determine the likely platform of the host (BIOS, Linux, Windows, Mac OS X, ...) and thus react on the content.

And if you don't exactly hit the conditions the malware is supposed to expose itself, you have no way to read out the EEPROM inside the flash controller. The data chips maybe, but the controller chip of a USB stick is an entirely different thing.


The driver is not provided by the stick. That's just not how things work.


But the USB device gives a descriptor list stating the endpoints etc. to the host. Using buffer overflows in the USB stack was how the PlayStation got breached, after all.

And we all know that USB sticks (or, rather their flash chips) can be reprogrammed at will. USBest, I'm looking at you. (See also flashboot.ru, the stuff you can do with these tools is amazing.)


If this malware is actually real then exploiting a large variety of different USB stacks (whether it's done via the BIOS or OS stack) seems implausible. Maybe the flashed USB stick either:

1) Hides a bootloader on the device that runs at reboot (assuming the BIOS allows it).

2) Pretends to be some kind of device (that most OSes have stock drivers for) that allows it to access main memory. Maybe it pretends to be a USB to FireWire bridge (or something similar that gives it DMA).


Oh, it's just three or four USB stacks you have to mess up: 1) Windows (hey, they've found bugs exploitable in every Windows from 95/98 up to 7!), 2) Linux, 3/4) Phoenix/Award BIOS.

Assuming a government is the adversary (and we ALL know that the NSA sits on a very comprehensive list of exploits!), then this part is actually the easiest.


It's not just four stacks (or more, because the article also mentions Apple Macs and BSD) that you have to "mess up". You also have to mess them up in such a way that you can exploit them without a disk even being mounted. That four/five/six stacks are all exploitable to this extent because of buffer overruns (or similar) seems implausible.


If that's the suspicion, then use an exotic platform to dump whatever the drive is doing. I know a guy who got USB mass storage devices working from a Zilog Z80 based calculator. I doubt an arbitrary USB malware is going to be clever enough to effectively subvert an arbitrary homemade USB stack on a (these days) obscure arch.


Compromised drivers and even chips and components that are triggered with rather simple code or sequences, i.e., secret knock.


There are similar claims here http://www.stopthespy.com/


The lack of low-level analysis is incredibly suspicious. If you think it's moving at the BIOS level on USB sticks, then you find someone with a high-frequency recording oscilloscope and capture every single electrical signal you see on that bus because it's certainly not going to be moving an encrypted version of its own infection code. Same thing you'd do to the microphone and speaker.

I mean I get a few months of nothing you don't do this, but 3 years? A USB bus is not high bandwidth - there's off-the-shelf hardware that will do this.

This story is just too fantastical to be true. We're talking about a ridiculously sophisticated piece of malware, which has been found nowhere else, and is absurdly high visibility (people don't keep using computers which are obviously infected with something).

If you had something as resistant as this in your pocket, you didn't write it on your own, and the absolute last thing you would do is give it high-visibility infection symptoms and toss it out into the wild.

EDIT: It's worth noting this would very much hardly be the first time a researcher suddenly went off the reservation. Happens to even Nobel Laureates.


>>>> This story is just too fantastical to be true. We're talking about a ridiculously sophisticated piece of malware, which has been found nowhere else, and is absurdly high visibility (people don't keep using computers which are obviously infected with something).

Unless you're a state sponsored agency looking to test a zero day exploit. What better way to test it than to attack one of the top infosec researchers in the industry?

Think about it. You get one of the top researchers to figure out your malware, bring in all his friends to figure out how it works and then publish the results - giving you exactly what you need to refactor it so it's completely untraceable, and non-responsive to efforts to try and stop it from propagating.

I'm not sayin, I'm just sayin. . .


That's not the problem I'm posing.

What I'm posing is, if you had malware this successful at spreading itself, the very last thing you would do is attach a high-visibility payload to it (disabling system devices like the CDROM drive - allegedly).

Your hypothesis isn't much better - hostile organizations don't give you a chance to figure out a defense strategy, especially when there's no risk of deployment. You don't need a test for a virus - you use it, and then you make another one.


The allegation of breaking boot-from-CD isn't that high visibility - you wouldn't notice it during normal operations.


But you would notice being unable to use regedit or the like.

There's no point hampering removal once you're detected if you have a good mechanism for hiding or repairing the infection.


The article is long and a bit rambling. It doesn't do a good job of explaining what steps Dragos took to eliminate different attack methods. It doesn't sound like a particularly clean fault finding / debugging session.

> For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

I don't want to sound mean, but what? This paragraph just reads like Hurp-Durp to me. I'm an idiot, but even I know that there are some very nasty things to do to USB drives.

EDIT: https://news.ycombinator.com/item?id=6534617 https://news.ycombinator.com/item?id=933210 https://news.ycombinator.com/item?id=1855936


The audio channel doesn't make any sense to me; when I heard it from Dragos on Facebook the first time, I was actually a little worried about him. It's not that I think it's impossible to create a covert channel over audio; it obviously isn't. It's that for the malware story to play out, the covert receiver needs to already exist; if it does, you're already infected, so what does "air gapping" matter?


I think it means that the infected airgapped computer can communicate with an infected non-airgapped computer over audio. The malicious code would already need to be there but once it's there it could (albeit slowly given the transmission rate) send data out from the air gapped machine.

I was going to add a line like "Who has a mic and speakers on their airgapped machine?!" but obviously every laptop does.


And next to every PC has at least a speaker for the BIOS beep. I'm not sure how good the DAC driver chip is (especially, how they perform at ultrasonic or subsonic frequencies).


The PC speaker does not have much of a DAC. Before the common use of ASIC chipsets, the PC speaker was connected to one of the channels of a clock divider chip. The other channel was used to drive the timer IRQ.

When a program wanted to produce a tone, the program took the input frequency of the clock divider divided by the desired frequency and programmed it into the clock divider. To control the duration of the tone, a DOS or BIOS call was available to delay the program, or the program could hook the timer interrupt vector. The program would then turn the speaker off or start the next tone.

Programs could also turn the output bit on and off manually. Some programs could turn the bit on and off rapidly to play arbitrary sounds. There was even a Windows driver to play sound through the PC speaker, but it disabled interrupts, causing the clock, keyboard, mouse, and network to stop while the sound was playing.


If the speaker is physically capable of that, the same technique can output ultrasound - with modern processor speeds, you probably could twiddle that output bit while still leaving room for normal system operation.


Now that's an interesting piece of history. Thanks!


I was thinking about this too. If it's possible to send out arbitrary frequencies with it you could have a one way channel even if the air gapped machine doesn't have a mic. Only the receiver would need one. The air gapped machine would just be transmitting 24/7 hoping another machine is in range.


Quite like a navigation beacon...


Schneier admitted his airgapped machine was a laptop. But I suppose he has the good sense to physically damage the mic, speakers and wifi and Bluetooth.


Creating a network connection over audio allows an infected, but airgapped, computer to remain in contact with the malware controllers. This would enable the exfiltration of information, as well as the infiltration of updates to the malware.


Yeah, maybe. That isn't the sense I got from reading all this stuff, but I've been wrong about bigger things before.


From TA (emphasis added):

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.


With a staged payload, the ability to communicate across an airgap could allow successive stages to be delivered in the presence of counter-measures. It could also facilitate minimization of the spore's footprint during initial infection and thereby reduce the likelihood that the spore will be detected.

The conclusion that for communications across the air-gap to work, the receiver must already be infected is the only alternative to "No, it isn't happening."

Now I'm not in a position to say, that it is happening. But I'm not in a position to say that the supply chain for electronic devices is hardened against an attack by a state sponsored agency seeking to inject spores into devices at the time of manufacture. If an agency is interested in maximizing backdoor accesses, having infected devices roll off the assembly line and straight to end users certainly seems like an ideal outcome. It's map reduce.

Don't get me wrong, I know I'm furiously folding Reynolds Wrap. But I also know that there is a cognitive gap between the furniture of everyday experience and large scale phenomena - e.g. collecting metadata on all phone calls simultaneously and then storing and searching it doesn't fit with the MOS 6510 mental model of computing I habitually use.


>>>> If an agency is interested in maximizing backdoor accesses, having infected devices roll off the assembly line and straight to end users certainly seems like an ideal outcome.

And we already have proof that manufacturers in China have been doing this:

http://www.theguardian.com/technology/2012/sep/14/malware-in...

"Microsoft researchers in China investigating the sale of counterfeit software found malware pre-installed on four of 20 brand new desktop and laptop PCs they bought for testing. They found forged versions of Windows on all the machines."

This would be the easiest way to do this, and since it's already been demonstrated, I would hasten to say your tinfoil folding is certainly not being done in vain.


This seems nonsensical to me. The microphone and speakers in a typical laptop (yes, even a MacBook Air) are hardly quality enough to a) transmit any data at a high enough frequency to have any bandwidth and be "undetectable" and b) the microphone would be of even worse quality.

A typical laptop has a ±3 dB audio frequency response of 200 Hz - 8 kHz if you are lucky; even if you wanted -10 or 20 dB I doubt you would get much above 12 kHz, which is detectable by most people without significant hearing damage. I'm very skeptical about this article...


I just tested the built in speakers and mic on my 3 year old MacBook Pro using sine waves and a spectrum analyser.

It's perfectly capable of sending and picking up a 20 kHz signal by itself. The frequency response starts dropping off drastically at around 14 kHz. Around 21 kHz seems to be the practical limit.

However, there seems to be a bit of distortion going on. I'm not sure it's possible to send a clean inaudible signal without introducing lower frequency components.


I've worked in computer music/audio for years. Most people and PCs can reach 20 kHz. It's no coincidence: human hearing drops off around that point and thus the 44.1 kHz sample rate was chosen to match that (you can transmit frequencies at a maximum of 1/2 the sample rate, thus 22.05 kHz). But modern sound cards can reach 96 or even 192 kHz sample rate, able to transmit ~50-100 kHz tones (other factors aside). Further, modern sound cards can have amplitudes expressed as 24-bit numbers, providing very high fidelity/accuracy.

So, you may be able to hear higher than 20 kHz. Even if you increase your sound card sample rate, the best test would be to try something analog to eliminate other bottlenecks in the audio processing. But you can easily tweak your audio settings and generate sine waves with this program:

http://audacity.sourceforge.net/


Ok so maybe it's possible to send audio and receive it via a MacBook Pro. However, how much data could that low bandwidth signal carry? I'm even more curious how randomly transmitting "evil bits" this way could spontaneously infect a PC at the lowest levels. Something just doesn't add up here.


Absolutely no one is suggesting that audio is being used to spontaneously infect previously uninfected systems. No one has ever suggested that except for people who have failed to carefully and completely read the article. The claim is infected machines are using it to communicate, not that uninfected machines are being infected by it.


Quite a few people can hear 20 kHz. I can still clearly hear 18.5 kHz (or what my laptop's speakers emit when I feed them an 18.5 kHz sine) and 19-20 kHz gives me headaches.


There are pressure sensitive pens that work with any Android/iOS cell phone via ultrasound. So I don't know about laptops, but all smartphones are capable of data transmission via ultrasound. I can't recall the last laptop I used that didn't work fine for Skype, so I don't think laptops are any worse, personally. Maybe 5 years ago one employer went cheap on a model without the built-in webcam on a laptop that usually had it, but even that had speakers and mic.


It was actually hearable but could be mistaken for crappy electronic noise

https://plus.google.com/u/0/103470457057356043365/posts/3reW...


There is no audio in the link you provided.


The article is awkwardly formulated, but gets clear later on: the attack happens over a USB flash drive, but air gap doesn’t remove communications from the infected machine until you remove the mike/speakers.


Yeah, this really reads like quite paranoid delusions. Connecting events but ignoring the incredible leaps that have to be made.

I don't understand why he hasn't posted 'infected' USB sticks to a bunch of high profile security folk with "POTENTIAL BIOS MODIFYING TROJAN ONBOARD" written on it? It would be a matter of a day or two before someone monitored all communications with it passively and proved or disproved his theory.


@PaxNoxNomPox - @dragosr How can #badBIOS spread if rcvr doesn't know what to listen for? Something has to be listening and know what to listen for. Thnx.

@dragosr - @PaxNoxNomPox no evidence of "spreading" via audio. Just comms between infected machines.

https://twitter.com/dragosr/status/395959517243928576


Imagine a ton of laptops passing through Starbucks. The infection is being established via something on an unprotected (or compromised router) wifi network. That infection is dormant with only one function: listen on the microphone. You could create an army of laptops that receives its orders through proximity completely bypassing any firewall system you have. It's pretty insidious.


The audio system is not the attack vector. It is a means of staying in contact with command-and-control by communicating with other already-infected machines.


The question that came to my mind was, how is he capturing these "network packets" that are being transmitted over the audio channel?


Presumably the infection includes a driver to turn the audio system into an acoustic coupler, which would appear as a network device on the target machine. At that point any packet sniffer should be able to attach to it.

I'm guessing of course, there aren't many real details to go on, and that would mean this infection is more than just a malicious BIOS.

EDIT: Or he's full of shit. Honestly I said that several times reading it; the story was clearly written for sensationalism and made many seemingly impossible claims. I'm nowhere near an expert but it still set off the bullshit meter too many times.


Beyond capturing it locally, if the goal was to actually forward messages out to the internet a simple sniffer at the gateway would see attempts to phone home. This is definitely an area where more information would be needed but it's entirely plausible that someone would choose to have a way for targeted air-gapped systems to smuggle data out slowly if no better option is available.


Exactly. From the article: "Forensic tools showed the packets continued to flow over the airgapped machine." How do they know? Where do they hook in to log these packets?


Probably by monitoring the hardware when the machines were supposed to be doing nothing. If you get activity with certain timing you can be pretty sure that the machines are sending packets to each other.


Not difficult. Wireshark running on either PC will tell you this.


Wireshark doesn't listen on audio devices though. You have to choose an interface. There is no obvious way to capture what he claims to be seeing, and if he used wireshark or tcpdump, he would have a log. Furthermore, if you had a covert audio channel, you wouldn't encapsulate it in TCP or IP. Under close examination, these claims don't make any sense.


Wireshark can also capture raw Ethernet and raw USB frames, but it still needs an interface from which to capture. Maybe it was the loopback interface?


The loopback interface is localhost only; it doesn't see any packets coming from or going to any other host.


Software infecting the running system could send packets received via audio to localhost. I'm not saying it's likely, but it's a remotely plausible explanation for the article's description of the attack and investigation.


Software infecting the running system could send packets received via audio to localhost.

Hm. I suppose this is theoretically possible, but I don't see why it would be done in a practical sense. If the malware needs to "phone home", it doesn't need to send packets via localhost; it just sends them out on whatever interface is connected to the Internet. (But how would you distinguish those packets from any others being sent out to the Internet?) If the malware is divided up into multiple processes that need to communicate with each other, why would they betray themselves by connecting via localhost? If they are on OS X or Linux, they can use Unix sockets, which don't need to go through any network interface. If they are on Windows, they can use any of several Windows IPC mechanisms that don't require a network interface.


On which interface do you have Wireshark listen? Not eth0, not wlan0. As far as anything outside the virus can tell, audio in and out is just sounds.


Would one not be able to read that energy was transmitted, but not know exactly what it was if you measured in a Faraday Cage?


The way I read this article, two infected computers can communicate via these means, but the means of initial infection of airgapped computers are still partially unknown. You may have more context, but that's how I understood the article on its own.


What could easily explain all of this is he's installing OSes using pirated media (which commonly bundles trojans). Plugging in the USB drive could just be triggering the trojan that came in the OS.

The most telling thing about the article is he hasn't been able to capture any of the malware code in three years. Either it's all in firmware and not being delivered to the OS, or it's already in the OS.

...And it could also be a series of unfortunate coincidences that just look like malware activity. CDROM doesn't boot? Probably a bad CDROM drive. Registry editor disabled? Probably a bug in Windows. Strange networking where it shouldn't be? Apps transmit random networking crap all the time, and you don't need OS support to send arbitrary raw packets. 'Modifying settings and deleting data' could be anything, like a log rotator, I don't know.

If it sounds impossible, it probably is.


But he doesn't need pirated media for, say MacOS on his MacBook Air, or Linux machines. Seeing as though he's a security researcher, I'm guessing he is capable of md5ing his FreeBSD ISOs...


It's just as possible he checked against the MD5s supplied in the torrent he got the ISO from, or never did the check, if he hadn't thought of it.

It's much less likely that he's experiencing the most advanced malware in the world, and much more likely that he just overlooked something simple.


He also mentions that data was deleted and configuration changes made. If all of these things happened to you in a short amount of time, on multiple machines, what would your conclusions be? Would you just shrug it off as coincidence?

Personally I'm skeptical about the registry search functionality being disabled on a wiped machine -- that could easily be a Windows bug. But the other stuff would certainly get my gears turning.


eball, your post is marked as dead. But yes, he needs to get a Beagle USB analyzer on the thumbdrives to find the injection vector.


Is this a computer ghost story for halloween? Now I'm never going to be able to get my laptop to Sleep.


Considering the article goes so far as to claim that infected machines can still continue infecting others when they're unplugged from A/C, I'd argue that yes, you're absolutely right. This sounds like a "ghost story."

Edit: I should note that after about the first two-thirds of the article, there is some effort made to explain this (and it negates the entire first bit of the article), but there is much better information others have shared here regarding malware embedded in USB controllers. I still like jameshart's assertion that this is just an elaborate ghost story for Halloween.

Edit edit: They conveniently mention toward the latter part of the article that the machine unplugged from A/C was a laptop which was then running off battery. I'm growing more and more suspicious of the quality of this particular article.


I agree, that can't be right if the article is not well written. </s>


But wait, all of this has happened before, remember skynet's early days? oh...but that was a movie...


I hope so because this is just silly.


I wish that wasn't funny.


Interesting story. The use of audio is fascinating; even with 20 kHz carriers, using FSK[1] you're looking at maybe 6666 baud, which is 666 bytes per second. That is about 2 seconds per 1500 byte packet. So not exactly a "fast" way to communicate.

You might use QPSK (basically two FSK ranges using phase to indicate 00/01/10/11 states), but that would still make for a pretty small pipe. Perhaps enough for a C&C channel but not really enough to exfiltrate data.

[1] Frequency Shift Keying - generally takes three complete cycles of a 'tone' to reliably recognize the frequency. So 20,000 / 3 = 6666.666 baud.
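The estimate above, together with the earlier point in the thread that a recording only shows frequencies below half its sample rate, can be turned into the check a defender would actually run: record next to the suspect machine and look for a near-ultrasonic carrier that persists across consecutive frames. The following is an added example written for this thread, not code from the article or from any commenter; `detect_carrier`, `hf_energy_ratio`, `fsk_throughput` and the two constructed signals are this example's own names, and the 17 kHz cut-off, the 10-bits-per-byte framing assumption and the sample audio are assumptions rather than anything the page states. It uses only the Python standard library.

```python
"""Flag a sustained near-ultrasonic carrier in a microphone recording.

Added example, not code from the Ars Technica story or anyone in the thread.
Frame the audio, FFT each frame, and report when most of the spectral energy
sits above a cut-off (17 kHz here) for several frames in a row. The sample
audio below is constructed in code, not a real recording.
"""
import cmath
import math
import random

SAMPLE_RATE = 44100  # Hz; Nyquist limit is 22050 Hz, so a 19 kHz tone is observable


def _fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even = _fft(x[0::2])
    odd = _fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def hf_energy_ratio(frame, sample_rate, lo_hz):
    """Fraction of one frame's spectral energy (DC excluded) at or above lo_hz."""
    n = len(frame)
    # Hann window keeps leakage from loud low-frequency content out of the high band
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, s in enumerate(frame)]
    spectrum = _fft(windowed)
    bin_hz = sample_rate / n
    total = high = 0.0
    for k in range(1, n // 2 + 1):  # positive-frequency bins up to Nyquist
        power = abs(spectrum[k]) ** 2
        total += power
        if k * bin_hz >= lo_hz:
            high += power
    return high / total if total > 0 else 0.0


def detect_carrier(samples, sample_rate, lo_hz=17000, frame_len=4096,
                   threshold=0.5, min_frames=3):
    """True when `min_frames` consecutive frames put >= `threshold` of their energy above lo_hz.

    Raises ValueError if the recording's sample rate cannot represent the band at all:
    you only see frequencies below sample_rate / 2, so record at >= 2 * lo_hz.
    """
    if sample_rate < 2 * lo_hz:
        raise ValueError(f"sample rate {sample_rate} Hz cannot capture {lo_hz} Hz")
    run = 0
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        ratio = hf_energy_ratio(samples[start:start + frame_len], sample_rate, lo_hz)
        run = run + 1 if ratio >= threshold else 0
        if run >= min_frames:
            return True
    return False


def fsk_throughput(carrier_hz, cycles_per_symbol=3, bits_per_byte=10):
    """Back-of-envelope 2-FSK rate as estimated in the thread: one symbol per
    `cycles_per_symbol` carrier cycles. 10 bits per byte (8 data + start + stop)
    is an assumption made here. Returns (baud, bytes_per_second)."""
    baud = carrier_hz / cycles_per_symbol
    return baud, baud / bits_per_byte


def synth(seconds, sample_rate, tones, noise_amp, seed=1):
    """Constructed test audio: a sum of sine tones plus uniform noise."""
    rng = random.Random(seed)
    out = []
    for i in range(int(seconds * sample_rate)):
        t = i / sample_rate
        v = sum(amp * math.sin(2 * math.pi * f * t) for f, amp in tones)
        out.append(v + rng.uniform(-noise_amp, noise_amp))
    return out


# Constructed inputs: a 440 Hz room hum, with and without a 19 kHz carrier on top.
SUSPECT = synth(1.0, SAMPLE_RATE, [(440.0, 0.05), (19000.0, 0.2)], noise_amp=0.01)
CLEAN = synth(1.0, SAMPLE_RATE, [(440.0, 0.05)], noise_amp=0.01)

if __name__ == "__main__":
    print("suspect recording flagged:", detect_carrier(SUSPECT, SAMPLE_RATE))  # True
    print("clean recording flagged:", detect_carrier(CLEAN, SAMPLE_RATE))      # False
    print("2-FSK at 20 kHz (baud, bytes/s):", fsk_throughput(20000))          # (6666.67, 666.67)
```

Feeding it a real recording means decoding a WAV to floats first (the standard `wave` module does that) and recording at 44.1 kHz or higher; at a 16 kHz voice-call rate the whole band of interest is simply absent, which is why the function refuses such input rather than silently reporting "nothing found".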


Okay, so because he could not remove the audio interface, it MUST be the only logical infection vector remaining? That is a very strong claim, particularly since I do not see any claims that he is also HEARING the requisite very long and loud screeching sounds that would imply. Audio data transmissions on consumer grade devices unavoidably involve sound, right?


Well that is the thing: if it were pitched high enough then no, you probably wouldn't hear it. (That is also beneficial for higher speed transfers.)

What the article said was that he was seeing packets from the airgapped host (that means nothing but air around it, no wifi) which stopped when he disabled the speaker and microphone. That suggested that this was the 'wire' between the two.

One of the side effects of using piezoelectric speakers (which are nice and flat, so adored by mobile device makers and laptop makers alike) is that they often have frequency response ranges above 20 kHz. Many people cannot hear frequencies over 15 kHz, although 15 kHz (which was the scan rate of CRT monitors) can be heard by some folks, and poorly wound flyback transformers would drive them nuts.


> poorly wound flyback transformers would drive them nuts

Those and marginal capacitors do drive us nuts. And that's one reason such communication wouldn't have to be completely out of human hearing range. Those of us who can hear it aren't going to be shocked by yet another high-pitched whine in a room full of electronics.


I considered this before posting. If it was near ultrasonic it would have near zero chance of useful transmission unless the attacker and victim were very particularly aligned. The higher the sound frequency, the less sound curves around obstacles.


Sure, but how much data needs to be sent to deliver the first stage, and how long does the attacker have to deliver it?

Reminded of ELF communication with submerged submarines.

http://en.wikipedia.org/wiki/Extremely_low_frequency


I once did some work for a team that did ELF communication from a small autonomous sub to a surface ship for mapping. They had a 1200 bps channel up to the ship for the map data...

(I didn't get to do anything with the sub - I was just brought in for two weeks to give them a way of feeding that data from a Sun workstation on the tracking ship to another station via GSM data (mainly for demo and testing purposes); trivial in comparison to the software controlling the sub, but it was fun getting to go out on the tracking ship when they did test runs)


> Perhaps enough for a C&C channel be not really enough to exfiltrate data.

I really really really hate to say "APT," but if you had a gapped, infected PC sitting next to an internet PC; and both were powered up 24x7 for months with the infection undiscovered, you could grab a significant amount of data.


Would it matter what frequency if the signal is a sequence of digital pulses, i.e., a digital secret knock encoded in compromised hardware or software, i.e. audio components and/or drivers?


666 bytes per second--this really is evil!


So wait, it's a BIOS virus that covers the platforms he tested (multiple BIOSes to exploit/patch)...

that can communicate via Sound (Requires DSP)...

that can defend itself against the registry editor (Deep integration to the OS, for at least windows, linux/OSX noted as well)...

that can alter data...

that can infect network cards (implied in the article)...

that can possibly use the power system to communicate (Ok, on a laptop, that might be possible. Otherwise, PSUs aren't completely isolated from the computing system's logic?)...

that all still fits within a BIOS chip? Either BIOSes are complex (read space-intensive) enough to stop being Basic, or they can fit this AND a functioning BIOS into a payload that would be delivered by sound, USB, network cards...

Can it modulate the fans to transmit data too? Or change the screen brightness faster than the human eye can see, but can be detected with cameras? How about using the Wifi, HDD activity, sound mute, caps lock, numlock, scroll lock and power indicators to transmit?

How about opening and closing the HDD to transmit data?

I can't agree more with MacsHeadroom's assertion that this is a situation where the simplest explanation wins.

Not to mention I REALLY don't want this kind of thing to exist...

EDIT: Added fans paragraph


If these were all EFI/UEFI machines, there is a lot more code in these preboot EFI environments than one expects. Room enough to hide this kind of payload.


I could expect ONLY the DSP, ONLY the windows-individual portion, maybe 4 or 5 BIOS exploits and maybe 2 or 3 BIOS patches, about the same for Ethernet cards, maybe the CD controller, maybe 1 or two different USB firmware exploits and patches, maybe the entire PSU manipulation logic

but ALL of that? In the BIOS?

(I'd like to point out I am nowhere near the caliber of the man who's supposedly experiencing all of this. I do not know the true size of any of the aforementioned payload.)


With UEFI/EFI it's pretty plausible that you can load additional code at runtime from elsewhere, even outside of the large space available for UEFI/EFI itself. Some versions even self-contain quick-booting minimal environments that contain web browsers and such.


I had a motherboard in the 90s that had a mouse-driven GUI for its BIOS configuration. "BIOS" hasn't been "basic" in decades.


Well, BIOSes these days are all the same anyway (Award/Phoenix), and no one gives a fk about BIOS code safety. Even the "anti-thievery" measure of permanent security codes (unlockable by manufacturer only) is moot, as you can reverse-engineer BIOS updates and get the code from them.

And I would not rely on BIOS code being security-audited in ANY way! Especially not the part of the code dealing with USB. Low-level as it may be, I bet there exist buffer overflow or other vulnerabilities in USB protocol stacks.


From TFA: "he suspects badBIOS is only the initial module of a multi-staged payload"


I understand, but from my reading of the article, it looks like all of this is the initial badBIOS module.

But on the topic of modular malware, what would the initial discovery of Flame look like, if it were still in progress after 3 years? Would it or would it not seem like this? It's got odd transmission methods, and the possibility of more to come. But if deleting data, self protection, and propagation aren't the attacks, then what are?


For anyone having trouble believing that their computer can network using sound, give this demo a try:

http://smus.com/ultrasonic-networking/


This sounds really fishy.

> Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed.

Observed how? If not a standard interface (i.e. disk, network, etc), using what? How could he know they were encrypted unless he intercepted a payload?

> With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

What would be the point of this communication? Its BIOS would already need to be infected in order to be able to communicate via sound. The situation I can see this being useful in is using another infected machine's Internet connection to download an OS specific payload, which makes some sense.


From what I understand, an airgapped computer got infected back after having its disk erased, its BIOS flashed and its OS reinstalled. His guess now is that the malware would be inside the RealTek audio chip software. From there it could theoretically download the BIOS malware back onto the computer through the high frequency connection (that does sound crazy!)

See: https://plus.google.com/u/0/103470457057356043365/posts/3reW...


Phoning home, I'd guess. Spying with malware is hard when the infected machine can't communicate with its controller.


If, like Stuxnet, your goal is to infect specific machinery, then reporting back infection can be valuable. Once the right machinery is infected, others could wipe evidence of malware presence. You might object that uranium centrifuges probably don't have decent speakers to generate a signal... But they would instead generate unusual spin patterns, exactly what Stuxnet was designed to achieve, and those patterns would be audible to nearby equipment. Seems like a fine way for Stuxnet to report success back up the infection chain and then cover its tracks.


As I read the article I thought, "Gee, my phone has a USB port and a radio or two."

By the end I'd added, "And a speaker and a microphone."

If I was [metaphorically] a state sponsored espionage agency, that's the way I would go. I wouldn't be fooling around with USB sticks. That 1990s vector has been publicly outed and people can easily live without them.

And by writing this, I've just now tinfoil-hatted my way to the belief that pretty much every electronic device, if it isn't p'wned, it's just by the blessings of laziness or disinterest. After having read about the scale upon which the US pursued cryptography during the Second World War in Battle of Wits: The Complete Story of Codebreaking in World War II by Stephen Budiansky, I'm not betting on either.


Interesting that such a seemingly well-designed piece of malware would have such an obvious tell (refusing to boot from any other hard disk). Although I suppose that it is a rare thing to do. (Now's the time to check…)

Also fascinating that his infection is at least three years old. Was Dragos targeted? Or perhaps someone within the pwn2own contest was?

Such persistent malware that targets air gapped machines reminds me of other malware created by nation-states.


Also, if you've compromised BIOS what do you care if the user boots from CD?


Booting from a CD would [let you replace the infected BIOS](http://www.flashrom.org/Live_CD). Restricting the boot devices presumably helps preserve the BIOS infection.


Fair enough, presumably it's easier to simply prevent booting from CD than subvert every tool for flashing BIOSes.

In the end, it seems to me that blocking boot from CD is a net loss, since it alerts the user (who can undertake drastic measures including hooking up a different hard drive), whereas allowing boot from CD but reinstalling the BIOS malware from the (presumably thoroughly infected) hard disk would not.


Who knows. There's a lot of inconsistencies in this story.


I wonder if the Absolute Software Computrace BIOS integration has been compromised?

http://www.absolute.com/en/products/absolute-computrace/pers...

All of the major OEMs embed code from these guys into their BIOS. Once activated, it can brick the box, delete files, re-install their Windows/Mac agent that allows for location tracking, etc.


Worse, Computrace ends up in the management engine firmware, which is more powerful and less auditable than the BIOS/UEFI (and works with powered off main CPU, too).

See https://events.ccc.de/congress/2013/wiki/Projects:MEre


This is the type of article that we need less of in the world. It's full of conjecture and fear mongering. It serves only the anti-virus corporations and Ars Technica.

I'm convinced "encrypted" is the new scare word, similar to "terrorist." When you hear it, all rational thought and discussion just vanishes. This article mentions network traffic as being "encrypted." Yet apparently, no one knows how to analyze the traffic beyond that? Are you kidding me? Was it using TCP? UDP? Just IPv6? How big were the packets? How frequent? What interface were they coming from? (because, you know, the kernel has to have some entry point into its network stack)

It's "encrypted." Oh. I see. Well, never mind then.

> Things kept getting fixed automatically as soon as we tried to break them. It was weird.

"It was weird." What is this, Scooby fucking Doo?


Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

Anyone else having flashbacks of John Nash?

http://en.wikipedia.org/wiki/John_Forbes_Nash,_Jr.#Mental_il...


Yes, especially coupled with the "been going on for 3 years" and yet no actual analysis of the virus, no oscilloscopes, digital signal analyzers or spectrum analyzers put on the task, no third party researchers confirming this. Sounds very odd indeed.


The post announcing discovery of the HF audio was made October 15th, 2013. Remember you're reading a reporter's dumbed-down summary of what someone else has found.

https://plus.google.com/103470457057356043365/posts/3reWRqDM...


So 14 days and still "pending analysis". I don't know where he lives, but it can't be that difficult to find someone with an oscilloscope and the knowledge of how to use it?

Again, sounds very fishy. I would expect a more methodical approach from a security researcher.


Extraordinary claims require extraordinary evidence.

So far it sounds very conspiracy theory to me. I don't know his credentials, so it is hard to figure out what to make of it.

Had this come from Schneier I would have taken it a lot more seriously.

Like others have mentioned, where is the evidence? Give us the audio recording at least.


>Extraordinary claims require extraordinary evidence.

What seems extraordinary to you might not be to someone else. Go be a pretentious pseudo-intellectual somewhere else.

>I don't know his credentials, so it is hard to figure out what to make of it.

First of all, his credentials are irrelevant (see: appeal to authority fallacy). Secondly, they are listed in the article itself, which you obviously didn't even bother reading.


> What seems extraordinary to you might not be to someone else. Go be a pretentious pseudo-intellectual somewhere else.

It is not extraordinary to you that computer viruses travel through sound waves using computer speakers and microphones, yet when this supposed "expert" tries to uncover and provide samples of it, the evidence magically disappears.

> First of all, his credentials are irrelevant (see: appeal to authority fallacy). Secondly, they are listed in the article itself, which you obviously didn't even bother reading.

Oh I see you are an expert on fallacies. As an exercise try finding a few fallacies in your comment.


The credentials are relevant toward whether it's a prank, and also the amount of equipment he has available for diagnosis.

(Does this mean I can cite you for fallacy fallacy? This game is stupid.)


This is quite cool actually. It reminds you that if your device has a sensor, it can communicate.

It should be possible to communicate through a webcam and a screen when the airgapped devices are in the same room. It could be possible to communicate by accelerometer (Macs have these) and inducing vibrations using the HDD when the devices sit on the same table.


> It should be possible to communicate through a webcam and a screen

Naturally.

http://en.wikipedia.org/wiki/Timex_Datalink#Wireless_data_tr...


webcam <-> screen: QR codes?

accelerometer: is very low bandwidth (think ~10-1000 measurements per second). The noise is ~100μg/√Hz - with 12 bits samples I'm not sure you'll pick up HDD vibrations (but rather easy to test).

Someone should lend the people researching this an oscilloscope.


No, not QR codes since it would require the webcam capturing the screen directly. The screen may be used as a light source for the transmission and the webcam can capture the light reflecting from the walls...


Certainly devices can "communicate" via sensory data, but that shouldn't cause your device to randomly execute code after receiving that data. Unless the programs that read from sensors are really poorly sandboxed...


Thank goodness for SSDs!


Transmitting over HF waves via mic and speaker? That is currently blowing my mind.

Looks like my laptop needs a tinfoil hat more so than myself!


Meet dog, your new security alert!

"ARF ARF" -"What is it, doggy? Someone's trying to hack the IRS dbase? Good dog!"


Chirp.io uses sound to transmit & receive links between nearby Android/iOS devices. IMO, interesting tech[1] that's more useful & less secure than bluetooth, for such use cases.

[1] http://chirp.io/tech/


Chirp is doing some really interesting work in this space, trying to improve the user experience of fast-forming short range communication.

My understanding is that Chirp uses audio to basically detect WHO you are standing near, but the actual data transfer happens over more typical links.

"An inherent limitation of the audio protocol is its highly limited transmission rate.

To send larger amounts of data, we have built a RESTful network infrastructure which allows arbitrary pieces of data to be associated with Chirp shortcodes. A sending device can thus upload a photo to the cloud, and obtain a shortcode representing it to be send over the air. A receiving device hears the shortcode over its microphone, and resolves it with a GET request."


> That is currently blowing my mind.

Not so much mine.

http://en.wikipedia.org/wiki/Acoustic_coupler


You could really hear the noise with these however. And there's the fact that the speaker was directly touching the microphone. It's cool that this works basically inaudibly across a room.


You could hear them because they were constrained to the voiceband. Frequencies outside 300-3400 Hz were deliberately filtered out by the telephone system to maximize the number of calls that could be carried on a limited amount of copper.

"Across the room" isn't really interesting, either. I've decoded PSK31 across a room. Higher, near-inaudible frequencies would probably make the decode even cleaner.


Very unlikely. Laptops have crappy mics; they don't really have a response near 20 kHz, and neither do crappy speakers. Also, this virus would have to analyze and deal with ambient noise. That's a pretty big level of sophistication for malware that can fit in flash memory.

So far, extraordinary claims, little data to back it.


So the oldest mention I did find is from the 21st of October [0] and then more on the 23rd [1,2]. So until I see an actual zombie, my money is on a ghost story for Halloween.

[0] https://twitter.com/dragosr/status/392348130101829632
[1] https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa...
[2] https://plus.google.com/103470457057356043365/posts/9fyh5R9v...


Maybe, there are problems with the story.


Some of dragosr's claims/suspicions come off as next to impossible. I think he could use a healthy dose of Occam's razor.

Nevertheless, this does sound like a nasty piece of malware.


If not impossible, at least very strange that he has not done more research to verify this (would be easy to do with an oscilloscope attached to the speaker output).

Seems like trolling or some form of paranoia.


Dumping the BIOS also comes to mind.


How are you supposed to dump it? It's like hacking slot machines: you can always make a rootkit which returns exactly the data you're expecting...


Using any random quad-SPI programmer and soldering it to the chip that contains your BIOS. If dragosr is suspecting BIOS malware, I can't understand why he hasn't done that yet. From what I've read on his Twitter and Facebook accounts, he has apparently spent 3 years investigating this malware and is just now thinking of dumping the ROM of his "infected" USB devices.

Smells fishy to me.


What if the BIOS code dynamically compresses/decompresses and encrypts/decrypts code and data?

You then put the code on another machine and you are in the same situation, it seems to me like a vicious circle if you don't know where to cut.


That sounds fairly unlikely (the BIOS does execute some code from PCI devices, but he says this happens on a machine without any weird PCI device, and PCI ROMs can be dumped too). We would not have to discuss whether this is the case if BIOS dumps turned out to be different. The issue is that 3 years after discovering the malware, he hasn't even tried to dump his BIOS.

Compression and encryption at this stage would be obfuscation more than anything else, and it's the job of malware researchers to break these kinds of obfuscation layers. But again, we have no proof of this even being present.

The BIOS is not a black box that can't be analyzed.


Presumably that's atypical behavior for a BIOS, so an analysis of the dumped firmware should turn up where it's getting the location of and method to decode the data. That would give you enough to keep digging.


With many (most?) desktop motherboards, the flash chip is desolderable and can usually be taken out and read on a dedicated flash reader if you have the equipment. There would be no way for the rootkit to bypass that.
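The check the last few comments are circling (dump the flash with an external programmer, then compare it against a second dump or the vendor's release image, so a rootkit in the running system has no chance to lie about the contents) comes down to a byte-level comparison that reports where the images diverge. The script below is an added example, not code from the thread or from Dragos Ruiu's investigation; it assumes both images are already loaded as bytes objects, and the "vendor" and "tampered" images it compares are constructed here purely for illustration.

```python
"""Compare two firmware dumps and report the byte ranges that differ.

Added example, not from the HN thread. It assumes you already hold two dumps
as bytes (e.g. one read by an external SPI programmer, one from the vendor's
release image, or two dumps taken at different times). The sample images at
the bottom are constructed for illustration only.
"""
import hashlib


def diff_regions(img_a: bytes, img_b: bytes):
    """Return a list of (start, end) half-open byte ranges where the images differ.

    A length mismatch is reported as one extra region covering the tail of the
    longer image, so a truncated or padded dump is never silently accepted.
    """
    n = min(len(img_a), len(img_b))
    regions = []
    start = None
    for i in range(n):
        if img_a[i] != img_b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    if len(img_a) != len(img_b):
        regions.append((n, max(len(img_a), len(img_b))))
    return regions


def summarize(img_a: bytes, img_b: bytes):
    """Hashes plus a region list: enough to decide whether a dump needs a closer look."""
    regions = diff_regions(img_a, img_b)
    return {
        "sha256_a": hashlib.sha256(img_a).hexdigest(),
        "sha256_b": hashlib.sha256(img_b).hexdigest(),
        "identical": img_a == img_b,
        "regions": regions,
        "bytes_differing": sum(end - start for start, end in regions),
    }


# Constructed sample data: a 64 KiB "vendor image" made of a repeating byte
# pattern, and a copy with two small spans overwritten to stand in for a patch.
VENDOR = bytes(range(256)) * 256  # 65536 bytes, not a real firmware image
_tampered = bytearray(VENDOR)
_tampered[0x1000:0x1010] = b"\x90" * 16          # constructed 16-byte change
_tampered[0xF000:0xF004] = b"\xde\xad\xbe\xef"   # constructed 4-byte change
TAMPERED = bytes(_tampered)


if __name__ == "__main__":
    report = summarize(VENDOR, TAMPERED)
    print("identical:", report["identical"])
    for start, end in report["regions"]:
        print(f"differs at 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
    print("total differing bytes:", report["bytes_differing"])
```

Only the region list is interesting in practice: a hash mismatch alone tells you nothing about whether the difference is a few bytes of NVRAM settings written by normal operation or an unexplained block in code space, and the offsets are what you carry into a disassembler.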


You can, you know, remove it and dump it with an eprom/flash programmer...


Yet, even these programmers are not directly wired to the transistors holding the individual bits and bytes. I would not be surprised if there's a way to manipulate the internal logic of an EEPROM chip, too.


If the BIOS (or some commonly used FPGA) already has some kind of built-in backdoor, it could be used for this. Now, if it were via a hardware backdoor in so many models, it should be pretty widespread.

http://blog.erratasec.com/2012/05/bogus-story-no-chinese-bac... http://news.softpedia.com/news/Secret-3G-Radio-in-Every-Inte...


> Some of dragosr's claims/suspicions come off as next to impossible.

Which ones? The technical aspects are all known to be practical. The only thing odd is that a reasonably sophisticated and determined attacker is seemingly targeting him specifically and no one else.


Or else he simply picked up the malware by borrowing a USB key from someone else who'd been infected. I bet the majority of security researchers are only a couple of hops on their network of acquaintances from people who are pretty much guaranteed to be targets of <pick your state security agency of choice>, and they would certainly have the resources to develop something like this if they chose to.

We know that Stuxnet spread beyond its intended target - that's how it was discovered by the wider security community in the first place. Malware this pernicious could spread fairly stealthily through a large number of people without being noticed, I'd imagine.

(If it really is using high frequency audio to leak data then that would be strong evidence that it was originally designed to target some group using air gapped computer networks to protect their high grade information. If your top secret & merely secret grade computers are laptops in the same room & they can communicate over a back channel like this then suddenly your air gapped computer network isn't cut off from the internet any more!)


> The technical aspects are all known to be practical.

No, they aren't. Not by a long shot. They sound vaguely similar to some that are, however, so people are overlooking the details that would take this from advanced malware to Hollywood fantasy.


Unless you care to explain which parts are not practical, and which details are being overlooked, what you have here is literally the opposite of credibility. You have deliberately made yourself non-credible through your anonymous cowardice.


Please explain this one:

Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.


It is explained. HF audio via speakers and microphones. In other words, a modem. Your username is highly ironic.


[deleted]


> Are you just assuming these are laptops with a battery?

Did you even read the article? It's a laptop. That would be the safe assumption, anyway. Laptops far outstripped desktop sales years ago; they're what most work happens on now.

> And saying that computers are communicating by speakers and microphones over long distances (i.e. > a few inches) is patently ridiculous.

It's not. I've done it myself. Go grab a couple laptops and some PSK31 software and you can do it, too.


My main question was regarding the power cords not being plugged in but apparently these are laptops.

As for communications via speakers and microphones, that makes as much sense as any other outrageously insane theory I've ever heard.


> power cables

Keep in mind he's talking about laptops that have batteries.


I'm also struggling to find any reference to this 3 year struggle prior to two weeks ago. Sounds like a nice little Halloween hoax; the "Editor's Pick" comment stating how it's definitely not a hoax only makes me more inclined to believe it is.

In fact, after a quick browse it seems to me the Editor is only "picking" comments that support the concept, not those that offer plausible explanations or interesting discussion.


Reading this, I think back to CRYPTO, Usenix Security, and other conferences in the field where participants are handed thumb drives with the proceedings -- and people thought I was crazy to refuse to plug them into my computer.


Reminds me of a demo at PyCon-AU this year - JKM (a Django Core-Contrib) showed a pip install (or perhaps an apt-get, I forget) on screen for a minute or so. I don't think he explicitly said "run this" but of course people did anyway.

Cut to a live display of computer-name/.passwd hash pairs.


Going out on a limb for a moment and assuming that Dragos Ruiu's story is legit, then it seems likely that someone at a gov't agency decided to leak the existence of this malware by intentionally infecting a security researcher.

In that scenario, can this be related to Stuxnet? Would the audio signaling be used to report back successful infection of non-networked machinery?


How could a machine that is not infected, thus not listening to HF packets, get infected? Or are they listening by default?


The machines are being initially infected via USB[0]. The HF audio is a means to maintain communication, not a vector of initial infection.

[0] https://plus.google.com/app/basic/stream/z13tzhpzvpqyuzv1n23...


Audio is not the infection mechanism, drives are.


Did you read the article? USB drives.


I got that, but this part here didn't mention any USB drive...

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Air-gapped and no mention of USB... Magic or just inaccurate description?


One of those "keep reading" things to keep your interest, I suppose. A journalism thing?

"For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa."


I think they mean to say it was a computer that was previously infected and then airgapped, wiped and reinstalled. But because the executable load is in the BIOS, it persisted and reestablished communication with its peer via HF audio.


From what I understood, audio cannot serve as a first infection vector, but it could serve as a reinfection vector even when the BIOS was flashed, as the malware apparently also infects the Realtek audio chip software (according to what he reports on G+).

That would explain this scenario: the malware has been erased from the disk and the BIOS, but still lives in the audio chip, downloads a new payload through the high frequency connection, and boom, the computer is infected again.

See https://plus.google.com/u/0/103470457057356043365/posts/3reW...


If all of this pans out to be true and verifiable then this has to be the most sophisticated malware that I have ever heard of, even beating Flame, Stuxnet and what not - really fascinating.

- Self-healing (of sorts).

- Able to spread via multiple vectors

- Falling back to increasingly stealthy and unlikely vectors

- Actively hampering efforts at eradication

However (and I am trying to phrase this delicately), a few other notable security researchers need to cross-verify that the infection agent exists and behaves in the fantastical manner described. I am somewhat worried that this seems

1) Either like a gigantic hoax that is trying to see how much people will believe or

2) The security researcher in question has other issues unrelated to security or

3) Some kind of viral marketing campaign for a book/movie/game something else


I admit the journalism is sensationalistic and the data files uncompelling, but so is the response here on HN.

Literally the DAY AFTER we learn about MUSCULAR, which far exceeds PRISM in its scope, extralegality and generalized dastardality, and half the comments here are, "nope, I didn't think of that before, hence impossible." Well, you didn't think that Linda and John at the station were enjoying your girlfriend's selfies in your inbox, did you? And yet they are.

Bakane. I want to hire all of you as shills, as the best shill is the one who just knows they're right. And I don't even have anything for you to shill! Expect calls from headhunters with federal ties soon.


I deal with malware day in and day out at my job and have never seen any of what this story is talking about.

Like everyone else, I'm highly skeptical and a little annoyed at what seems to be a total lack of fact-checking in this story.


Don't speakers/mics tend to have a built-in cutoff? I've played with generating higher and higher frequencies before, and I was able to hear it up to 18kHz. That's probably hitting the high range of my own hearing, but there was an audible pop when the speakers started playing that frequency. The sound card seemed to simply refuse to play that high.

I suppose the malware could be working at a low enough level to override a cutoff in the sound card's firmware. But then wouldn't it have to implement drivers for almost every kind of sound card in existence?


[deleted]


It's a giant leap to go from this to what his claims are. Technically, and logically. Once you've solved the technical leap, logic handily defeats this as a possibility.


This is bullshit. The article is highly sensationalistic and light on facts. Sounds more like the product of a sci-fi writer than an article for a tech site.


Explain to me how a non-infected machine would receive and process data from an audio channel so that it ends up interpreted as code and executed.

Yes, back in the day of computers with rubber keyboards, software was recorded on audio tapes, and you could listen to a program loading (sounded basically like a prolonged modem handshake). But even on devices specifically designed to receive data this way, you still had to initiate the procedure. There was code already on that machine that processed the audio stream, loaded it into memory and called the initial JMP.

If I put my tinfoil hat on, I could speculate that yes, all the hardware has been made in China for decades, and yes, nefarious forces could have very well implemented an always-on listening layer, which by the power of copypasta has now spread to every BIOS-having device, and now it lies in wait for D-day when all your base are belong to us.

TL;DR: the audio attack vector would be like causing a buffer overflow by whistling the right tune into a microphone. This seems impossible without the machine already being compromised.


That's not what the article claims at all. He's claiming the audio is used to maintain a network connection for command-and-control continuity using other already-infected machines:

"Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped."


Thanks, I missed that!


Admittedly, the article isn't very well written, but it says that Dragos believes the malware to be installed through USB firmware. Only after that does it communicate with other compromised systems via audio. Supposedly.

    The malware, Ruiu believes, is transmitted though USB drives to 
    infect the lowest levels of computer hardware


He posted some files that were "created" by it on a Windows 8.1 machine on Google+:

https://plus.google.com/103470457057356043365/posts/K7WeA1gq...

Anyone want to try and download it?

Edit: Really odd. Closing on a 1GB archive on Mega -- it seems unlikely that the network equipment can store that much anywhere.


When I read this it sounded like a weaponized version of Chirp.. http://chirp.io


Happy Halloween. Gee, can't you guys take a joke!

It's clearly obvious in the second paragraph: "Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed"


I don't think it's real, but I certainly have computers that still function when their AC cord is removed. They're called laptops.


Couldn't one verify that this malware is present with some kind of listening device...or a dog ;-)? The article didn't mention that the sound theory was verified with some kind of external measurement, but I assume it must have been at some point? I'd like to see what that would look like.


Or clip out the speaker and replace it with an oscilloscope.


Good call! Didn't think of that.


This had me suspicious. The methods of propagation ranged from the difficult-but-plausible all the way into Stieg Larsson territory. And all the Google results pointed to Dragos Ruiu. There was no other researcher who had encountered or studied this malware; all the major ones were just saying "check out Dragos Ruiu's research, this is serious" or similar.

For now the signs point to the very first case of computer Morgellons. I suspected at first that this was an elaborate troll in order to convince the netsec community to get serious about fact-checking and research-doing before propagating BS, but the theory that he is paranoid is beginning to sound increasingly likely the more I find out.


Would it be possible to infect device firmware? If this guy's airgapped computers keep getting infected, assuming he's smart enough to not plug a USB drive into the computer, perhaps a hard disk's or CD drive's firmware was infected.


According to the article, he plugged a (presumably) infected USB drive into the fresh computer, providing the most likely means of infection.


>"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."

I read this as the computer being infected without a USB plugged into it. "Air-gapped" would mean no USB, right?


> "Air-gapped" would mean no USB, right?

No, it means air-gapped. Traditionally this just meant no wires to other computers (and an autonomous power source if you're extra paranoid). Today of course it more broadly means no direct communication with another computer, including things like WiFi or Bluetooth.

External media has always been used to transfer data between air-gapped systems, and it's always been a weakness. USB drives are just smarter than older forms of external media, posing a greater potential threat.


Can they share the MD5 hashes of the malware samples? Or it didn't happen...


I saw this on TV (circa spring 2008)!

http://terminator.wikia.com/wiki/Episode_108:_Vick%27s_Chip

During further hacking of the T-888 chip, John accidentally applies too much voltage and the T-888 brain starts up, takes over the computer it's attached to, then connects to John's phone (via bluetooth) to reach the internet. John and Cameron realize what is happening and yank the batteries and cables, eventually unplugging the chip itself.


Bravo arstechnica, you got us.

IMHO this is a purposefully written scare piece to be released on Halloween.

Who says computer scientists don't like scary stories?


Is this Ars Technica's 2013 version of the "War of the Worlds" radio broadcast scare in 1938?


« Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. »

How is that possible ?


Did you read the article?


Hard for me to buy the sound transmission stuff. Keeping in mind the noise, sound diffusion, etc., I suppose the packet correction takes an error limit before dropping the entire packet.


Interesting how, when you put a news item onto a bigger media portal, it appears to be taken much more seriously.

Previous article, a week ago:

https://news.ycombinator.com/item?id=6614458


In keeping with the theme of paranoia, many of the comments attacking the veracity of the article are posted by NSA agents masquerading as benign HN users to discredit someone breaking out one of their best kept secrets.


Shouldn't the speaker/mic communication theory be easy to test? If computer microphones are being used by the malware a simple computer mic should be enough to detect if there is any communication going on...
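The measurement several commenters ask for (an oscilloscope on the speaker output, or simply a second microphone in the room) reduces to one question: is there sustained energy in the band above ordinary speech and music, near the top of what the sound card can reproduce? The script below is an added example, not code from the thread or from Dragos Ruiu's investigation. It assumes a mono recording already loaded as a list of float samples at a known sample rate, uses Goertzel's algorithm so it needs no numpy, and exercises itself on constructed signals (white noise with and without an 18 kHz tone) rather than on any real capture. It also encodes the caveat from the earlier comments about mic and speaker roll-off: a recording at 44.1 kHz cannot represent anything at or above 22.05 kHz, so the detector refuses to "look" there instead of reporting silence.

```python
"""Check a microphone recording for a near-ultrasonic carrier.

Added example (not from the HN thread, not Dragos Ruiu's tooling). Assumes a
mono recording as a list of floats in [-1, 1] at a known sample rate. The
signals produced by make_recording() are constructed so the detector can be
run offline; they are not real captures.
"""
import math
import random


def goertzel_power(samples, sample_rate, target_hz):
    """Power of the DFT bin nearest target_hz (rectangular window, unnormalised).

    Goertzel evaluates a single DFT bin in one pass, so scanning a handful of
    candidate frequencies costs far less than a full FFT and needs no library.
    Frequencies at or above Nyquist are rejected: they cannot exist in the data.
    """
    if target_hz >= sample_rate / 2:
        raise ValueError(f"{target_hz} Hz is at or above Nyquist for {sample_rate} Hz")
    n = len(samples)
    k = round(n * target_hz / sample_rate)          # bin index closest to target
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


# Where a carrier meant to be inaudible would sit (assumed candidate grid).
CANDIDATES_HZ = list(range(17000, 22000, 500))
# Bins used only to estimate the recording's noise floor (assumed choice).
REFERENCE_HZ = [14000, 14500, 15000, 15500, 16000]


def detect_carriers(samples, sample_rate, candidates=CANDIDATES_HZ,
                    reference=REFERENCE_HZ, min_snr_db=20.0):
    """Return candidate frequencies whose bin power sits min_snr_db above the floor."""
    nyquist = sample_rate / 2
    usable = [f for f in candidates if f < nyquist]
    refs = [f for f in reference if f < nyquist]
    floor = sum(goertzel_power(samples, sample_rate, f) for f in refs) / len(refs)
    floor = max(floor, 1e-12)                        # guard an all-zero recording
    found = []
    for f in usable:
        power = goertzel_power(samples, sample_rate, f)
        snr_db = 10.0 * math.log10(max(power, 1e-12) / floor)
        if snr_db >= min_snr_db:
            found.append(f)
    return found


def make_recording(sample_rate=44100, seconds=0.1, tone_hz=None,
                   tone_amp=0.3, noise_amp=0.05, seed=1):
    """Constructed stand-in for a mic capture: uniform noise plus an optional tone."""
    rng = random.Random(seed)
    n = int(sample_rate * seconds)
    out = []
    for i in range(n):
        x = rng.uniform(-noise_amp, noise_amp)
        if tone_hz is not None:
            x += tone_amp * math.sin(2.0 * math.pi * tone_hz * i / sample_rate)
        out.append(x)
    return out


if __name__ == "__main__":
    rate = 44100
    for label, rec in [("noise only", make_recording(rate)),
                       ("noise + 18 kHz tone", make_recording(rate, tone_hz=18000))]:
        print(f"{label}: {detect_carriers(rec, rate) or 'no carrier found'}")
```

A real capture would be fed in the same way after decoding a WAV file; the point of the reference bins is that a verdict is only meaningful relative to the room's own noise, and the point of the Nyquist check is that a sound card recording at 44.1 kHz can neither emit nor hear anything above 22.05 kHz, so a claim of "20 kHz networking" is testable only with hardware that actually reaches that band.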


According to the last few comments on his G+ post, he was able to isolate the communication to the mic/speaker and disable it. He also took some recordings.

https://plus.google.com/103470457057356043365/posts/3reWRqDM...


A number of investigative tools come to mind: Faraday cage, anechoic chamber, Amiga 500 with Ethernet, Conway's Game of Life, and ummmm.... arp -a


Allow me to summarize:

Guy who knows nothing about computers probably has unstable power, or EM radiation causing computer problems.

He imagines a vast conspiracy instead of the obvious.


A well respected security researcher who runs multiple conferences and Pwn2Own is hardly a "guy who knows nothing about computers".

Hard to summarize when you don't read the article.



Is it just the article author that's shit then? Because the story is full of weirdness.


This article is #1 on the front page. The news that Intel is going to fab ARM chips is totally missing from the front page.

Has HN officially jumped the shark?


It's fun to use PSK31 or Hellschreiber to communicate between two PCs over speakers. Install "fldigi" to try it.


Wow. A bit scarier than CryptoLocker...


In theory, nothing would prevent CryptoLocker from using the same attack vector.


For some strange reason, it seems to me that arstechnica decided to treat Halloween like the 1st of April.


This is incredible...it makes me wonder who wrote it...


I was waiting for the last line to be something like "If you listen very closely, you can hear the virus spreading OoooOOoooOOOoooOOOoooh!"


Should've called it Lazarus.


It sounds like a hoax to me. Even the "Dragos Ruiu" name is odd enough to be an anagram of something.


"Radios Guru", coincidentally. (Or "A drug is our".)

http://wordsmith.org/anagram/anagram.cgi?anagram=Dragosruiu&...


I worked with him many years ago at Myrias in Alberta, Canada; his name (pronounced 'Ruru') is of Ukrainian extraction, I believe. For what it's worth, he was extremely able then; if he says this is going on, I'd take it seriously.


This guy was one of the main founders of pwn2own. Not a fictitious person.


This is an entirely plausible name. Ruiu is an Italian surname. Dragos is a name common in Romania, Serbia, and Slavic countries.


Bullshit


  has the ability to use high-frequency transmissions 
  passed between computer speakers and microphones to 
  bridge airgaps.
FUCK. FUUUUCK ME.

God fucking damn it. That shit right there just blows the fucking lid off damn near everything. It's worse than fucking laser interferometers as far as I'm concerned.

That, combined with a nasty firmware hack, pretty much fucks everything. Like, in addition to BIOS, consider the ramifications of hard drive firmware...

https://news.ycombinator.com/item?id=6148347

And now I have to think twice about that whole microphones inside random domestic appliances business:

https://news.ycombinator.com/item?id=6628627

I guess the audio attack vector isn't so outlandish after all, considering fax machines have piggybacked on audio channels for decades, but the whole bug-inside-the-iron thing is still pretty random.

