The entire audio channel theory is based on a simple twitter suggestion from a third party, and Dragos saying it must be correct because he has also been unable to remove audio interference from his home audio system.
He has yet to provide anyone else with anything but perfectly clean files, with signed and matching hashes from clean Windows 8 installations.
Although some of the methods he claims are rooted in things that have been demonstrated as a proof-of-concept in previous research, his claims represent added twists in ways that are very difficult to swallow. More importantly, it's based on assumptions, and not anything that has actually been analyzed.
(For what it's worth, I analyze malware professionally)
My guess is that someone (in his lab or close to him) is/was pranking him. And now that it's got this big, doesn't want to admit it.
* "Ruiu said he plans to get access to expensive USB analysis hardware" -- I'm not an expert on USB, but I do believe it should be trivial to tap the traffic between a machine and such an infected stick, and compare it to what should normally be happening.
* No effort seems to have been made to capture the sound waves made by this (supposedly reproducible) high-frequency audio networking.
* The infected bios hasn't been dumped and compared to the bios the machine was supposed to have.
* For some reason, there's no mention of other researchers getting access to or investigating infected machines and usb sticks.
These are all extremely basic steps that could be taken to make the story go from vague conjecture to actual proof (or disproof). Why weren't they taken?
The other thing suspicious is the manner of troubleshooting:
"Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped."
Hold on a second. What forensic tools were showing packets flowing? If he's saying that a software application on an infected machine showed "packets flowing", that doesn't mean any data was actually going to and from the machine. That could even mean that the virus just simulates data transfer. Did he try putting tin foil around the machine to block any space signals that might be beaming down?
I'm not sure if it's the researcher or the ars writer who doesn't know what they are talking about.
> Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.
When I read that, I had to check the date to make sure this wasn't posted on April 1st. That seems completely implausible, unless the author completely misunderstood some information relayed to him.
There's something (okay, several things) about this entire article that just screams April Fools.
Edit: The additional information others have posted here regarding malware in USB controllers seems far more likely and that the article itself was written as a ridiculously implausible story until the very end where it alludes to the notion that nearly the entire first 2/3rds is completely false. I guess I would've expected better of Ars.
TL;DR: My reading of the article incorrectly assumed the infection vector was via microphone. It wasn't; the ultrasonics bit is apparently how the malware communicates (presumably). The tweet referenced in the above link clarifies this.
Please do not upvote my comment further. It is incorrect.
> Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection.
To be fair, the Ars piece is poorly written IMO and makes some very outrageous claims throughout the first half. And I personally find the speaker-microphone route implausible given how difficult that would be. Even the article stakes a claim that it's very difficult to prove:
> It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines
Given the variable quality of speakers and microphones on laptops and other devices, it doesn't seem like a viable route to me, and this is resting far too much on speculation and conjecture to be of any use.
Worse, I haven't yet found anything in the article that suggests every infected machine had a speaker/microphone combination. There's just not that much useful information, hence why this sounds more like a scare piece.
I'm finding myself more and more in agreement with other comments here that have suggested it was probably a reckless use of an infected USB device that wasn't properly ruled out.
Edit: I should also note that if they're so suspicious that the systems are transmitting sound to other non-infected machines, it shouldn't be too difficult to prove/disprove this by recording sound in isolation. The problem is IMO given the variable manufacturers of sound devices, drivers, and so forth, the complexity of this would be such that it'd be nearly impossible. An infected USB device makes much more sense and is a simpler explanation.
So you are saying it is implausible because it doesn't make sense if you don't read the whole article? That isn't how implausibility generally works.
And I personally find the speaker-microphone route implausible given how difficult that would be.
Ever used a modem?
That's a bit of a strawman, don't you think?
> Ever used a modem?
Yes. And I don't think that's applicable in this case. First, a modem is designed specifically for such a use case--second, we're talking about an exploit that would (in theory) somehow make use of a microphone to spread itself to a target host.
You would have to assume that there's some flaw in either the audio driver for the microphone, firmware, or whatever that can be exploited by sending some combination of sounds to it. While that's possible, it seems unlikely that would be the case and much more likely that the culprit is an infected USB device of some sort, which has been discussed at length in other threads here (and would take far less work). For the variable quality of consumer microphones in a laptop or other such device to pick up a signal in such a manner as to exploit firmware/driver software at range makes this theory questionable IMO.
My personal hunch isn't that Mr. Ruiu is wrong. I think he's found something interesting and potentially dangerous, new, and fascinating. What I DO think, however, is that the Ars writer may have misunderstood, misinterpreted, or is misrepresenting the information he received.
we're talking about an exploit that would (in theory) somehow make use of a microphone to spread itself to a target host.
No we are not, we are talking about communication between already infected machines. https://twitter.com/dragosr/status/395959517243928576
My personal hunch isn't that Mr. Ruiu is wrong.
He may or may not be, but whatever your hunch is, it doesn't appear to be based on the actual situation at hand, so I don't think it carries that much weight.
edit - sorry for being so harsh by the way, I went and re-read the article and I can see how you can read it as the transmission vector being audio rather than just communication between infected machines. I didn't read it myself that way but at the same time it is not particularly clear.
I rather wish you had shared that tweet instead of engaging me in splitting hairs. I dismissed the article outright as stupid largely based on the initial claims it made, which seemed implausible and outlandish. Going back and re-reading the bit on microphone-speaker ultrasonic transmissions makes more sense in light of what you've shared. I don't think those two paragraphs were particularly well written and could have provided additional clarification.
That said, I was wrong and misinterpreted that particular part as being a mechanism for attack. I apologize for my glaring mistake. It renders my previous comments entirely incorrect and they should be ignored. To anyone else viewing this thread, please disregard my previous statements. They were based off of misinterpretations regarding an incorrect reading of the Ars piece.
Sadly, it's the fault of my unfortunately judgmental and inherently skeptical nature with regards to much of the news I read. Maybe it's the fault of politics and the likes, but in spite of the dangers of excessive skepticism, I think it's a better long term approach that can yield useful questions and discussion. Unless it gets out of hand, as is my case. :)
> He may or may not be, but whatever your hunch is, it doesn't appear to be based on the actual situation at hand, so I don't think it carries that much weight.
I still stand by what I have said. I think Mr. Ruiu has stumbled upon something quite fascinating. I was under the mistaken impression that ultrasonic communication was used as an attack vector. So let's not be too harsh over an honest mistake. :)
However, I do think the Ars piece isn't a particularly useful exhibit of Mr. Ruiu's work thus far (particularly in light of the tweet you shared); it's a lengthy, rambling article that provides only fragments throughout its impressive word count, requiring careful reading and some liberal interpretation of the author's intent.
Then again, that's probably a matter of necessity, so I can't really fault Ars. A frightening-sounding article peppered with equally frightening lingo gets page views. "Boring" academic reports rich in data do not.
C'est la vie.
Assuming decent error checking, the question isn't whether you could do it, it is just how fast would it be.
Also, we assume that things like data transmission by power cable and through power supplies is implausible, but only because we assume that there is no data link between power delivery and data transmission. Could there not be a gate somewhere that upon receiving a specific pulse of electricity opens for full data transmission or even just triggering a sequence of actions that are hard-coded into chip architecture through compromised specifications and standards?
I think we all have heard of the recent publications of NSA's involvement in compromising and deliberately implanting vulnerabilities for their own convenience. Right? If not, you should really read up on what is now public domain.
Although it might be scifi, if you look back on the disparity of technological capabilities in the civilian vs military and intelligence world of the past, you might get an extrapolated idea of how advanced technology developed under triple digit billions of dollars might be.
My personal beef with this theory is that you're assuming a consumer-grade microphone can pick up such frequencies in a manner that would be capable of inducing enough of a signal on a microphone to produce a sufficiently specific data pattern to somehow exploit underlying firmware, drivers, or whatever. Considering there's been speculation that an infected USB drive may have been shuttled between systems, it seems that the simplest explanation lends itself to the drive and not the microphone.
And yes, I have followed recent events with the NSA. I understand your suggestion that near-unlimited money can buy you almost anything, but there are many questions that this article doesn't answer. While I think Mr. Ruiu has stumbled upon something novel, I don't think it's nearly as magical or mysterious as some here have been making it out to be.
Besides, wouldn't it be relatively straightforward to demonstrate whether or not there is some capability of this malware to spread via a speaker-microphone route? Why not take a recording of known uninfected machines isolated in a room and then examine the sound signature later? The entirety of the experiment as related by Ars seems flawed (which I blame on the article, not on Mr. Ruiu, since he's been spending a great deal of time working on this), but the possibility that this may actually be tied to exploiting a vendor identifier in an infected USB device is in some ways much more sinister. Some other threads discuss that possibility in detail.
It would be magnificent if there were such an attack vector, but I can't shake the thought that it would have to be very specific to a certain subset of hardware or software.
He doesn't even have a way to test whether or not a machine is "infected". He claims that it's based on problems booting from a CD and/or hearing audio interference. Extremely dubious.
: That comment is two days old, and the files were not provided publicly, he just says he is analyzing them himself. Again, needless obscurity.
Honestly, this type of paranoia sounds more like someone on the brink of a breakdown. Can you imagine spending years working on this and still having no 'data' about it? If its infecting stuff from this USB drive, just post the contents of the drive for analysis.
Of course, no recording of HF audio communication channels, no USB drive "ROM" dump, no hard drive controller ROM dump, no BIOS dump, no PCI card BIOS dump, no USB analyzer data, no really infected file. The excuse he uses is "the files become clean when I put them on a CD!".
Hard to take him seriously.
Also read https://news.ycombinator.com/item?id=6647467 for a second opinion.
Recurring themes among those are "they've replaced my possessions/tools/utensils/cloths with ones that look identical but allows them to control/monitor me, and they change them back when I try to show anyone". And to them, it all makes perfect sense.
Again, not saying such malware does not exist - I suspect something similar does (though maybe not as widely cross platform). However, I think that this is an account of a serious PEBKAC problem, rather than malware.
The possibility that compromised machines communicate via audio is interesting in its own right, but the wording of the title, combined with the opening few paragraphs, allows for the suspicion that the malware is spread to uncompromised hosts via audio, which is of course not happening.
The article as a whole is unsatisfying. It makes the research into this malware seem completely inadequate.
Being able to communicate via ultrasound means that if you have an infection on two computers either side of an airgap in close proximity the theoretically isolated computer can be sent instructions from a C&C server and can send data back at-will.
I'm not commenting on the legitimacy of the story, but either technique in isolation is of limited use, combined however they can be a lot more effective.
And if you don't exactly hit the conditions the malware is supposed to expose itself, you have no way to read out the EEPROM inside the flash controller. The data chips maybe, but the controller chip of a USB stick is an entirely different thing.
And we all know that USB sticks (or, rather their flash chips) can be reprogrammed at will. USBest, I'm looking at you. (See also flashboot.ru, the stuff you can do with these tools is amazing.)
1) Hides a bootloader on the device that runs at reboot (assuming the BIOS allows it).
2) Pretends to be some kind of device (that most OSes have stock drivers for) that allows it to access main memory. Maybe it pretends to be a USB to firewire bridge (or something similar that gives it DMA).
Assuming a government is the adversary (and we ALL know that the NSA sits on a very comprehensive list of exploits!), then this part is actually the easiest.
I mean I get a few months of nothing you don't do this, but 3 years? A USB bus is not high bandwidth - there's off-the-shelf hardware that will do this.
This story is just too fantastical to be true. We're talking about a ridiculously sophisticated piece of malware, which has been found nowhere else, and is absurdly high visibility (people don't keep using computers which are obviously infected with something).
If you had something as resistant as this in your pocket, you didn't write it on your own, and the absolute last thing you would do is give it high-visibility infection symptoms and toss it out into the wild.
EDIT: It's worth noting this would very much hardly be the first time a researcher suddenly went off the reservation. Happens to even Nobel Laureates.
Unless you're a state sponsored agency looking to test a zero day exploit. What better way to test it then to attack one of the top infosec researchers in the industry?
Think about it. You get one of the top researchers to figure out your malware, bring in all his friends to figure out how it works and then publish the results - giving you exactly what you need to refactor it so it's completely untraceable, and non-responsive to efforts to try and stop it from propagating.
I'm not sayin, I'm just sayin. . .
What I'm posing is, if you had malware this successful at spreading itself, the very last thing you would do is attach a high-visibility payload to it (disabling system devices like the CDROM drive - allegedly).
Your hypothesis isn't much better - hostile organizations don't give you a chance to figure out a defense strategy, especially when there's no risk of deployment. You don't need a test for a virus - you use it, and then you make another one.
There's no point hampering removal once you're detected if you have a good mechanism for hiding or repairing the infection.
> For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.
I don't want to sound mean, but what? This paragraph just reads like Hurp-Durp to me. I'm an idiot, but even I know that there are some very nasty things to do to USB drives.
EDIT: https://news.ycombinator.com/item?id=6534617 https://news.ycombinator.com/item?id=933210 https://news.ycombinator.com/item?id=1855936
I was going to add a line like "Who has a mic and speakers on their airgapped machine?!" but obviously every laptop does.
When a program wanted to produce a tone, the program took the input frequency of the clock divider divided by the desired frequency and programmed it into the clock divider. To control the duration of the tone, a DOS or BIOS call was available to delay the program, or the program could hook the timer interrupt vector. The program would then turn the speaker off or start the next tone.
Programs could also turn the output bit on and off manually. Some programs could turn the bit on and off rapidly to play arbitrary sounds. There was even a Windows driver to play sound through the PC speaker, but it disabled interrupts, causing the clock, keyboard, mouse, and network to stop while the sound was playing.
Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.
The conclusion that for communications across the air-gap to work, the receiver must already be infected is the only alternative to "No, it isn't happening."
Now I'm not in a position to say, that it is happening. But I'm not in a position to say that the supply chain for electronic devices is hardened against an attack by a state sponsored agency seeking to inject spores into devices at the time of manufacture. If an agency is interested in maximizing backdoor accesses, having infected devices roll off the assembly line and straight to end users certainly seems like an ideal outcome. It's map reduce.
Don't get me wrong, I know I'm furiously folding Reynolds Wrap. But I also know that there is a cognitive gap between the furniture of everyday experience and large scale phenomena - e.g. collecting meta data on all phone calls simultaneously and then storing and searching it doesn't fit with the MOS 6510 mental model of computing I habitually use.
And we already have proof that manufacturers in China have been doing this:
"Microsoft researchers in China investigating the sale of counterfeit software found malware pre-installed on four of 20 brand new desktop and laptop PCs they bought for testing. They found forged versions of Windows on all the machines."
This would be the easiest way to do this, and since it's already been demonstrated, I would hasten to say your tinfoil folding is certainly not being done in vain.
A typical laptop has a ±3 dB audio frequency response of 200 Hz - 8 kHz if you are lucky; even if you wanted -10 or -20 dB I doubt you would get much above 12 kHz, which is detectable by most people without significant hearing damage. I'm very skeptical about this article...
It's perfectly capable of sending and picking up a 20kHz signal by itself. The frequency response starts dropping off drastically at around 14kHz. Around 21kHz seems to be the practical limit.
However, there seems to be a bit of distortion going on. I'm not sure it's possible to send a clean inaudible signal without introducing lower frequency components.
So, you may be able to hear higher than 20kHz. Even if you increase your sound card sample rate, best test would be to try something analog to eliminate other bottlenecks in the audio processing. But you can easily tweak your audio settings and generate sine waves with this program:
I don't understand why he hasn't posted 'infected' USB sticks to a bunch of high profile security folk with "POTENTIAL BIOS MODIFYING TROJAN ONBOARD" written on it? It would be a matter of a day or two before someone monitored all communications with it passively and proved or disproved his theory.
@dragosr - @PaxNoxNomPox no evidence of "spreading" via audio. Just comms between infected machines.
I'm guessing of course, there aren't many real details to go on, and that would mean this infection is more than just a malicious BIOS.
EDIT: Or he's full of shit. Honestly I said that several times reading it, the story was clearly written for sensationalism and made many seemingly impossible claims. I'm nowhere near an expert but it still set off the bullshit meter too many times.
Hm. I suppose this is theoretically possible, but I don't see why it would be done in a practical sense. If the malware needs to "phone home", it doesn't need to send packets via localhost; it just sends them out on whatever interface is connected to the Internet. (But how would you distinguish those packets from any others being sent out to the Internet?) If the malware is divided up into multiple processes that need to communicate with each other, why would they betray themselves by connecting via localhost? If they are on OS X or Linux, they can use Unix sockets, which don't need to go through any network interface. If they are on Windows, they can use any of several Windows IPC mechanisms that don't require a network interface.
The most telling thing about the article is he hasn't been able to capture any of the malware code in three years. Either it's all in firmware and not being delivered to the OS, or it's already in the OS.
...And it could also be a series of unfortunate coincidences that just look like malware activity. CDROM doesn't boot? Probably a bad CDROM drive. Registry editor disabled? Probably a bug in Windows. Strange networking where it shouldn't be? Apps transmit random networking crap all the time, and you don't need OS support to send arbitrary raw packets. 'Modifying settings and deleting data' could be anything, like a log rotator, I don't know.
If it sounds impossible, it probably is.
It's much less likely that he's experiencing the most advanced malware in the world, and much more likely that he just overlooked something simple.
Personally I'm skeptical about the registry search functionality being disabled on a wiped machine -- that could easily be a Windows bug. But the other stuff would certainly get my gears turning.
Edit: I should note that after about the first 2/3rds of the article, there is some effort made to explain this (and negates the entire first bit of the article), but there is much better information others have shared here regarding malware embedded in USB controllers. I still like jameshart's assertion that this is just an elaborate ghost story for Halloween.
Edit edit: They conveniently mention toward the latter part of the article that the machine unplugged from A/C was a laptop which was then running off battery. I'm growing more and more suspicious of the quality of this particular article.
You might use QPSK (basically two FSK ranges using phase to indicate 00/01/10/11 states), but that would still make for a pretty small pipe. Perhaps enough for a C&C channel but not really enough to exfiltrate data.
Frequency Shift Keying - generally takes three complete cycles of a 'tone' to reliably recognize the frequency. So 20,000 / 3 = 6666.666 bauds per second.
What the article said was that he was seeing packets from the airgapped host (that means nothing but air around it, no wifi) which stopped when he disabled the speaker and microphone. That suggested that this was the 'wire' between the two.
One of the side effects of using piezoelectric speakers (which are nice and flat, so adored by mobile device makers and laptop makers alike) is that they often have frequency response ranges above 20 kHz. Many people cannot hear frequencies over 15 kHz, although 15 kHz (which was the scan rate of CRT monitors) can be heard by some folks, and poorly wound flyback transformers would drive them nuts.
Those and marginal capacitors do drive us nuts. And that's one reason such communication wouldn't have to be completely out of human hearing range. Those of us who can hear it aren't going to be shocked by yet another high-pitched whine in a room full of electronics.
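Several comments in this thread ask for the obvious check: record the room around the supposedly communicating machines and look for a sustained narrowband tone in the 17-22 kHz region that a laptop's piezo speaker could radiate and a consumer microphone could still pick up. The following is an added example, not code from the thread or from any badBIOS analysis; it runs a Goertzel filter over a capture and flags candidate carriers that stand well above the band's median power across most analysis windows. The capture is synthesised in-line (white noise, optionally with one sine carrier) as a constructed stand-in for a real microphone recording; the 48 kHz sample rate, the 250 Hz candidate grid, and the ratio and window-fraction thresholds are assumptions to be tuned against a baseline recording of a quiet room.

```python
import math
import random

SAMPLE_RATE = 48000  # Hz; assumed sample rate of the microphone capture


def goertzel_power(samples, freq, sample_rate=SAMPLE_RATE):
    """Power at one frequency via the Goertzel algorithm, normalised so a
    pure sine of amplitude A that lands on the bin returns about (A/2)**2."""
    n = len(samples)
    k = round(n * freq / sample_rate)          # nearest DFT bin to `freq`
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def ultrasonic_carriers(samples, sample_rate=SAMPLE_RATE, low=17000, high=22000,
                        step=250, window=4096, ratio=100.0, min_fraction=0.8):
    """Return {frequency: fraction_of_windows} for narrowband tones in
    [low, high] Hz whose power is at least `ratio` times the band's median
    power in at least `min_fraction` of the analysis windows. A sustained
    carrier shows up here; broadband fan or drive noise does not, because it
    lifts every bin and therefore the median as well."""
    freqs = list(range(low, high + 1, step))
    n_windows = len(samples) // window
    hits = {f: 0 for f in freqs}
    for w in range(n_windows):
        chunk = samples[w * window:(w + 1) * window]
        powers = {f: goertzel_power(chunk, f, sample_rate) for f in freqs}
        # Median of the band as the noise floor; epsilon guards digital silence.
        floor = sorted(powers.values())[len(freqs) // 2] + 1e-18
        for f, p in powers.items():
            if p >= ratio * floor:
                hits[f] += 1
    return {f: c / n_windows for f, c in hits.items()
            if n_windows and c / n_windows >= min_fraction}


def synth_capture(seconds=0.5, tone_hz=None, tone_amp=0.05, noise_amp=0.01, seed=1):
    """Constructed stand-in for a microphone capture: uniform white noise,
    optionally with one added sine carrier. Not a real recording."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_RATE)
    out = []
    for i in range(n):
        x = rng.uniform(-noise_amp, noise_amp)
        if tone_hz:
            x += tone_amp * math.sin(2 * math.pi * tone_hz * i / SAMPLE_RATE)
        out.append(x)
    return out


if __name__ == "__main__":
    print("noise only :", ultrasonic_carriers(synth_capture()))
    print("19 kHz tone:", ultrasonic_carriers(synth_capture(tone_hz=19000)))
```

The median-based floor is the important design choice: a fixed absolute threshold would either miss a weak carrier or fire on every room with a whining power supply, whereas a single tone cannot move the median of twenty-odd bins. For a real check, feed it PCM samples from a capture made with the suspect machines powered and then again with their speakers physically disconnected; a tone that survives the second recording is coming from something else in the room.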
Reminded of ELF communication with submerged submarines.
(I didn't get to do anything with the sub - I was just brought in for two weeks to give them a way of feeding that data from a Sun workstation on the tracking ship to another station via GSM data (mainly for demo and testing purposes); trivial in comparison to the software controlling the sub, but it was fun getting to go out on the tracking ship when they did test runs)
I really really really hate to say "APT," but if you had a gapped, infected PC sitting next to an internet PC; and both were powered up 24x7 for months with the infection undiscovered, you could grab a significant amount of data.
that can communicate via Sound (Requires DSP)...
that can defend itself against the registry editor (Deep integration to the OS, for at least windows, linux/OSX noted as well)...
that can alter data...
that can infect network cards (implied in the article)...
that can possibly use the power system to communicate (Ok, on a laptop, that might be possible. Otherwise, PSUs aren't completely isolated from the computing system's logic?)...
that all still fits within a BIOS chip?
Either BIOSs are complex (read space-intensive) enough to stop being Basic, or they can fit this AND a functioning BIOS into a payload that would be delivered by sound, USB, network cards...
Can it modulate the fans to transmit data too? Or change the screen brightness faster than the human eye can see, but can be detected with cameras? How about using the Wifi, HDD activity, sound mute, caps lock, numlock, scroll lock and power indicators to transmit?
How about opening and closing the HDD to transmit data?
I can't agree more with MacsHeadroom's assertion that this is a situation where the simplest explanation wins.
Not to mention I REALLY don't want this kind of thing to exist...
EDIT: Added fans paragraph
but ALL of that? In the BIOS?
(I'd like to point out I am nowhere near the caliber of the man who's supposedly experiencing all of this. I do not know the true size of any of the aforementioned payload.)
And I would not rely on BIOS code being security-audited in ANY way! Especially not the part of the code dealing with USB. Low-level as it may be, I bet there exist buffer overflow or other vulnerabilities in USB protocol stacks.
But on the topic of modular malware, what would the initial discovery of Flame look like, if it were still in-progress after 3 years? Would it or would it not seem like this? It's got odd transmission methods, and the possibility of more to come. But if deleting data, self protection, and propagation aren't the attacks, then what are?
> Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed.
Observed how? If not a standard interface (i.e. disk, network, etc), using what? How could he know they were encrypted unless he intercepted a payload?
> With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.
What would be the point of this communication? It's BIOS would already need to be infected in order to be able to communicate via sound. The situation I can see this being useful is using another infected machine's Internet connection to download an OS specific payload, which makes some sense.
By the end I'd added, "And a speaker and a microphone."
If I was [metaphorically] a state sponsored espionage agency, that's the way I would go. I wouldn't be fooling around with USB sticks. That 1990's vector has been publicly outed and people can easily live without them.
And by writing this, I've just now tinfoil-hatted my way to the belief that pretty much every electronic device, if it isn't p'wned, it's just by the blessings of laziness or disinterest. After having read about the scale upon which the US pursued cryptography during the Second World War in Battle of Wits: The Complete Story of Codebreaking in World War II by Stephen Budiansky, I'm not betting on either.
Also fascinating that his infection is at least three years old. Was Dragos targeted? Or perhaps someone within the pwn2own contest was?
Such persistent malware that targets air gapped machines reminds me of other malware created by nation-states.
In the end, it seems to me that blocking boot from CD is a net loss, since it alerts the user (who can undertake drastic measures including hooking up a different hard drive), whereas allowing boot from CD but reinstalling the BIOS malware from the (presumably thoroughly infected) hard disk would not.
All of the major OEMs embed code from these guys into their BIOS. Once activated, it can brick the box, delete files, re-install their Windows/Mac agent that allows for location tracking, etc.
I'm convinced "encrypted" is the new scare word, similar to "terrorist." When you hear it, all rational thought and discussion just vanishes. This article mentions network traffic as being "encrypted." Yet apparently, no one knows how to analyze the traffic beyond that? Are you kidding me? Was it using TCP? UDP? Just IPv6? How big were the packets? How frequent? What interface were they coming from? (because, you know, the kernel has to have some entry point into its network stack)
It's "encrypted." Oh. I see. Well, never mind then.
> Things kept getting fixed automatically as soon as we tried to break them. It was weird.
"It was weird." What is this, Scooby fucking Doo?
Anyone else having flashbacks of John Nash?
Again, sounds very fishy. I would expect a more methodical approach from a security researcher.
So far it sounds very conspiracy theory to me. I don't know his credentials, so it is hard to figure out what to make of it.
Had this come from Schneier I would have taken it a lot more seriously.
Like others have mentioned, where is the evidence? Give us the audio recording at least.
What seems extraordinary to you might not be to someone else. Go be a pretentious pseudo-intellectual somewhere else.
> I don't know his credentials, so it is hard to figure out what to make of it.
First of all, his credentials are irrelevant (see: appeal to authority fallacy). Secondly, they are listed in the article itself, which you obviously didn't even bother reading.
It is not extraordinary to you that computer viruses travel through sound waves using computer speakers and microphones, yet when this supposed "expert" tries to uncover and provide samples of it, the evidence magically disappears.
> First of all, his credentials are irrelevant (see: appeal to authority fallacy). Secondly, they are listed in the article itself, which you obviously didn't even bother reading.
Oh I see you are an expert on fallacies. As an exercise try finding a few fallacies in your comment.
(Does this mean I can cite you for fallacy fallacy? This game is stupid.)
It should be possible to communicate through a webcam and a screen when the airgapped devices are in the same room. It could be possible to communicate by accelerometer (Macs have these) and inducing vibrations using the HDD when the devices sit on the same table.
Accelerometer: very low bandwidth (think ~10-1000 measurements per second). The noise is ~100 μg/√Hz; with 12-bit samples I'm not sure you'll pick up HDD vibrations (but it's rather easy to test).
Someone should lend the people researching this an oscilloscope.
Looks like my laptop needs a tinfoil hat more so than myself!
-"What is it, doggy? Someone's trying to hack the IRS dbase? Good dog!"
My understanding is that Chirp uses audio to basically detect WHO you are standing near, but the actual data transfer happens over more typical links.
"An inherent limitation of the audio protocol is its highly limited transmission rate.
To send larger amounts of data, we have built a RESTful network infrastructure which allows arbitrary pieces of data to be associated with Chirp shortcodes. A sending device can thus upload a photo to the cloud, and obtain a shortcode representing it to be sent over the air. A receiving device hears the shortcode over its microphone, and resolves it with a GET request."
Not so much mine.
"Across the room" isn't really interesting, either. I've decoded PSK31 across a room. Higher, near-inaudible frequencies would probably make the decode even cleaner.
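The check several commenters ask for (capture the room audio and look for a carrier) can be done with nothing more than a sound card. As an added example that is not from any comment here, this scans a recording for a tonal near-inaudible carrier by comparing each bin in the 17-21 kHz band against the band's own noise floor; the test audio is constructed in code, not a real capture, and the 19 kHz on/off-keyed carrier is an assumption used only to exercise the detector.

```python
import math
import random

SAMPLE_RATE = 44100           # Hz; a typical laptop audio path
HIGH_BAND = (17000, 21000)    # near-inaudible band, below Nyquist (22.05 kHz)
SCAN_STEP = 100               # Hz between scanned bins


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Normalised power |X[k]|^2 / N^2 at the DFT bin nearest target_hz (Goertzel)."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def spectral_line_scan(samples, band=HIGH_BAND, step=SCAN_STEP):
    """Scan the band; return (peak_hz, peak_power / median_power).
    A tonal carrier shows up as one bin standing far above the band's noise floor."""
    powers = {f: goertzel_power(samples, f) for f in range(band[0], band[1] + 1, step)}
    peak_hz = max(powers, key=powers.get)
    ordered = sorted(powers.values())
    median = ordered[len(ordered) // 2]
    return peak_hz, powers[peak_hz] / (median + 1e-18)


def flag_covert_carrier(samples, min_ratio=20.0):
    """True if some near-ultrasonic bin is at least min_ratio above the band median."""
    _, ratio = spectral_line_scan(samples)
    return ratio >= min_ratio


def constructed_capture(seconds=0.2, carrier_hz=None, amplitude=0.05, seed=7):
    """Constructed test audio (not a real capture): a 400 Hz hum plus white noise,
    optionally with an on/off-keyed carrier (50 ms symbols) at carrier_hz."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_RATE)
    symbol_len = SAMPLE_RATE // 20        # 50 ms per keyed symbol
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = 0.3 * math.sin(2 * math.pi * 400 * t) + rng.gauss(0.0, 0.02)
        if carrier_hz is not None and (i // symbol_len) % 2 == 0:
            x += amplitude * math.sin(2 * math.pi * carrier_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, carrier in (("quiet", None), ("carrier", 19000)):
        peak, ratio = spectral_line_scan(constructed_capture(carrier_hz=carrier))
        print(f"{label}: peak {peak} Hz, peak/median {ratio:.1f}, flagged={ratio >= 20}")
```

On a real recording, feed it 44.1 kHz mono float samples in 0.2 s windows; a carrier that is keyed rather than continuous still appears as a line at its centre frequency, which is what the scan keys on.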
So far, extraordinary claims, little data to back it.
Nevertheless, this does sound like a nasty piece of malware.
Seems like trolling or some form of paranoia.
Smells fishy to me.
You then put the code on another machine and you are in the same situation; it seems to me like a vicious circle if you don't know where to cut.
Compression and encryption at this stage would be obfuscation more than anything else, and it's the job of malware researchers to break these kinds of obfuscation layers. But again, we have no proof of this even being present.
The BIOS is not a black box that can't be analyzed.
Which ones? The technical aspects are all known to be practical. The only thing odd is that a reasonably sophisticated and determined attacker is seemingly targeting him specifically and no one else.
We know that Stuxnet spread beyond its intended target - that's how it was discovered by the wider security community in the first place. Malware this pernicious could spread fairly stealthily through a large number of people without being noticed, I'd imagine.
(If it really is using high frequency audio to leak data then that would be strong evidence that it was originally designed to target some group using air gapped computer networks to protect their high grade information. If your top secret & merely secret grade computers are laptops in the same room & they can communicate over a back channel like this then suddenly your air gapped computer network isn't cut off from the internet any more!)
No, they aren't. Not by a long shot. They sound vaguely similar to some that are, however, so people are overlooking the details that would take this from advanced malware to Hollywood fantasy.
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed
Did you even read the article? It's a laptop. That would be the safe assumption, anyway. Laptops far outstripped desktop sales years ago; they're what most work happens on now.
> And saying that computers are communicating by speakers and microphones over long distances (i.e. > a few inches) is patently ridiculous.
It's not. I've done it myself. Go grab a couple laptops and some PSK31 software and you can do it, too.
As for communications via speakers and microphones, that makes as much sense as any other outrageously insane theory I've ever heard.
Keep in mind he's talking about laptops that have batteries.
In fact, after a quick browse it seems to me the Editor is only "picking" comments that support the concept, not those that offer plausible explanations or interesting discussion.
Cut to a live display of computer-name/.passwd hash pairs.
In that scenario, can this be related to Stuxnet? Would the audio signaling be used to report back successful infection of non-networked machinery?
"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."
Air-gapped and no mention of USB...
Magic or just inaccurate description?
"For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa."
That would explain this scenario: the malware has been erased from the disk and the BIOS, but still lives in the audio chip, downloads a new payload through the high-frequency connection, and boom, the computer is infected again.
- Self-healing (of sorts).
- Able to spread via multiple vectors
- Falling back to increasingly stealthy and unlikely vectors
- Actively hampering efforts at eradication
However (and I am trying to phrase this delicately), a few other notable security researchers need to cross-verify that the infection agent exists and behaves in the fantastical manner described.
I am somewhat worried that this seems
1) Either like a gigantic hoax that is trying to see how much people will believe or
2) The security researcher in question has other issues unrelated to security or
3) Some kind of viral marketing campaign for a book/movie/game something else
Literally the DAY AFTER we learn about MUSCULAR, which far exceeds PRISM in its scope, extralegality and generalized dastardality, and half the comments here are, "nope, I didn't think of that before, hence impossible." Well, you didn't think that Linda and John at the station were enjoying your girlfriend's selfies in your inbox, did you? And yet they are.
Bakane. I want to hire all of you as shills, as the best shill is the one who just knows they're right. And I don't even have anything for you to shill! Expect calls from headhunters with federal ties soon.
Like everyone else, I'm highly skeptical and a little annoyed at what seems to be a total lack of fact-checking in this story.
I suppose the malware could be working at a low enough level to override a cutoff in the sound card's firmware. But then wouldn't it have to implement drivers for almost every kind of sound card in existence?
Yes, back in the day of computers with rubber keyboards, software was recorded on audio tapes, and you could listen to a program loading (sounded basically like a prolonged modem handshake). But even on devices specifically designed to receive data this way, you still had to initiate the procedure. There was code already on that machine that processed the audio stream, loaded it into memory and called the initial JMP.
If I put my tinfoil hat on, I could speculate that yes, all the hardware has been made in China for decades, and yes, nefarious forces could have very well implemented an always-on listening layer, which by the power of copypasta has now spread to every BIOS-having device, and now it lies in wait for D-day when all your base are belong to us.
TL;DR: the audio attack vector would be like causing a buffer overflow by whistling the right tune into a microphone. This seems impossible without the machine already being compromised.
"Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped."
"The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware"
Anyone want to try and download it?
Edit: Really odd. Closing on a 1GB archive on Mega -- it seems unlikely that the network equipment can store that much anywhere.
It's clearly obvious in the second paragraph: "Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed"
For now the signs point to the very first case of computer Morgellons. I suspected at first that this was an elaborate troll in order to convince the netsec community to get serious about fact-checking and research-doing before propagating BS, but the theory that he is paranoid is beginning to sound increasingly likely the more I find out.
I read this as the computer being infected without a USB plugged into it. "Air-gapped" would mean no USB, right?
No, it means air-gapped. Traditionally this just meant no wires to other computers (and an autonomous power source if you're extra paranoid). Today of course it more broadly means no direct communication with another computer, including things like WiFi or Bluetooth.
External media has always been used to transfer data between air-gapped systems, and it's always been a weakness. USB drives are just smarter than older forms of external media, posing a greater potential threat.
During further hacking of the T-888 chip, John accidentally applies too much voltage and the T-888 brain starts up, takes over the computer it's attached to, then connects to John's phone (via bluetooth) to reach the internet. John and Cameron realize what is happening and yank the batteries and cables, eventually unplugging the chip itself.
IMHO this is a purposefully written scare piece to be released on Halloween.
Who says computer scientists don't like scary stories?
How is that possible?
Previous article from a week ago:
Guy who knows nothing about computers probably has unstable power, or EM radiation causing computer problems.
He imagines a vast conspiracy instead of the obvious.
Hard to summarize when you don't read the article.
Has HN officially jumped the shark?
"has the ability to use high-frequency transmissions passed between computer speakers and microphones to"
God fucking damn it. That shit right there just blows the fucking lid off damn near everything. It's worse than fucking laser interferometers as far as I'm concerned.
That, combined with a nasty firmware hack, pretty much fucks everything. Like, in addition to BIOS, consider the ramifications of hard drive firmware...
And now I have to think twice about that whole microphones inside random domestic appliances business:
I guess the audio attack vector isn't so outlandish after all, considering fax machines have piggybacked on audio channels for decades, but the whole bug-inside-the-iron thing is still pretty random.