Author Topic: Skynet says 'Hello, World'  (Read 5821 times)
MahrinSkel
Terracotta Army
Posts: 10857

When she crossed over, she was just a ship. But when she came back... she was bullshit!


on: October 31, 2013, 12:56:25 PM

Okay, maybe not, but if badBIOS isn't Skynet reaching back in time to bootstrap itself, then it's something even scarier. 

If it isn't a hoax, it's a Swiss Army knife of zero-day exploits, capable of writing itself into the BIOS of many different kinds of computers, compromising all major operating systems, and communicating with other infected computers across an 'air gap' (by using the speaker and microphone as an ultrasonic modem).

--Dave

--Signature Unclear
Mrbloodworth
Terracotta Army
Posts: 15148


Reply #1 on: October 31, 2013, 12:57:36 PM

I'm not clicking that.  ACK!

Today's How-To: Scrambling a Thread to the Point of Incoherence in Only One Post with MrBloodworth . - schild
www.mrbloodworthproductions.com  www.amuletsbymerlin.com
schild
Administrator
Posts: 60345


Reply #2 on: October 31, 2013, 01:11:08 PM

Quote
Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #3 on: October 31, 2013, 01:22:03 PM

I'm very skeptical of this, at least the high frequency audio networking part of it. Built-in speakers and mics are absolute shit and there's no error-correction on the destination box to clean up a bad signal like there is with any kind of normal network protocol.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
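A defender-side check for the speaker-and-microphone channel debated in this thread, as an added example that is not part of any post: it measures how much of a microphone capture's power sits in the near-ultrasonic band and flags frames where a carrier appears. The 48 kHz capture rate, the 18-22 kHz band, the threshold and all function names are assumptions, and the input signal is constructed.

```python
import math
import random

RATE = 48_000             # Hz; assumed capture rate (Nyquist 24 kHz covers the band)
FRAME = 480               # 10 ms window -> 100 Hz bin spacing
BAND = range(18_000, 22_001, 100)   # near-ultrasonic bins to sum, in Hz
THRESHOLD = 1e-3          # assumed: band power / total power, tune per microphone

def goertzel_power(frame, freq):
    """One-sided power of a single DFT bin, computed with the Goertzel recurrence."""
    n = len(frame)
    k = round(freq * n / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return 2.0 * (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def ultrasonic_ratio(frame):
    """Fraction of the frame's power that sits in the 18-22 kHz band."""
    total = sum(x * x for x in frame) / len(frame)
    if total == 0.0:
        return 0.0        # digital silence: nothing to measure
    return sum(goertzel_power(frame, f) for f in BAND) / total

def flagged_frames(samples):
    """Indices of 10 ms frames whose near-ultrasonic share exceeds THRESHOLD."""
    frames = (samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME))
    return [i for i, fr in enumerate(frames) if ultrasonic_ratio(fr) > THRESHOLD]

def longest_run(indices):
    """Length of the longest run of consecutive flagged frames (a sustained carrier)."""
    best, run, prev = 0, 0, -2
    for i in indices:
        run = run + 1 if i == prev + 1 else 1
        best, prev = max(best, run), i
    return best

def constructed_capture():
    """Constructed input: 1 s of 1 kHz tone plus noise, faint 19 kHz carrier at 0.3-0.6 s."""
    rng = random.Random(0)
    out = []
    for n in range(RATE):
        x = 0.5 * math.sin(2 * math.pi * 1_000 * n / RATE) + rng.uniform(-0.01, 0.01)
        if 14_400 <= n < 28_800:
            x += 0.05 * math.sin(2 * math.pi * 19_000 * n / RATE)
        out.append(x)
    return out
```

On the constructed capture, `flagged_frames(constructed_capture())` marks exactly the frames that contain the carrier, and `longest_run` turns that into a duration that separates a sustained tone from a one-frame click.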
Ghambit
Terracotta Army
Posts: 5576


Reply #4 on: October 31, 2013, 02:00:44 PM

Quote
I'm very skeptical of this, at least the high frequency audio networking part of it. Built-in speakers and mics are absolute shit and there's no error-correction on the destination box to clean up a bad signal like there is with any kind of normal network protocol.

You can't stop the signal.

Also, saying there's "no" error correction is a bit strong.  It's not that simple.

"See, the beauty of webgames is that I can play them on my phone while I'm plowing your mom."  -Samwise
Samwise
Moderator
Posts: 19224

sentient yeast infection


Reply #5 on: October 31, 2013, 04:26:48 PM

Like Ingmar, I'm getting the smell of hoax from this.  Super cool science fiction sounding shit you see on the internet is always either greatly exaggerated or outright fabricated.

"I have not actually recommended many games, and I'll go on the record here saying my track record is probably best in the industry." - schild
Mithas
Terracotta Army
Posts: 942


Reply #6 on: October 31, 2013, 06:33:46 PM

Quote
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

I could almost buy it but the power cord removed really makes it seem like a hoax.

Edit: After reading it closer it was probably a laptop running on a battery. I'm not sure why they even mentioned the power cord then.
« Last Edit: October 31, 2013, 06:37:14 PM by Mithas »
Ghambit
Terracotta Army
Posts: 5576


Reply #7 on: October 31, 2013, 07:06:12 PM

Quote
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

I could almost buy it but the power cord removed really makes it seem like a hoax.

Edit: After reading it closer it was probably a laptop running on a battery. I'm not sure why they even mentioned the power cord then.

Because w/o built-in standby power to the mobo, you wouldn't have a computer.  You don't need to be plugged in to affect ICs at the CMOS/BIOS level, no?  They're on their own small battery, which is what I think they're positing.  But yah, still sounds like a hoax.

"See, the beauty of webgames is that I can play them on my phone while I'm plowing your mom."  -Samwise
MahrinSkel
Terracotta Army
Posts: 10857

When she crossed over, she was just a ship. But when she came back... she was bullshit!


Reply #8 on: October 31, 2013, 07:16:49 PM

Everything described is technically possible, but to package them into an actual hardware-level rootkit system is technical sophistication at 'A Wizard Did It' level.  If it's real and not Skynet, somebody out there is at godlike levels of skill (it makes Stuxnet look primitive and crude).

--Dave

--Signature Unclear
Venkman
Terracotta Army
Posts: 11536


Reply #9 on: October 31, 2013, 07:29:29 PM

Now THIS is a horror story I can get behind

Wouldn't surprise me at all if this thread eventually moves to Politics because it turned out it was another NSA-funded DARPA project...
Mithas
Terracotta Army
Posts: 942


Reply #10 on: October 31, 2013, 08:10:04 PM

If my computer starts acting like that I am smashing it to tiny bits.
Ghambit
Terracotta Army
Posts: 5576


Reply #11 on: October 31, 2013, 08:35:57 PM

Quote
Everything described is technically possible, but to package them into an actual hardware-level rootkit system is technical sophistication at 'A Wizard Did It' level.  If it's real and not Skynet, somebody out there is at godlike levels of skill (it makes Stuxnet look primitive and crude).

--Dave

I wouldn't call it wizard-like (definitely innovative), but it's obviously a damned good Systems Engineer behind something like this (and likely an old-school one) rather than a simple codemonkey.

"See, the beauty of webgames is that I can play them on my phone while I'm plowing your mom."  -Samwise
MahrinSkel
Terracotta Army
Posts: 10857

When she crossed over, she was just a ship. But when she came back... she was bullshit!


Reply #12 on: October 31, 2013, 09:30:04 PM

Quote
Everything described is technically possible, but to package them into an actual hardware-level rootkit system is technical sophistication at 'A Wizard Did It' level.  If it's real and not Skynet, somebody out there is at godlike levels of skill (it makes Stuxnet look primitive and crude).

--Dave

I wouldn't call it wizard-like (definitely innovative), but it's obviously a damned good Systems Engineer behind something like this (and likely an old-school one) rather than a simple codemonkey.

The breadth of knowledge to pull it off is what is wizard-like.  We're talking about a modular or polymorphic trojan that bootstraps from hidden portions of USB drives into multiple forms of BIOS/EFI, possibly into the other mobo component firmware like the PCI/NIC, and gets in under any possible security at the OS level.  Making compromised systems whistle IPv6 packets at each other to get around an air-gap is novel, but almost trivial compared to the rest of it.

If Stuxnet was weapons-grade hacking compared to what we had seen before, this is Manhattan Project level.

--Dave

--Signature Unclear
Ghambit
Terracotta Army
Posts: 5576


Reply #13 on: October 31, 2013, 09:44:46 PM

Agreed.  Though breadth is what's required to be a skilled systems engineer.  In my dabblings, there's likely no harder form of engineering on the planet if you want to be called "good."  You need signal expertise, logic mastery, submicro electronics knowledge, coding expertise, semi-conductor mastery, and on and on (before even considering circuit miniaturization).  Basically a high-level theoretical electrical engineer that has "wizard-like" machine-code skills and a firm grasp of signal.   (and I'm sure a lot more that I have yet to learn at school)

If true, I highly doubt it's a solo act.  Probably a team.  Will be interesting to watch the grognards pull this apart - may learn something even if fake.

"See, the beauty of webgames is that I can play them on my phone while I'm plowing your mom."  -Samwise
ezrast
Terracotta Army
Posts: 2125


Reply #14 on: November 01, 2013, 02:11:52 AM

Quote
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

I could almost buy it but the power cord removed really makes it seem like a hoax.

Edit: After reading it closer it was probably a laptop running on a battery. I'm not sure why they even mentioned the power cord then.

Because transmitting data via existing power infrastructure is a thing: http://en.wikipedia.org/wiki/Power_line_communication
Sir T
Terracotta Army
Posts: 14223


Reply #15 on: November 01, 2013, 05:35:27 AM

Semi Related!

http://www.bbc.co.uk/news/blogs-news-from-elsewhere-24707337

Quote
Russia: Hidden chips 'launch spam attacks from irons'

[Image: screengrab from Rossiya 24, with inset of the "hidden chip". Caption: How Russian TV covered the story about the chips, shown inset]

Cyber criminals are planting chips in electric irons and kettles to launch spam attacks, reports in Russia suggest.

State-owned channel Rossiya 24 even showed footage of a technician opening up an iron included in a batch of Chinese imports to find a "spy chip" with what he called "a little microphone". Its correspondent said the hidden devices were mostly being used to spread viruses, by connecting to any computer within a 200m (656ft) radius which were using unprotected Wi-Fi networks. Other products found to have rogue components reportedly included mobile phones and car dashboard cameras.

The report quoted one customs brokerage professional as saying the hidden chips had been used to infiltrate company networks, sending out spam without administrators' knowledge. News agency Rosbalt reports that while the latest delivery of appliances was rejected by officials, more than 30 devices had already been sent to retailers in St Petersburg.

Who knew that having all your manufacturing done dirt cheap from China would become a security risk.

Hic sunt dracones.
Venkman
Terracotta Army
Posts: 11536


Reply #16 on: November 01, 2013, 11:11:29 AM

Quote
Because transmitting data via existing power infrastructure is a thing: http://en.wikipedia.org/wiki/Power_line_communication

Yes but to go from the wall outlet to the computer or router is through an ethernet cable to a computer port designed to accept that kind of traffic. The power adapter port doesn't normally do that :)
Khaldun
Terracotta Army
Posts: 15160


Reply #17 on: November 01, 2013, 11:35:43 AM

Interesting analysis of the story and its plausibility or lack thereof.

http://blog.erratasec.com/2013/10/badbios-features-explained.html
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #18 on: November 01, 2013, 11:37:34 AM

Quote
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

I could almost buy it but the power cord removed really makes it seem like a hoax.

Edit: After reading it closer it was probably a laptop running on a battery. I'm not sure why they even mentioned the power cord then.

Because powerline networking is a thing, not that you could really run it without a PLNA.

EDIT: Oops, ezrast beat me.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Zetor
Terracotta Army
Posts: 3269


Reply #19 on: November 03, 2013, 09:33:56 PM

Yeah, this is kinda like... 'whatever' territory. Either this is a hoax (very possible), or this is some ultra-specialized sort of malware that'll serve as fuel for a few security conferences, then peter out. I don't think it's in the same weight class as the big-profile APT stuff like stuxnet/duqu/flame/etc, but we'll see, I guess.

If you want to be paranoid, worry about transparent/undetectable hardware backdoors in your PC instead -- it's not exactly a new concept, either.
« Last Edit: November 03, 2013, 09:35:41 PM by Zetor »

Khaldun
Terracotta Army
Posts: 15160


Reply #20 on: November 04, 2013, 11:04:02 AM

Man, I never even noticed two things when I read this before until I read the comments at Schneier's blog today. First, the Ars Technica story says that he first saw this three years ago. Three years? And he's been, what, testing it all this time? And in three years hasn't produced more evidence than this? I took it for granted when I read through the first time that he just saw this a month or two back.

Second, the allegation here is that it's two infected machines communicating via an air gap, not that it's one machine transmitting the infection wholesale via ultrasound. It's fairly unclear in the Ars Technica piece but has been clarified since then.
SurfD
Terracotta Army
Posts: 4035


Reply #21 on: November 05, 2013, 04:44:40 PM

Was kind of confused about that as well.   The Blog post linked a few posts up seemed to indicate that the guy had only been tinkering with the thing for several months, as opposed to the Ars article with 3 years.  3 years of this thing possibly being in the wild (given that Dragos has no idea where the initial infection came from) is a scary scary prospect.  A few months, not so much so.

Darwinism is the Gateway Science.
Khaldun
Terracotta Army
Posts: 15160


Reply #22 on: November 06, 2013, 04:01:43 AM
