badBIOS

Good story of badBIOS, a really nasty piece of malware. The weirdest part is how it uses ultrasonic sound to jump air gaps.

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with -- but was in close proximity to -- another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."

I'm not sure what to make of this. When I first read it, I thought it was a hoax. But enough others are taking it seriously that I think it's a real story. I don't know whether the facts are real, and I haven't seen anything about what this malware actually does.

Other discussions.

EDITED TO ADD: More discussions.

EDITED TO ADD (11/14): A claimed debunking

Posted on November 4, 2013 at 6:15 AM • 213 Comments

Comments

kashmarekNovember 4, 2013 6:32 AM

If for real (BIG IF), this smacks of an effort to make PCs/laptops behave much the same as SmartPhones...that is, tracking devices and data recorders for the massive business & government programs to know everything (Total Information Awareness reprised).

AspieNovember 4, 2013 6:43 AM

It's unnerving but these days who needs a machine with a loudspeaker?

Would this technique be able to us the upper register from quality earphones to do the same thing?

The day I got my netbook I covered over the inbuilt camera (gimmicky waste of electronics anyway) and bunged the mic-hole up with blu-tack. I've since removed the wireless module (it never worked very well and had a nasty habit of switching itself on under debian even when it was supposedly disabled and my wi-fi hub was off) and use wired links only.

Now with gentoo-hardened on it the memory usage has dropped by 80% and the thing runs like the devil. It was hard work to install and strip down and rebuild the kernel though.

ISCNovember 4, 2013 6:52 AM

@kashmarek "If for real (BIG IF)"

This IF is no more so big:

an archive with some suspicious files is available, see https://isc.sans.edu/forums/diary/Happy+Halloween+The+Ghost+Really+May+Be+In+The+Machine/16934 :
"I've uploaded one set of data _deleted_ from a burned forensic cd image here http://goo.gl/3pQbeZ ; md5 checksum of kit.tgz 7a64f35c2db85cc1f5cc1f5eefebb924e081b - thanks in advance for any analysis shared back - filelen 949437030"
http://goo.gl/3pQbeZ is https://mega.co.nz/#!5Rpn3JyC!SEb5vB_KofcMl-vBKMS_j3RBdFlj0ROmFmKt8huNdNk

LNovember 4, 2013 7:03 AM

I don't know, sound card drivers are pretty complex, I really can't imagine a bios malware that can support many audio cards, and sound transmission is very low bandwidth and highly error prone...

I still think it's a hoax...

EricNovember 4, 2013 7:09 AM

"It's also possible to use high-frequency sounds broadcast over speakers to send network packets. ". Highly doubtful as a standard audio speaker, especially a 50 cent PC speaker, has an frequency role off around 10-15Khz. At and above these frequencies the DB level drops like a rock, so these things are not sending (human) inaudible high frequencies that a 50 cent PC mic could pick up. To send at a DB level high enough for a cheap PC mic to pick up, it would be in the audible frequency range and one would hear it. More likely some source has been infected (CD, USB, etc.). What MIT might do with ultrasonic and highly specialized transducers is not the same thing as what a 50 cent consumer PC speaker and 1/4 watt PC amplifier can do. Period. A $10 mic, a PC sound card and shareware audio analyzer software is all that is need to prove this one way or another.

Steinar H. GundersonNovember 4, 2013 7:20 AM

Based on my own practical testing (and, well, a master's degree in DSP :-) ), I find the ultrasonic claims a bit hard to believe. It is possible, but if so, it's a very, very limited channel. Think kilobits/second, probably less in practice.

ISCNovember 4, 2013 7:22 AM

@L: "I really can't imagine a bios malware that can support many audio cards"

The bios malware may just have been used to hide specific files on the USB key, containing the real malware.

@L: "sound transmission is very low bandwidth and highly error prone..."

You seems to have missed previous comment on this blog about it:
https://www.schneier.com/blog/archives/2013/11/friday_squid_bl_398.html#c2151406
https://www.schneier.com/blog/archives/2013/11/friday_squid_bl_398.html#c2147603

In short: there is a program transmitting at 500 baud with a simple protocol which is audible.

Hence 50 baud shoud be easy to do in audible frequency but at the level of fan noise of the computer, with better spread-spectrum protocols, for NSA with big money.

@Steinar H. Gunderson: "Think kilobits/second, probably less in practice."

It basically means you can transfer one megabyte in one or two hours.

Carl 'SAI' MitchellNovember 4, 2013 7:28 AM

Really, to me I don't think the sound thing is likely. For one, normal laptop audio components don't work at any significant volume in the ultrasonic. The -3dB cutoff frequency for most laptop speakers is 18-20kHz, and for most mics is somewhere in the 10-15kHz range. So he should test with the laptops on opposite sides of the room, since the inverse square law would ensure any output from one would be undetectable by the other.
For another, he has no data, just speculation. It's not that hard to get an ultrasonic mic and an oscilloscope to check. A used analog scope would be fine, those can be found for under $50, and the mics aren't that much either.

I'd bet it's something infecting a disk controller. He seems to be using Apple gear, there aren't that many drives used by Apple laptops. The disk controllers often have rather good computing capability of their own.

Andrew WallaceNovember 4, 2013 7:50 AM

Even if a hoax it is technically possible to achieve and the idea is now 'out there' for people to copy.

FlatPepsiNovember 4, 2013 8:01 AM

If I'm reading the article right, he's claiming an uninfected laptop can be infected via sound, when it's air-gapped.

If that's what he's claiming, then I call shenanigans.

More likely he's run into a rather well written root-kit- and his wipe & rebuild process isn't clearing the original infection.

Now, can 2 laptop communicate via sound? Sure, most of us old timers call that dial-up access. Can a typical laptop speaker put out enough volume just off the edge of hearing range to be useful? Possibly. Desktops would have a better shot.

Does sound like something NSA would look into. Without the mal-ware "drivers" to receive the sounds, it's just noise to uninfected computers.

UhuNovember 4, 2013 8:04 AM

From what I read so far I have to assume it is a hoax. In particular, I don't like how he simply states that he has seen data transmission without explaining how he has seen that. Does the OS report a network device in spite of him removing all network devices? If so, what kind of network device is shown? If not, how would he see that data is exchanged? Simply saying that "I removed all network devices and it sill transmits data" is lacking too much technical details. We also need an independent review (somebody who is able to reproduce the problems).

Here are the key points as I see them:

* Ultrasound communication:
Seem to be theoretically possible but probably extremely low bandwidth, could be done in audible sound hidden as noise. Nobody claims the infection happens through sound, only that infected machines can communicate. It is unclear how he saw data being exchanged. Wouldn't he need to see some network device? And if so, what kind of network device was shown? Or how else does he know data was exchanged? What is the observed bandwidth?

* BIOS reflashed
The BIOS will check hardware extensions (e.g. PCI cards) for additional drivers to load. So it's possible the malware hides in other places and still gets loaded on system start-up.

* Drivers for diverse hardware
The malware could download custom modules for a specific infected machine. So while the module installed in the BIOS (or some BIOS extension) might not have enough space to hold a multitude of different soundcard drivers, it is possible that the malware downloads a specific module for the given infected system.

* 404 from infected machines on web sites discussion reflashing of flash disk controllers
If this is indeed the case, it should be possible to compare the exact request sent by the infected machine and compare it to a similar but clean machine to see the differences to find out how the server could identify infected machines (would be extremely useful). Or is it the infected OS that intercepts access to these sites? And if so, how does it identify hosts to censor?

Steve SzmidtNovember 4, 2013 8:09 AM

Here's why I don't buy into it. It's one thing to make a piezo element be a speaker and a microphone. Pretty much as to as normal speaker drivers don't do too well exceeding the audible range of our hearing.

It is a completely different story to have a computer that actually does anything hearing it. In other words what computer do you know of which is modified to pick up on not just ultra sound, but any sound, and do something based on what it hears? (True, some of our cell phones are able to listen to certain instructions and perform exact actions based on it. But that is not even what these multiple computers with different O/S's have.)

Then not only doing something but actually taking action following arbitrary instruction that is the makeup of a computer program.

On top of that it is also supposed to work across different manufacturers hardware, BIOS and finally different O/S's.

Not a chance, not one iota.

Sure, one could create the condition where one computer listens to sound and then not only do predetermined actions but actually be programmable meaning knowing a language, however crude... How far off base are we by now? With that I mean what general use computers can do any of that?

Sorry but as far as I'm concerned this is simply another "chain mail" that apparently some are buying into.

Mario VilasNovember 4, 2013 8:12 AM

"If I'm reading the article right, he's claiming an uninfected laptop can be infected via sound, when it's air-gapped."

I don't see where that claim is made... what I read was that two infected machines were connected to each other even when airgapped, while the infection occurs via a USB key.

Mario VilasNovember 4, 2013 8:19 AM

"In other words what computer do you know of which is modified to pick up on not just ultra sound, but any sound, and do something based on what it hears?"

A colleague (capi_x) and I tried transmitting ultrasound between two Apple notebook computers as a proof of concept and it worked - the speakers were able to send ultrasounds and the mic was able to receive it.

However in our tests the actual frequency range we could use was rather limited (the speakers could emit sound in higher frequencies than the mic was able to hear), and for some reason when we tried it on Windows the sound card kept giving us some weird audible clicks (same hardware - seemed to be an issue with the Windows sound system).

Note that we didn't implement a protocol on top of that, we just tested sound emission and reception. I've no idea how much bandwidth you'd get. But given the huge amount of radio and modem protocols out there, it may just be a matter of being clever enough...

g0nNovember 4, 2013 8:26 AM

To reiterate the last poster (I think his most crucial point gets lost):

"Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer."

Observed where? If there's an interface to monitor packets on, you've pretty much figured out what's going on.

wumpusNovember 4, 2013 8:28 AM

@Steinar H. Gunderson: "Think kilobits/second, probably less in practice."

There are only a few reasons to build an air-gapped system, and less reasons to specifically attack them (stuxnet leaps to mind). One issue is that the virus is unlikely to determine which data is "the good stuff". My guess is that it could very well be designed to simply steal key data and nothing else: this goes deep into the issue of just how bad audio communications over PCs can be (ignoring the obvious fact that many new computers are laptops with built-in microphones. Badbios may be banking on this). Key theft could reasonably use .01bps rates and still do its job (and grabbing the ciphertext is typically assumed to be a piece of cake).

Andrew WallaceNovember 4, 2013 8:32 AM

FlatPepsi,

The ultrasonic high-frequency is a covert command and control channel after infection has taken place via USB.

Erik V. OlsonNovember 4, 2013 8:46 AM

"Highly doubtful as a standard audio speaker, especially a 50 cent PC speaker, has an frequency role off around 10-15Khz."

Modern day laptops have much better speakers and mics. Most people can't hear much above 12Khz, and a really smart implementation would listen, wait for a very quite period, then transmit. Heck, rattle the hard drive hard at the same time, or spin up the fans to add some background noise. You could probably use 15Khz up to cutoff without very many people noticing anything. Of course, if there's an old-school CRT in the room, that'll wipe that out, you'll have to shift to above the flyback transformer's frequency.

I'll bet this is a lot easier on Apple gear. Since Apple gear is so popular with musicians, there's been a lot of encouragement from the user base for clean audio through the system. Plus, you have fewer hardware/OS combinations to worry about. But I'd think any modern (say, 3 years or newer) laptop or desktop would have good enough speakers and microphones built in. The all-in-ones would be better, because the speakers-mics would be up on the desk.

Of course, anybody doing video chats who has better speakers and mics installed has made things easier for this.

I don't think you'd get fast -- but if you could maintain, say, a 300-1200 baud link, you could move sensitive info in/out, if you could get to the 19200bps level, using phase shift keying, then you have a workable link for TCP.

An ideal implementation would have some means of exploring the audio space, much like modems do, to find what part of the band a give pair of speakers/mics can use, and just how clever a modulation scheme you can get away with. But having seen some of the stuff that amateur radio has come up with in the slow signal through noise* and signal through extremely constrained bandwidth**, there's no doubt in my mind that it's theoretical possibly.

The practical implementation issues are legion, though.

Part of me wonders, though, if a better implementation would be a burst mode -- listen for very quiet, then burst data, listen, repeat until background comes up. Risky, but higher bandwidth. The story here implies that isn't the case here -- they were actively present, seeing data move.

* http://en.wikipedia.org/wiki/WSJT_(Amateur_radio_software), esp JT65

** http://en.wikipedia.org/wiki/PSK31, 31 baud in 31.5hz bandwidth, with good frequency control, you can carry out 20 conversations in 2.5Khz, easy. There are variations that move more data more bandwidth, but something like Q15X25, which uses 15 QPSK carriers at 125Hz bandwidth, each giving 83.32Hz, and the system testing to see how many carriers it can support, is probably the fastest way to implement packets over a system like this.

http://en.wikipedia.org/wiki/Q15X25

VinzentNovember 4, 2013 8:49 AM

Each one of the claims made are theoretically possible, yes. If it came from any other guy I'd call bullshit, but he's a well-known researcher in the field, not just some crackpot who tries to get a name for himself, so honestly -- I don't know what to make of it.

Currently, I still don't buy it. Then again, maybe my personal paranoia level is just not high enough.

jayNovember 4, 2013 8:52 AM

No one seems to have commented that this article is dated October 31, 2013. ...

Fascinating but extremely unlikely as a general attack.

Nicholas WeaverNovember 4, 2013 8:52 AM

Repost from the air gap discussion, seems relevant to this article:


patricia • October 12, 2013 12:59 AM

The properties of my airgap system:

1. It is inexpensive.
2. It is not require much technical know how (not reverse engineering your BIOS to verify its integrity or trying to debug rootkits).
3. The overhead involved is scalable to the amount of security required. That is, many shortcuts can be taken without weakening the overall system.
4. It is an unambiguous set of steps that don't require judgment to be performed.
5. It is fault tolerant (many components can get pwned, and it still is very secure).
6. It is effective against a variety of threat models, up to and including a nation-state which has full knowledge of your setup, a team of hackers working to pwn you individually, and a black bag team that can enter your home without your knowledge.

Let's call our adversary Eve. I believe unless Eve can bring to bear the resources described in item 6, your setup is perfectly secure. Any feedback on the protocol I describe would be appreciated.

The threat models we will consider:

1. A targeted attack in which the Eve has perfect knowledge of your setup and unlimited resources to craft an attack over the internet.

2. Same as 1, but they will attack using malware which infects your hardware (BIOS, NIC, etc.) before you purchase it (the supply chain attack).

3. Side channel attacks

4. Black bag/ physical access to your home and computers.

5. Untargeted attacks

I assume the reader can acquired uninfected software. One method for doing this is documented on the TOR website. The basic idea is to download from multiple sources, from multiple internet connects, compare the hashes, and verify downloads with PGP signatures.

Here's the setup:

The first computer (which I'll call CannonFodder) connects to the internet via TOR, ideally with PORTAL between the computer and the internet. PORTAL is the grugq's open source project which installs on Raspberry Pi and acts like a proxy forwarding all your traffic to TOR. Recently a hidden service was discovered on TOR which hacks the browser and phones home through the user's non-TOR internet connection the actual IP address and MAC address of the user. PORTAL prevents this attack by only allowing traffic to route through TOR, and blocking any other traffic.

The purpose of CannonFodder is to receive PGP encrypted messages and send PGP encrypted messages. It's what connects to the internet so the rest of the equipment doesn't have to. While it will be assumed to be hacked into and rootkit'ed, it is not going to be an easy target.

On CannonFodder install whatever personal security products you can get your hands on. Anti-virus, anti-persistence software, software that whitelists good processes and blacklists bad processes, EMIT... anything and everything possible. Make sure the OS and all software on it is patched regularly. What OS runs on the host is up to you. The host will run a VM and nothing else. What virtualization software you use is up to you, but the OS you run in the VM should be different from the host. So if the host is windows, the VM should be some flavor of linux or BSD.

The VM is going to run another VM. That VM will be a third OS, different from the other two. It's only job is to run a browser that can connect to TOR. Whether that means the TOR browser bundle, or Chrome connecting through PORTAL, it is up to you. Chrome is a good choice, since it auto-updates itself, making patching mindless. Once the VMs are set up, snapshot them. After every use, revert to the most recent snapshot. When new patches become available, revert the VMs, apply the patches, and take a new snapshot.

Make sure the browser has NoScript installed (meaning no javascript). Do not whitelist any websites in NoScript. Make sure the browser has no plugins installed besides NoScript. That means no Java, no silverlight, and certainly no flash.

The idea of all of this is if someone tries to exploit your browser, they might not get a rootkit on your host, because Eve may not have realized you are in a VM, and therefore might not be prepared to escape your VM. She may not even have a VM escape. If she does, she will still need to have a variety of exploits and be willing to use them against you. She may be unwilling because you are not a noob, a complicated setup like your's could trip up her exploits, and maybe expose them in a way that you can steal them. Think about it: Eve needs VM escapes for two different pieces of software, code that can run in all flavors of Linux, Windows, and BSD, possibly privilege escalations for each of those OS's, and most likely the ability to navigate PORTAL before phoning home. You are a complicated target relative to most people on the internet. Patched software ensures Eve must throw 0day at you. Personal security products can trip up her exploits or mean she'll have to invest even more individual attention in crafting exploits that sidestep your protections.

If CannonFodder is running on Sparc or MIPS or ARM, even more bonus points, because now even fewer people have the expertise required exploit and rootkit you.

CannonFodder is only used for visiting email, saving email, sending email, and burning CDs. No other browsing is allowed. A different email account is used for every different pen pal. In between logging into each email account, a new TOR identity is generated-- in the TOR browser bundle just click the generate new identity, using PORTAL it is a little more complicated. Messages should move from public email addresses tied to real identities to burner email accounts as quickly as possible. You should register a new email address for each new pen pal you correspond with. The email address should have no information that ties your real identity or your pen pal's real identity to the address.

CannonFodder can either be a laptop (which has had the camera removed, the mic destroyed, etc.) or a desktop. A laptop has the advantage that you can take it to different restaurants and connect to a different wifi access points every time CannonFodder connects to the internet. A desktop has the advantage of convenience (driving to a new access point every time you want to send an email eats up a lot of time). The downside to the laptop is other users of the wifi access point can attack your laptop. The downside to the desktop is your IP address is easy to obtain from your internet company, and with your IP address it is not far fetched that Eve can hack your router, and then your desktop.

Every day (or every other day, or every week) check the email accounts. Each email account gets its own CD. Any messages received from Alice are burned to CD A, any messages received from Bob are burned to a separate CD B, and so on.

By using TOR, not browsing the internet, and using random email accounts the hope is that you will be harder identify as someone to target and harder to locate once you are targeted. The VMs and other mitigations will ideally tip you off once you are targeted since your unusual setup could cause their attack to fail in a loud way. Even if it doesn't tip you off, it may be effective in preventing your computer from being rootkit'ed indefinitely, since Eve may not have the techniques readily available to breakout of your VMs.

Even given all these precautions, we will always assume CannonFodder is owned and has a rootkit which is recording every keystroke, the MAC addresses of all wifi access points in proximity, and whatever other information your computer might be privy to.

Now for the airgap. The second computer, which I'll call IvoryTower, is air gapped. If the only secrets you are trying to hide are your private PGP keys, the cleartext of your messages, and the cleartext of your pen pals'' messages, IvoryTower should be a raspberry Pi with a USB CD (read-write) drive. If you also want to read PDFs, I'm unsure if a raspberry pi can handle this, so you might have to use a desktop. The raspberry pi has several advantages when it comes to side channel attacks and black bag attacks. We'll discuss these later. It also has the advantage of being ARM architecture instead of x86 and x64. The architecture matters because in depth knowledge of x86 and x64 are much more abundant than knowledge of ARM. You increase the cost of attacking you by using a more unusual architecture.

IvoryTower is our most privileged machine, because private keys are used to decrypt messages on it. If we can prevent it from being rootkit'ed, our secrets are safe (except from black bags, more on this later). However, we should always assume IvoryTower is pwned and take steps to guarantee none of the secrets it protects leak onto CannonFodder and from there onto the internet.

Backing up for a moment, IvoryTower is where the PGP keys you use to correspond with your pen pals' are generated. The first day IvoryTower is set up, when it has the lowest likelihood of being rootkit'ed, generate a ton of PGP key pairs and burn them to CDs. If you are very security conscious, IvoryTower should be shutdown in between each key you generate. This is to clear the RAM of the device (always use an OS which overwrites RAM at shutdown). Many rootkits can't survive a reboot. A shutdown could clean the machine. If a rootkit does infect the computer, and private key material from other pen pals is still in memory, the malware can compromise more of your private keys than it would have been able to otherwise.

If IvoryTower is a desktop, it should have no hard drive, and it should boot from a live CD in a CD-ROM (no write) drive. The CD containing the new messages from Alice can be put in a separate CD drive. When the encrypted messages are copied to the desktop, they will be put in RAM on the device. Insert the CD containing the private key corresponding to the public key you gave to Alice, and decrypt the messages. Read then, then reboot. Write a new message to Alice, encrypt it with her public key. You can retrieve her public key either from the same CD that holds the private key you use to communicate with her, or by requesting she append it to the messages she sends. Burn your encrypted message to a new CD, and destroy the CD that transfered Alice's messages from CannonFodder to IvoryTower.

Part of Alice's message should be a new email address she created just to receive your next message. Similarly, your new message to her should contain the email address you've registered to receive her next reply. In the message you are sending should be an email address that they can send their next message to. This protocol, of always sending to a new email address, means Eve has fewer selectors to key in on when she taps the internet backbone, and she can't use your old email address as a selector to serve an exploit to you when you visit the old email account. If she gets your key, the messages are not all aggregated in one place for her to decrypt. Since the next email address is encrypted in each message, she will not know the next place a message is being sent.

Now for a trick. Write down the exact size (in bytes) of the encrypted message that is destined for Alice. Open the encrypted message in a hex editor (still on IvoryTower). Write down the first 5 bytes of the file. Write down the last 5 bytes. Pick a random offset (or 2 or 10) and write down 5 bytes there along with the offset. Reboot.

Repeat the procedure on IvoryTower for every correspondence that sent you a new message.

Now another trick. Using a public-key/private-key pair you've kept reserved for testing purposes, encrypt a fake message. If can say anything, just make sure you'll recognize your fake message when you decrypt it (more about this later).

You have destroyed the CDs with the messages your pen pals' sent you, you have a bunch of CDs with messages you'd like to send on CannonFodder, and you recorded some metadata about each of the encrypted messages (i.e., filesize, the first five bytes).

We have now reached the most dangerous part of the process, because if IvoryTower is rootkit'ed, any of the CDs could contain information about your secret key, information about the cleartext of your message or your pen pals'' messages. For example, if GPG on IvoryTower has been subverted by malware, the malware could have used the Eve's key to encrypt your message instead of Alice's public key. Then, when you transfer the message to CannonFodder, malware on that system could use Eve's private key to decrypt the message, send it to Eve, and re-encrypt the message with Alice's public key. You would have not idea you were compromised, because from your perspective Alice got the message OK.

To guard against this, we have a third computer, which I'll call DoubtingThomas. This is the one computer who's integrity is important. Luckily, it too can get rootkit'ed, as long as it is rootkit'ed by an untargeted attack. If Eve and her minions target yo and get on DoubtingThomas, you're in trouble.

DoubtingThomas is a raspberry pi. This is a nice choice because it can be physically hidden, making physical tampering by a black bag team more difficult. It also uses much less power than a desktop, meaning many side channel attacks don't apply. Also, electronic devices (bugs) that could be hidden on a desktop computer's motherboard or PCI peripherals stand out much more on a raspberry pi.

The most important thing about DoubtingThomas is simplicity. We want very little surface area on DoubtingThomas. IvoryTower runs a full fledged OS with lots of code and lots of surface area, making it easier to own. DoubtingThomas, however, just needs to have a hex editor, GPG, and the ability to read from a CD. Ideally the CD has filesystem, since a filesystem is more surface area for an exploit, so a raw filesystem that can be read with would work well, especially if that meant 'dd /dev/[cdrom]' would have identical output to the encrypted blob IvoryTower produced.

DT has a CD-ROM (no write) drive connected by usb so it needs a USB driver as well. The OS on DoubtingThomas would be custom coded to be minimal and only have what is needed for this task. On DT we open the encrypted messages from IT in a hex editor so you can visually inspect the file is unchanged since being on IT. It is important also verify that the file size is the same, and that the rest of the disk is empty.

What does this buy you? If the hex editor on DoubtingThomas shows the same values as the hex editor on IvoryTower, you know you can trust IvoryTower's hex editor and burner. However, you cannot know for sure what key actually encrypted the message. Eve could easily have encrypted the payload if she was on IT and subverted GPG. Basically, you can trust the burning software and the hex editor, but you still don't know if you can trust the install of GPG on IT.

This is where the message you encrypted with a public key for which you have the private key comes in. Decrypt it on IvoryTower, and if it decrypts correctly, you know you can trust GPG on IvoryTower. Why? Because if malware has subverted GPG on IvoryTower the fake message won't decrypt correctly. If your message is encrypted with the Eve's key, there's no way to tell just by looking at the encrypted file.

After the test on DoubtingThomas, you know you can safely put the CDs in CannonFodder, and email your messages to your pen pals'.


That's the procedure, now how does it stand up to our threats, and are there any other things we can do to make it even more secure?

1) Attack from the internet.

If CannonFodder is pwned, when you burn a CD of messages addressed to you, an filesystem exploit or an exploit that targets any of the other code that is required to read from a CD could be burned to the CD too. This is the only way IvoryTower can be rootkit'ed if Eve limits herself to attacking over the internet. If IvoryTower is rootkit'ed, you can't trust the output of any of the software on that system. IvoryTower could:

a) encrypt with the Eve's public key when it says it's encrypting with Alice's public key (they get cleartext of your message to Alice)
b) append your private key, encrypt with the Eve's public key (they get your private key for corresponding with Alice, and your message to Alice).
c) Write your private key and any cleartext left in RAM to slack space on the CD.

DoubtingThomas verifies the work of IvoryTower as described earlier. However, there are ways malware could get around this. The first that comes to mind is maintaining a whitelist of keys that it will subvert and your fake key is not on the list. But that would be so targeted, and require such perfect knowledge it's not believable.

Make sure to generate plenty of private keys as soon as you get IvoryTower setup. Once it's subverted it could be generating weak keys. Also register lots of email accounts on CannonFodder.

2 and 3) Your equipment was pre-pwned with BIOS malware before you bought it and side channel attacks

This would have to be general purpose malware that didn't target you specifically (because you were careful enough to buy hardware in person from a big store and not online with your credit card, where it could be messed with in a targeted way). There are a couple threats here. The first is that IvoryTower's key generation is weakened. This is a serious flaw that I don't know a good way around. The second is the computer is modified to transmit data through side channels. So, for example, it flickers the screen at a frequency imperceptible to the human eye, and it just scans through RAM constantly doing this, so that a sensor picking up the flickers would have a dump of RAM. Or it scans through RAM and modifies the power unit to transmit data (using the power cord to create an antenna, or to communicate with another device on the same power circuit, perhaps CannonFodder). Or it blinks an LED faster than humanly perceptible. Or it uses the wire that wraps around the perimeter of the monitor that connects to the LED and forms an antenna to ex-filtrate data. Or it produces auditory signals by the making the processor hum. It can control the frequency of the hum with the type of operation it has it do. Or Eve uses Van Eck Phreaking to reconstruct your monitor display by the radiation it gives off.

Side channel attacks are real. They are very hard to defend against. On the positive side, I assume they are expensive to deploy. But since our assumption is we must be resistant to expensive attacks, we must consider side channel attacks.

First I'll point out that the only computer in our setup that must be resistant to a side channel attack is IvoryTower. If IvoryTower is a raspberry pi, it draws such little power that the power cord attack is not feasible. Any form of radiation attack (the antennas, Van Eck phreaking) can be mitigated by only running IvoryTower in a local restaurant's walk-in freezer (the poor man's faraday cage). A Raspberry Pi is portable enough to take to a walking freezer. For Eve to pull off the visual and auditory based attacks she presumably requires a black bag team to place sensors in your workspace (more on this in a minute), but a raspberry pi based system could be set up in a different location every time you use it (meaning it's much harder to 'bug' in this way).

Note that the cords for keyboards and mice should have shielded cabling. Every cord in your setup for IvoryTower should. Peripherals should never be shared amongst computers since they could be infected with malware.

All LEDs should be disabled in all your computers/ monitors/ peripherals by digging out the LED.

4) Blackbag team visits your house while you aren't there

You are going to have to have a good place to stash the CDs containing your private keys as well are your raspberry pi(s). They are the prize you are trying to defend.

One threat is Eve's henchmen break into your house and replace your keyboard with a duplicate that has a key logger, or that infects your device with malware when you plug it in. For this reason, put distinctive scratches into all your peripherals, take a photo, and regularly check that the scratches are identical to the photo. This is how weapons inspectors ensure the seals protecting weapons caches have not been tampered with. The seals are scratched in a distinctive way that can't be forged, then check periodically. Use tamper evident tape on your devices to slow down a burglar that wants to plant a keylogger in your keyboard.

If IvoryTower is infected in its BIOS and it is capable of stashing private keys (in the BIOS or in the firmware of PCI peripherals on the system), then a black bag team could get your keys this way. This is another argument for IvoryTower being a raspberry pi and being stashed somewhere. If IvoryTower is hidden and the burglar can't find it, they can pull the private keys from the BIOS. On a desktop, the fewer PCI peripherals, the less space the malware has to stash keys if it is in fact using this strategy. So make sure you have no PCI peripherals. If you have a desktop, put super glue in all the USB interfaces so they aren't functional. Do the same to any interface on the mother boards that could attach removable media. Try to make the case impossible to open (bonus points for encasing it in cement except for the fan, CD tray, cables for keyboard/mouse, power cable and power button). Your attack surface for a burglar becomes what they can modify with a liveCD and maybe the drivers that handle input from your monitor (minimal).

5) Other threats
Most other threats won't get past your browser, because it's fully patched, and it they do, they'll be destroyed by reverting your VM.


Questions:

Is it easier to verify raspberry pi's embedded code than a desktop's BIOS?

What if IvoryTower is pwned before you buy it and produces weak PGP keys?

What to put for full name, email address in PGP key?

How long should keys stay valid for?

SimonNovember 4, 2013 8:54 AM

For the people messing around with recreating this method of communication, the ham radio guys have developed software that implements low bandwidth modulation schemes specifically optimized for work with for very weak signals (link -> WSJT)

TSNovember 4, 2013 8:55 AM

I'd presume the hack is driving the hardware directly, not going through the OS. Thus there might not be any tell with Windows audio.

The audio doesn't need to be reliable enough to send data... the presence of the audio itself could be the data, ie Morse Code. Low bandwidth for sure, but if the malware is sitting for weeks without being detected, it could still be transmitting a lot of data.

As for "diverse hardware", yeah, you'll have problems trying to infect the US public, with dozens of hardware vendors. On the other hand, the devices used in the places this malware was (most likely) written to infect (Iranian nuclear facilities?) are limited and probably well known to the authors and thus you wouldn't need a huge library of driver hacks.

I'd guess accidental release, maybe a programmer made a mistake and ended up carrying the malware out on a USB stick.

Muddy RoadNovember 4, 2013 8:57 AM

Sounds like a plot from a Halloween movie. Put the 'puter in the freezer. Freezing cold does in quite a few zombies.

jacksonNovember 4, 2013 9:11 AM

“Outrageous,” is how Google’s Executive Chairman and former CEO Eric Schmidt described allegations about NSA spying on its data centers.

HA HA HA - Hey, if you're doing something you need to hide it's probably illegal. Right???

IT'S A HOAX! You can't use the speaker and mic on a computer as a side-channel! I took some classes at the SANS Institute and they never told me about this so it can't be true. And all this nonsense about the Earth spinning in space is ludicrous. Everyone knows this is impossible. People and things would just go flying off into space, and the wind would be so terrific you couldn't even stand up. What a preposterous idea.

Oh, wait ... they said this was impossible, too... until it wasn't.
http://www.cs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/tiss.preprint.pdf

AlanNovember 4, 2013 9:16 AM

Maybe badBIOS installs something so that two INFECTED computers are able to communicate via their sound cards. I would be very surprised if an uninfected computer could be infected only via its sound card, but stranger things have happened.

jonesNovember 4, 2013 9:17 AM

56k modems worked over a landline with a bandwidth of about 4 khz.

High frequency sound transmitted over a computer speaker may not be ultrasonic, but with the much wider bandwidth a soundcard provides (relative to a phone line), I imagine a decent throughput could be achieved through intermittent (and thus, less noticeable) transmissions.

jonesNovember 4, 2013 9:22 AM

P.S.

Assuming a computer speaker can reproduce CD-quality sound, that gives a bandwidth of 22 khz (for a CD's Nyquist frequency of 44.1 khz) -- quite a lot compared to the 4 khz channel of a landline.

MirarNovember 4, 2013 9:33 AM

Isn't it written: There is much going on that we don't know about.

I find the techniques visited plausible, but some of the sign implausible. It might be possible to use hardware with it's own flashrom for firmware to hide the malware, for instance audio- or network cards. (I don't know.) It might be possible to control the audio circuits from another hardware/firmware on the PCI bus than the CPU. (I don't know.) Out-of-band audio at 20kHz might not be filtered enough and still be useful to send and receive. (Implausible, but maybe not impossible.)

But:

Why would you disable "search" in "regedit" rather than just hiding things?

Why would data transmitted over audio go into the normal network stack and be visible?

I find this malware both too visible and too invisible at the same time.

WinterNovember 4, 2013 9:37 AM

@Nicholas Weaver
A black bag team will install cameras and microphones. That will handle the secret hiding places.

I suspect that if you really are targeted by a big-budget antagonist, you are borked. You will have to model limitations for your opponents.

FYI, there was story by Isaac Asimov, in his a rather lame "Tales of the Black Widowers" series, where exactly such a situation was brought up in a pre-network situation.

The target in question was under the most heavy surveillance but still able to communicate across borders with steganography. He used broken off matches in matchbooks corresponding with matchbook collectors. Very low bandwidth, but still.

ZeroCoolNovember 4, 2013 9:43 AM

My biggest nagging problems with this guy's research:

He sat on this for 3years. No word if he has tried custom FOSS BIOS. Unclear if this affects multiple hardware models because zero details.

He should be contacting Kaspersky

JoeNotCharlesNovember 4, 2013 9:54 AM

At every place I've ever seen this story posted, somebody has posted to say that the computers are being INFECTED by sound, rather than two ALREADY INFECTED computers communicating by sound.

I'd suggest that Bruce (and anyone who re-posts this) add a big disclaimer along with the excerpt clarifying that. Apparently it's incredibly easy to misinterpret.

Some_Guy_In_A_DinerNovember 4, 2013 9:54 AM

Need the data. If we do not have a full analysis and data dump of this exploit we have no proof that it exists.

Brian M.November 4, 2013 9:56 AM

From the Ars Technica article:

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot.

(emphasis added) Yeah, Mr. Ruiu has been at this one for three years. And in that time, he hasn't shared any data with anyone else. According to the Ars Technica article, this infects OS-X, Windows, and Linux. It communicates, not infects, over an audio channel.

  • It's absolutely possible that there is a rootkit that can communicate via an audio network.
  • It's absolutely possible that a rootkit can hide in the various writable spots of flash memory in a system.
  • It's absolutely possible that a rootkit can infect USB drives.
  • It's absolutely possible that a malware payload can have code to infect multiple OS targets.

This rootkit is supposed to be three years old, and only Mr. Ruiu has seen it. He claims that he has been analyzing it all this time, and this is only as far as he's gotten with it.

Why hasn't Mr. Ruiu shared any data before this? Why hasn't he sent copies to various antivirus vendors?

Here's where I don't buy the story:
#1, remember the Chernobyl virus? It overwrote BIOS memory, corrupting it. It's possible to infect one version of a BIOS, but not multiple versions, and certainly not versions from different companies, i.e., Apple, Award, Phoenix, AMI, etc. When new versions are compiled, everything in the BIOS changes. The positions of the jump tables, etc. The flash chip is packed, and there isn't any room for a rootkit to just jump in and hide.

#2, As I, and others have noted, how is Mr. Ruiu tracing the communications of this rootkit? Did it load its own virtual NIC driver?

#3, How can a security researcher be clueless that a rootkit is infecting via USB/sneakernet? That's the oldest form of infection, and should be a #1 suspicion.

#4, Again, three years??? This thing has been on his systems for three years and all he has to show for it is that he's infected? This guy only has x86 systems, and if he's dealing with stuff that is that "dangerous" why doesn't he have something that isn't an x86-type processor and OS to take a look at what could be on that stick?

ICHNovember 4, 2013 9:57 AM

So there are definitely a lot of details missing from the original article. But lets assume a couple of things.

1. This is not a propagation mechanism. Both computers are already infected.

2. Airgapped networks with good OpSec can be infected.

3. Getting data out of airgapped networks is a lot harder to do undetected than getting data in.

4. Many operators of airgapped systems need network access to do their jobs, i.e. there is likely going to be a network connected computer next to a non networked computer.

This seems like a fairly novel attack designed to retrieve data from airgapped networks. Nobody seems to argue that this can't be done in theory. Complaints seem to say this is unlikely because of the following.
A. Transmission frequencies.
B. Distance between computers.
C. Sound would likely be audible by people nearby.

Why do we continue to think of virus writers as script kiddies targeting as many computers as possible? If the target were valuable enough this might be an effective attack, you could rewrite the basic code for the type of computers you are attacking. Many comments have used the language of unlikely. I think this demonstrates the assumptions that are made, because we don't know much about the networks. I suspect that if this article were talking about how the NSA stole Iranian nuclear secrets, we would be talking about the Gee Whiz factor of the novel attack, instead of calling it unlikely.

What if I told you that you had two computers ten feet apart in a room, you needed to get data off the airgapped computer to the non airgapped computer. There was intensive virus scanning on both machines, both machines were tightly controlled, i.e. don't have many apps on them, are at least hardened by disabling unnecessary services.

How many organizations put the effort into keeping an airgapped computer on the latest patches. disabling unnecessary network services on a computer that doesn't have network cards?

This seems like a very novel attack for specific environments. this isn't a large scale type of virus attack. Seems like the sort of thing a government might keep in their bag of tricks. In fact I think it is a statement that the private security community spends so much time worried about checking off boxes for PCI and SOX, that we have lost site, of data value. Were busy patching things on computers that don't have much real data, because the threat we are worried about isn't a compromise of the most sensitive data, but increased rates on our credit card transactions.

AliceNovember 4, 2013 10:00 AM

I call shenanigans. The data rate over an airspace connection eking out the highest frequencies from a sound card (presumably to remain undetected audibly) would run you around 300 baud. High-frequency signal input in audio cards is stupidly noisy and usually physically restricted to a sane, and audible range of sensitivity.

Even if you go for DVD-quality audio (48kHz sampling rate) the highest frequency you can reproduce just from the DAC (digital to analog converter) of the sound card would be 24kHz -- and a lot of people can hear that high. Then there are the physical limitations and distortions introduced by the speakers; most speakers can't come close to producing a full-frequency square wave of any power; and hideously low sensitivity (and high noise floor) of the average cheap computer microphone.

Brandioch ConnerNovember 4, 2013 10:23 AM

@ICH

How many organizations put the effort into keeping an airgapped computer on the latest patches. disabling unnecessary network services on a computer that doesn't have network cards?
Wouldn't that depend upon why the organization in question had an airgap in the first place?

The patches may be an issue. I'd expect a LOT more testing and evaluation before deciding which patches must be deployed on an airgapped machine.

But cutting off all other means of communication (wifi, bluetooth, etc) and shutting down non-essential services should be part of basic security at that point. Along with auditing the machine(s) on a regular schedule.

Uncle_AlNovember 4, 2013 10:35 AM

Mr. Schneirer, if this is factual, computer efficiency begins at the wall socket. Hardware issues of this nature occur before software. I have experienced several similar issues since about 1986, when beginning computer repairing for real. If it was a desktop, I would suggest the individual should look at the internal power supply. In this event, since it has not been excluded by fact, I suspect something similar. The power connections for notebooks are notorious for failure because engineers do not design them, they accept what is available for a price. UNC

phred14November 4, 2013 10:42 AM

After perusing the topic, I'll have to agree that audio as a secret communications channel may be theoretically possible, but I'd guess that in practical terms it's awfully rough. To get decent modulation you're now talking not just frequency response, but phase response as well. (That's part of how you cram those 56kb over a phone line, the other part is eliminating one A/D conversion at the far (ISP) end.)

In practice, it make me think more of "Press Enter", by John Varley. (science fiction)

Brandioch ConnerNovember 4, 2013 10:51 AM

@Mario Vilas

I don't see where that claim is made... what I read was that two infected machines were connected to each other even when airgapped, while the infection occurs via a USB key.
I also had the understanding that an airgapped machine was infected via speaker/microphone.

This is the statement that suggested that:

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."
It is possible that that machine had been infected before. But that wasn't really stated.

NastyHackerNovember 4, 2013 10:56 AM

IF the audio card thing is real, then I am sure we do not witness data being transmitted over air gaps by audio but then we found the clipper chip which then is present in all audio cards thanks to some nice letters written by the FISA-NSA-FBI-CIA complex to audio card manufacturers...

Rick AuricchioNovember 4, 2013 10:58 AM

Slightly off-topic, but it just occurred to me. What if Symantec or a similar company was simply an NSA project---and not a for-profit software company?

Increasing paranoia would encourage users to freely install more and newer anti-malware software---just what the doctor ordered for the spy network.

NastyHackerNovember 4, 2013 11:01 AM

IF computers actually communicate via audio cards, then I am sure, we do not see them talking to each other by sound but then we found a wifi clipper chip which then is implanted into every audio card since the NSA-CIA-FBI-FISA crew wrote a nice letter to audio card manufacturers... Question: How many percent of audio cards are made in the USA? OK, maybe I am wrong....

David HendersonNovember 4, 2013 11:12 AM

Ham radio operators experiment with HF packet radio with (relatively) low bit rates. One way to do this is with a packet radio interface using sound by actually using radio mic to PC speaker and radio speaker to PC mic interfaces across the air gap. It doesnt work very fast or very well, but it does illustrate the principle. Once tried, people quickly learn to use a copper wire interface rather than the air gap.

It took a lot of software to enable this communications mode. Its robust enough to tolerate very noisy channels.

SparkNovember 4, 2013 11:19 AM

Extraordinary claims require extraordinary evidence. Or at least some evidence at all. In three years time, it never occurred to him to connect an oscilloscope to the PC speaker?

If this extraordinary worm got into the BIOS EEPROM, it should be fairly easy to isolate; as far as I know, most mainboards still have a separate chip for the EEPROM, although they are SMD devices now, instead of the socketed DIP devices they used many years ago. There isn't a lot of space on one of these things, and (most of) the original code should still be there.

Larger EEPROMs are more expensive than smaller ones, and manufacturers don't use devices much larger than the space they need for the code.

Mike AnthisNovember 4, 2013 11:41 AM

"Non-sequitur, your facts do not coordinate."

Yes, you can spin this fantastic story into a plausible scenario, IFF you add your own facts.

Mike the goatNovember 4, 2013 12:06 PM

Brian M: good post, agreed.. Will add a few things for everyone else....

Have been following this guy for a while (well before this story broke) and he is a pretty reliable character so I can vouch that whatever he is reporting is what he believes is occurring. The three year quote in the AT article probably relates to a claim he made on Twitter and G+ that one of the machines he had started acting weird (not booting off CD, strange pips from speaker) almost three years ago it and wasn't until the Copernicus tool came out from MITRE that he suspected foul play. By the way the BIOS dump he thought was suspicious as it was "modified" and put up for others to look at was actually clean.

As you've already noted using audio to network is possible. I spoke of "blurt" a while back, which is a bit of code someone is working on that is optimized to make low speed links between PCs using built in audio hardware.

The whole "ultrasonic" thing that has been spoken of is a bit misleading as Dragos himself reported hearing the bursts. Most likely they are spaced below 20khz to avoid being clipped by the audio hardware and are just high pitched but not necessarily "ultrasonic". There is nothing impossible about all this - look at some of the ham radio modes for inspiration.

If there is a BIOS component it is likely there for persistence (think Computrace copying itself back into the filesystem when deleted) and this communication behavior occurs in userland. USB flash drives are obviously a vector - he claims that they may somehow elevate privileges using a buffer overrun during enumeration (ie by flashing the USB flash drive controller firmware with an "evil" one). The latter has been done before by the Russians who pioneered threBay scam of reflashing thumb drives with firmware that revealed a high capacity but really dropped any data above the physical capacity into the bit bucket in the sky. Who knows what else can be done but this does sound odd...

Anyway I doubt badBIOS works in the way Dragos thinks it does however I don't doubt that he believes everything he has spoken of so far to be true and accurate. I think we need some better evidence before we go too strongly either in the affirmative or the negative. He mentioned on Twitter he is going to drop off a sample to sophos in Vancouver. Perhaps this will accelerate the process of elucidation.

His comment regarding "auctioning off" infected hardware for profit annoyed me a little but I have already mentioned my thoughts on that in another thread.

In summary: each individual claim on its own is plausible. The sum of the parts seems outlandish but nonetheless he could be right. Perhaps not 100% right but even if half of what he says is correct (let's say it is just a win32 malware that combines a bootkit with a audio data transfer stack and spreads via two vectors - an 0day in IE for the initial infection and then infects flash drives once on a machine to try and breach an airgap. By being smart in its behavior by paying attention to the local clock time (only tx after 12am) and also sampling the mic to ensure the room is dead quiet for at least an hour it could reduce the chance of detection. After negotiation the least effective amplitude would be used to remain as covert as possible. Perhaps it would be spread spectrum rather than say FSK so it sounds more like interference or white noise than data. By stealing some functionality from, say AX25 or just rolling your own you could even have a situation where a series of airgapped but infected machines in hearing distance of a peer could work together, relaying the data until it reached a connected node where it could be sent off to the C&C server.)

Thierry ZollerNovember 4, 2013 12:37 PM

"The weirdest part is how it uses ultrasonic sound to jump air gaps"
vs.
"The weirdest part is how it _supposedly_ uses ultrasonic sound to jump air gaps"

WaelNovember 4, 2013 1:47 PM

Unlikely, and I don't buy it, even though it's theoretically possible to have two or computers communicate and exchange files over this medium. Not possible to infect a computer through sound, simply because the target computer doesn't have the functionality to accept the transferred information. It's like saying a transmitter can send information to a device that doesn't have a receiver and the capability to decode the packets and install the malware in the right place. But just in case your tin hat foil is the heavy duty type, then forget "Air-gapped" and use "Vacuum-gapped" instead -- That'll stop 'em...

George William HerbertNovember 4, 2013 1:56 PM

I described an audio network as a joke in the late 80s; it was implemented shortly thereafter. It's now widely available as a hobbyist toy.

The 20 khz hardware limits are not that unusual but not a block to effective sidechannel use. Most people won't hear 18-20 khz, and those of us who do don't usually ascribe it to anything malicious. I have USB power/charger devices that humm above 15 khz when no load is applied, and many TVs, computer power supplies, ...

DilbertNovember 4, 2013 2:01 PM

For those of you that are saying HOAX, please think back... a few months or years ago the thought of the Government spying on us was just another conspiracy theory. I've known about this level of spying since the late 90s at least, but everyone told me to put on my tinfoil hat. Search the archives here for "echelon" and you'll see a report from Bruce in 1999. The current situation is just the outgrowth of that old work (IMHO).

So now we KNOW the government is actively involved in spying on us, infiltrating our systems covertly, and gathering information on "everyone". What makes you think this isn't technically feasible? Does anyone here think a "State Actor" can't marshal the resources to make this happen?

The badBIOS report may not have it all right. Maybe some of it is not correctly understood, or its misinterpreted, or it's misdirection at some level. I'm just saying, with everything we know, and everything we keep learning - this is certainly POSSIBLE.

WaelNovember 4, 2013 2:03 PM

@ George William Herbert

Most people won't hear 18-20 kHz
Dogs won't be amused. Then again, you may train some dogs to guard your air-gapped devices. One ear down, two eye brows up, and a small woof --> Malware.

SpyVsSpyVsSpyVs...November 4, 2013 2:08 PM

Nah, go with "hydrogen-gapped". The flames are a built-in early warning system.

Or "peanut butter-gapped". THAT oughta slow 'em down.

WaelNovember 4, 2013 2:20 PM

@ SpyVsSpyVsSpyVs...

"peanut butter-gapped". THAT oughta slow 'em down.
The expression goes: "Slow as molasses" and not "Slow as peanut butter" ;)

WaelNovember 4, 2013 2:26 PM

@ Dilbert

this is certainly POSSIBLE
Only if the functionality is in the stock BIOS, or the pristine OS, and that means the OS supplier and/or the BIOS developer is in on it. Otherwise, I need to see a proposed proof of concept that tells me exactly how an uninfected computer can accept the sound packets, decode them, save them, install them, and then run them. Until then, its a hoax to me.

WaelNovember 4, 2013 2:36 PM

After some more thinking...

Only if the functionality is in the stock BIOS, or the pristine OS
There maybe other ways: Sound card option ROM + Device driver that knows how to handle reception of sound packets. This means BIOS and OS subversion is not needed. Seems doable ;)

Matthew X. EconomouNovember 4, 2013 2:51 PM

I'm surprised no one's mentioned Facedancer or Travis Goodspeed's 29c3 talk yet. Dunno if badBIOS is real but I definitely think it's plausible. At the very least this is a computer ghost story worthy of the fall season!

http://travisgoodspeed.blogspot.com/2012/07/emulating-usb-devices-with-python.html

http://travisgoodspeed.blogspot.com/2012/10/emulating-usb-dfu-to-capture-firmware.html

http://www.cs.dartmouth.edu/~sergey/langsec//papers/wess2012.pdf

HMNovember 4, 2013 3:31 PM

Where are people getting the idea that Dragos is a "well respected researcher"? As far as I can tell, he's just an event organizer. Based on his G+ posts, he is also clearly out of his mind and out of his depth, technically. He says they are "learning" from him. This appears to be some mental paranoia issue he is having.

Let's just poke holes in one claim. He removed all physical network devices and was still seeing network traffic. How he sees it, he never explains. He then says he disabled the speakers/mic/whatever and suddenly packets stopped appearing.

Okay. There is a lot going on here. First up, in order for two computers to talk via audio (let's not get into the ultrasound tarpit) they both have to be infected. Next, in order to see traffic on the network there has to be a network interface that the OS can "see". Otherwise, tools like wireshark have no place to attach and watch.

Simple? Okay. Now think about that for a minute. It implies that the virus on two infected machines is communicating directly to one another. Why the hell would it need a network? The virus is already communicating to itself!!

So now you may think: well, perhaps the virus is trying to communicate to some machine across the Internet. Maybe its mothership. Or the NSA. Or aliens. That's a valid concern. But it doesn't make $#!$ing sense. The packets vanish when the speaker/mic/whatever is disabled. It doesn't add up. Not to mention the simple fact that you can tell where packets are going. They all have an IP address. "Encrypted" or not.

And how did he know things were "encrypted"? Unless you know the binary protocol, you're not going to know encrypted data from random communication. It's such a steaming load of crap. I shouldn't have to mention it.

Hopefully Dragos is no longer "respected" by the whoever that respects him. Just by the lack of sophistication he is bringing to debugging this problem, he should forever be regarded as a crackpot.

SvenNovember 4, 2013 3:48 PM

What I gather mostly from reading the comments is that it would be good for everyone to be infected, so we can all look at it ourselves.

WaelNovember 4, 2013 3:52 PM

First up, in order for two computers to talk via audio (let's not get into the ultrasound tarpit) they both have to be infected.
Or subverted. Either OS, BIOS, or device drivers and or ROM code on the sound HW. The functionality has to be in the "subverted" system before it gets "infected". No subversion implies no possibility of infection, unless he knows something and not sharing it
So now you may think: well, perhaps the virus is trying to communicate to some machine across the Internet. Maybe its mothership. Or the NSA. Or aliens. That's a valid concern. But it doesn't make $#!$ing sense.
Think of an air-gapped system in the same room as a connected computer. The mothership wants to collect information on the air-gapped computer, so it uses the non-air-gapped other one as a hub to the air-gapped one.
Just by the lack of sophistication he is bringing to debugging this problem, he should forever be regarded as a crackpot.
That is evident!

HMNovember 4, 2013 5:01 PM

@ Wael,

Think of an air-gapped system in the same room as a connected computer. The mothership wants to collect information on the air-gapped computer, so it uses the non-air-gapped other one as a hub to the air-gapped one.

I considered this. But I don't believe it's very plausible. Using inaudible frequencies to command/control a remote PC is one thing. But transmitting larger data? I don't know the potential bandwidth in whatever inaudible range a consumer laptop can do, or the infrequent "chirps" or whatever other method of hiding the signal is. But add in error correction, and I can't imagine the networked computer would get that much data in any reasonable time frame. It would be an interesting experiment though.

I'm just bewildered there is nothing more than "packets were seen." Until we see protocols, IP addresses, interfaces, how it was noticed... you know, something to go on, I just don't believe any of it. This should all be incredibly basic stuff for someone in the security industry.

glovesakeNovember 4, 2013 5:23 PM

This is obviously stupid, there's no way the government would install hardware/software malware on millions of consumer devices to get at data behind high security installations. Why that would require a mass surveillance network monitoring us 24/7, billions of dollars and a gigantic conspiracy between dozens of vendors!

CraaaaayzzzzZ! I suppose you guys think they're listening to our phonecalls and monitoring comments on this blog too.

Oh wait. They are totally doing all of that.

Brian M.November 4, 2013 5:31 PM

Here's a thought: just how malevolent is badBIOS, really? Mr. Ruiu has had this going on for three years.

La la la ... la la la la la ... la de dah ...

"Oh, like hey, do I have a rootkit running around here? Oh, yeah, it's talking to everything! Even though it's off! OK, like you know, it's talking in dog whistles and mouse squeaks!" (Is there a canuck translator, something like jive? I suppose it could be modeled on Bob and Doug McKenzie.)

I'm not making fun of Mr. Ruiu, but just questioning how dangerous this malware really is. I would have thought that if this thing were dangerous and obnoxious, then it would be doing more than imitating Flipper.

WaelNovember 4, 2013 5:35 PM

@ HM,

I'm just bewildered there is nothing more than "packets were seen." Until we see protocols, IP addresses, interfaces, how it was noticed... you know, something to go on, I just don't believe any of it. This should all be incredibly basic stuff for someone in the security industry.
Yup! I still don't buy it. But if it were doable, it would have to be something like I mentioned below. Sometimes these people just publish data and discoveries without any supporting evidence. Joanna did that previously Reminds me of a joke...
There was this scientist (choose the nationality of your choice, preferably the same nationality as the person you are talking to) who conducted an experiment on frogs. He cut one of the frog's legs and asked it to jump, It jumped. He cut the second leg, it still jumped, same for the first hand. When he cut her last hand and asked her to jump, it didn't. In his report, he wrote: After cutting the frogs last hand, it lost its sense of hearing.
So there was this guy, that cut the wires to the speakers, and... Oh, well...

glovesakeNovember 4, 2013 5:35 PM

@HM

If you have a really valuable channel or exploit to hide, then you shall obfuscate its existence using every trick in the book. You wouldn't do anything so obvious as sending information in the clear with ip addresses. Long before you're hiding the stream of data across the network or visiting any port or interface you would be using side channels to communicate on the data/power buses so it shows up as random noise. Encrypted signaling should look like random noise anyway. Observing the copper directly and expecting to extract ip addresses is not likely.

Neither I nor you have any idea whether this is factual or not. So let's hold our horses until all the facts are in.

glovesakeNovember 4, 2013 5:39 PM

I am also tired of these flippant remarks about Flipper. Dolphins have long been our allies in the war against Terra.

SparklefaceNovember 4, 2013 5:43 PM

HM makes an excellent point; if machines were somehow improbably communicating using pc speakers and microphones that were capable of writing directly to a BIOS that didn't need to be specifically coded to the chipsets and hardware onboard the motherboard (which needs to pass a read only checksum), how was he detecting 'packets' using never before seen protocols on completely novel network devices?

Furthermore, why make it obvious a compromised machine was infected? If I engineered a nearly impossible feat of computer science, I would want to covertly gather information rather than disable the CD ROM drive for no apparent reason.

As Schneier says though, it is a great story.

WaelNovember 4, 2013 5:45 PM

As Schneier says though, it is a great story.
And if you believe it, I have a Rolex to sell you :)

Aldus GustaveNovember 4, 2013 5:56 PM

Your not going to get ultrasonic, reliable (meaning low to no errors), long distance (over 6 inches), digital communication from ANY laptop sized speaker or microphone. Anybody who has worked Pro Audio and used things like ATC monitors, DPA mics, Waves software and various audio high end tools will tell you how hard, and how costly it is, to get precise, audible sound from even expensive gear. The story is complete FUD presented as a way to monitor discussion boards and comment sections to judge social awareness and future attack vectors.

Now using speakers and mics as a sensor array, to tell when someone is at the computer, tied to bad firmware and using an RFID embedded in a chip to transmit P2P encrypted info, such as system meta-data, like what files are in /home for all users, and hopping around until it finds an exit (wifi,eth0,gsm via cellphone sync) is possible. Go over to InvisibleThings blog and look at the coverage of upcoming Intel chip features as well as current features & exploits and it's pretty scary. Let alone that RFID has been readable from space from it's inception. Lots of ways to read, mask and spread data in the 2.4GHZ and 5.8GHZ spectrum. It's also the same bands for wireless energy transmission. And when you figure that a handful of companies control most all market share and production (Intel, AMD, Broadcom (evil), ATI, Nvidia, etc.) it becomes trivial. What holding companies own those companies? What banks/hedge funds give them capital? Let alone the whole Chinese subcontractor factor (Europe too).

The whole dilemma is not one of technology that has failed. There is no shortage of technology. The problem is people. Human beings have failed. Over and over again. By being "The Crowd" even as it destroys them. By accepting ideology that is infectious and corrodes the ability of one to be an individual and human. By accepting the principle " of having one half of humanity paid to kill the other half". By having zero morals. By not taking any responsibility for one's actions or lack there of. By avoiding the saddle and being led/fed like cattle.

Forget about encryption, the chips, the apps, the warez, the attack vectors, the modelling, the social "nudging", the iron fist wearing kitty mittens... It's time to stop looking at the symptoms and look at the cause. It's time to put direct blame on the people who cause problems for humanity. It's time to take direct action. Stop evading. Stop trying to get around the train. The train is you.

" The weakest link in a security environment is the human element."

Bruce ClementNovember 4, 2013 5:58 PM

@HM "First up, in order for two computers to talk via audio (let's not get into the ultrasound tarpit) they both have to be infected."

But what if they started ex-factory with the communication software pre-installed in the BIOS? The malware might only need to send a special activation code to use it.

Crazy as it seems that this would be built in at source, once it became obvious that OBL was off the radar, the thought must have occurred to someone that he may have been using airgapped computers and building a mechanism for bugging him by communicating with those computers makes sense.

<TinfoilHatMode>Recent revelations make me wonder about any equipment designed or manufactured north of the equator.</TinfoilHatMode>

GweihirNovember 4, 2013 6:11 PM

It is staggering how most of the "analyses" get fundamental, well-known stuff wrong.

For example, the last link claims that audio today has 96kHz at 24 bit. That is complete BS, unless you get some expensive audio card. Standard PC audio has 16 bit at 48kHz max, which, by Nyquist, readily explains why he could not drive his experimental transmission above 24kHz. He then claims that "vendors lie about sampling rates". No, they do not, but he cannot read! (Or rather he could not be bothered to look up this fundamental part to the puzzle and just confidentially stated his misconception as true and accused vendors of lying without even checking what they say.) Many of the other "analyses" floating around have a similar level of incompetence displayed in them.

I have seen a few statements by people that actually have signal transmission experience, and they say that due to the very low bandwidth available, low sampling rate and very bad transmission and reception equipment, this will not work in most environments, and where it works, it will have extremely low transmission rates. This also fails if people use headphones, which is the standard in crowded offices.

My take is that this audio stuff is nonsense. Sure, it could be made to work with good equipment, but that is just not in place. If also does not fit the non-stealth level of sending IPv6 packets or preventing CD-booting. The cross-platform capabilities are also not credible. And the complete lack of posted evidence (recording the audio signal, for example, would be trivial as other PCs must be able to receive it for it to be any good, and attaching a cheap digital oscilloscope or other soundcard to the speakers is also easy) is telling.

Extraordinary claims require extraordinary proof. Here, we have no proof at all, even if proof would be easy to provide, i.e. BIOS dump, audio-recording, the malware itself. This makes it much more likely that there is no proof because this whole thing is a fabrication.

I think this guy has gone of the deep end, no matter how long he was a well respected member of the community. Psychological problems, drug use, a sudden perception he does not get enough attention, etc. all possible explanations.

What I find truly astonishing though, is that this gets repeated anywhere with zero proof despite the extraordinary claims. I think this thing illustrates very well how gullible people are.

BryanNovember 4, 2013 6:29 PM

Is it easier to verify raspberry pi's embedded code than a desktop's BIOS?
JTAG port. You could make a microprocessor that can read and write JTAG commands and have it verify the BIOS against a copy stored in it's memory. Give it a power connector, 2 JTAG Connectors to connect to P2 and P3 so it can verify both the Broadcom SoC chip's and the LAN9512 LAN/USB-HUB chip's programming. Both headers are next to each other. Give it an 8x8 LED array for output. Have it display a verification code hash on the display. For the JTAG ports and LED display, choose IO pins to use on your microcontroller that aren't used for programming it's memory. Pot the whole microcontroller circuit in a potting compound so it can't be accessed. Wrap it up with your verification tape.
What if IvoryTower is pwned before you buy it and produces weak PGP keys?
Always use random numbers generated on dice or with something like LavaRand. Always use your own code and executables for generating the keys. Possibly generate the software beforehand on a different system, burn it to the CDROM, and then hand verify it. For random numbers. Generate a set and burn them to CDROM. You could then use the same random numbers on two different architecture systems to make keys and see if they match.
My biggest nagging problems with this guy's research:

He sat on this for 3years. No word if he has tried custom FOSS BIOS. Unclear if this affects multiple hardware models because zero details.


Please note the time frames when he had breakthroughs. This was an ongoing infection that they didn't know was there, then didn't understand how it was working for ages, then some breakthroughs happened recently.

Hugo BotasNovember 4, 2013 6:31 PM

are a microphone and a speaker the same things? i mean, same connection, both operations?

GweihirNovember 4, 2013 6:33 PM

@Spark: Yes, getting an EEPROM image is pretty easy. I recently needed to duplicate a MAC address and because I felt like doing a bit of electronics work, I removed the EEPROM from an Intel network card, read it, reprogrammed it with modifications, and put it in again (with a socket added in between). This EEPROM is a 4MBit SPI EEPROM also used by many BIOSes, really cheap and really easy to read. The whole thing took me less than a weekend, with the only special equipment a $30 bus pirate, and some python scripts I wrote around its binary interface.

So, no, getting an authentic BIOS image is really not hard at all and even easier if you are not trying to put the chip back in undamaged.

Dirk PraetNovember 4, 2013 6:33 PM

Although it sounds theoretically and practically feasible, I doesn't look like a very efficient method to me. If I were a resourceful spying agency interested in bridging the air gap, I'd probably look into covert powerline communications instead of messing about with sound.

GweihirNovember 4, 2013 6:39 PM

@Hugo Botas: In principle, that would be doable. An ordinary speaker is also a microphone and some microphones could be used as speaker. But the optimal shapes and sizes are very different and separating the two signals would be prohibitively expensive. So, no, microphone and speaker are usually separate and they use separate connections and interfaces. (In really old phones, mic and speaker use the same line, with the effect that you have to speak loud and get a not very loud signal in the ear-piece. And you get to hear yourself.)

0xdeadbeefNovember 4, 2013 6:42 PM

People, it's not audio, it's RF. Audio equipment - both microphones and speakers - cuts off around the top of the human hearing range. This leaves precious little bandwidth to work with "inaudibly" (as someone estimated above, maybe 300 bps) - and unreliable at that. It would be easily detectable with any kind of ultrasonic equipment. And although the ultrasonic sounds themselves are not audible, the frequency response of the speakers being operated out-of-band means that there will be very audible clicks whenever the ultrasonic signaling is turned on or off.

Anyone who's watched the movie Heat may remember this beautiful little exchange between Neil and Kelso:

YT clip where Kelso explains to Neil how he obtained sensitive blueprints of a bank

The US/UK intelligence establishment is all about RF, and always has been. Steve Blank explains it all in his lecture titled "The Secret History of Silicon Valley". Look it up, it's available online for free.

FigureitoutNovember 4, 2013 6:50 PM

What I find truly astonishing though, is that this gets repeated anywhere with zero proof despite the extraordinary claims. I think this thing illustrates very well how gullible people are.
Gweihir
--What I find truly astonishing is no one out of all the comp. scientists/engineers can definitively put it to rest. What does that say about us as engineers? The programmers don't know radio and the RF guys can't program. There's always the "possibility". For instance, just today I almost said something (and laughed) but I didn't...I heard someone's laptop w/ a high pitch sound putting out what almost sounded like morse code.

If anything, this is a glaring sign of too much complexity.

WaelNovember 4, 2013 7:04 PM

If you get two speakers and connect them with a 25 meter wire you'll be able to hold a conversation with another person at the other end. You'll have to put the speaker on your ear to hear, though. I used to play with that when I was a kid. I sat in one room, and the other person sat in a different room with both doors shut.

GweihirNovember 4, 2013 7:18 PM

@Figureitout: There are enough hoaxes and successful fraudsters out there that can convince the public and even the lesser capable members of the scientific and engineering community. Occasionally some of the more capable members fall for it too. The problem is that too many people "want to believe". The great James Randi, for example, has written a lot on how "psychics" fool scientists successfully, time and again.

So,

extraordinary claim, zero evidence => fraud

by Occam's razor. The "extraordinary" is really not needed in this implication, however it is clearly true, so actually extraordinary evidence is required. Instead we have none at all.

BTW, the "morse like sound" you heard is likely a high-pitch modulated by CPU power consumption, likely from some mechanically not quite stable components in the power circuit. (The switching frequencies are supposed to be too high to hear, but on low loads these regulators can go into a "hiccup mode" where they skip cycles. This can be audible. Just last week had an USB PSU here that was audible because of this problem.) The brain then tries to find structure and ends up with "morse-like".

BryanNovember 4, 2013 7:27 PM

" The weakest link in a security environment is the human element."
Yep, and considering how infallible we are, we need hardened technology to help protect us.

@Brandioch Conner

I also had the understanding that an airgapped machine was infected via speaker/microphone.
{snip}

I took that paragraph to mean the air-gapped computer wasn't fully cleaned of infection. There is possibly more FLASH code on a system than just the BIOS. USB controllers can have their own internal CPUs with their own flash code. They could have a small tailored reinfection kit stowed on it. Same goes for the sound subsystem. Often there is a DSP in it for handling sound processing. I also remember some Intel IO controller chips having CPUs in them. I'd bet some still do. They too could have code. One or more could be using 0 day's on the BIOS code that interacts with them. Then there are the BIOS blobs for various peripherals. Any of them could be changed to host the re-attack code, and store other blobs of code. Yes, it takes allot of planning to make a persistent infection like this, but it is doable. All the code that stays behind needs to do is call out on the audio net link for modules to reinfect the system and the code that inserts the persistent kit can be large as it doesn't need to persist. In fact it is best if it never gets written to disk. Only have it stick around for the initial infection, then it gets wiped so it doesn't get discovered. Also any near by nodes could provide the modules for reinfection. That may be what that store of odd image files are part of. They could also be stored in the spare blocks on USB FLASH drives. They have more memory blocks than needed to allow for fab mistakes and bit wear. Modern hard disks also have spare blocks that can be mapped in place of bad ones. That's another great spot to hide code that can't be scanned by normal means.

To all the doubters, one thing I've found out over the years is if I have the will to do something. I just have to stay motivated and focused on the task and I'll learn enough and come up with a solution sooner or later. Have a 100 people doing that and the possible solutions will come allot faster. Personally I look at each of the described possible functions of this persistent infection plus air-gap spanning malware and see a few possible solutions to each of them in just the knowledge I already have. Yeah, I may not have the details, but once a possible solution is seen, then it is only a matter of reading up on how others solved it and figuring out the specific implementation details. Yeah, so the air-gap bridge is only capable of 150bps. That's a good megabyte+ a day which is enough to send all keyboard and mouse data plus allot more. Over a few days it would have plenty of time to send lots of compressed source files and directory listings for a project. Now, mind you I'd bet the data rate is at least in the kbs. The code needed is in every modern high speed modem, just change the frequencies used. For transferring the files, use a simplified xmodem protocol. That will get rid of the packet overhead of TCP/IP. BTW: modern CPUs are now fast enough to run the modem sound processing code. Also, computers are infinitely patient. They can spend all month sending data if they need to. Remember, any data they get out is more than they had before.

Mike the goatNovember 4, 2013 8:49 PM

Dirk: I agree. It also seems a lot of work just for the vague hope that someone is going to have an airgapped machine /with connected mic and speaker/ next to, say someone's laptop, not to mention the precondition that both machines would need to be infected via the USB vector anyway and you'd probably have more success if you wanted to exfiltrate data and had found some 0day in Windows (let's say Windows, the multiplatform BIOS thing sound improbable) that could cause execution in much the same fashion as autorun (which should not be disabled by default. Bye such a 0day isn't totally unexpected, let's say in the chkdsk code. Make the fs unclean and va-voom) then I expect that you would just use the USB thumb drive itself as your side channel. Eventually that thumb drive will get inserted into an internet connected machine where your intelligence can get uploaded, no hassle at all.

That said re Ruiu - I think either he has found something he is unable to explain and has perhaps jumped to a few conclusions or he has truly gone nuts. I sincerely hope for his own sake that it is at least partially validated as something like this would end a career.

NickNovember 4, 2013 9:07 PM

So far, it seems that those who are calling bullshit have either misread or not read what is actually being claimed. And are ignorant of others who are now corroborating what he's seeing.

It seems it has been demonstrated by many people that communicating at around 20KHz is possible using laptop speakers and mics, so there's nothing fantastical about that side of it.

It has not been claimed that it infects via high-frequency sound, so there's nothing to debunk there.

He hasn't been sitting on it for 3 years - it's only around a month ago that he's begun to work out that there really is something going on. Others have stated that they have had similar issues for around the same time.

Oh, and I'd guess that there are some highly motivated people out there who'd like you all to believe that it's just a hoax or a figment of someone's imagination. So unless you want to tar yourself with that brush, sit down, think, read, understand, and prepare a real argument, based on facts. *Before* you start making handwavy claims that it's all BS.

WaelNovember 4, 2013 9:27 PM

@ Nick,

It seems it has been demonstrated by many people that communicating at around 20KHz is possible using laptop speakers and mics, so there's nothing fantastical about that side of it.

You can communicate at 0.5 Hz. The question is how can a non infected computer accept the transmission? That question needs to be answered.

Mike the goatNovember 4, 2013 9:34 PM

Nick: I think it is certainly possible and have spoken about this culture of "it can't be, it must be a hoax" in the netsec community on my blog last week. It seems that whenever someone comes up with something a bit unusual they are derided.

Sure, it's an unlikely story... But again I don't believe someone would risk their cred and potentially future employment prospects by making a bogus claim. I have no reason to doubt that Mr Ruiu has been honest and has called things the way he sees them.

There have been numerous proof of concepts that show that near inaudible (18khz+) data communications using commodity sound card and laptop mike and (ceramic) speaker. If you look at "blurt" you'll see that with a small modification you could make such an implementation in minutes. I said on the other thread that if I were to do such a thing I would burst to minimize detection and linked to an example of a 2.4kbps burst TX (an ACARS transmission) to show just how much data could be encoded in a short period of time even with a relatively slow rate.

With some negotiation code to adjust the maximum kHz (as it will be speaker and sound card dependent as to just how high you could go) and amplitude (you don't want to be unnecessarily noisy if the target device is only a foot away) you could have something workable. If you did something spread spectrum you'd have something reasonably high bandwidth - perhaps up to 14kbps but at the risk of losing stealthiness. That said you could make such a transmission sound like interference.

So I absolutely think the crux of his claim - that communications via audio is a way to breach an air gap - is coherent.

I am holding out my judgement until we see a full analysis.

Mike the goatNovember 4, 2013 9:46 PM

Wael: I don't think the guy has claimed that infection can occur via audio, only that two already infected machines can communicate via audio in the absence of a traditional network.

Clive RobinsonNovember 4, 2013 9:51 PM

@ Hugo Botas,

    Are a microphone and a speaker the same things?

They are both transducers that convert one type of energy into another.

As a general rule there are two types of transducers the first are bi-directional. That is they are like a DC motor which turns electrical energy into mechanical movment, but it also acts at the same time as a generator producing a back EMF (which generaly prevents the DC motor destroying it's self or the power supply).

Many speakers are "moving coil" as are quite a few microphones. Basicaly sound is detected/produced by a diaphram which is mechanicaly connected to a coil of wire mounted in the gap between two poles of a magnet. If the coil is moved it creates an AC current, if a current is applied to the coil it moves in sympathy. In this respect it is similar to a DC motor/generator.

The second type of transducers are uni-directional, this is often because they are not "generators" but "modulators" and don't directly produce energy out, they simply change some charecteristic --like resistance-- that modulates a supplied energy source.

An example of this was the old "carbon grannual" microphone, the movment of the diaphram with sound caused the granuals to be pushed together more/less tightly causing a consiquent decreas/increase in the resistance of the grannual container. This change in resistance would cause the current flowing through it from a high impedence source to be modulated which could be seen in the change of voltage across the microphones contacts.

George William HerbertNovember 4, 2013 10:02 PM

The question of the day -

Regardless of this specific claim, this method has been available for exfil for some time. And this method of infection.

Blocking the exfil is easy - deaf/mute computers.

How does one bring data into an airgap system without excess risk of compromise?

USB is not safe.

CD-ROM / DVD-ROM may be, but I am not convinced.

Printer + OCR? Fine for an encrypted email, less so for any software.

Suggestions?

WaelNovember 4, 2013 10:24 PM

@ Mike the goat
I think he claimed that at more than place. He said machines that were wiped clean and flashed got infected within hours. He also implies that machines that started at t=0 being air gaped got infected.

David Dyer-BennetNovember 4, 2013 10:41 PM

Sd memory cards have a "write lock" physical switch on them. Does anybody know "for sure" if that switch really physically prevents writes? Or if it just presents a bit that device drivers conventionally check before writing?

There are "USB drives" that actually are just an adapter that takes SD memory cards; if the write lock switch is a reliable physical block to writing, this provides an obvious way to make read-only USB drives (in fact, easily switched), which makes keeping an air-gapped system clean somewhat easier.

Zachary SmithNovember 4, 2013 10:48 PM

This is a fascinating discussion, though I'll freely admit most of it is over my head. That said, during a quick examination of the posts I found no mention of information transmission through the power line. This is old technology - for a time there was consideration of connecting to the internet via the electric lines. Could this be another arrow in Big Security's quiver? If I were in charge it darned well would be!

Specs for the computer parts are written by somebody. Trivial modifications could introduce entire new capabilities to the machines those parts will get installed into. Domestic spy agencies, foreign spy agencies, and nosy Big Business - any or all of them might be doing this. And the EM spectrum is very wide. Innocent-looking emanations could communicate with other devices in the area, ones which ARE connected to the internet without any security concerns.

http://abcnews.go.com/Business/household-products-spying/story?id=19974898

The badbios story speaks of high frequencies. Is anybody looking at the low ones? Elephants use the low range for long-distance communications.

IMO a secure machine couldn't be trusted with a RW optical drive, no more than it could be connected to an ink-jet printer. The idea of antique machines is a good one; my problem is that I don't own any. Given the recent disclosures, the old boat anchors are probably going to get mighty pricy.

AnonymouseNovember 4, 2013 11:57 PM

Discussion of badBIOS equates to propagation of this "malware". Consider yourselves infected.

FigureitoutNovember 5, 2013 12:08 AM

Gweihir
--Yeah, no need to look further than the lies being pushed on us by the intel community; leading this country to a bankrupt police state. And I wasn't saying the supposed like 15wpm morse (think I caught a 'b' but was trying to do something else too) was anything, shit I heard a car horn beep out morse once, I hear it everywhere lol; but all one can say is it's "likely this or that", not it WAS this or that definitively. Having zero doubt to the cause on something as complex as a modern motherboard is a lot of work. The most irritating instance of this to me is the hidden memory on chips today, are you kidding me? Why is this even a problem still? There's too much doubt, I just really need some baseline level of pure trust.

Not like this problem is going to go away anytime soon, and it's just very frustrating to me.

Mike the goatNovember 5, 2013 1:12 AM

Wael: he has issued numerous clarifications on twitter yet people keep suggesting that he is adamant that audio is an infection vector rather than a comms post-infection. E.g. here.

others: I am not saying whether he is right or wrong. I too have my doubts but believe we should hold out judgement until all evidence is in.

George: I use RS232 with a custom made "data diode/analyzer" that I brewed up with an 8bit microcontroller with two UARTs. It strips everything except printable ASCII. If I must transfer high bit I uuencode on one side but most of the time I am just bringing ASCII armored pgp backwards and forwards. Not foolproof but at least I can control data direction and have some idea what is traversing the link in near real time.

BryanNovember 5, 2013 1:33 AM

For communication over a power line you need a hardware interface that just isn't there on most computers. On the other hand most computers have a microphone and speakers. To move the data, you have to use what you got. Otherwise you need to risk getting caught installing the power line communication hardware. There are other issues with power line communications like the two computers being on different legs of the supply. That can happen within the same room.

The idea of antique machines is a good one; my problem is that I don't own any. Given the recent disclosures, the old boat anchors are probably going to get mighty pricy.
Good thing I still have my old Compaq lugable portable. LOL I wonder if I can find a copy of Minux to put on it? I wonder how long it would take to check an 8k bit signature? :O

VanceNovember 5, 2013 1:52 AM

Hmm, other than Anonymouse above, everyone seems to be looking at the technological aspect of the story. Perhaps instead, it is psychological. Think of the various reactions we've seen.

  • OMG, this is the apocalypse! It infects machines by sound!
  • You idiot, it doesn't infect by sound, but OMG it's a serious threat!
  • While on the whole this sounds implausible, many of the techniques are possible. Further details are needed.
  • This is utter crap, based on [some half-remembered statement about sampling theory or unsupported assertion about hardware limitations].
  • These claims are extraordinary, and here is my 1,500 word analysis of the technical details.

Wouldn't there be value in seeing which way people respond to the story, and how those people are associated with one another? We have the credulous, the knee-jerk skeptics, the over-analyzers. Does membership in these categories depend on Ruiu being the source? How do things change if additional details drip out? This need not even be some Machiavellian government psyops mission; it's well within the range of amateur trolling.

WaelNovember 5, 2013 2:07 AM

@ Mike the goat
Link still doesn't answer my question. It also implies the following: what good is it to air gap an already infected computer? His Twitter statements negate what the article Bruce posted... To me, it's not science fiction. Just an incomplete unsubstantiated claim.

VinzentNovember 5, 2013 2:52 AM

@Alice:

Even if you go for DVD-quality audio (48kHz sampling rate) the highest frequency you can reproduce just from the DAC (digital to analog converter) of the sound card would be 24kHz -- and a lot of people can hear that high.

No, they can't, not even a few. (A lot of people's cats can, though.)

First: Even the 20 kHz is a bit of a stretch and only applies to young, undamaged human ears under perfect laboratory conditions (so the 22 kHz a CD could theoretically deliver is already quite a safety-margin even for the occasional genetic freak).

Second: The drop-off for the hearing curve in the upper frequency range is quite sharp, so even for one being able to hear the 20 kHz sound this also requires a sound intensity very close to the threshold of pain. (Most speakers installed in any home or office couldn't even deliver that).

So, to conclude: Actually hearing 24 kHz would quite literally blow your ears. (It also would amount to the same claim as "a lot of people can see ultra-violet light". With comparable consequences.)

The only reason why 48 kHz is used in DVDs is that it makes (analog) filtering of aliasing effects easier (read: cheaper) than the 44.1 kHz used by CD-Audio.

Bastian AngersteinNovember 5, 2013 3:01 AM

Years (80s) ago accustic transmition of data was a common standard techique. But this needed calibrated devices and bandwidth was even with this devices rather small. Yes, it is possible.

Wim LNovember 5, 2013 3:03 AM

DDB: I don't think the switch on a SD card is a true hardware write protect; it just touches a switch in the socket that hopefully tells the host not to write. I've accidentally written to "write-protected" SD cards while working on bootloaders and embedded systems (they were all µSD cards in SD adapters, but I don't think that makes a difference).

christoNovember 5, 2013 3:16 AM

If the receiving computer is expecting to decode sound signals into a meaningful instruction, it would have to know beforehand how to handle those instructions. Think about it. Without some protocol which describes what the sound profiles mean, this line of communication is dead. Further, without a process running on the recipient machine which can take the ADC signal and compile that into a meaningful instruction set which could be inserted into the stack of the host system BIOS, kernel, or user-space executable, again the vector is dead. As such, the recipient laptop would have to be pre-infected.

Let's all get back to work now, yeah?

christo

Christian KochNovember 5, 2013 3:22 AM

Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection.

This makes absolutely no sense. Batteries use electricity, too!

ISCNovember 5, 2013 3:37 AM

@George William Herbert: "How does one bring data into an airgap system without excess risk of compromise?"

Floppy discs ? No processor inside. USB floppy drive were common not so long ago.

For additionnal security, you might want to dedicate an air-gapped computer to copy floppies, to prevent a bit off-track transmissions.

Mike the goatNovember 5, 2013 3:43 AM

Wael: I agree. As I stated before - if you know that an evil USB stick is going to be plugged into both safe and air gapped machines and you have a novel way of ensuring the code gets executed on insertion it would be a lot easier to just use the USB device itself to exfiltrate the data from the airgapped machine. After all we assume they are targeting some specific info.

So yes, we are in agreement that it is an unlikely story. I too want to see some hard evidence before I call it confirmed. You would hope that the guy would have got his ducks in a row prior to making these claims - I believe that this is the same malware that he referred to as "BIOS SDR" in his g+ post of about a month ago. If so it seems he changed the story from "software defined radio" (RF) to upper band audible (18-20khz) in between.

Yes, it seems fishy... I won't write it off, however until I have seen some independent analysis. There is no reason why one couldn't make a purely win32 malware (spread by conventional methods) that used audio to communicate - perhaps there is little point but I have seen a working PoC posted so we know it works (hell, most hams that experiment with packet radio will tell you it would work) and using a patched BIOS to achieve persistence ala Computrace pr the Award only "mebromi" has been done before.

So my analysis at this point is that we need more data. That what he claims is unlikely but theoretically possible. It seems there would be a much easier means to an end than using audio to transmit data.

name.withheld.for.obvious.reasonsNovember 5, 2013 3:50 AM

A design that make sense to me would include a multi-phase initialization sequence initiated a boot looking for a response to a simple audio beacon. Once proximity has been established a hook is installed at the ACPI layer. After bringing up the kernel, call into the hook and broadcast/beacon an all ready message. As a client the newly "hooked" system is loaded with additional OS level features. One would probably be an audio version of a software defined radio (mod'd for use in the LF range). With a SDR, once clients or peers could form a robust mesh. I'm sure someone already mentioned this but the number of threads got a bit large for a catch-up read. My apologizes. Now, how about a parasitic response client. Something that might ring the crap of of an infested host--just for fun.

Alain from SwitzerlandNovember 5, 2013 4:31 AM

"Although it sounds theoretically and practically feasible, I doesn't look like a very efficient method to me. If I were a resourceful spying agency interested in bridging the air gap, I'd probably look into covert powerline communications instead of messing about with sound."

I see your point, especially in the context of the "badBIOS" story, but generally my impression is the following:

From all the facts and programs that have been revealed about the NSA this year, it seems reasonable to assume that the NSA (and others) are exploring and trying to exploit ALL possible channels that could bridge an air gap, just like they are also otherwise looking for all ways to get information. For example, I could well imagine that someone uses a notebook computer with wireless/bluetooth hardware removed and battery operated only, but forgets about microphones and speakers or any other hardware that might produce or detect sound. Malware that is transported via USB sticks or so to the air gapped notebook could then make use of that to communicate back across the air gap. I guess in some cases, like a "high-profile" target in a country where you cannot get physically close, a slow connection via sound might be better than no connection at all. Having a few people explore the possibility would only consume a very small fraction of a budget that is at least 10 Billion $.

Moreover, I would expect the air gap now to become relatively fashionable among journalists, activists and maybe even artists to protect their original work, as well as of course also among criminals and so on. Air gaps got quite some media attention since the people who published the NSA revelations had been using them, not quite mainstream attention, but still...

About specifically the "badBIOS" I don't know, will be interesting to hear what (if anything) remains in the end. If a lot of it was true, though, its robustness would maybe remind me most of a "Kalashnikov" of Malware ;) ?

Clive RobinsonNovember 5, 2013 5:13 AM

@ Mike the Goat,

With regards "ducks in a row" I don't think he's investigated that far yet, and that it's still an ongoing investigation.

Take for instancs the SDR claim and what's involved with SDR. If you are looking at a sampaling system from the software side not the transmission side then you would actually see very much the same activity with SDR that does baseband (zero IF) convertion that you would with an audio signal. What differentiates them is the zero offset RF oscillator and upconverter on the output of the sound card.

Now one thing I do know having seen/heard it is those fast rising edges out of a sampling system are rich in harmonics and any nonlinear component will act as a "mixer" and you will on a spectrum analyser see lots of spurs on a Sin X over X pattern centered on multiples of the sampling frequency. If your spectrum analyser has the appropriate detector circuitry you will hear the generated audio on those spurs.

So if the EMC filter components are not there you will see RF energy at the output, modulated with audio. Now seeing that could lead you investigation down a blind ally for a period of time.

What makes it worse is that these days due to cost sensitive nature of PC and importantly Laptop production all manner of methods are tried to minimise or remove the expensive and often bulky EMC filter components.

One method that has been used for years is to add jitter to the system clock --which is a DSSS technique used as "whitening"-- such that all spurs get spread across the RF spectrum. That way the laptop will just get inside the EMC Masks so EMC components are not required...

Now the thing is many people beleive that this jitter causes their systems to be unreliable so they turn it off in the BIOS... So much so that some manufacturers started turning it off by default prior to shipping...

So I can see a fairly clear route by which somebody investigating this suspected malware could go down a blind ally quite easily.

Now there is another issue and that's journalists and their low reputation for checking facts and or hype and pushing their own "make it sexy" line. If you have a hunt on the internet you will see that atleast one journalist gets singled out for comments about this sort of behaviour.

Now the issue is Ruiu is activly investigating so you would expect to see him to dropped into and pulled out of blind allys, in almost the same way police investigators do with suspects in serious organisd crime. The difference is that he is blogging about his investigation as it unfolds, the Police however have been repeatedly bitten by journalists in the past and thus are naturaly weary of what they say to them.

So if a journalist conntacted Ruiu and Ruiu did not clearly state the terms of refrence for the "chat" then it leaves it open for the journalist to do what they will and some will push it to far and not go back and check the details with the source. Now ask yourself honestly if a journalist contacted you over your blog entries would you know to set the terms of refrence and how not to leave the journalist wriggle room?

Mike the goatNovember 5, 2013 6:24 AM

Nwfor: yeah, I postulated on the idea of borrowing some concepts from AX25 and modern mesh networking to form a kind of mesh. You could even do something a lot simpler. Using the system clock to pick a time where nobody is likely to be around all hosts pick a random time to send their station ID burst. Every five minutes the process is repeated (in case of collisons) all hosts are elucidated or the hour has been used up. If the ARP like broadcast burst include not only a station ID but whether it has a route out to the Internet and also the station ID of peers it can also hear (along with quality or SNR estimates) then a mesh can be created with peers choosing the most convenient path to an internet connected node.

Clive: yes, that's what I was thinking. It is clear from his twitter feed that he is hypothesizing about how this malware is functioning and hasn't clearly elucidated exactly how it works. I don't believe he is being deliberately deceptive as some on other forums have suggested (with someone saying he has a shill for MITRE to promote their Copernicus tool)

WinterNovember 5, 2013 6:53 AM

@Clive
"So if the EMC filter components are not there you will see RF energy at the output, modulated with audio. Now seeing that could lead you investigation down a blind ally for a period of time."

Exactly. What ticks me off most about this badBIOS story is the idea that this thing can infect all OS platforms and all hardware equally well. Such a system would be extremely convoluted and brittle (bug-free code, anyone?).

Technically, all steps are physically possible. We can imagine a small payload that infects some persistent memory in most hardware, say the BIOS, and then downloads the necessary specific software for infection.

But such a thing would be extremely complex, with versions for all combinations of hardware and software releases. And then it communicates with a nearby co-infected computer over (ultrasonic) audio.

Targeted to a few specific computers in a specific locality, I can see that. Stuxnet was targeted at a specific site, a unique plant even. Just thrown out into the wild it would be extremely brittle I think.

What it looks to me is that he is trying out all physically possible scenarios. In the end, he just might have a mole in his organization that is spying on him. And he is looking at the wrong places.

Mike the goatNovember 5, 2013 7:06 AM

Winter: yes, if this was win32 malware that used audio to communicate and inserted itself into Phoenix BIOS's as an ISA component to ensure persistence then it would be more believable than something that supposedly works on all OS's and can infect magically just by a USB flash drive (not even mounting it, he claimed). None of the individual claims are outrageous by themselves nor are they technically impossible.

I don't think he is being deliberately deceptive. More likely he has come across something he is having a difficulty understanding and has made the judgement error of publishing a running commentary on Twitter.

I hope that he is right (or close to "right") as given the amount of attention and beat up this has been given by the tech media, if it turns out to be uh, nothing (or misinterpreted wildly) then it may adversely affect his credibility and potentially future employment prospects. But I am sure he knows that and didn't intend for this to erupt into a storm. Note I found it funny that it took almost a month before the tech media picked up on his claims. Talk about lag!

joniNovember 5, 2013 7:29 AM

I'm a little late here and I haven't read all of the posts above so sorry if I'm repeating, but the bit where he observed network packets is just nonsensical. How did he observe them and why would the rootkit make them observable? I would say that this is his "wink wink" to anyone who isn't clueless.

A surprising number of people are taking the story seriously, but it's the internet age so maybe they didn't even read past the first paragraph.

DilbertNovember 5, 2013 7:46 AM

It seems that numerous people are just browsing highlights without looking at specific details of the claims.

1) There's no claim that the machines have been infected via mic/speaker/audio. Rather, it seems that there's a persistent BIOS infection that later leads to further malware being emplaced on the affected system.

2) The guy hasn't been working on this for 3 yrs. There's been on/off problems that he's finally correlating into a long-term pattern of infection and now he's trying to determine the attack vectors and components.

It MAY be that there's a persistent BIOS infection, but that doesn't mean the WHOLE package is sitting in the BIOS. This may just be the initial vector. Once a system is compromised it can then download further payloads to enhance functionality or capabilities.

It's been proven that audio communications is possible, so why is everyone getting hung up on this issue?

He's "seeing packets" that he believes are being communicated over audio channels. If that's the case, then the malware must implement a pseudo network interface to channel these communicators over audio ports. Again, this has all been done therefore it's POSSIBLE. Until we see the actual data, binaries, network captures, etc... we won't be able to verify the conclusions.

Are any of you volunteering to assist? Or are you just sitting here throwing rocks over TCP/IP??? I'd love to get in on this, but I lack the technical chops to be of much value.

Mike the goatNovember 5, 2013 9:07 AM

Dilbert: I would love to assist and have already offered to analyze an infected thumb drive or even better an actual infected PC. As you know I am one of the few that hasn't immediately thrown out the possibility that this is legitimate. As I have said time and time again from a social perspective then it would be pretty stupid to come out with such claims only to be found incorrect so I agree that he is personally convinced of the fact that it exists and its capabilities are as he has postulated.

There is nothing impossible about using the audio hardware to transmit data. To all the nay sayers download "blurt" and try it out for yourself with two laptops perhaps five feet from each other. This is a very simplistic proof of concept but it shows that it can be done. I'd suggest that by choosing your spectrum carefully, timing the time of day you choose to "talk" and by using the lowest possible amplitude to get the job done you could probably make it quite inconspicuous. You could even monitor how "noisy" the environment is and use this as a variable to determine whether it is safe to transmit or not. Given it is likely running as a win32 service (let's assume the BIOS component is just for persistence and just injects a dropper into a file executed when windows starts up and the core of the thing runs like typical win32 malware) it could potentially use the time since last keypress or mouse pointer movement as some indication as to how idle the computer is. I am going to make a joke and suggest it could use echolocation to see if anyone is standing between it and the other infected host (okay, crap joke).

Joni: it is our duty as security professionals to take every threat seriously, no matter how unlikely it sounds until it is proven not to be a threat.

At a minimum Ruiu's purportedly infected PCs should be taken for analysis by someone equipped to do a thorough job. This means spectrum analyzers (for the audio component), USB interface debugging equipment, etc. No doubt this will happen soon enough and we can have a conclusion to this tale.

Yes, I am sitting on the fence on this one. I have been in the industry long enough to see "impossible" threats that everyone said were purely theoretical or just a PoC become very real. Ruiu might only be half right. He might be dead wrong. I don't know and neither can anyone else until we get a full analysis, with said exploit code dumped from the "evil" USB device. Sounds outlandish, I agree... A lot of variables here and it seems unlikely you could make something that infects the BIOS portable enough o spread well. That said even if you targeted Phoenix you'd get a good percentage of PCs. The BIOS bit might be incidental. An extra feature but otherwise unnecessary. If the malware exists I expect it does its audio comms in Win32 land.


BryanNovember 5, 2013 9:40 AM

@Mike the goat

Wael: I don't think the guy has claimed that infection can occur via audio, only that two already infected machines can communicate via audio in the absence of a traditional network.

I also see implied in Ruiu's statements that badBIOS can reassemble it's self after system wipe plus BIOS rewrite and use audio based data transmission during that phase. It sounded to me like the wiped system described didn't have any other code sources than what was already on it, the OS install disk, and over audio. They wiped it clean to a level they thought was clean, but enough bits were still there. Those bits were enough to initiate a rebuild of the full exploit kit, and they saw that kit in action as they worked on it. I'd really love to have a proper image of all the system's FLASH and EEPROM memories.

@George William Herbert, safe data transmission.
I'd use serial, and heavily audit the code used for the file transfer. The device that strips the 8th bit sounds interesting, but could also be mostly done by setting both serial ports to only transmit 7 bit characters. Knowing only 7 bit printable characters get though is way to easy to get around, but it does make sending over a buffer overflow much harder, but maybe not impossible. The Raspberry PI has a serial port on the P1 connector, and some of the handshake lines are on the P5 connector. It will need level translation hardware as the port pins are only 0 to 3.3V, but that is a simple chip, or could even be made using transistors and resistors. USB to serial port chips could also be used if serial ports are lacking on the system, but they may have a hidden microcontroller in them.

@DDB
The write lock switches only work on some SD cards. From years ago I do remember some ads saying their write switch was truly effective. Those ads made me not trust the switches at all. A bigger issue is the on board controller and the unused replacement FLASH blocks. My guess is the controller code could be changed on most SD cards, and the replacement FLASH blocks used for storage of exploit code or side channel data. So, even if you used 100% of the physical space on the card, data could still be transferred in the bits that aren't normally accessible.

Mike the goatNovember 5, 2013 10:17 AM

Bryan: if you are interested I made my device using an ATMega164P and two MAX232 level converter ICs. The code is pretty simple. On boot it checks two GPIO pins that determine how it functions - depending on how they are set it will either allow full duplex comms, allow unidirectional u1>u2, allow unidirectional allow u1

Unfortunately it is limited to 9600bps but is perfect for my use (moving text and code backwards and forwards to sign/crypt). If I must move binary I uuencode or base64 first. The whole high ASCII restriction was an effort to mitigate buffer overflows in the RS232 code in the kernel, not to stop binaries from moving backwards and forwards.

UhuNovember 5, 2013 11:32 AM

I get the impression that we slowly get to the conclusion that what is claimed could technically be possible, but since it is an extraordinary claim (the malware would be beyond StuxNet), we would need more evidence. Unfortunately, what we have seen so far severely lacks technical details. In my opinion (and as stated by others), one of the key questions is: how does Mr. Ruiu observe packet transmissions?

DilbertNovember 5, 2013 12:42 PM

Why does everyone keep claiming this is "beyond StuxNet"? There's no real basis for comparison IMHO. StuxNet infected systems, then targets Siemens industrial control systems in order to intentionally damage nuclear centrifuges. What does that have to do with this possible badBIOS malware in any way? The only correlation that I can see is that USB drives are a possible infection vector... beyond that I don't see anything that can be directly compared. Any judgement of "difficulty" is just a matter of opinion - at least until we see the actual code.

Brandioch ConnerNovember 5, 2013 12:52 PM

@Bryan

I took that paragraph to mean the air-gapped computer wasn't fully cleaned of infection.
I can see how that paragraph could also be read that way. And I think that that lack of clarity in the original article is the root of the problem here.

So we end up with discussions of whether X can be done in a lab between two very specific systems.

And Y.

And Z.

And (for suitably broad cases of X) (for suitably specific systems) the answer is usually "yes".

The discussion then becomes exactly how broadly defined X, Y and Z are and how specific the specific systems need to be.

Can a USB stick overwrite the BIOS of a specific motherboard? Yes. That's how I upgrade the BIOS on my systems.

Can one USB stick (reformatted) overwrite the BIOS's from 3 different vendors on 30 different motherboards (no OS) and still work sufficiently that it can use the microphone/speaker to download more code? I find that difficult to believe.

I am willing to donate a computer for testing. Is anyone setting up a lab?

KevinNovember 5, 2013 1:26 PM

To answer David Dyer-Bennet's question about the SD memory card "write lock", as mentioned by wim/bryan this does not physically prevent writes, it is up the the card reader/adapter and/or the OS to enforce the write lock. Some card reader interfaces will prevent the host computer from writing when the lock is set, but not all.

For all the cards I have seen, the card itself doesn't have any way to enforce the write lock, the card doesn't even know the position of the switch, which is not an electrical switch but rather a piece of plastic that slides down and interacts with a true electrical or optical switch in the SD card socket on the reader.

If performance and capacity is not a consideration, you can directly interface to the SD card using a simple serial protocol on GPIO using the older protocol provided for backwards compatibility to the old MMC form factor. The WRT54 team has quite a bit of info on this topic.

David AlexanderNovember 5, 2013 2:03 PM

Surely this must be a hoax if it claims to be working across an airgap with no previous interactions. The microphone would need to have a compromised device driver in order to respond to the audio tones (of whatever frequency). For this to work the airgapped machine would need some malware loaded from media of some kind so that it could then communicate this way. This could not spread by sound alone unless the systems were already pre-loaded with the modified device driver beforehand.

Mike AnthisNovember 5, 2013 2:38 PM

"Now they know how many holes it takes to fill the Albert Hall. I'd love to turn you on."

This story has what it takes to trigger a geek frenzy.

Clive RobinsonNovember 5, 2013 4:38 PM

@ Mike the Goat, Bryan,

If you think about it the one thing Ruiu's little experiment did show is the code is not overwriting the BIOS in ROM... So maybe we should stop calling it BadBIOS.

It's almost directly pointing to something a GoodBIOS (TM) does normaly to load executable code into memory (which is the expansion card extention from AT bus onwards). I pointed this out on the Friday Squid page and Jacob handily posted a link showing exactly how to do it.

As it happens it's relativly easy to disable this functionality in the ROM code (look for the memory test for OxA5A55A5A and fail it). Unfortunatly it may disable the functionality of some of the IO devices. But if this done and the malware does not return you have the proverbial smoking gun.

I've also been thinking further and I would now say that this malware is aimed specificaly at laptops not at desktops or servers.

Importantly with laptops you know in advance what sound card chips are going to be used for two reasons, firstly they are soldered to the mainboard, and secondly in general laptops use a very limited set of generic sound chips, probably more limited than the range of CPUs...

Further I don't think the software is going to be very large as most of it's already built into the sound card as standard and it's going to be more a case of calling existing subs than coding from scratch.

I also have an incling that the software was designed to infect laptops at conferances on those give-away USB drives with all the marketing PDFs and as such may exploit one of the myriad of Adobe PDFviewer bugs that were endemic back three years or so ago. Back then as an infection vector the USB/PDF combination would have had very close to 100% success rate of infection.

BryanNovember 5, 2013 7:04 PM

@Mike the goat,
I've got plenty of leftover MCUs from various projects to make one from if I want to. ;) I even have a few tubes of the RS232 level converters. I guess that's what I get for having an electronic hardware hobby for a few decades.

@Brandioch Conner

Can one USB stick (reformatted) overwrite the BIOS's from 3 different vendors on 30 different motherboards (no OS) and still work sufficiently that it can use the microphone/speaker to download more code? I find that difficult to believe.
Maybe. I see no reason it wouldn't work. BIOSes have defined interfaces that can be linked to and used for doing lots of things. I'd guess if you know 0 days for the USB interfaces for a bunch of different OS/BIOS combinations you could also just try them all and see what sticks to the wall. :} When something sticks, send the rest of the exploit for that system over. This isn't rocket science. It's plain and simple dotting the Is and crossing the Ts. Computers can be very patient and thorough if programmed to be that way. Also store the exploit code in the reserved pages on the FLASH device.

Clive filled in/confirmed the last details I was wondering about. Thinking about it a bunch while I broiled lots of bacon for bacon bits, I'd be willing to bet that the persistent infection code is all stored in the device's BIOS extension blocks, or whatever they are called.

@Clive Robinson

It's almost directly pointing to something a GoodBIOS (TM) does normaly to load executable code into memory (which is the expansion card extention from AT bus onwards). I pointed this out on the Friday Squid page and Jacob handily posted a link showing exactly how to do it.
I've wondered about this, but I've never been a PC BIOS device driver coder so I don't know how all that really works and has changed over time. My device driver coding experience is under UNIX or embedded mircocontrollers. They are different beasts. I at least figured the extra space on the memories is a good spot to store persistent parts of the exploit. They could easily be grafted in as part of the device's code. That would take a bit more pre planning and be a bit less flexible, but it would also be allot better at not causing bad side effects the target will see. Weren't those odd images Ruiu mentioned 4k and 8k in size... Hum... Perfect size to replace a specific controller's BIOS block. Looks like the space needed for the extra code in the CDROM handling code block squeezed out the code for booting from CDROM.
Further I don't think the software is going to be very large as most of it's already built into the sound card as standard and it's going to be more a case of calling existing subs than coding from scratch.
I'd figured this out too. It only makes sense to use what's already there, and could potentially be different for different hardware. Also, why rewrite what already exists. If you do, then you must take into account hardware differences, and do you know them all?

Brandioch ConnerNovember 5, 2013 7:32 PM

@Bryan

Maybe. I see no reason it wouldn't work. BIOSes have defined interfaces that can be linked to and used for doing lots of things.
I do not know of any BIOS that controls the microphone.

Could you post the motherboard make/model and BIOS version of yours that does? Thanks!

Romulo CholewaNovember 5, 2013 7:45 PM

It is really hard to believe that a cheap mic or speakers are capable of listening to or even "speaking" in ultra high frequencies to one another.

These components are hardly capable of going beyond 20KHz.

If this is happening, other components are being used.

viszNovember 5, 2013 11:00 PM

it is not a hoax.. i believe schenier and Dan are keeping their reputation well. How could the virus spreads through air gaps ? It must be a surveillance system that can do those thing

VinzentNovember 6, 2013 12:58 AM

@Romulo Cholewa:

For microphones I'd say, yes, probably.

But speakers (especially small ones, like those used in Laptops) are perfectly capable of delivering 20 kHz, even though in most cases they will probably be outside the linear range (well, sound quality doesn't really matter in the scenario, does it?).

Additionally, you don't even need to go ultrasonic to appear virtually silent, because

a) the ear is more sensitive to certain frequencies, that means to mask in ambient noise you can use a louder signal with increasing frequency, and
b) the duration of the noise is also quite important, not only because a certain energy is required to actually move things at the receiving end, even if it is just small hairs (which would pose a similar problem to the microphone), but also because this very advanced post-processing filter called brain. So, you could deliver the sound in short bursts (say 10 or 20 ms, which makes it four to eight complete sine waves at 20 kHz) to make them even more inaudible.

Mike the goatNovember 6, 2013 1:22 AM

Clive: I like that. GoodBIOS®

Romulo: I think Vinzent gave a good response but I will offer that your malware could simply negotiate the highest frequency (and baud rate) that works.

Alain from SwitzerlandNovember 6, 2013 1:29 AM

Regarding initial infection via sound, here's a clear disclaimer from Dragos Ruiu, from his Google+ Account, see the comments of the post of November 3rd with the 0-50kHz spectrum image:

[other poster] Are you hypothesizing that the motherboards/BIOS could be shipping "ready and listening to be infected" straight from the manufacturer, hence the ability to infect a clean and disconnected computer? I would assume such a state would be ensured only by the interference of something with nation-state-sized resources.

[Dragos Ruiu Nov 3, 2013] No these machines were probably infected via traditional means or USB. Wish folks would get off this infected by audio nonsense. The audio is only a c&c channel between infected machines to bypass air gap.

Regarding the story as a whole: According to this article and all I have seen like so far nobody found anything in provided BIOS, font files, disk dumps, etc. Apparently two (supposedly) infected laptops have been sent to other researchers:

"I’ve surrendered up a couple of my laptops. We had somebody fly in from New York and pick some up yesterday," he told Ars on Tuesday, declining to identify them by name. "They’re going to have some smart guys force some eyes on it. We’ll get some peer review and find out if I’m completely losing it or if we found something significant." Then, he paused for a moment and added: "By the way, I still don’t think I’m losing it."

To me feels to be most likely an illusion in the end, nothing real, but also no pressure to judge, just yet :)

Saint CrustyNovember 6, 2013 1:59 AM

Theorising is one thing but here goes. In reverse order of boldness. Wild speculation starts here.

1) The researcher's machines had already been compromised with what i'd dub crippleware. Payload was delivered but 'dead' and exists of fragments. The real malware would only 'boot' if all pieces were present, say by inserting an USB key.

2) There is a possibility of a covert channel which is even more theoretical than anything else. The article(s) explicitly state the two computers communicating were close to one another. Could this imply somehow the magnetic field of the speaker or the sensitvity to electric/magnetic fields of the microphone were used to measure information in some alternate way ? Could it be the voltage of these components can be 'steered' ?

In some office environments this could be an ideal way to maintain covert communnications.

3) Did the researcher try removing only the microphone and/or speaker ? What happened then ? Did he apply a voltage meter to these components while in operation ?

4) I've been called paranoid by people too many times not to take this seriously. By now i'm in dire need of some luck as the ethical corruption in corporations is upsetting.

Andrew CrystallNovember 6, 2013 8:07 AM

That this stuff is even potentially possible really backs up my feeling that UEFI is going the wrong way.

Mike the goatNovember 6, 2013 8:35 AM

Alain: I had a look at kit.tgz and found nothing untoward. the BIOS dump he posted was benign too.

I really hope there is some substance to this for Dragos' sake, but it seems less and less likely.

Alain from SwitzerlandNovember 6, 2013 9:07 AM

Mike: I agree. From what I have seen, I never got the impression that Dragos Ruiu was dishonest and after the arstechnica article was out, it seemed to me that he has been very helpful with providing everything needed to clarify the issue.

PhosphorNovember 6, 2013 10:58 AM

Ultrasonic is analog, computers are digital. Unless you have a converter that can change that ultrasonic wave to ones and zeros. Maybe. Otherwise it would be the same sending smoke signals to your computer. And totally incompatible with your WiFi signal.

Also Ultrasonic travels primarily through air which makes the statement “Air Gap” a double statement. If it was a Vacuum there would be no ultrasonic wave.


- Marc Detrick

ThinfoilHatManNovember 6, 2013 12:16 PM

A couple of questions for anyone who might know:

1. can a speaker be turned to a microphone with just a change in the driver?

2. could this sort of malware explain the static I hear when I listen to music on my PC?

AspieNovember 6, 2013 1:15 PM

@TinfoilHatMan

I'm sure others will wade in with this with more sagacity but:

the answer is yes, it can be a very poor microphone, however ...

The problem, as I see it, is that a speaker is designed to emit rather than collect sound so its design is more for the former than the latter.

Second it needs to be connected to sensitive amplifiers to pick up a usable signal. In addition to which, again because of its design, it has a completely different frequency response to a good microphone because it's designed to move air to make sound rather than with delicacy to allow air to move it.

The static you hear is either poor quality audio from the PC sound card, a noisy transistor in the audio amp stage or a bad PSU passing through noise from the mains (if you're using mains).

As for drivers, I doubt that amps can be reversed by them but then again there was always that splendid Theremin thing ...

BryanNovember 6, 2013 2:12 PM

@Brandioch Conner

@Bryan
Maybe. I see no reason it wouldn't work. BIOSes have defined interfaces that can be linked to and used for doing lots of things.

I do not know of any BIOS that controls the microphone.
Could you post the motherboard make/model and BIOS version of yours that does? Thanks!

Please do just a bit of research. ALL of the motherboards I've bought in the past 10 years have had integrated sound IO systems. They are a dime a dozen out there in the real world. Look up the VESA BIOS extensions, especially VBE/AI.

@Saint Crusty

1) The researcher's machines had already been compromised with what i'd dub crippleware. Payload was delivered but 'dead' and exists of fragments. The real malware would only 'boot' if all pieces were present, say by inserting an USB key.

I doubt this. There is no need. Use the VESA BIOS extensions to get the reinfection code running. It can then load other modules squirreled away in other places around the system. Places like the USB controller's FLASH code memory.

2) There is a possibility of a covert channel which is even more theoretical than anything else. The article(s) explicitly state the two computers communicating were close to one another. Could this imply somehow the magnetic field of the speaker or the sensitvity to electric/magnetic fields of the microphone were used to measure information in some alternate way ? Could it be the voltage of these components can be 'steered' ?
N squared is not your friend. Electro magnetic links like used for RFID tags have severely limited range, and that is even for tuned transmitters and receivers. I'd bet that they would need to be within a foot or so of each other. TI has some very good white papers on this. They also sell some nice RFID tag reader evaluation modules. I used one of them to make a RFID reader for cattle use. Years ago RFID tag readers were expensive, so I made my own. Learned allot, and saved over a thousand.

@ThinfoilHatMan

1. can a speaker be turned to a microphone with just a change in the driver?
It would take a hardware change. The speaker would need to be hooked up to an ADC, but then some ADC input lines could be doubled up as a DAC output line. It would depend on the chipset that provides the sound system and the components on the motherboard. I don't know if any do double up an ADC input with an DAC output. A side note: It is becoming common for microcontrollers to have multiple peripherals assigned to each IO pin, and peripherals to assignable to alternate pins. The Broadcom SoC chip used in the Raspberry PI even has this capability. What it means is some peripherals can be moved from pin to pin, but this usually also requires differences in the circuit board the chip is connected to. Because the amplifier used to drive the speaker is likely a one way circuit, then it is highly likely even with chipset support it would not be possible. Of course, what if the amplifier is part of a reconfigurable analog chip, then it may be possible. There are analog equivalents of the FPGA. To answer our question, in all likelihood, no, but that doesn't mean that it isn't possible for some odd system now, and hardware changes in the future may make it easy. The tech is there, just not implemented.

So, what tools can we use now to find and disinfect systems with compromised VESA BIOS Extension chips, and USB drives? JTAG is very cumbersome to use to detect and cleanup infections, but it may be the only way. This is because the system may prevent you from getting direct access to the hardware.

RobertTNovember 6, 2013 2:32 PM

The ONLY problem that I see with this explanation is
How do you simultaneously infect three or more different computers with very different OS's all at the same time.

It seems to me the solution might be easier then a lot are assuming.

Think about a typical Air-gapped computer system setup. From my experience all computers on the air-gapped side are basically the same OS and usually very similar hardware. This is done to simplify the maintenance issues.

So in reality we can infect the air-gapped systems ONE at a time. First off we could try a *NIX variant, second try Windoze third iOS and so on. The process does not need to be done in parallel IF you control one point, where the USB stick is regularly inserted then simply go through the list of likely target os's for the air gapped side, as they said the reinfection often took weeks to occur.

The other thing that makes this attack mode interesting is the likelihood that both Air-gapped and Internet connected servers will be co-located in the same air-conditioned space. I'm thinking about commercial air-gapped systems rather than something an individual or military might do.

Even for an individuals air-gapped system I'll bet people regularly operate their isolated laptop in the same room as their internet connect computers so this return channel can work somewhat real time. What concerns me most is the likelihood that the normal return vector is over the data channel of the targets smartphone. Think about it how many people using an air-gapped laptop have a smartphone in their pocket at the time. This makes surreptitious comms using audio an ideal vector for smartphone infection of air-gapped PC systems. As I've said before, I've seen security aware IT managers actually plug their 3G connected smartphone into the USB port of an air-gapped network computer to recharge, (as everyone with a smartphone knows battery life is miserable). Do this once and get infected from then on the info flows easily over the acoustic path.


WaelNovember 6, 2013 2:53 PM

@ RobertT

You bring an interesting dimension into the discussion -- The cell phone.

As I've said before, I've seen security aware IT managers actually plug their 3G connected smartphone into the USB port of an air-gapped network computer to recharge
Then, technically, their 'puter is no longer air gapped.

RobertTNovember 6, 2013 3:04 PM

Re Using Speaker as a microphone

As others have said it is possible BUT makes a bad microphone and is especially bad at high frequencies due to the high weight of the speaker diaphragm, compared with a typical microphone diaphragm .

These days the speaker amplifier is almost always a ClassD amplifier.

Most ClassD amps still use analog in => analog out so their is very little risk of a return channel unless someone intentionally solders a wire from the driver back to a microphone (along with a suitable potential divider network) (2W class D amp uses 5V supply, a typical ADC might have a maximum 1.8V input signal)

BTW when the speaker is connected to an amplifier the amplifier output impedance acts as an active load to suppress any movement of the speaker diaphragm so the sensitivity of this parasitic mic is further reduced.

RobertTNovember 6, 2013 3:49 PM

Re Audio cards.
Their might be a large variety of audio cards available but the truth is that 90% of the PC market uses Realtek audio chips especially for motherboard audio. They have such a large percentage share because the price for this function (AC97 audio) is VERY low so no other vendor wants to supply chips at this price point. This is good news for an attacker because they can just focus on Realtek's chipset and firmware.

Something for the security paranoid to consider: In the chip market place it is common for there to be less than 3 vendors for a particular function. The sales volume is usually
50% for first
30% for second
15% for third
5% others

This market share breakdown is common across a wide variety of parts, so the reality is that regardless of how many PC makers you have the odds are good that you can predict the chipset used for a given function especially at the consumer level. For a given vendor even when the part number changes it firmware is usually VERY similar.


Now for a more interesting question. In the case of Audio chipset nobody competes because the price is too low to make money, basically an Audio chip sells for less than its production cost (or very very close to production cost) WHY would any vendor willingly participate in a market at this price point? Maybe, just maybe, they are being compensated from other sources. Maybe this is to include functionality above and beyond the requested device spec.

Having worked for many years on just this sort of part, I can assure you that no PC vendor has ever audited the security processes of the Audio chip vendor. If the specified functions are met then the vendor can stuff whatever else they want onto the Audio chip, thats their business. the reason to be concerned with this is that both Comms and Audio require very similar design styles that fall outside the normal digital flow, additionally the SoC market just keeps integrating more and More and MORE, so an Audio chip might easily contain a Bluetooth transceiver or an NFC comms system. Many times this might be something that the vendor is developing and has not enabled yet and simply not told anyone about. However If you look at the chip under a microscope you'll be able to see functional blocks that are not needed to meet the device specification. Many vendors do this sort of analysis of their competition to get an idea about what new functionality the competition is thinking about and it is surprising what you find if you look close enough.


RobertTNovember 6, 2013 4:23 PM

@Dilbert,
"Are any of you volunteering to assist? Or are you just sitting here throwing rocks over TCP/IP??? I'd love to get in on this, but I lack the technical chops to be of much value."

I'm thinking about it BUT very wary because anyone that developed this capability did not do so by accident. This is not the work of a few script kiddies, we are talking about professional organizations with a definite mission. They will not be amused when someone uncovers and publishes even some of their secrets.

Brandioch ConnerNovember 6, 2013 4:46 PM

@Bryan

Please do just a bit of research. ALL of the motherboards I've bought in the past 10 years have had integrated sound IO systems.
It looks like you're confusing "integrated" with a microphone that is controlled by the BIOS such that it can receive updates via audio tones.

They are not the same.

Now if you want to say that you do have a motherboard that can do that, would you be able to post the make/model of that motherboard and the BIOS version?

Otherwise this "virus" will need at least a vulnerable OS for it to update itself.

Given the level of the unsubstantiated claims being bandied about, this is starting to sound more and more like the "Blue Pill" virus from earlier this century.

https://en.wikipedia.org/wiki/Blue_Pill_%28software%29

Clive RobinsonNovember 6, 2013 6:49 PM

@ Brandioch Conner,

    It looks like you're confusing "integrated" with a microphone that is controlled by the BIOS such that it can receive updates via audio tones

I don't know why you even thinks this is relevant. As far as I'm aware it's only the very ill informed that are hanging on to this notion.

For the sake of saving you having to re-read all the relevent (not journalistic hype) information.

As has been repeatedly pointed out the experements have been carried out on machines that WERE PREVIOUSLY INFECTED FROM USB. The BIOS was wipped and re-installed as was the hard drive. However other Flash ROM on the system was not wiped and reloaded.

As I and others have pointed out the BIOS as part of it's ordinary operation loads code from IO Flash ROM and executes it. Thus if there is malware that has overwriten an IO device flash ROM the the code gets executed no matter how many times you wipe the disk and BIOS flash ROM.

Do you understand this now? And do you further understand how it makes your comment irelivant?

@ RobertT,

Thanks again for reenforcing the point that there are very few on board sound chips.

I've said it a couple of times already but various people still want to believe otherwise so they can argue that "It's all improbable/impossable".

Somebody I used to know who's job was highend clan-EmSec once said the following to me "You know what they say can be found under a pony tail? Well the same can be found under an ostriches tail feathers, and it's most obvious when they their head in the sand..."

With regards using speakers as mikes yup it's unlikely that the speaker would have a full circuit back to an A-D converter unless it was put there as a payed for extra.

However I can think of one non obvious way to do it. You are probably aware that some DC motor controlers these days are bridge format Class D driven and the back EMF is sampled in the off period to get speed feedback under varying load conditions. And you are probably also aware that some highend digital speaker drivers are also bridge class D. What you may not be aware of is that one UK manufacturer used the back EMF of moving coil speakers to provide linearising of the speaker response some years ago (but because the owner would not "kickback" to the old grey haired "golden ears" reviewers it did not get written up by the HiFi mags). The thought occurs to me that the same could be done with either a low end DSP block or just given as another function to the CPU core in the audio SoC.

However as you note the sensitivity would be rather low at best due in part to the stiffness of the cones etc.

@ Wael,

With regard "air-gaped" computers I've yet to see one using a commodity OS such as any MS offering or *nix offering (including Apple's OS's). IT bods are frequently "patching or updating" and there is no verifiable audit trail to full level test on them.

As @ Nick P has pointed out before it's only a few of the specialised vertical market OS for safety and medical systems that get the "full works" certification with verifiable retest&certify on patches and upgrades. But even these are potentialy a fail due to "code signing" issues.

Oddly one or two *nix systems only patch and upgrade source code and don't provide executables. In theory if you can strip back and audit the source code to the required level this is the safest way to go using an appropriate data diode / sluice / verifing choke system.

WaelNovember 6, 2013 7:41 PM

@ Clive Robinson

With regard "air-gaped" computers I've yet to see one using a commodity OS such as any MS offering or *nix offering (including Apple's OS's).
Oh, No! don't get senile on us, @Clive Robinson, we need you man! I am sure you've seen a lot of them before the internet was popular. I still have a commodore 128 ;)

Senile = Sea + Nile.
Should be Rivernile, oh, lack of sleep getting to me.

RobertTNovember 6, 2013 8:42 PM

@Clive R

Re ClassD amps

Bridge vs single ended: Almost all low end consumer stuff is Bridge configured ClassD because the single ended typically needs a physically large Electrolytic cap something like 470uF to set the low freq pole. If there is room for the Cap than single ended makes some sense because the FET Rds-on losses are halved (only one series fet)

Normally the reason for using Bridge configuration is to double the Watts power rating for a given supply. (Eg 12V bridge configuration results in 8w to 10W amplifier in single ended you need 22V to 24V for the same power rating. Typical PC's dont have 24V supply however LCDTV's do so LCDTV's are often single ended whereas PC 10W amps are bridge configured.


These days, for any ClassD amp above 6W it is typically a standalone part Analog audio in and direct drives the Speaker.

It s only worth considering Integrating the ClassD with other audio functions If you use an MCM (multi-chip-module) but it creates a lot of cooling problems so it is normally avoided)

Re Feedback around ClassD amps
Every reasonable ClassD on the market uses feedback to linearize the transfer function. Without feedback the best you can achieve with reasonable effort is about 50dB THD. The same device with feedback to the integrator will easily deliver 70dB THD. For direct drive (no filter) the output of the switching elements feedsback typically through resistors to form a summing junction at the input to the first integrator stage. There are plenty of ClassD's that will achieve 100dB plus THD BUT they typically feedback from after the LC filter.


This is all way OT so I'd better stop.

SchneieronSecurityFanNovember 7, 2013 1:44 AM

In looking at the researcher's spectrogram, maybe there is electromagnetic interference that is causing a speaker to produce the ultrasound or the microphone to detect ultrasound? The lab technique should utilize multiple microphones and meters or scopes to see if they produce equal measurements. Also, the lab should be in a Faraday cage or have copper-lined walls similar to a room with a medical MRI scanner.

Question: Can the audio from an infected computer's speaker be in the audible range and masked from a human listener by utilizing psychoacoustic techniques?

Cases: For the last two or three years in the U.S., Arbitron - now Nielsen - has provided radio stations with a device that encodes station identification (and song info?) below a listener's threshold of perception into a station's audio program. These sounds are then picked up by a device called the Portable People Meter that is worn by a listener which identifies the station.

Around 2006, cellphone ringtones in the near-ultrasound range were used by children so that their teachers wouldn't hear it. I was surprised that the speakers of cellphones at the time could reproduce those frequencies.

In 2005, Nils Schneider and Bernard Leach figured out how the 1st-generation iPod could be modified so that it will boot into Linux. There is a piezo speaker inside this iPod that could be programmed to "play" the bootloader. Different sounds represent the bits. It took 20 hours in a small soundproof box for the iPod to play the bootloader as beeps. A recording was made and the sounds were turned back into the bits and bytes of the bootloader.

Mike the goatNovember 7, 2013 3:47 AM

Wael: sea + Nile?? Man, that sounded like something my good buddy would come out with. This is a guy that walks his dog while mumbling semi coherently in a torn up Grateful Dead T-shirt that looks like it's from when Jerry was still alive. One hell of a guy. Our local residents co-op invited him to the Halloween function the neighborhood was having and he turned up to a "child friendly event" with a four gallon gas can filled with whiskey one of his "mountain brothers" had stilled himself.

Yep... Some say he went to war and came back, joined the peace movement and became a pot head. Others say he has always been that way. You know what I say? That he was a well regarded cryptographer that found a novel method of breaking RSA, and the government did it to him. A cautionary tale for all of us ;-)

Alain from SwitzerlandNovember 7, 2013 3:53 AM

Here is 25 min radio interview with Dragos Ruiu on the "badBIOS saga" (direct download of mp3 file). Actually it is for large parts a monologue and shares in my view the following characteristic with the original arstechnica article: Dragos is rather inspecific about facts and especially not clearly separating facts and how they might have been obtained from interpretation, hypotheses and speculation.

Assuming most of what he claims would be facts, the only viable hypothesis I would see would be that some attacker with some kind of shell access even across air gaps was actively playing cat and mouse with him (and whoever else was on his side, Dragos always speaks of "we") and in the end maybe even deleted most or all traces of activity from disks and BIOS etc. I leave it to the reader whether hoping for this possibility is enough incentive to continue to investigate this saga.

On the other extreme, Dragos would be just a skilled manipulator of the media and people in general, i.e. he would be the one playing cat and mouse with the audience. Previously I wote that "it seemed to me that he has been very helpful with providing everything needed to clarify the issue", now I disagree with me, especially in light of what he says near the end of the interview regarding the immediate future. I expect this saga to just linger on without facts clarifying significantly any more.

Mike the goatNovember 7, 2013 3:57 AM

RobertT: that's the thing. A motherboard manufacturer needs, say an audio chip. So they put out a tender and it turns out that RealTek can give them the best price, and will throw in 1000base LAN. The motherboard vendor doesn't know any more than we do about what goes on in the "black box" that is these accessory ICs.

Regarding badBIOS: if the claims surrounding BB are true then I doubt that the nation state responsible would dare try and persecute researchers. It goes against their usual m.o. of deniability, ie "uh, wasn't us.. Couldn't have been us. Maybe it is the Chinese?" That said we live in a crazy world and the powers that be (the real owners of this country) are likely to do anything to neutralize anyone who may have embarrassed them or exposed their agenda. If sounds conspiratorial then I apologize in advance.

Clive: exactly right. Dragos has said repeatedly that the audio comms is a way for two already infected machines to share data, not a vector for infection yet the tech media won't let this erroneous claim die. Given what I have seen in the last few days I think its possible that Dragos is way beyond his depth and badBIOS may turn out to be a complete non event. Even if it does - I think it is important that we consider that malware like badBIOS is a distinct possibility.

Mike the goatNovember 7, 2013 4:04 AM

Alain: I agree with you here. I was a staunch defender of Dragos but his recent behavior has led me to question his motives more strongly. As I said earlier though - even if badBIOS is a hoax/misunderstanding/nothing - perhaps some good will come out of it, in that people may consider side channels when designing supposedly secure systems. For example, does a supposedly secure office terminal used solely for email and word processing need a webcam, mike and speaker? Probably not. We are starting to see corporate America wake up about the danger of data exfiltration via employee's thumb drives with many now disallowing their use (by policy, through disabling in software, or through physically disconnecting the front ports and using a locking port cover on the rear of the PC).

SchneieronSecurityFanNovember 7, 2013 9:16 AM

Mike the goat: No, RDS is detected by the radio receivers and doesn't effect the audio program.

Arbitron's audio encoders work in the audio portion of the program, either on analog or digtial broadcasts - analog radio; digital radio, television, internet streaming, etc.

The Portable People Meter (PPM) is worn by a listener. The PPM "listens" to the encoded audio no matter where the listener is - in a car, an office, a party, etc. It records station identification and the time of day.

Here's a link to the patent.

SchneieronSecurityFanNovember 7, 2013 9:39 AM

Mike the goat: To clarify - RDS is detected by compatible receivers only; not all receivers.


The PPM system has greatly effected radio station ratings in the U.S. over the last two to three years.

Clive RobinsonNovember 7, 2013 10:10 AM

@ Wael,

You forgot

See + nile, which could --like watching paint dry-- provide a modest soul with contemplative entertainment untill old age gets them into scams such as pyramid selling...

With regards "air-gaps" perhaps I should have been a little more explicit, runing a system "stand alone" is not anywhere close to running it "air-gapped", it is but the first step on a long and arduous journey.

It's a mistake many people make and I'm sure it's a distinction that whilst lost on the average tech is ruthlessly exploited by those with a view to seeing what it is you wish to keep private (be they ordinary criminals or those in government employ).

@ Robert T,

Yup it covers it :-)

The problem I have posting on an open blog to those of a higher than average knowledge is including enough detail for others to read and get not just a feeling of what's being discussed but able with a little thought to follow along.

I should say that one of my pet peeves is published papers in the more general journals, that when you read them you feel they were written in compliance of George Orwell's postulated "new speak" rules.

And one thing I'm contious of on this particular thread, is what should be a fairly simple discussion has taken on an almost Halloween dimension of "don't go there it's full of spooks with magical powers you've no hope of understanding bewitching your very electronic soul".

Whilst some of the things sound mystical they are all fairly readily explained well within the laws of physics and plenty of practicle examples that you, I and others had provided. Which I thought had "put it all to bed" on last Friday's Squid page quite satisfactorily. Howevere many commenters here are apparently not reading what's been said or are misunderstanding it, and as others have noted apparently deliberatly so. Thus trying to correct the misunderstanding is giving rise to more extensive comments, which try to head off more misunderstandings before they occure...

Hopefully there will soon be results of other testers showing what they have tested with the how and why of the tests so all the lose threads can be brought together.

However of one thing we can now be certain, if such malware did not exist prior to this point it will now be developed by any number of entities because it's been shown with enough detail for the average under grad to stitch it all together as a project in a week or so...

As for three letter agencies getting upset about another of their easy but obscure techniques being revieled, they realy should be used to it by now, as they don't have a monopoly on either curiosity or inventivness and the genie is out of the bottle.

Brandioch ConnerNovember 7, 2013 10:29 AM

@Alain from Switzerland
Thanks! I recommend everyone listen to that. At 12:50 he starts to talk about how USB might be the vector for infection. But his description of his process sounds flawed. Like how he may have infected one of his forensics systems with a USB drive from a suspected infected system when he was trying to move a file between them.

Dragos is rather inspecific about facts and especially not clearly separating facts and how they might have been obtained from interpretation, hypotheses and speculation.
Yes. He claims to have seen files from this "virus" on a hard drive but never goes into specifics.

Even if he didn't have the tools to take apart a BIOS he could at least have snapshotted a clean Windows box and then infected it and then snapshotted it after the infection.

And with network packets, even if they are encrypted, he should be able to identify the destination IP addresses and block those.

WaelNovember 7, 2013 11:27 AM

@ Clive Robinson

untill old age gets them into scams such as pyramid selling...
I'll reimburse you. Hopefully you didn't buy a warrantee, these things last for ever ;)
runing a system "stand alone" is not anywhere close to running it "air-gapped", it is but the first step on a long and arduous journey.
Good observation. Stand alone is not a requirement, though. An air-gapped network of systems could also exist. For simplicity, I would think an Air-gapped system means the following:
1- Isolated from external network
2- Isolated from external input/output, such as Light and electromagnetics, for example Electromagnetic emissions and reception.
3- Isolated from external power supply lines (probably by filtering)
4- Started in a known clean state
5- And after this thread, it needs to be isolated from sound as well.
Can you share what other characteristics a system needs to meet to be qualified as an air-gapped system?
as they don't have a monopoly on either curiosity or inventivness and the genie is out of the bottle.
1- They do have a monopoly on law enforcement, though!
2- When the genie came out the bottle the first time, it was put back again -- Long story.

WaelNovember 7, 2013 11:34 AM

@ Mike the goat,

Yep... Some say he went to war and came back, joined the peace movement and became a pot head.
If I wanted to be a pot-head, I'd move to Washington.
You know what I say? That he was a well regarded cryptographer that found a novel method of breaking RSA, and the government did it to him.
Wouldn't surprise me. I think that's what happened to John Forbes Nash, Jr. as well.

Nick PNovember 7, 2013 12:12 PM

@ Wael

"Can you share what other characteristics a system needs to meet to be qualified as an air-gapped system?"

Back when I was trying to figure it out, I just started with how US govt protected their most secret stuff. They used dedicated networks/PC's for certain levels, air gaps, high assurance guards, non-bypassable TCB's with custom firmware on certain things, EMSEC protection, certain cryptosystem approaches, power filters, and rooms within rooms with isolated tech (SCIF's).

My assumption was that they've been dealing with these problems for a long time and plenty of wisdom would be built into their internal recommendations. Most of them seem like a good idea to this day. Quite compatible with many items on your list, for example.

WaelNovember 7, 2013 12:20 PM

@ Nick P

They used dedicated networks/PC's for certain levels, air gaps
@Clive Robinson brought up a good point. Is the term "Air-gapped" formally defined?

Nick PNovember 7, 2013 12:51 PM

@ Wael

When have you known me to go by formal definitions? Remember how our different backgrounds got us hung up on the word "trusted" in a previous discussion? ;)

Anyway, I'm not sure if there is a formal definition. The "de facto" definition is physical separation. Military/Intelligence groups did this with separate networks, PC's, routers, fibers, etc. EMSEC was part of it from what I could tell because part of physical network separation included placing components a minimum distance apart to prevent a sensitive component's emanations from causing an effect in wires/chips of another. Certain "controlled interfaces" were allowed for main classified networks, albeit with strong security requirements.

The definition is ad hoc and informal. The procedures are systematic and formal. So, you could say the air gap definition is semi-formal. It's also a definition that's implied by their methods of implementing it more than any statement on paper. I mean, the older documents I read didn't even use the phrase although they told how to build it. For that reason, I focus less on definitions and more on practical aspects such as the How and Why of implementing them.

Their only screwups that I've seen were underestimating the importance of both object code attributes and the chips in their machines. Both have resulted in many security problems that their standards/certifications didn't address well enough. They're wisening up to that in this century hence all the DARPA, DOD and military research in that area.

Nick PNovember 7, 2013 1:17 PM

@ Wael, others re "what is an air gap actually?"

Here's some supporting evidence for my theory. I figured why not just look up the first security paper I know of and see if it contains air gap, a description of one, etc.

The paper that started our field (1967-1970)
http://www.rand.org/pubs/reports/R609-1/index2.html

I think readers will enjoy this paper regardless of their curiousity about air gaps for its historical value. I enjoy it because I look at their situation then and what they decided was necessary for computer security. I then compare it with what we know now. They did a decent job with many principles having lasting significance, albeit not necessarily their implementation. Anyway, here's a few things that relate to air gaps.

"Fundamental principles... The means employed to achieve system security objectives shall be based on any combination of software, hardware, and procedural measures sufficient to assure suitable protection for all classification categories resident in the system."

"Any communication line that passes classified information between a terminal and the central computer facility or between computer systems must be protected in accordance with Government-approved communication security methods. They may include provision of approved secure cable between the terminal and the central location, or of approved cryptographic equipment. Intelligent deception of the link (i.e., spoofing) must not be possible. "

"Any terminal through which a user can gain access to classified information in the central computing facility must be physically protected in accordance with the highest classification of information processed through the terminal."

"The software of a resource-sharing system includes the Supervisor, the language processors (compilers, assemblers, etc.), the program library, and the utility programs (e.g., sort programs, file copying programs, etc.9. The design of a computer system must consider all software components of the system, as well as the hardware on which the software will run. "

(Pretty thorough, that.)

"Central processor hardware must provide some or all of the following mechanisms, depending on the class of service it renders its users: user isolation; supervisory software1 protection; and assurance against unanticipated conditions. "

So, as you can see, the focus was more on procedures and technological equivalents to existing standards for classified information protection. That was the concept. *Those* basic principles and procedures date back to 1940 Executive Order for handling "Restricted Data" under which the Manhatten Project was also governed (source: FAS).

I'll leave it to someone else to show us where "air gap" got its start. However, I think the paper & EO I cited show it's a ad hoc phrase representing an extremely watered down version of classified information handling procedures. Probably with watered down effectiveness, too. ;)

WaelNovember 7, 2013 1:54 PM

@ Nick P
Good paper!

I'll leave it to someone else to show us where "air gap" got its start.
I think he's already working on it. I don't think I need to disambiguate "he" :)

RobertTNovember 7, 2013 7:04 PM

@Mike the goat
" The motherboard vendor doesn't know any more than we do about what goes on in the "black box" that is these accessory ICs."

This is a good point because most times the chip vendor develops the firmware for something like an Audio + 1000baseT combo chip. The motherboard maker gets the firmware delivered by the chip vendor and rarely has time to make modifications, if firmware mods are needed it this task also falls back to the Chip vendor. Generally speaking the Motherboard maker is clueless about what's inside the chip. It could have an ARM processor plus with its own Flash integrated or maybe MIPS or possible 8085 the motherboard maker neither knows nor cares whats under the lid.

About 10 years ago the last of the US based chip makers got out of the low end component market (like Audio) they were replaced by mainly Taiwan companies like RealTek, MediaTek .... These days there are also a lot of Chinese companies doing low end PC Audio. Unfortunately many times these Chinese firms are such low budget affairs that NOBODY really knows how the chip or firmware works (sounds absurd but they'll just get something like a RealTek chip reversed engineered and make their own copy), the whole company will be maybe 5 engineers so they have very low overhead AND only compete when the Fabs offer them a low price.

To be honest it would be trivial for me to rewrite their Audio code and add a virus, their design processes are also incredibly sloppy which opens up room for other exploits.

One final point, since these Chinese vendors copied something like a Realtek chip they are 100% compatible, so sometimes they'll decide to even brand their chips as RealTek and sell them through the Hong Kong distributor markets.

Point is Nobody really knows what they are getting, all they know is that it works OK as an Audio chip, what else it does is anyone's guess.

RobertTNovember 7, 2013 7:38 PM

@Nick P

Good summary of Air-gapped principles.

On a related topic,
Many years ago where I worked they had a Cray YMP it was used for secure calculations so the computer and terminal was actually built inside a big walk-in bank style safe. Nobody ever used it, which I knew because my desk was close to the entrance door.

One day I had a difficult Finite Element Analysis problem (not really related to the exact work I was doing) so I coded it up and let it run on the YMP. The simulation took a few days to run and I was half way through my forth iteration when the big boss (along with his underlings) comes thundering in and slaps down an old style line-printer accounts printout. The first words from his mouth are WTF are you doing, I catch a glimpse of the bottom line and it was much higher than my yearly wage. I'm not sure what BS I told him but it certainly wasn't the whole truth, job stuck in an infinite loop something like that.

What I didn't know was that they allocated processing costs to any department that used the Cray, since I was running it full time they dumped all the costs onto me. After that it went back to being completely unused which suited everyone just fine. Eventually I thought this is stupid so I wrote a virus of sorts that corrupted job time logging software and returned the Null job indicator whenever my program was running.

Wonder how much hard time I'd get if I tried that sort of thing these days?

Mike the goatNovember 8, 2013 2:41 AM

RobertT: I seem to recall a story about chip counterfeiting in China/Taiwan. Given we have seen reports of consumers getting more than they bargained for with Chinese hardware (credit card terminals complete with integrated skimmer, kettles that launch a MITM attack against users of open WiFi networks, etc.) I can only imagine what a government (rather than a disorganized, perhaps ham fisted criminal group) could do - given China's unique positioning in the global marketplace. The vast majority of accessory ICs are made in their country/administrative regions. Imagine the damage you could cause, particularly if you engaged in spying that had a low likelihood of detection.

Wael: hmm, isn't it funny how our brains utilize context. I was reading your comment about pot smoking in Washington, saw the surname "Nash" and immediately thought of Crosby, Stills and Nash playing in the smoke filled air of Woodstock. Guess it wasn't that funny after all... But yes, I agree that the govt could have somehow initiated his mental issues, no doubt about it. After all, they didn't spend all that cash on MKULTRA for no reason.

Brandiocch: yes, it seems that he hasn't adequately explained himself.

Schneieronsecurityfan: ahh, makes sense. I was thinking that a ratings agency would just give the volunteers a radio that would collect the RDS info and log it, but the "portable people meter" makes a lot of sense as a lot of radio listening is done away from home - in the car, at friend's houses, etc. By modulating the signal in with the music, if carefully designed nobody would really notice it but your device could capture it with its mike. Very clever.

WaelNovember 8, 2013 10:27 AM

@ Mike the goat

I was reading your comment about pot smoking in Washington...
I'm afraid that context will give readers the "wrong" impression about me ;)
...MKULTRA...
Perhaps Bruce should say something about this. Wondering if someone administered some weird control drug to him through his air-gapped computer. You know, aerosol can (able to, not the "can" you drink from) jump that air-gap, and make him tight lipped about things that they want to keep hidden...

Nick PNovember 8, 2013 12:19 PM

@ wael, mike the goat

Ah, MKULTRA. That reference inspired me to do a writeup on it in a thread where it's also on topic. ;) It's one of those things America should never forget. Matter of fact, I suspect elements of the project are ongoing or will repeat in the future as its goal is one governments will never let go of.

Clive RobinsonNovember 9, 2013 9:25 AM

@ Sparx,

    See below link for a decent debunking

No it's nothing like "a decent debunking", in fact it comes about as close to a "strawman argument" as you can get without it being blatantly obvious.

About the only thing the writer got right is "BadBIOS" is a bad name.

As has been noted above you don't need to change the BIOS as by default it will load in code from IO card ROMs at boot time. The fact the author of the page you've linked to claims to be a BIOS expert but has not mentioned this tends to cast a certain pall on his claims.

Further as noted above the sound systems on most mother boards come frome a very very small selection (of just about one) and the ROM on such systems would only require very small amounts of changes.

Mr ManNovember 9, 2013 9:44 AM

Am I the only person guessing that this is all an elaborate exercise in social engineering designed to illustrate how much silliness we'll all believe when it comes from someone with a good reputation in the field? Honestly, I can't believe people are taking the idea of this legendary malware seriously.

Clive RobinsonNovember 9, 2013 10:15 AM

@ Mike the Goat, Nick P, RobertT, Wael,

As I have an old protyping sound/modem AT card from the 1990's knocking around I thought I would have a play around.

The sound/modem chip has a 6502 CPU core in it and an external ROM which I've swapped with a ROMulator I've also got that dates back to the 1990's (when I was doing a settop box design based around a Motorola DragonBall single chip 68K device as used in some PDA's).

I dug out of my dead tree cave a book on DOS and other PC related programing that had some usefull code for building your own AT format I/O cards as well as code for flashing Keyboard leds.

Cobbled it all together and wrote some 6502 code to implement a narrow band filter (notch and subtractor) tuned to 1Khz with the sound chip that raised a UART interupt on detection and loss of 1K tone that triggers the changing of the Caps Lock LED...

Ran up a vanilla Win95 install on a 486 motherboard I've got hanging around with no mods or additional programs to the BIOS or Win95 and once booted up with the moded AT card in the Caps Lock LED comes on and goes off with the card detecting a 1K tone from an audio generator.

So yes if you have data on the sound chip and embedded CPU core data transfer by audio is doable without changing the BIOS or OS on HD with 1990's hardware...

I guess the question now is getting development data and hardware for an embedded AC97 chip set and trying that with Win2K, WinXP or Linux and making it look like a SLIP/PPP serial network port etc, oh and one other important resource "time"...

Brandioch ConnerNovember 9, 2013 10:48 AM

@Mr Man

Am I the only person guessing that this is all an elaborate exercise in social engineering designed to illustrate how much silliness we'll all believe when it comes from someone with a good reputation in the field?
You are not alone. There are three broad scenarios here.

1. BadBIOS does everything that has been claimed or implied or hinted at in the articles. This should be easy to demonstrate. But it has not been demonstrated, yet. The super-virulent virus has been around for three years (maybe) during which it has not escaped Ruiu's lab (that anyone can show).

2. BadBIOS does a subset of the things claimed, implied and hinted at.

3. BadBIOS is a hoax/mistake. Whether from Ruiu or a friend with access to his machines or faulty hardware or sloppy practices or whatever.

It isn't whether X functionality can be demonstrated in a lab on specific hardware. It's whether X, Y and Z functionality can be demonstrated, automatically, on various machines outside the lab. So far the extraordinary claims do not have the required extraordinary evidence. And as time passes, it becomes less likely that they will.

Nick PNovember 9, 2013 10:58 AM

@ Clive Robinson

Interesting experiment. Seems you've proven the concept. I think the main takeaway, though, is that it's 2013 and you're still coding 6502 assembler for use in Windows 95 PC's. :P

Nick PNovember 9, 2013 11:52 AM

@ RobertT

(late reply my bad)

"Many years ago where I worked they had a Cray YMP it was used for secure calculations so the computer and terminal was actually built inside a big walk-in bank style safe. Nobody ever used it, which I knew because my desk was close to the entrance door. "

I can see where this is going... :)

"...After that it went back to being completely unused which suited everyone just fine. "

This mentality no longer surprises me but never ceases to be aggravating. They for some reason decide to purchase a vector supercomputer that they never use because using it costs money. (facepalm) Why can't people making these expensive decisions make beneficial expensive decisions...

"Eventually I thought this is stupid so I wrote a virus of sorts that corrupted job time logging software and returned the Null job indicator whenever my program was running. "

Nice hack. :) I'm jealous as I never got to use a Cray in my time dealing with supercomputing. On related note, I think certain HPC techniques hold some potential for cloud or virtualization type security that have been untapped so far. Here's a few things I noticed from my old studies.

1. IBM mainframes give strong hardware separation with LPAR's and their [presumably weaker] PowerVM software separation for within LPAR's. These options can be mixed to a desired tradeoff. This trick should be doable within a suitably designed desktop or server that's non-IBM.

2. I've often said a dedicated chip for each system function with easy management & fast communication would be better than software security. People have a hard time wrapping their head around it. Funny thing is Massively Parallel Processing systems were most of the way there: 128 to several thousand independent nodes; low-latency, high speed interconnect; fault isolation; management nodes can can move work around; single system image; on certain machines a restricted OS for compute nodes (eg Cellular IRIX).

3. Many secure OS designs used forms of memory-based security. However, they ran on systems with little memory and the best strategy for IO was using dedicated external device for most of it. NUMA machines have global shared RAM and dedicated nodes for different functions (compute vs IO). Just imagine combining a high assurance separation/security kernel, global address space w/ crossbar switch, MMU/IOMMU, security-enhanced NUMA nodes, etc.

4. SGI's NUMA machines showed that FPGA's can be integrated directly into global address space & seemlessly directed by regular nodes. Many ultra-secure, bottom-up designs are currently prototyped onto FPGA's. These range from object processors all the way to secure monitoring coprocessors. One objection to some of those techs is that there's only a tiny bit of chip real estate in a desktop or whatever meaning one must pick and choose functionality. Yet, NUMA machines are *designed* to be vertically expanded with many chips. And they have been used for desktop and server virtualization.

I just keep looking at the supercomputing field, particularly 1990's to early 2000's, seeing so many possibilities for using their developments for security. Category 4 has nearly endless combinations for instance. Aside from FPGA issues, it might be my best idea yet for implementing software security w/ diverse techniques/components. Yet, I've seen almost no academic and commercial uptake to this idea outside of IBM's System Z. And, of course, it barely compares to some stuff in points 2-4 and has legacy mainframe weaknesses.

Your thoughts on any of this?

WaelNovember 9, 2013 3:35 PM

@ Clive Robinson,
I would have skipped the filter code and just checked the attack vector. I forgot to mention that those motherboards had built in speakers with a higher frequency response, unlike the magnetic type external ones. By the way, what range did get? And how high was the sound?

BryanNovember 9, 2013 7:10 PM

@Clive Robinson
You beat me to it. I was thinking of modifying a ROM on a PCI ethernet card and have it take control of the sound system to output varying tones while Debian runs.

@Nick P

...I think the main takeaway, though, is that it's 2013...

Not a problem at all. VESA BIOS extensions data back to before then. The soundcard one was formalized in '94.

RobertTNovember 9, 2013 8:59 PM

I dont get it, what's not doable.

Audio Comms is definitely doable, heck its how we send messages to submarines. There are definite throughput limitations on the acoustic channel, created by the response characteristics of speakers and microphones and the room reverberation, but I didn't see any suggestion that this was a high bandwidth channel. It's a side channel through which very small amounts of data associated with system configuration seem to flow forwards, I dont remember any comment on what possible information flows back, the only claim was that the packets were encrypted (which is a claim I dont really know what to make of)

If I understand the claims correctly, even a 1bps Audio channel would be adequate (Skeptics: Is this acceptable ?) if not please specify a minimum channel throughput rate and provide some reasoning for this minimum)

As I've said before, there does not seem to be a need to simultaneously corrupt all possible OS's with one Virus, Once you infect the Internet connected host, where the USB is regularly used, you can try a different virus load targeting a different OS each time.

So we know Acoustic comms is possible (heck its how we talk to each other)

We know USB sticks can be used as a virus transmission vector for infecting isolated systems with different OS types (Windoze to Siemens PLC OS)

We know that PC support device firmware can contain some unknown / unknowable elements.

We've seen viruses in the past that disable certain features like the CD drive because it make it harder for admin to use a liveCD to check for possible rootkits.

I'm obviously missing something here:
What element of the #badbios claim is not technically possible?

Sure the combination of tactics is unusual, it definitely makes me wonder what is so special about his setup that it is attracting this sort of attention. I seriously doubt the data on the isolate computer is the real target. I'd guess his local network, for some unknown reason, looks similar to the real target network. Since we have no idea what the real target is, it is hard to know what precautions the virus writers might have taken to avoid discovery and limit viruses spread.

Why hasn't he shared this with other researchers and Anti-virus companies? that's a good question. I'm guessing it is difficult to reproduce the infection. If he takes an infected USB to a friends house and nothing happens, that just tells me that whatever steps were taken to limit the viruses spread are working perfectly.

Bottom Line: IMHO It's all possible, but its definitely not the work of script kiddies regardless of how talented they think themselves.


Clive RobinsonNovember 11, 2013 4:10 AM

@ Nick P,

Yes it was old hardware but it's what I had in the junk box that required no "physical" modification, and that I had full development data that I'd signed an NDA for years ago.

PCI and more modern sound cards have two problems on this front, no development data on the internal ARM / MIPS / etc CPU core and ROMs that are surface mount. A secondary effect of this is Pb-Free solder issues the lead gets replaced by silver etc which have higher melting temps, pluss it pulls the copper of the much finer PCB which limits the number of re-works to around three.

This experment was "quick and dirty" making minimal changes to a copy of code I already had on floppy discs in the safe from the previous "set-top" development.

The main point behind it was not making a sound channel work --we know that works already-- but showing that you did not have to change or add code on an existing motherboard BIOS ROM or importantly to the OS on the HD, just put the sound card in...

If you like to put it another way I was showing that Ruiu is "barking up the wrong tree" talking about a BadBIOS, it's not the motherboard BIOS or the OS HD that have got malware on them it's tucked away on another bit of semi-mutable memory. It's an attack vector that you and I have talked about intermitantly for many years and it's one that has likewise been ignored by the industry for years.

Also it may be a way around the Fritz chip and successor TPM systems that try to unrealisticaly enforce DRM I need to get more uptodate info to investigate if you can end run these TPM systems. I suspect you can by subverting an existing channel mechanism, that is you modify the "hidden CPU" code on an IO card to stuff illicit data into an existing approved channel in the right format. An end user supplied app then grabs the other end of this channel and transcodes the illicit data and sends it on to disk or whatever in an alowable format.

@ Wael,

I only implemented a very simple sound channel, I did not in any way optomise it, nobody is paying me to do it and I do have other "non payed time" activities including such mundane things as "house work". I used 1KHz simply because it's in the middle of the "age weighted" audio band. I don't currently have an external audio analyser I got rid of it when I stopped doing telephone development. But the channel worked across the room with ordinary moving coil speakers at a level that you could comfortably hold a conversation over (I know this because at one point I had the mobile phone tucked between my ear and sholder chatting to a friend who had phoned me whilst I was playing with the setup).

@ Bryan,

I got one of those self induced head smack moments when I read your "PCI ethernet card" comment... yup whilst they are not quite "a dollar a bucket full" they are cheap and easily available so wrecking one during test/development is not an issue.

As for the VESA extentions yes they do go back a long way, whilst digging in the junk box I actuall found a VESA Local Bus RAID card, it cost a fortune when I got it, now it's at best of historic interest only (for those reading along who are in their thirties or less who have never heard of or seen VLB have a look at http://en.m.wikipedia.org/wiki/VESA_Local_Bus ).

However the two books I draged out of my dead tree cave are as old... One even talks about interfacing to the casset motor BIOS routiens in a very serious way, and yes in my dotage I'd forgoton the Debug commands for calculating a Device ROM check sum :-)

@ Robert T,

As far as I'm concerned it's all possible, but more importantly explainable including the bits Ruiu is getting hung up on. I can also see clearly how he arived at various assumptions like BIOS & SDR (I also "feel his pain" on not having the right test kit on hand I've been there a few times myself).

But after a little thought I can even think of not just why the authorities might drop this on him but how. He's not the target but his position as a conferance organiser makes him a usefull step in the chain to people the authorities might otherwise not be able to get at.

I certainly would target any computer that the likes of proffesional Black Hats might put their USB thumb drives in to upload their presentations. The chances are they will do a bit of poor OpSec and put it back into their own laptop later and thus step back up the line when they use that laptop to build a new presentation which they use another thumb drive to get screen dumps and data of their development machines etc...

Good opsec like good bio-control in a germ lad are very difficult to do right all day and every day year in and year out. And level 3 adversaries are generally very patient you only have to read up on Project VENONA to see that.

StephanNovember 11, 2013 4:19 AM

As outlined several times before, and specifically by @RobertT, there's no doubt about the audio air-gapping. More details about this issue will be, by the way, released by two collegues of mine, working at the Fraunhofer Institute for Communication, Information Processing and Ergonomics, in the upcoming November edition of the Journal Of Communication - dubbed "On Covert Acoustical Mesh Networks In Air".

On the other hand, I don't have the in-deep knowledge on the BIOS-side. But, even if Phillip Jaenke is right in all his points, that's no proof that there's no threat at all! It rather, in the first instance, means, that Drogos interpretation of the issues he (and his team) recognized, monitored and analyzed is not completeley true.

Dragos has shown he has sufficient operational security to research another 12-24 months on this one. We don’t need to know now, now, or now. We gain nothing by trashing his name neither. So that's about that for now, I'm afraid - it's a question that can not be answered by a single person and not right now.

snortNovember 12, 2013 7:42 AM

is this
https://forums.comodo.com/general-security-questions-and-comments/is-this-real-or-bogus-and-paranoia-gpubasedparavirtualizationrootkit-t93778.0.html

http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html

the same thing ?

what if drago is looking in the wrong place ?

what if he got a variant of this malware paravirtulization if you looked at the both malware
it could be plausible ???

anyway in the end this is no work of a kid
who could be behind such strange attack ? NSA ?

BTW the virtulization rootkit exists " Blue Pill "
for example

Mike the goatNovember 12, 2013 8:18 AM

Snort: as much as I like the guy I believe Dragos has been truly stumped by this. I don't want this to sound like a personal attack as I have been vocal in his defense for the last few weeks - especially those who claim that it was impossible to have an audio mesh (news flash: it's not and PoCs exist).

The dumped BIOS's are essentially the same except one has a Thawte certificate attached. This isn't necessarily evil though - as the cert might be dropped when the BIOS is flashed (ie the flashing tool uses it for code signing then strips it). You'd see a hell of a lot more modification than a few kB for a bootkit of the capability he has described, even for the scenario where a basic component was appended (in the same way Mebrombi did it - by using the OEM's tool to dump the current ROM to a file, add the evil code as a component and then flash the new file) that just performed a "persistence" function by injecting a dropper - perhaps by using a bit of NTFS aware code ala Computrace to replace a file that is read by Windows on boot with the evil code that will download the full kit from the Internet.

So if we assume that Dragos is dumping the BIOS correctly then we have to rule out the actual BIOS flash itself as the "hiding" spot of the malware. This of course assumes that he isn't in some kind of virtualized environment - in which case the evil hypervisor could make his flash dumping tool return whatever it wanted.

My theory at this point is that if there is code executing at boot time as Dragos suggests /and/ the BIOS dumps are clean then the next thing that should be considered are the option ROMs of all bus connected devices, which as Clive pointed out are dutifully executed by the BIOS at startup (example PXE client from your Ethernet card, RAID controller status screen given by a PCIe RAID controller, etc). So you could suspect the video card (distinct possibility), Ethernet basically everything that has a flashable firmware where we could modify what gets executed at boot.

The second precondition is that Dragos said that the malware communicates via audio. By far the easiest way to do this would be to do it in userland within Windows as you avoid becoming dependent on specific audio hardware as the abstraction layer of Windows audio APIs handles all that for you. I realize he mentioned that the /infection/ process worked under any OS but as far as I know the audio behavior was seen only under Windows. It is conceivable that it is occurring directly in the audio card firmware but it seems like you are really narrowing down on the hardware your malware can execute on.

As time goes by and other researchers find nothing untoward I am becoming increasingly skeptical that what we will find will necessarily correlate with what Dragos thinks we will find. I hope for his sake that his claims at least mesh somewhat with what can be proven or reproduced. It seems that at least one of his spectograms released is strongly suspected to be noise from a switching regulator. In one of his tweets he laments about dumps being changed when he exports them from the infected machine. One would assume if things like this were occuring a $100 digital camera would be a good way to document it.

Mike the goatNovember 12, 2013 8:27 AM

Snort: sorry hit submit prematurely.

Regarding Blue pill and virtualization style rootkits. No doubt when these things are perfected they will become a very interesting new threat. It is entirely possible that Dragos could have something ofnthis type on his hands (and would explain a lot of the supposed behaviors), then again it is equally probable he doesn't.

This is the problem - we haven't seen enough data. Everything that has been uploaded as "proof" has been famously inconclusive. If the guy didn't have some cred as an event organizer for Pwn2own a lot of people wouldn't have taken him seriously. He has our attention now, and no doubt everyone at PacSec last week would have been volunteering their assistance. I think this is why a lot of people are getting upset - responses like "if this were my PC I would have desoldered every damn flash chip for analysis" are common. And they've got a point. There are many ways you could either confirm or refute his hypotheses, and yet here we are three years later. He doesn't have the excuse that many have - knowing many in the security industry as part of his job as an event organizer - coordination of some serious analysis should have been trivial.

If I were in Dragos' shoes I would have kept silent and worked with a trusted team of researchers in concert to fully elucidate the threat - hell, at least produce enough evidence to positively confirm infection - before disclosing anything. He didn't do this, and if the negative reaction is anything to go by, he probably wishes he didn't play it this way.

Anyway - I truly hope we have a new and exciting piece of "stuxnet" grade government malware to analyze. While what he speaks of is all technically possible I am not seeing any evidence, and at this point my initial excitement is drying up and turning to suspicion.


IvesNovember 12, 2013 5:03 PM

Well, I always read - the bios has been dumped - but I miss the part where the extension bios images are in the game? Maybe they are part of the bios dump but I doubt they may not - which may explain why the bios itself is/looks clean but the computer may be still infected.

About the sonic communication I'm unsure but for the infected bios part - I would place code within the extension bios images. Within older bioses it is nearly a trivia to write an extension bios image place it in some eeprom/flash and the bios will call those images (it must comply to some extension bios header requirementes - defined within isa/pci extension bios standards - match some hardware ids and some checksums) during system initialisation - depending on the eeprom/flash sizes and used code-packers quite some code could be placed there - usually at least 64k if the eeprom/flash is not used, as was the case for intel eepro 100 around year 2000 - we abused that for some fancy stuff back then -> therefore I know you can place code there that does whatever you want - at least before the os comes up, which was sufficient for our use case.
Never tried to keep that code alive after os start - therefore won't comment that - but it would explain why it doesn't matter - what os runs later on... as such code gets initiated simply before - and thats default behavior of a bios - no magic at those parts at least...

there are questions if the code survives the os startup later on but that may be achiveable - nontheless the pre execution rom/ram mappings are declared explicitly volatile by the standard, if I remember correctly but - well... doesn't mean it's impossible.

so getting code called by the bios not within the bios is possible and its really easy - at least with bios - don't know about uefi/efi as I don't know the standard - but if not much changed - it may be as easy as before (beside the signature stuff - that would make it a little bit harder most probably)

IvesNovember 12, 2013 5:09 PM

I admit, I didn't read all the comments before, just to realize the previous posts mentioned the extension bios stuff already. I also would suggest to take very close look on that site - as this is an easy to go way without even touching the bios itself.

Sorry for that ;).

Mike the goatNovember 14, 2013 6:01 AM

Ives: no problems, you're absolutely right the extension code that resides in peripherals (e.g. Ethernet card boot ROM for PXE boots, video card, RAID consistency check code from the RAID card) is indeed loaded by the BIOS at startup and wouldn't reveal itself in a BIOS dump. I think this is the most likely scenario.

David DilworthNovember 15, 2013 10:43 AM

You’ve got to be kidding me!

Is no one here over 30 years old?

For the skeptical theorizers -- Have you never heard of acoustic modems? sometimes called acoustic couplers?

That well-worn technology has been available for at least four decades. Adapting it up to do Bios updates, or anything else is not at all difficult - just darn clever.

WaelNovember 15, 2013 11:22 AM

@ David Dilworth

Have you never heard of acoustic modems?
Acoustic whaaaa?
That well-worn technology has been available for at least four decades
From one "skeptical theorizer": Have you understood the aspects I was "questioning?" Did all "skeptical theorizers" contest the same thing? Don't take one comment and peanut-butter it all over the place, and that's especially true when your comment has been answered several times on this thread. The main question relating to acoustic communications in this claim was: Is the frequency response (transfer function) of the cheap speaker/mic used in PC's or laptops suitable for ultrasonic communications, and if so, how was did it manage to remain persistent after cleaning the system.
That well-worn technology has been available for at least four decades. Adapting it up to do Bios updates, or anything else is not at all difficult - just darn clever
Actually, it is difficult. And I did BIOS code development. Besides, the current consensus is the BIOS was not updated -- it was more likely an Option ROM rogue. All is still speculation, because the guy didn't give enough info.
Is no one here over 30 years old?
I'll take that to be a rhetoric question, since most of us know @Clive Robinson is 730 years old ;) (in encyclopedic-knowledge-accumulation years)

AtomicNovember 15, 2013 7:05 PM

You all forget the possibility of BIOS motherboard battery as last source. and I dont need pc speaker to send UHF, only a flip flop cycle program in one ic pin with diode attached. afterall the crytal clock is Mhz. S+up1d geek...:>

seriously ou all need redesign your college paper to design microcontroller.

Saint CrustyNovember 20, 2013 2:27 PM

@Mike the goat: Thanks for that post. As a senior in ICT i'm overwhelmed with the flood of 'experts' below thirty these days. Not to say i'm stumped by what some experts above thirty dare to state.

Not that am much older than able to state i started in the late nineties. Firewalls, Intrusion Detection, Encryption, Hardening, Switches, Ajax ... most of that was "fresh from the drawing boards" some technologies more than others, but that was the general idea. It was the introduction of genuine "power" in the industry of information technology.

On top of that i've been ever stumped as around that time there were articles ( based on scientific research ) stating it had been proven the x86 architecture could not ever be assumed to be secure. Secure as in, not flipping one bit of information without knowing why. While most vendors of these spanking new toys claimed the exact opposite, security is feasible.

Then came the malware, mostly called "a virus" back then. And with it the proof as well as speculation on what was secure ( or insecure ) and what was not. I learned a lot back then, for sure. But I've also had people proclaim complete nonsense ( basics countered by 'expert claims') and get away with it ever since. Get away with it because they offered "manageable solutions" while the justified criticism they received was often determined as "unfair", corporations seem allergic to criticism as solutions are manageable thus beneficial.

However, i perceive Dragos as a reputable researcher and consider what he's describing as certainly viable ( imho: The audio is merely to exchange commands and keep-alives, a c&c channel ( swarm intelligence so to speak ) as it could well be controlled by the simplest devices such as robotic flies etc )

I believe Software Defined Networking might be part of this puzzle. ( i don't want to think of what as possible popularisation of reprogammable processors could mean for security researchers )

It is indeed most disturbing most of the information regarding this "BadBIOS" miracle is fragmented all over the internet. I don't know for how long dragostech.com is down but it's been a while.

It is not even discussed on VRT, so let's assume this is a stunt of some kind. Every aspect of this type of supermalware however is plausible. Why would it not be real ? Is it not and has it not mostly been a playground for ultra-smart people and other power players ?

Just stumbled across this one, is all this really just driven by media ?

http://rt.com/news/airgap-jumping-virus-navy-012/


Avat4rNovember 21, 2013 11:45 AM

You guys are all working under the assumption that you know what hardware is actually present in your boards... you do not. Even if it was physically hard to break into and modify the output of a hardware factory (note: it is not, nothing more than a few doors and people, who are fooled more easily than the doors) what would stop a state sponsored intervention, to allow such hardware to exist without your knowledge?

Bearing in mind the smallest possible graphene RF transceivers are no more than a few atoms in length... would you know?

RonnieDecember 2, 2013 4:19 PM

Proof of concept developed

http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/
Scientist-developed malware covertly jumps air gaps using inaudible sound

Computer scientists have developed malware that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.
...
The new research neither confirms nor disproves Dragos Ruiu's claims of the so-called badBIOS infections, but it does show that high-frequency networking is easily within the grasp of today's malware.

JohnDecember 3, 2013 11:27 PM

HW Developers should (have to) implement a HW-Switch (i.e. a simple jumper) to disable/enable Firmware-flashing! This could not be overridden by Software.
Disable flashing by HW - Problem solved, easy and effective.

honeyDecember 4, 2013 1:32 PM

I agree with "Brandioch Conner".

Additionally:
I rly do not have faith in the credibility of Dragos Ruiu or his research.

ElmoDecember 5, 2013 4:20 PM

I've taken a standard PC, freeware Audacity, and manually generated both Morse Code and Binary data in a simple .wav file using 20kHz - 22kHz "sound" with some fade in/fade out to clean up 'tics'. When played you cannot hear it (the dog goes nuts though). I then used my iPhone and a sound spectrum analyzer (free app) and monitored the inaudible frequencies. BINGO... A partition type virus combined with modem type software (but modified to use inaudible sound) could easily perform communication between PCs. Sound itself cannot infect a PC so if a standalone PC was not infected by a USB Device virus then the original install media, the original operating system or a utility used on the hard drive was infected.

JoeJanuary 7, 2014 7:45 PM

Sounds a bit like 'SCP-1198'. A science-fiction virus that can infect through airgaps without any previous malware installed to listen for it. It's 'interesting' that no one's able to just walk into his lab and duplicate the behavior on other computers. BS called and collecting the pot unless this challenge is met.

Seriously though, with ever-reducing costs of adding a microcontroller to every chip in a system, in theory you could have backdoors that are enabled by specific patterns of sounds. This is in the realm of conspiracy theories right now, but is trivial to implement. Now that people are thinking openly about it, I can imagine it being added silently (or even openly) not just for espionage but for Cinavia/Macrovision functionality. It's not like it would take much bandwidth over Gb/s busses, to send 50b/s of extra data. Think of that as a tiny wedge which can then go to the Internet to download a full payload. Even with just audio you could have several KB of code in a few minutes, which is plenty to run a downloader. Technically, you don't even need the Internet if you have enough time. If you've ever reflashed a WRT54G or used (Gameboy/DS) Flash carts, you probably know where I'm going with this. Chips now have hardware debuggers that can flip bits on pins.

What isn't mere speculation is that scanners and copiers ALREADY have code to detect money. There is probably some trivially simple algorithm that takes very little transistors for this. I'm thinking something hidden in the frequency domain picked up by shift registers. Of course, it could just be some shoddy implementation like a firmware module. ;) As the US SS isn't exactly talking about it, who knows how it works... We just know that you can deliberately disable some machines with a common 20-dollar bill. Also, yellow dots to identify counterfeiters (and data leakers AKA whistleblowers) are well-known among techies.

If it ever turns out that a brand of hardware has compromised firmware out of the factory for this purpose, I imagine I'd be wanting to dump/margin call that stock ASAP when discovering it. But that would be wrong to do insider trading. Yep, no one's ever done that!

David JoyceJanuary 15, 2014 3:17 PM

OK everyone, read the NYT story this morning ("N.S.A. Devises Radio Pathway Into Computers"), then re-read the entire blog. Clarify your understanding of Ruiu's credibility (it's still intact) the audio issue (the suggested communication is possible), the implied cost and scope of this issue (NSA's recently exposed activities, and decades of its $40b/yr budget), etc., etc.,
Would they do this if they could?
Lord Acton answered this in 1887, "Power corrupts; absolute power corrupts absolutely"

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..