badBIOS: airgap-jumping malware that may use ultrasonic networking to communicate

Security researcher Dragos Ruiu has been painstakingly untangling a weird, scary piece of malicious software that compromises the BIOS of the computers it attacks, which lets it survive on machines running different operating systems. He's dubbed it "badBIOS" and has seen it infect machines that aren't connected to the Internet. Its initial vector appears to be a USB exploit, spreading by memory stick; after that, it appears to keep communicating with other infected machines by ultrasonic networking through its hosts' mics and speakers (!). On Ars Technica, Dan Goodin has a deep dive into the strange, freaky world of badBIOS.

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps [Dan Goodin/Ars Technica]
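
The mechanism the excerpt describes, data carried between a speaker and a microphone at frequencies most adults cannot hear, is easy to demonstrate in isolation. What follows is an added example written for this page; it is not badBIOS, not anything from Ruiu's investigation, and not Ars Technica's code. It is a toy binary-FSK modem (one tone per bit value, decoded with the Goertzel single-bin DFT) together with the check a responder would want before pulling hardware the way Ruiu did: a per-window measure of how much of a recording's energy sits in the near-ultrasonic band. The sample rate, the two tone frequencies, the symbol rate and the 17 to 20 kHz band are assumptions about ordinary laptop audio hardware; the payload, the noise and the 1 kHz stand-in for speech are constructed.

```python
"""
Toy near-ultrasonic FSK modem plus a band-energy detector.

Added illustration of the mechanism described in the article; it is NOT
badBIOS and NOT Ruiu's tooling. Tone frequencies, symbol rate and the
17-20 kHz band are assumptions about what ordinary laptop speakers and
mics reproduce and capture. A real link would also need a preamble,
clock recovery and error correction, all omitted here.
"""
import math
import random

SAMPLE_RATE = 44100        # Hz; common sound-card default (assumption)
F0, F1 = 18000.0, 19500.0  # tone for bit 0 / bit 1, above most adults' hearing
SYMBOL_LEN = 441           # samples per bit = 10 ms, i.e. 100 bit/s
BAND = (17000.0, 20000.0)  # band the detector watches (assumption)


def goertzel_power(window, freq):
    """Power of `window` at `freq`: one DFT bin via the Goertzel recurrence."""
    w = 2.0 * math.pi * freq / SAMPLE_RATE
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in window:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def modulate(data, amplitude=0.5):
    """Binary FSK: each bit, MSB first, becomes SYMBOL_LEN samples of F0 or F1."""
    samples = []
    for byte in data:
        for i in range(7, -1, -1):
            freq = F1 if (byte >> i) & 1 else F0
            for n in range(SYMBOL_LEN):
                samples.append(amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def demodulate(samples):
    """Recover bytes: in each symbol window the stronger of the two tones wins.
    Assumes the capture starts on a symbol boundary (no preamble/sync here)."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_LEN + 1, SYMBOL_LEN):
        window = samples[start:start + SYMBOL_LEN]
        bits.append(1 if goertzel_power(window, F1) > goertzel_power(window, F0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def add_noise(samples, sigma, seed=1):
    """Deterministic white Gaussian noise standing in for room and mic noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def ultrasonic_fraction(window):
    """Fraction of the window's energy inside BAND (0.0 .. 1.0).
    Parseval: sum over all DFT bins of |X[k]|^2 == N * sum(x^2); the bins above
    Nyquist mirror the ones below, hence the factor 2."""
    n = len(window)
    total = n * sum(x * x for x in window)
    if total == 0.0:
        return 0.0
    k_lo = math.ceil(BAND[0] * n / SAMPLE_RATE)
    k_hi = math.floor(BAND[1] * n / SAMPLE_RATE)
    band = sum(goertzel_power(window, k * SAMPLE_RATE / n) for k in range(k_lo, k_hi + 1))
    return min(1.0, 2.0 * band / total)


def flag_windows(samples, threshold=0.5):
    """Detector: indices of SYMBOL_LEN windows dominated by near-ultrasonic energy."""
    hits = []
    for idx, start in enumerate(range(0, len(samples) - SYMBOL_LEN + 1, SYMBOL_LEN)):
        if ultrasonic_fraction(samples[start:start + SYMBOL_LEN]) > threshold:
            hits.append(idx)
    return hits


def demo():
    """Constructed end-to-end run: noisy covert link vs. an audible 1 kHz tone."""
    msg = b"ping"                                    # constructed payload
    noisy = add_noise(modulate(msg), sigma=0.2)
    speech = [0.5 * math.sin(2 * math.pi * 1000 * n / SAMPLE_RATE)
              for n in range(len(noisy))]           # constructed stand-in for speech
    return demodulate(noisy), flag_windows(noisy), flag_windows(speech)


if __name__ == "__main__":
    recovered, covert_hits, speech_hits = demo()
    print("recovered:", recovered)
    print("covert windows flagged:", len(covert_hits), "of 32")
    print("speech windows flagged:", len(speech_hits))
```

Fed a microphone capture instead of the constructed samples, `ultrasonic_fraction` over 10 ms windows is a far cheaper first check than unplugging speakers and mics: a room with no acoustic link shows near-zero fractions, while sustained energy in the band is something to investigate. It says nothing about what is transmitting, and a transmitter using different tones, a wider band or spread-spectrum modulation would need the band and threshold adjusted.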

Notable Replies

  1. rider says:

    It's Halloween, not April Fools' Day.

    I don't buy this for a second. If it's real let him do a public demo.

  2. If this bug is even partway as interesting as described, it'd be trivially worth the cost of tearing apart the affected systems and dumping every last chip with rewriteable persistent state. Any number of parties (both malicious and not) would be fascinated to have a look at that, and the vendors would know what the state ought to look like.

  3. This sounds like a plot made up by idiot TV writers. Well, except it uses words that kind of make sense.

  4. Spocko says:

    God I'm old. I remember putting an AT&T phone (square receiver head and smaller microphone mouthpiece) into a standard 300 baud acoustic coupled modem while trying to send an email. It was late at night in the office. The text was showing up on the screen while I was sending it, then getting garbled. I couldn't figure out why. Then I realized that the sound of the woman vacuuming the rug was getting picked up and translated into characters on the screen. I had her turn off the vacuum so I could send my email. Good times.

  5. Mine sound like an airplane taking off.

    Here in the Living Museum of Vacuum Cleaner Technology (which is just upstairs from the Museum of Water Heater Technology, aka my basement) we find that the two Dysons we have are noticeably quieter than the Kirby Heritage II and noticeably louder than Alphonse and Gaston (our iRobot branded kitten distribution devices). I'd say it's about the same as the Hoover Satellite, which unfortunately my mother gave away at some point so I can't confirm that.

    I can't hold a conversation with any of these things running unless I shout, so I consider them all noisy.

    If I find any ultrasonic malware I'm installing it in Gaston immediately.
