Dragos Ruiu is a reputable security researcher. He organizes PacSec, a security conference held in Tokyo, and CanSecWest, a security conference in Vancouver, British Columbia. At both conferences he runs a contest called Pwn2Own, which pays out tens of thousands of dollars to security researchers who can find vulnerabilities in systems like iOS and Android as well as security holes in Web browsers. When Dragos Ruiu says he has found a new piece of malware, most people believe he is onto something.
Three years ago, Ruiu was installing a fresh copy of OS X onto his MacBook Air. The computer spontaneously started updating the firmware it boots from. Ruiu shut it down and tried to boot from a CD-ROM, but the machine would only boot from its own hard drive. Ruiu never said whether he had Mac antivirus software on the computer, but he did notice that it began undoing configuration changes and deleting data without prompting. Ruiu believes he has discovered a mysterious piece of malware that he calls badBIOS. Other researchers suspect he is making it all up.
When Firmware Goes Bad
In the early days of personal computers, the BIOS was burned into a ROM chip and could only be changed by swapping the chip. Now the BIOS lives in flash memory and can be rewritten in place by re-flashing, which is exactly what makes a persistent firmware implant possible. The more Ruiu watched his computers, the more he suspected that a piece of malware was tampering with his firmware. The BIOS interference was just one of the strange happenings in Ruiu's laboratory.
For example, Ruiu saw a computer with IPv6 disabled transmitting packets using that protocol. He also found his machines transmitting encrypted data even when disconnected from network and power cables and with their Wi-Fi and Bluetooth cards removed. The odd occurrences spread from his MacBook to Windows and Linux computers. The strange transmissions only stopped when he disconnected the motherboard speaker, the external speaker and the microphone from all of the computers.
Into Thin Air
Dragos Ruiu suspected that his computers were using ultrasonic sound, sent through the speakers and picked up by the microphones, to pass messages to one another even when no network cable connected them. He claimed that he and his crew had been picking up a mysterious high-frequency signal for months without knowing what was causing it.
Ruiu re-flashed a Windows computer, installed a fresh hard drive and began editing the registry. According to Ruiu, the registry editor suddenly became disabled, which suggested to him that badBIOS carried a hypervisor able to survive reboots and even re-flashes. He concluded that the infected computers could somehow reprogram USB controllers and use them to re-infect a system even after it had been wiped.
Real or Unreal?
Everything that Dragos Ruiu described could feasibly happen. Let’s break down Ruiu’s assertions:
- Ultrasonic communication. Ordinary PC audio hardware samples at 44.1 or 48 kHz, so a laptop speaker and microphone can carry frequencies up to roughly 22 to 24 kHz, and the band above about 20 kHz is inaudible to most adults. Malware could high-pass the channel to keep only that band and modulate a low-bit-rate signal onto it (frequency-shift keying is the simplest choice) using nothing more than basic digital signal processing. Such a link is slow and short-range, but it needs no network hardware at all.
- Covert IPv6 communications. Turning IPv6 off in the operating system only stops the OS's own stack from using it. Code running beside or below that stack, such as a process with raw-socket access, a hypervisor, or firmware on the network controller, can still put IPv6 frames (EtherType 0x86DD) on the wire, and IPv6 can also be tunnelled inside ordinary IPv4 traffic (IP protocol 41, or Teredo over UDP). Either way the host appears to speak a protocol it was never configured for. The place to look for this is a mirror port on the switch, not the suspect host, whose own tools may be lying.
- Firmware contamination. Ruiu has mostly discussed the system BIOS flash, but firmware implants can live in many other components that carry their own rewritable flash and microcontroller: the webcam, the disk drive, the trackpad, the keyboard, the Ethernet controller, the graphics processor and the SD card reader. Even when these parts come from different vendors, a handful of companies supply the flash memory and microcontrollers inside them, so one payload written for a common controller family could infect several devices in the same machine.
- USB infection. BadUSB, presented in 2014, exploits the fact that many USB controller chips accept unsigned firmware updates over the USB connection itself, so a thumb drive can be reprogrammed to present itself as, say, a keyboard and type commands. Malware scanners read the storage, not the controller firmware, so malicious code there is practically impossible to detect or remove from the host side. The practical defence is policy rather than scanning: allowlist USB devices by class and identity (USBGuard on Linux, for example) and treat any unknown device as hostile.
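To make the first point concrete, here is an added example, not code from the original article and not anything Ruiu published, of a binary FSK modem that keeps all of its energy above 20 kHz at a 48 kHz sample rate, demodulates with a per-symbol Goertzel filter on each tone, and still decodes through a loud 1 kHz tone plus white noise injected as a constructed channel model. The frequencies, baud rate and amplitudes are arbitrary choices, not parameters from any real implant. It runs in pure Python with no audio hardware; playing the samples through a sound card would need an audio library that is not shown here.

```python
import math
import random

SAMPLE_RATE = 48_000                  # typical PC codec rate; Nyquist at 24 kHz
F_MARK, F_SPACE = 21_500.0, 20_500.0  # both above ~20 kHz (assumed, arbitrary)
BAUD = 100                            # 100 bit/s keeps each symbol on an exact DFT bin
SYMBOL_SAMPLES = SAMPLE_RATE // BAUD  # 480 samples per bit


def modulate(data: bytes, amplitude: float = 0.3) -> list:
    """Binary FSK: each bit becomes SYMBOL_SAMPLES samples of one pure tone.
    Phase is kept continuous across symbols so there are no clicks, which
    would splatter energy down into the audible band."""
    samples, phase = [], 0.0
    for byte in data:
        for i in range(8):
            bit = (byte >> (7 - i)) & 1
            step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
            for _ in range(SYMBOL_SAMPLES):
                samples.append(amplitude * math.sin(phase))
                phase += step
    return samples


def goertzel_power(block, freq: float) -> float:
    """Power in one DFT bin (Goertzel algorithm): a single-frequency detector
    cheap enough to run per symbol on any microcontroller or host."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def demodulate(samples) -> bytes:
    """Decide each symbol by comparing power at the mark and space tones."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        block = samples[start:start + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(block, F_MARK) > goertzel_power(block, F_SPACE) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def audible_leakage(samples) -> float:
    """Largest power found on 1 kHz .. 19 kHz bins of the first symbol; shows
    the transmitted signal carries nothing in the range a person would hear."""
    block = samples[:SYMBOL_SAMPLES]
    return max(goertzel_power(block, f) for f in range(1_000, 20_000, 1_000))


def add_audible_interference(samples, seed: int = 1) -> list:
    """Constructed channel model: a loud 1 kHz tone (speech/music band) plus
    white noise. Neither lands on the 20.5/21.5 kHz detector bins."""
    rng = random.Random(seed)
    return [x + 0.5 * math.sin(2 * math.pi * 1_000 * n / SAMPLE_RATE) + rng.gauss(0, 0.05)
            for n, x in enumerate(samples)]


def roundtrip(payload: bytes) -> bytes:
    """Encode, push through the noisy audible-band channel, decode."""
    return demodulate(add_audible_interference(modulate(payload)))


if __name__ == "__main__":
    msg = b"badBIOS"
    print("decoded:", roundtrip(msg))
    print("leakage below 20 kHz:", audible_leakage(modulate(msg)))
```

The symbol length is chosen so that every tone, and the 1 kHz interferer, falls exactly on a DFT bin of the 480-sample block; with a real microphone you would add a preamble for symbol timing and a high-pass filter in front of the detector, neither of which changes the principle shown here.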
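For the second point, an added example, again not from the article, of the switch-side check a practitioner would run: parse raw Ethernet frames and flag any host outside a small allowlist that emits native IPv6 or IPv6 tunnelled inside IPv4 (protocol 41 or Teredo on UDP port 3544). The frames, MAC addresses and IP addresses below are constructed for the example, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41      # IPv6 carried directly inside IPv4 (6in4, 6to4)
TEREDO_PORT = 3544     # Teredo carries IPv6 inside IPv4 UDP


@dataclass
class Finding:
    src_mac: str
    reason: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame: bytes, ipv6_allowed: Set[str]) -> Optional[Finding]:
    """Return a Finding if the frame carries IPv6, natively or tunnelled, from a
    source MAC that is not on the allowlist of hosts expected to speak IPv6."""
    if len(frame) < 14:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    src_mac, payload = mac_str(src), frame[14:]
    if src_mac in ipv6_allowed:
        return None
    if ethertype == ETHERTYPE_IPV6:
        return Finding(src_mac, "native IPv6 frame (EtherType 0x86DD)")
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4      # IPv4 header length in bytes
        proto = payload[9]
        if proto == IPPROTO_IPV6:
            return Finding(src_mac, "IPv6-in-IPv4 tunnel (IP protocol 41)")
        if proto == IPPROTO_UDP and len(payload) >= ihl + 8:
            sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
            if TEREDO_PORT in (sport, dport):
                return Finding(src_mac, "Teredo tunnel (UDP port 3544)")
    return None


def scan(frames, ipv6_allowed: Set[str]) -> List[Finding]:
    return [f for f in (classify_frame(fr, ipv6_allowed) for fr in frames) if f]


# --- constructed sample frames (not captured traffic) ---
def eth(src_mac: str, ethertype: int, payload: bytes) -> bytes:
    src = bytes(int(x, 16) for x in src_mac.split(":"))
    return struct.pack("!6s6sH", b"\xff" * 6, src, ethertype) + payload


def ipv4(proto: int, l4: bytes) -> bytes:
    # version 4, IHL 5, TTL 64, checksum left zero (irrelevant to the check)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return hdr + l4


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ipv6_header() -> bytes:
    # minimal IPv6 header: version 6, next header 59 (none), fe80::/64 -> ff02::1
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       b"\xfe\x80" + b"\x00" * 14, b"\xff\x02" + b"\x00" * 13 + b"\x01")


LAB_HOST = "00:16:3e:aa:bb:01"   # assumed: a lab machine with IPv6 turned off
GATEWAY = "00:16:3e:00:00:fe"    # assumed: the one host allowed to speak IPv6

SAMPLE_FRAMES = [
    eth(GATEWAY, ETHERTYPE_IPV6, ipv6_header()),                        # expected
    eth(LAB_HOST, ETHERTYPE_IPV6, ipv6_header()),                       # anomaly
    eth(LAB_HOST, ETHERTYPE_IPV4, ipv4(IPPROTO_IPV6, ipv6_header())),   # 6in4
    eth(LAB_HOST, ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, udp(51000, TEREDO_PORT, b"\x00" * 40))),
    eth(LAB_HOST, ETHERTYPE_IPV4, ipv4(6, b"\x00" * 20)),               # plain TCP
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FRAMES, {GATEWAY}):
        print(f"{f.src_mac}: {f.reason}")
```

Source MACs can be forged by anything that controls the NIC, so this is a detection heuristic, not proof of origin; run it on a span port or tap, because a host with a firmware implant cannot be trusted to report its own traffic honestly.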
No Verdict Yet
Everything Ruiu describes could be real, but his fellow security experts have not been able to reproduce his findings. They have examined a dump of his BIOS and found no rootkit or other suspicious code in it. Ruiu could be making it all up, or the natural paranoia that makes him a good security researcher could be playing tricks on him. Whatever the truth may be, if Ruiu is imagining badBIOS, a hacker somewhere in the world is imagining the same thing.