The Dark Mod Forums

BadBIOS: the root-kit that supposedly hides in your BIOS and spreads via speakers/microphone...?


lost_soul


http://boingboing.ne...ing-malwar.html

 

Anybody read about this? What do you think? Apparently the guy who originally brought this up is a well-respected researcher. Still, I find the idea of malware that can spread via the sound system unbelievable. How is the target machine going to be told to listen for the "infection"?... Unless you think our machines have a back-door in the firmware where they always listen for a certain tone and then begin accepting instructions.

 

It seems much more believable that malware would be able to spread by generating EMI which interrupts and then hijacks another machine that happens to be sitting next to an infected machine. It wouldn't have to be two-way communication. All the infected machine has to do is make the other machine "wget" and then execute a file from some server. EMI generation is strictly regulated though and this is still about as believable as me being hit by a comet in the next 10 minutes.

Edited by lost_soul

--- War does not decide who is right, war decides who is left.


Just because one cannot imagine something means not that someone else is regularly doing the same.

 

I know of a guy who likes to hack and is good at it. So he looked at regular hard drives and researched how they work. He found ICs with a couple of quite powerful CPUs and microcontrollers, flash and enough RAM to run even computationally taxing stuff. He even succeeded in running Linux on the hard drive alone (to make that clear for the technically less educated here: He ran it on the hard drive's controller itself, not on any PC connected to the hard drive in any way).

With this kind of low level access alone about anything is possible - surreptitiously. And there are many more fully grown microcontrollers in a modern PC...

 

Then, there's those old rumors that on US-made CPUs there are tiny hidden RF subsystems that listen for a specific carrier/code and brick or at least crash them when they receive it - this would make much sense for national security, just fly a jet with usual jammer (configured for the specific RF/Code) in the area and deny an enemy all computing.

 

Audio/ultrasonic comm is definitely possible - it's just what modems did, just at somewhat higher frequencies. There is even almost ready-to-use code for that in sourceforge. Practically it depends on the specs of the inbuilt mic and speaker - but people here tried it and most combos in PCs/Tablets/Smartphones are capable of this. They tried 16 to 24 kHz, the higher you go, the less combos work, but at least some even work better at the higher frequencies, they tried it even with a glass window in between and it still worked quite well.

 

The main point is, that real capable attackers (state level) will use deliberately placed "bugs" and backdoors in hardware anyway - you can more easily access and screen software, but checking multi-million+-transistor chips is only possible with "arcane" equipment (SEMs, Ion Beam Microscopes,... ) and even then it's a lengthy and difficult process.

The US military wants to use no abroad-built ICs in the future at all, for the reason it's nightmarishly difficult to detect even halfway clever hidden "extra" functionality in ICs.

 

For our own more practical reasons modern BIOS->UEFI is a major headache, because it's a tiny full computer in itself, with CPU(s), networking, RAM and flash. One main problem: There is no real write protection for this anymore - in older days you had a jumper that write protected the BIOS, which was quite safe. Today, about anything and anyone can write to it and run code on it.

Very stealthy persistent Trojans/Boot Kits have already come this way - they don't show up in main computer RAM or on HD, modifying no perceivable data - but run along and analyze/send data somewhere.

 

 

 

EDIT:

If someone is more interested;

I just talked with a friend about it, and here's someone else that has documented how to run Linux on a HD:

http://spritesmods.com/?art=hddhack

Edited by Outlooker

"Good people do not need laws to tell them to act responsibly while bad people will find a way around the laws." - Plato

"When outmatched... cheat."— Batman


@Outlooker: I'm absolutely with you. Before Snowden, hardly anyone could believe in the massive conspiracy by Western secret services. Anyone who voiced his suspicions was put off as a hard case of paranoia. Today, we have hard evidence that those "conspiracy theorists" were spot on.

 

Now, regarding the transmission of viruses through audio channels, remember that even 15 years ago, it was possible to discover what a computer monitor is displaying even if there is a solid wall between you and the monitor. This was done by reading the electromagnetic signals that every monitor - CRT or LCD - is emitting. It was assumed then that with enough research, it would be possible to place a van on the street next to a house and spy this way. The German computer magazine c't had an extensive report about this.


My Eigenvalue is bigger than your Eigenvalue.


@Outlooker: I'm absolutely with you. Before Snowden, hardly anyone could believe in the massive conspiracy by Western secret services. Anyone who voiced his suspicions was put off as a hard case of paranoia. Today, we have hard evidence that those "conspiracy theorists" were spot on.

 

Now, regarding the transmission of viruses through audio channels, remember that even 15 years ago, it was possible to discover what a computer monitor is displaying even if there is a solid wall between you and the monitor. This was done by reading the electromagnetic signals that every monitor - CRT or LCD - is emitting. It was assumed then that with enough research, it would be possible to place a van on the street next to a house and spy this way. The German computer magazine c't had an extensive report about this.

I remember reading such an article back in the mid-90s. Some people would add extra ferrite magnets (the lump in many/most monitor cables) to their monitor cables to prevent that from happening.

System: Mageia Linux Cauldron, aka Mageia 8


// Today, we have hard evidence that those "conspiracy theorists" were spot on.//

 

We do? Like what?


Spring, did you honestly manage to miss the events surrounding Edward Snowden?

 

OTOH, I do know that this whole affair is much less intensively covered in ... well, most countries except Germany. I don't know about Canada, but even in the UK, the second biggest player in the Five Eyes gang, it's mainly The Guardian that regularly covers the events and offers new insight. Most other newspapers are well on the government's side repeating like sheep that the espionage is for the public good and only goes against those evil terrorists. Like the evil uber-terrorist Angela Merkel for example... XD

My Eigenvalue is bigger than your Eigenvalue.


I haven't heard that many details, actually. All I know is that he revealed that a lot of spying was going on, which I don't think came as a shock to anyone. What "conspiracy theories" did he validate?


If you spoke German, I could point you to my favourite computer magazine that has a comprehensive summary on everything that was uncovered right now. It includes major spying of a magnitude that was not thought possible (to sum it up very coarsely). We are talking about sifting through almost all telephone calls that were made in Germany and France on a certain date (apparently, the data is from 2010, but there is no reason to assume the technical capabilities have not improved). It was also uncovered that the US embassy in Berlin (Germany) has a listening post on its roof that was spying on Angela Merkel, German chancellor and die-hard follower of the US, who was quite a bit mad when hearing this news.

 

While the above mainly is interesting for Germans, The Washington Post and The New York Times apparently have a lot of evidence that US citizens are being spied upon by the NSA as well, which is - as I understand it - absolutely forbidden.

 

There was quite a lot that was unveiled, among that the fact that the British GCHQ has the ability to listen on underwater glass fibre communication cables IN REAL TIME! If you are interested, check http://www.theguardian.com/uk for some interesting reading. I can only assume that as a member of The Five Eyes, the Canadian government has no interest to have information on these events hit the public big time, so I guess they are played down.

My Eigenvalue is bigger than your Eigenvalue.


I knew copper cable was super easy due to tempest, but glass fiber would be much more technical because of having to split the cable and such. Impressive and worrying.

 

NSA has been doing illicit stuff since the beginning of the organisation. Did you know that they pushed IBM (I think it was IBM) to use a 56-bit key for their DES standard rather than a 64-bit key? This was in the early 1970's!

You can call me Phi, Numbers, Digits, Ratio, 16, 1618, or whatever really, as long as it's not Phil.


Interesting. A more recent undermining of a security standard is documented here: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

My Eigenvalue is bigger than your Eigenvalue.


Well, apparently I was in error. The malware doesn't "spread via sound". It actually just communicates with other infected nodes via sound. *That* is quite easy to do. (A daemon can listen for pulses at a given frequency, which are generated by the other machine.)

 

Also on the subject of strange malware, another guy found a way to infect the *battery pack* of a laptop. http://www.macobserv...acbook_battery/

Edited by lost_soul

--- War does not decide who is right, war decides who is left.
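
The thread above mentions acoustic signalling in the 16 to 24 kHz range and a process listening for pulses at a given frequency. As an added illustration of how a defender could check captured microphone audio for such narrowband carriers (not code from any poster; the 48 kHz capture rate, the probe spacing, the alert threshold and all names are assumptions, and the sample audio is constructed):

```python
import math

RATE = 48_000    # assumed capture rate; Nyquist limit is 24 kHz
FRAME = 960      # 20 ms frame -> 50 Hz bin spacing
BAND = range(16_000, 23_750, 250)   # near-ultrasonic probe frequencies (Hz)
MIN_AMPLITUDE = 0.01                # assumed alert threshold, full scale = 1.0

def tone_amplitude(samples, freq, rate=RATE):
    """Estimate the amplitude of one frequency with a Hann-windowed Goertzel filter."""
    n = len(samples)
    k = round(n * freq / rate)                      # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for i, x in enumerate(samples):
        w = 0.5 - 0.5 * math.cos(2.0 * math.pi * i / n)   # Hann window
        s0 = x * w + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2     # |X[k]|^2
    return 4.0 * math.sqrt(max(power, 0.0)) / n     # undo window gain of 0.5

def scan_frame(samples):
    """Return [(freq_hz, amplitude)] for probe frequencies above the threshold."""
    hits = []
    for freq in BAND:
        amp = tone_amplitude(samples, freq)
        if amp >= MIN_AMPLITUDE:
            hits.append((freq, round(amp, 3)))
    return hits

def make_frame(tones):
    """Constructed test audio: sum of (freq_hz, amplitude) sine tones."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / RATE) for f, a in tones)
            for i in range(FRAME)]

# Constructed samples: an audible 1 kHz tone alone, then the same tone
# with a faint 19 kHz carrier mixed in.
CLEAN = make_frame([(1_000, 0.5)])
SUSPECT = make_frame([(1_000, 0.5), (19_000, 0.05)])

if __name__ == "__main__":
    print("clean:  ", scan_frame(CLEAN))
    print("suspect:", scan_frame(SUSPECT))
```

On real recordings the threshold has to be set against the room's own high-frequency noise floor, and a carrier that falls between probe frequencies needs a finer probe spacing.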


The French car manufacturer Renault sells e-cars that have a battery that can only be rented by the car owner. In case the owner is late with his payment, Renault can switch the battery off wirelessly. The potential for misuse is mind blowing...

My Eigenvalue is bigger than your Eigenvalue.


Interesting. A more recent undermining of a security standard is documented here: http://www.wired.com...itymatters_1115

Yeah, I read about that earlier. Clever. Really though, the alarm bells should've gone off when the institute of standards just put forth an elliptic curve with no explanation as to where it came from.

You can call me Phi, Numbers, Digits, Ratio, 16, 1618, or whatever really, as long as it's not Phil.


  • 1 month later...

I just think that would fit right in here + is interesting enough:

 

"Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away."

 

Brought to you by crafty Jews, as it so often is:

http://tau.ac.il/~tromer/acoustic/

"Good people do not need laws to tell them to act responsibly while bad people will find a way around the laws." - Plato

"When outmatched... cheat."— Batman

