- badBIOS – now this is a bit scary…
I read that the NSA have made aluminium foil manufacturers change the way they make the stuff so that they can still access your data and mind even with extensive foil based shielding in place.
Holy tin foil Batman!
As cougar says, it’s a Halloween story. It’s so clearly a ghost story it’s a bit cringe worthy.
* Starts working on a film script titled Breaking badBIOS *Posted 4 years ago
Couple of demos from the ErrataSec guy:
Robert David Graham ?@ErrataRob
Left notebook receives 20khz carrier generated by notebook on right while dubstep plays background:
Closer look, showing 20khz carrier visible. This is NOT #badBIOS, just a simulation showing ultrasonic coms possible
— from Twitter: https://twitter.com/ErrataRob/status/396157617283686400
Interesting stuff!Posted 4 years ago
Again, no one is arguing about the technicslities of this. Not of the technical stuff sounds particukarky difficult although the communication over audio seems pretty pointless..
That it’s been going on for three years and this he’s has been investigating for weeks tells you that something is amiss. hes not the only security expert out there but hes the only one who is paying this much attention.
Believe it if you want. I’ve got tens of thousands of devices to protect and I’ll focus on the real threats.Posted 4 years agoandytherocketeerSubscriber
interesting read. have also watched defcon/blackhat type vids, plus watch hak5 pretty much every week, so all though far fetched, i could certainly believe parts of it.
funnily enough the Hak5 ep i was catching up on just 2 days ago was exactly this… communicating with a laptop that has no wireless or wired network connection, and no USB. one method was audio, but in audible range, and the other was via 2D barcodes and webcam.
It may have had USB, but that is definitely an attack vector too. Especially as every single machine out there independent of OS (Mac, Linux, Windows, Solaris, BSD, … doesn’t matter) has one interface that is automatically always trusted.Posted 4 years ago
some more on the topicPosted 4 years agoRioSubscriber
I’m amazed that in 3 years he hasn’t managed to dump the BIOS from one of his “infected” machines and just compare it with what’s supposed to be in there, hence I’ll keep my cynic hat on for now.
People thought malware designed to corrupt industrial applications was a fantasty – until Stuxnet was discovered.
No, they’ve been theorising this and in some places taking it quite seriously for years.Posted 4 years ago
There are many ICS infection vectors that were around long before Stuxnet. Stuxnet used not one but three zero day vulnerabilities to propagate, that’s how serious hackers with multi-million pound development budgets go about their business. They assign targets, they keep their secrets secret and they attack targets worthy of the investment they have put in.
They don’t spend years developing highly advanced attack methods and then pass it over to a small time security researcher.Posted 4 years ago
virus checkers could be made to validate bios for this.
Not so sure. If a virus checker has to make BIOS calls to check the contents of the BIOS then it’d be possible for the virus to hide itself like rootkits do.
I’m amazed that in 3 years he hasn’t managed to dump the BIOS from one of his “infected” machines
Possibly the same kind of issue? Dumping the BIOS from software requires issuing BIOS commands which could be intercepted. You’d need to hook up some hardware that could read the BIOS flash directly.
But you’re right – 3 years sounds like a suspiciously loooooong time for a security specialist to do something like that!
I think the possibility that it is infecting microcontrollers is more concerning than the BIOS stuff, as they’d be even harder to detect. Though my cynical mind wonders why microcontrollers would shipped without blowing the write fuse on the flash first? How often do they actually do field upgrades to the firmware of USB sticks for instance?Posted 4 years ago
Something else that ocurs to me at this point – webcams. If you leave a room with a few machines in running this sort of exploit then singalling using using video output and webcam input is also possible – even if it’s a frame or two of a QR code after 10 minutes of inactivity – hell you if you’re monitoring the webcam you can look to see if anyone’s in the room and not using the machine.
It’s the mesh aspect of this I don’t like.
As samuri says real threats are more important – we don’t know what if anything this does apart from reconstruct itself; but I was talking with my “tame hacker” a few weeks ago and we were pondering what would happen if all the firewalls came down. This stuff is a step in that direction.
I’m not saying I’m going to do anything at this point, but I am, shall we say, interested in the fallout from this article.Posted 4 years ago
How often do they actually do field upgrades to the firmware of USB sticks for instance?
Never would be my guess. I’d be very surprised if USB stick (rather than more advanced USB devices) prom’s are even programmable.Posted 4 years ago
Could be wrong of course but it’s simply an extension of the USB bus at the end of the day.RioSubscriber
Dumping the BIOS from software requires issuing BIOS commands which could be intercepted.
BIOS code is mapped into the processor’s memory space, you should be able to just dump it with a debugger. Although given the rest of what he’s saying maybe this magical malware disables debuggers! But if I was looking at it seriously I’d have ripped out a supposedly infected BIOS chip by now and read it offline.Posted 4 years ago
I’d be very surprised if USB stick (rather than more advanced USB devices) prom’s are even programmable.
Could be wrong of course but it’s simply an extension of the USB bus at the end of the day.
Yeah me too.
Funnily enough today I’m writing unit tests for a USB driver on a MSP430 microcontroller – but that’s for a device that’s a bit more complex than just a USB drive.Posted 4 years ago
BIOS code is mapped into the processor’s memory space, you should be able to just dump it with a debugger. Although given the rest of what he’s saying maybe this magical malware disables debuggers!
Yeah but the action of shadowing the BIOS to main memory requires BIOS commands. Clever malware could supply a clean version or just disable ram shadowing completely since it is usually a user-accessible BIOS option.
But if I was looking at it seriously I’d have ripped out a supposedly infected BIOS chip by now and read it offline.
Yep. Seems like the obvious thing to do if you suspect this kind of thing. Which makes me skeptical, but still interested.Posted 4 years agoandytherocketeerSubscriber
He unplugged the mains, but did he turn off the lights and use a battery powered torch?
Prolly some covert device making the lights flicker, and the webcam is reading the the low-bit rate optical ripple.Posted 4 years ago
edit: and a backdoor in the Intel/AMD chipset to keep the NSA happyMilkieMember
Well we all know how long loading tapes used to take… Freakin ages for a 40kb load.
I call this bollox as the high frequencies would not be picked up by a standard mobo soundcard without you hearing it. If they can get the audio frequencies near the computer I expect they can physically infect it.Posted 4 years ago
If they can get the audio frequencies near the computer I expect they can physically infect it.
You seem to be misundertanding the point there. The hypothesis is that the audio-network-thing is for already infected PCs to communicate without the need for a physical network. I don’t think anyone is suggesting it is a primary infection point. That seems to be the USB.
Well we all know how long loading tapes used to take… Freakin ages for a 40kb load.
Not so long ago we were all using 56k modems that used audio to transmit data. You wouldn’t want to watch YouTube HD on them – but it is fast enough for small virus payloads.Posted 4 years ago
> How often do they actually do field upgrades to the firmware of USB sticks for instance?
Never would be my guess. I’d be very surprised if USB stick (rather than more advanced USB devices) prom’s are even programmable.
Well I had a (very careful!) look at that flashboot ru site that the ErrataSec blog linked to and it does look like you are able to reprogram the controller on a surprising number of flash drives.
(Though I’m not downloading anything from that site to try it!)Posted 4 years ago
The early mention of booting a MacBook Air from a CD-ROM got my senses a bit tingly and moved the cycnicsm to 11 on the dial.
?Posted 4 years ago
Yeah the most suspicious thing about all of this is how easy it would be to prove or disprove some of these theories, especially for an infosec consultant who specialises in this kind of thing.
And yet we’ve seen very little in the way of actual evidence.
All very odd.Posted 4 years agotorsoinalakeMember
I like the approach of the chap in the original article. Just keep plugging shit in. Whatever you do, don’t stop and try a methodical approach. It could be the way the journalist writes it, but it’s like reading about someone who keeps getting his wedding tackle caught in a mangle and can’t figure out why.
I’ll just reference Wired’s article on Stuxnet again. It never fails to impress me: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/Posted 4 years ago
The topic ‘badBIOS – now this is a bit scary…’ is closed to new replies.