If you thought the state-sponsored Stuxnet was scary, then “badBIOS” -- the menacing malware that allegedly utilizes a computer’s microphone and speakers to whisper to air-gapped computers -- may chill your blood. All the science fiction thriller-like capabilities being credited to badBIOS make it sound like it could potentially be the birth of Skynet-like malware.
As the “badBIOS” name implies, it’s a rootkit that burrows in to infect a system’s BIOS [Basic Input Output System]. Supposedly this nasty piece of malware is platform-independent -- capable of infecting Windows, Linux, OS X and OpenBSD -- has self-healing capabilities, resists erasure, and uses ultrasonic high-frequency transmissions in order to talk to other infected systems that are completely disconnected from the Internet and all other networks -- that is, air-gapped systems.
Occam's razor suggests the simplest explanation is usually the right one, and since the claims read like science fiction, badBIOS seemed likely to be an elaborate Halloween hoax. Halloween has passed, however, and the claims have not been retracted as a hoax or an April Fools’-style prank. In fact, Dragos Ruiu (@dragosr), who raised the alarm, is a well-respected security researcher who organizes the CanSecWest and PacSec conferences. Ruiu told Ars Technica that he has been battling the brilliantly malicious badBIOS for three years, even after wiping every company system and starting again from scratch. The malware infects a machine through infected USB drives and can "only" communicate via the airwaves with other infected machines.
The strangest, and hardest to swallow, claims involve badBIOS jumping air gaps, as Ars Technica explained:
Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.
With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.
"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."
“Everything Dragos describes is plausible,” wrote Robert Graham of Errata Security in a post explaining the badBIOS features. He added, “By the way, there are other ways to do air gapped communications using covert channels. For example, you might exploit blinking LEDs and use the built-in camera on the laptop. Or, you might be able to monitor the voltage on the power supply on one computer while turning the power supply on/off on another. The average laptop computer has a god-awful number of inputs/outputs that we don't quite realize.”
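One defensive check the acoustic claim invites is simply to listen for it: a narrowband carrier sitting above the range of human hearing, where normal room audio has nothing but a flat noise floor. The script below is an added example written for this article; it is not code from Ruiu, Graham or any badBIOS analysis. It assumes 48 kHz mono samples as Python floats (a real capture would come from a sound card at the same rate) and builds a constructed 100 ms clip, once with only a 1 kHz audible tone plus noise and once with a faint 19.3 kHz tone added. A Goertzel sweep measures power at 100 Hz steps across the ultrasonic band and flags a bin whose power towers over the band's median.

```python
import math
import random

def goertzel_power(samples, sample_rate, target_hz):
    """Power at one frequency via the Goertzel algorithm (a single-bin DFT).
    Normalised by n^2 so a sine of amplitude A returns about (A/2)^2."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)  # nearest DFT bin
    omega = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / (n * n)

def ultrasonic_carrier(samples, sample_rate, lo_hz=18000, step_hz=100,
                       ratio=20.0, abs_floor=1e-6):
    """Sweep the band from lo_hz up to just below Nyquist and return
    (peak_hz, peak_to_median_ratio) if one bin dominates the band,
    else None. abs_floor rejects a 'peak' that is only noise (amp < ~0.002)."""
    hi_hz = sample_rate // 2 - step_hz
    probes = [(hz, goertzel_power(samples, sample_rate, hz))
              for hz in range(lo_hz, hi_hz + 1, step_hz)]
    powers = sorted(p for _, p in probes)
    median = powers[len(powers) // 2]
    peak_hz, peak_p = max(probes, key=lambda t: t[1])
    if peak_p < abs_floor:
        return None
    if median > 0 and peak_p / median < ratio:
        return None
    return peak_hz, (peak_p / median if median > 0 else float("inf"))

# Constructed test clips (assumption: 48 kHz mono, 100 ms window).
FS = 48000
N = 4800
_rng = random.Random(7)
_noise = [_rng.gauss(0.0, 0.01) for _ in range(N)]

def tone(freq_hz, amp):
    return [amp * math.sin(2.0 * math.pi * freq_hz * i / FS) for i in range(N)]

CLEAN = [n + a for n, a in zip(_noise, tone(1000, 0.3))]          # speech-band tone only
SUSPECT = [c + u for c, u in zip(CLEAN, tone(19300, 0.05))]       # plus faint 19.3 kHz carrier

if __name__ == "__main__":
    for name, clip in (("clean", CLEAN), ("suspect", SUSPECT)):
        hit = ultrasonic_carrier(clip, FS)
        print(name, "->", "no carrier" if hit is None else f"carrier near {hit[0]} Hz")
```

Tones are placed on exact DFT bins (10 Hz resolution for 4800 samples at 48 kHz), so the sweep lands on them without spectral leakage; on a real recording a 100 Hz step still catches a carrier because the Goertzel bin is wider than the step. Consumer microphones and speakers roll off sharply above roughly 20 kHz, so this is a triage aid for the band hardware can actually reach, not proof of absence: a negative result with the speaker and microphone still fitted says less than the physical-removal test Ruiu describes.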
But everything “about #badBIOS is completely and utterly wrong,” according to Phillip R. Jaenke, @RootWyrm, an expert in Unix, storage and virtualization who has spent two decades dealing with BIOS development and modification. “First and foremost, the very idea that there is some malicious BIOS load that can escape airgapping and is portable is beyond laughable.” He added, “Secondly, the concept that BIOS malware could somehow escape detection is beyond laughable.”
To believe “that someone could just release into the wild a multi-platform, multi-motherboard, highly-resistant BIOS because of UEFI only exposes epic ignorance of what UEFI is.” UEFI, he explained, “is NOT A DAMN PORTABLE EXECUTABLE SYSTEM. It is about PORTABLE CODE.” However, Jaenke acknowledges that, “In theory, it is possible to release an extremely resilient and resistant BIOS level piece of malware. It also would only ever infect one specific machine ever, period. It also would not be even remotely capable of escaping detection using basic diagnostic techniques. Not even advanced security techniques; just basic BIOS diagnostics.”
Reverse engineer Igor Skochinsky, who previously presented “Rootkit in your laptop” [pdf] at the 2012 Breakpoint security conference, said he “analyzed the posted BIOS dump and didn't find anything suspicious.”
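The first step in the kind of analysis Skochinsky describes is establishing whether the dumped firmware differs from a trusted image at all. The following is an added example, not Skochinsky's tooling or anything published with the badBIOS dump: it hashes two images and lists, in 4 KiB blocks, where a dump diverges from a reference copy, with an ignore list for regions such as an NVRAM variable store that legitimately change between boots. The images here are constructed 64 KiB stand-ins; a real reference would be the vendor's update capsule for the exact board and version, and the dump should come from an external SPI programmer rather than from software running on the suspect machine.

```python
import hashlib

BLOCK = 4096  # report differences per 4 KiB block, a common flash erase-block size

def image_digest(image: bytes) -> str:
    """SHA-256 of the whole image, for a first comparison against a known-good hash."""
    return hashlib.sha256(image).hexdigest()

def diff_blocks(reference: bytes, dump: bytes, block: int = BLOCK, ignore=()):
    """Return [(block_offset, changed_byte_count), ...] for every block where
    `dump` differs from `reference`. Blocks overlapping any (start, end) range
    in `ignore` are skipped so expected churn (variable store, event log) does
    not drown out the blocks that should never change."""
    if len(reference) != len(dump):
        # A size mismatch is itself a finding: wrong reference image or truncated read.
        raise ValueError(f"size mismatch: reference {len(reference)} B, dump {len(dump)} B")
    findings = []
    for offset in range(0, len(reference), block):
        end = offset + block
        if any(start < end and offset < stop for start, stop in ignore):
            continue
        ref_blk, dump_blk = reference[offset:end], dump[offset:end]
        if ref_blk != dump_blk:
            changed = sum(1 for a, b in zip(ref_blk, dump_blk) if a != b)
            findings.append((offset, changed))
    return findings

# Constructed stand-in for a 64 KiB flash image: deterministic pseudo-random bytes.
REFERENCE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))

# Constructed "dump": the same image with two patched spots (bytes inverted, so
# every byte in each spot differs). 0xA100 falls inside a pretend variable store.
_dump = bytearray(REFERENCE)
for i in range(0x3000, 0x3010):
    _dump[i] ^= 0xFF
for i in range(0xA100, 0xA108):
    _dump[i] ^= 0xFF
DUMP = bytes(_dump)
NVRAM_REGION = [(0x8000, 0xC000)]  # assumed variable-store range for the constructed layout

if __name__ == "__main__":
    print("reference", image_digest(REFERENCE))
    print("dump     ", image_digest(DUMP))
    for off, n in diff_blocks(REFERENCE, DUMP, ignore=NVRAM_REGION):
        print(f"block 0x{off:05X}: {n} byte(s) differ outside expected-churn regions")
```

A differing block is evidence of modification, not of malice: the next step is to map the offset onto the firmware volume layout (with a tool such as UEFITool) to see which module changed and whether that matches a vendor update. An identical hash, conversely, is only as reassuring as the provenance of the reference image and the independence of the dump method.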
For now, security researchers are analyzing badBIOS, debating the malware’s next-generation capabilities and deciding whether it is a security myth of urban-legend status or the malware mother lode. But if everything is true, then some nation-state is probably cursing its luck that such a weaponized virus fell into the hands of a security researcher, and therefore under the bright spotlight of scrutiny. If badBIOS can do all the things that Ruiu claims, then it was surely developed to be deployed for highly targeted attacks.