badBIOS Side Channel Comms Indeed Possible

The half baked tech media are running story after story claiming that Dragos Ruiu’s #badBIOS is a hoax on the grounds that breaking an air gap using the audio hardware is impossible.

I am not going to get into a discussion as to what I believe the malware that Dragos is analyzing can or cannot do. It would be premature to do so without an in-depth analysis. Hopefully this will soon be forthcoming, but in the time being, how about we concentrate on the most controversial of his claims.

Communication via a PC audio card is certainly not “unheard of” nor is it “impossible” as some journalists have opined in recent days. In fact audio cards have been used for communication purposes by amateur radio enthusiasts for over thirty years. Even a twenty year old PCI sound card can sample at rates of 44.1khz. Modern laptops like some Macbooks can even sample at upwards of 96 khz. Almost all modern cards can also do so in full duplex (that is they are capable of both sending and receiving said audio concurrently).

Software was available even back in the early days (i.e. DOS with an ISA Sound Blaster card) that would allow you to receive and transmit RTTY at 75 or 110 bps using just your computer sound card. As sound cards evolved so did the software, case in point the linux soundmodem which is capable of a variety of differing modulations with a data rate of up to 9600bps.

Also of interest is blurt – a piece of software capable of “acoustic data communications via ordinary (e.g. built-in) speakers and microphones.” Its author claimed on twitter that it does so using “the 802.11a PHY; convolutional over QAM over OFDM”

So it is conceivable that even in a typical building that, say two infected laptops placed on either side of a desk could communicate using their built-in audio hardware. Dragos has not claimed that it has the ability to infect via audio – only that once infected the malware attempts to leak data using this method.

This makes a lot of sense. Many corporations (not to mention governments) air gap machines that are critical to their enterprise. An example would include machines responsible for automating industrial equipment, particularly where undesired operation could create a risk to employees and/or the general public. If #badBIOS does indeed spread using USB thumb drives it is conceivable that the air gapped machine and an Internet connected machine would both be compromised. Where such machines are in proximity such a function would allow the air gap to be breached.

Given that the malware would want to avoid detection it would likely restrict itself to the narrow frequency band beginning around the limit of an adult’s hearing (the 17.4khz mosquito device designed to deter youth loitering was audible to younger people whilst adults heard nothing) and extending to the limit of both the transmitting soundcard and speaker and the receiving microphone and soundcard’s ability. A one time negotiation could solve this problem, or perhaps the malware will act conservatively at the expense of potentially wider bandwidth. The malware could also take advantage of the system clock to ensure that its transmissions occur when humans are unlikely to be in the office, however this would also come with the risk that the two machines may be separated as, for example, one of the infected machines is brought home for the day with a staff member.

The amount of environmental noise would also affect its performance but by incorporating both robust error correction along with having the transmitting side sample before transmitting to ensure that the environment is quiet enough to ensure a reasonable likelihood of receipt, you could maximize the efficiency of the system as a whole. By utilizing a token system you could also accommodate more than two infected machines in an area. Even better would be to design in some logic where if a packet is received and the recipient system is also airgapped (and no response is heard) for the recipient system to retransmit the packet. In this way a mesh type topology could be constructed to allow multiple hop journeys through infected (yet air gapped) machines until they arrive at one that is able to route the packets onto the Internet and to the attacker.

In real life conditions perhaps the baud rate achieved could be well under 300bps. While slow, if the attacker has a specific goal it may indeed be sufficient for their purposes. After all, with a piece of malware designed to be stealthy they may have all the time in the world. A remote shell, even at that speed would be possible. I know first hand as I owned a 300bps modem (with an “acoustic coupler”) back in the early days!

The moral of the story is that while something may be improbable it does not necessarily make the task impossible. I too have doubts about Dragos’ story, but I will withhold my judgement until all the facts have been made available. That said, to answer the question “can two computers communicate using their internal mic and speaker” the answer is a definitive yes – under the appropriate conditions.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s