Skepticism Surrounds badBIOS

I am a little astonished at the amount of hate that has been directed towards Dragos Ruiu in the last week or so. Almost all of the animosity centers around his claims of badBIOS, most notably its ability to breach airgaps using a computer’s audio card, with many calling him out over his claims that computers can be infected over audio. But here’s the thing – he never made such a claim. If you read the big tech media (and not his G+ and Twitter stream) you could be forgiven for thinking that badBIOS will kill your wife then force your children to clean up the crime scene, but if you are basing your assumptions on the capability of malware from the consumer tech media (let alone calling someone out on something they supposedly said) then shame on you. For the record, Ruiu has said on no less than three separate occasions that his purported audio-based communication link was not an initial vector of infection. He even reiterated this point in this tweet on November 4:

Let me repeat it one more time, it doesn’t spread by audio. It just uses HF audio for command and control on infected boxes

Andrew van der Stock wrote an excellent post entitled “Stop. Just stop.” that sums up my sentiments on the verbal bashing that Dragos has received over the last few weeks. Another interesting point is that much of this inane drivel began only when the big tech sites started following the story (more than a week after he first started posting about badBIOS and several weeks since he was speaking of BIOS SDR, the previous name he was using to describe the same alleged malware).

Do I believe that Dragos is right? Do I believe that badBIOS really exists? In a way my answer is irrelevant: irrespective of whether he was right on target or way off, the guy saw something that looked anomalous and decided to report his findings. Some would argue he decided to do so prematurely, and there would certainly be some wisdom in that, but nonetheless he decided to do the responsible thing and disclose what he hypothesized was going on. There is no shame in being wrong, if indeed he is way off the mark.

My gut feeling is that while the claims that surround badBIOS sound unbelievable, such a piece of malware would indeed be possible to create. The most contentious piece of his claims was that the malware used audio to breach air-gapped systems. I personally would have thought that the claim that it could reflash your BIOS and then be invisible to flash dumping tools would be the weakest part of his argument, but nonetheless people have focused on the incorrectly dubbed “ultrasonic” communication.

First off – what Ruiu is describing is not ultrasonic. It is very much audible, just at the higher frequencies that approach the limits of human hearing (particularly in adults, who lose higher frequency perception as they grow older). With commodity PC audio hardware you would need to keep below 20 kHz to avoid your output being filtered. No doubt the speaker you are driving may also introduce its own limitations, but as laptops appear to be the target and many newer laptops have ceramic speakers, this may not be such a bottleneck. Nevertheless, the malware author could add some trivial code to negotiate the highest possible frequencies between the two (or more) PCs.

The malware author would almost certainly be doing this part of its dirty deed after Windows has booted, and in userland, so it needn’t worry about differing audio hardware. It need only use the Windows sound APIs. It could also use the system clock to choose a time of day when the PCs are likely unattended, or perhaps sample the microphone to check the ambient noise level. No doubt the time since the last keypress (seeing as it would no doubt be hooking this to keylog anyway) would also provide a metric as to how idle the machine is. The malware author also has a vast choice of software to use to encode their data thanks to the amateur radio community. No doubt they could also adaptively adjust amplitude so that the least volume is used to achieve communication.

A simple stack could be used to allow network discovery, perhaps by defining a small header for each packet with two flag bits (the first denotes whether it is a broadcast packet, the second is set high if the sending host has a working Internet connection to the command and control server), a sequence number, and a station ID that could be automatically generated by the host. It need not be huge, just big enough to assure that a conflict would be unlikely. If a conflict is suspected (e.g. any host hears two transmissions from the same station ID with dramatically different sequence numbers) a broadcast could be sent forcing new station IDs to be generated. A CRC of the entire packet would also be included. You could condense this metadata overhead down by only sending the full data on every nth packet, sending a condensed version where multiple packets are sent during a period of time. Perhaps using ARP-style discovery (remembering all hosts must forward a broadcast) a routing table could be populated on all hosts, and they would choose the shortest (or over time the most reliable) route to a C&C connected host. So that’s my idea, dreamed up in just a few moments.

blurt is a PoC for audible networking and implements the 802.11 PHY. If you were considering burst transmissions then there are working software ACARS encoders and decoders available online. Perhaps your malware would negotiate not just frequency but also baud rate (dependent on quality of connection) just like the modems of yesteryear. Perhaps an implementation could use differing frequency selections between nodes rather than time (token ring) to avoid collisions. Perhaps they don’t care about having to mesh and their only use scenario is point to point? I don’t know – but I do know that audio networking is possible and any issues surrounding implementation are surmountable.
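
A defender-side counterpart to the channel discussed above, as an added example that is not from the original post: it measures how much of a microphone capture's energy sits in the 17 to 20 kHz band and reports runs of consecutive 10 ms windows dominated by it. The 48 kHz capture rate, the thresholds, the function names and the synthetic input are all assumptions chosen for illustration.

```python
import math
import random

RATE = 48_000            # assumed capture rate, samples per second
WINDOW = 480             # 10 ms blocks, so DFT bins fall every 100 Hz
BAND = (17_000, 20_000)  # high-but-audible band, below the 20 kHz filter limit

def goertzel_power(block, freq, rate=RATE):
    """Squared DFT magnitude of block at freq, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def hf_fraction(block, rate=RATE, band=BAND):
    """Fraction (0.0 to 1.0) of the block's energy that lies inside band."""
    total = sum(x * x for x in block)
    if total == 0.0:
        return 0.0
    step = rate // len(block)  # bin spacing in Hz
    in_band = sum(goertzel_power(block, f, rate)
                  for f in range(band[0], band[1] + 1, step))
    # Parseval: doubled one-sided bin power over N * sum(x^2) is the energy share
    return min(1.0, 2.0 * in_band / (len(block) * total))

def sustained_hf_runs(samples, threshold=0.2, min_run=5):
    """Return (first_window, length) for each run of >= min_run hot windows."""
    runs, start, length = [], 0, 0
    for i in range(len(samples) // WINDOW + 1):   # extra pass flushes last run
        block = samples[i * WINDOW:(i + 1) * WINDOW]
        hot = len(block) == WINDOW and hf_fraction(block) >= threshold
        if hot:
            start, length = (i, 1) if length == 0 else (start, length + 1)
        else:
            if length >= min_run:
                runs.append((start, length))
            length = 0
    return runs

def constructed_room(n_windows, carrier_from_window=None, seed=1):
    """Constructed input: 120 Hz hum plus noise, optional 18.5 kHz tone."""
    rng = random.Random(seed)
    out = []
    for n in range(n_windows * WINDOW):
        x = 0.02 * math.sin(2 * math.pi * 120 * n / RATE) + rng.gauss(0, 0.005)
        if carrier_from_window is not None and n >= carrier_from_window * WINDOW:
            x += 0.02 * math.sin(2 * math.pi * 18_500 * n / RATE)
        out.append(x)
    return out
```

On a real capture the threshold would have to be calibrated against the room's normal high-frequency content, since some power supplies and displays emit steady tones in this band.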

Ruiu might be off the mark (and likely is to some extent) regarding his claims about badBIOS. This doesn’t mean he should not have spoken out when he saw something he believed at the time to be unusual. Even if the whole thing is an elaborate and deliberate hoax (hypothetically; I am not suggesting that Ruiu has been or intends to be dishonest) then it has opened our eyes a little more as to the Pandora’s box that is the x86 PC. No doubt users in high security environments will be disabling unnecessary audio hardware (and hopefully doing so physically rather than trusting the BIOS setting of “disabled” to work as advertised).

I could wax lyrical about how it is impossible to trust any modern PC given many prominent motherboards have featured counterfeit chips, no doubt purchased in good faith from an Asian vendor but nonetheless not the genuine article. Many of these fake chips are reverse engineered from well known and loved silicon. Even their firmware is reverse engineered. For all intents and purposes that rogue RealTek audio IC will indeed perform like the legitimate unit. However this parallel supply of counterfeit silicon could indeed have nasties embedded and nobody need know. Most of the legitimate accessory chips are also made in the PRC and it isn’t unreasonable to also suspect these organizations – many of them funded primarily by the Chinese government. We won’t touch on Intel and US tech companies and their links to government, but suffice to say that the West fares no better in terms of trustworthiness. We sure are living in interesting times.
