InfoWorld Posts Article Doubting badBIOS’ Existence

InfoWorld security advisor Roger Grimes published an article entitled, appropriately enough “4 Reasons badBIOS Isn’t Real” describing why he doubts the veracity of Dragos Ruiu’s story. My personal belief is that while the core concepts that Dragos mentioned (persistence by flashing BIOS with an infected component, audio communication between compromised hosts using the upper audible frequency range, advanced detection evasion techniques) are all indeed practically possible to implement the entire story he has provided so far doesn’t completely add up. This isn’t to say that badBIOS doesn’t exist – it may just be achieving similar goals using different means (for example as his BIOS dumps appear clean it may instead be achieving execution at boot time by residing in a modified firmware of a bus connected peripheral – such as the video or Ethernet card. The BIOS dutifully executes the “option ROM” of each connected device – you may have seen this with, for example the PXE boot function of your Ethernet card).

Unfortunately as more time goes by it appears increasingly likely that we may not receive a prompt resolution in this saga. I maintain that Dragos is a professional with sizeable credibility as an event organizer and I continue to take the man at his word that he has indeed a new kind of APT. Naturally extraordinary claims require extraordinary evidence and both myself and the community eagerly await a full analysis and a sample.

2 thoughts on “InfoWorld Posts Article Doubting badBIOS’ Existence

  1. Yes, the problem is where to look in the firmware. The networking devices are natural places to hide it, but GPUs are also potential places to stash malware. There are just so many little nooks in the firmware to hide something like this that I can’t imagine this can be resolved without scouring every device on these machines that has firmware loaded at boot.

    As much as the mainstream tech press doesn’t want to address it, the burden of evidence for demonstrating the negative proposition, that Drago’s machines don’t have this sort of malware is incredibly high. Yes him being known primarily as an event organizer makes it easy to write this off as a ploy for attention, maybe like Weev he’s into the hallucinogens though there is no evidence of this theory which was presented on #bitcoin-assets today.

    Mostly though I’m getting curious for any given x86 machine if it was scoured chip by chip looking for badware in the firmware what might be found. American diddling in the CPU? Chinese tampering in the network devices? Russian malfeasance in the disk controller?

    • Exactly. People underestimate just how (unjustifiably) complicated a typical x86 architecture PC actually is. Unfortunately three decades of moving forward whilst trying to preserve backward compatibility has crippled it. It is kind of amusing really, given if there was a major architectural change there wouldn’t be the kind of mass disruption that people speculate about. Apple proved this with its move from PPC to x86.

      So long as they get the OS makers on board and help them to port the OS and compiler toolchains then application developers can quickly recompile their apps for the new platform. Include an x86 emulation layer (in software) to ease the transition.

      I think the time has come to reevaluate /everything/ as our current hardware is broken.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s