InfoWorld security advisor Roger Grimes published an article entitled, appropriately enough, “4 Reasons badBIOS Isn’t Real”, describing why he doubts the veracity of Dragos Ruiu’s story. My personal belief is that while the core concepts that Dragos mentioned (persistence by flashing BIOS with an infected component, audio communication between compromised hosts using the upper audible frequency range, advanced detection evasion techniques) are all indeed practically possible to implement, the entire story he has provided so far doesn’t completely add up. This isn’t to say that badBIOS doesn’t exist – it may just be achieving similar goals using different means (for example, as his BIOS dumps appear clean, it may instead be achieving execution at boot time by residing in a modified firmware of a bus-connected peripheral – such as the video or Ethernet card. The BIOS dutifully executes the “option ROM” of each connected device – you may have seen this with, for example, the PXE boot function of your Ethernet card).
Unfortunately, as more time goes by, it appears increasingly likely that we may not receive a prompt resolution in this saga. I maintain that Dragos is a professional with sizeable credibility as an event organizer and I continue to take the man at his word that he has indeed a new kind of APT. Naturally, extraordinary claims require extraordinary evidence, and both the community and I eagerly await a full analysis and a sample.