Created at: 2014-02-12 04:25:44 UTC
Updated on: 2014-09-25 01:45:25 UTC
About two months ago the net security community started hearing some strange things about another well-known security researcher who also claimed to be hearing strange things. That guy was Dragos Ruiu, and he was hearing his machines talk to each other. Not over the internet or any audible band: he was claiming that a hyper-futuristic malware had infected his security lab, was hiding in the machines’ BIOS, and was communicating through audio to other infected, air-gapped (no networking) computers to re-propagate the virus if it had been removed. There are a few really big claims in that statement:
1. the machines are being infected at the BIOS level
2. the malware is infecting different machines at the BIOS level (he claims it has infected at least a Windows machine and a BSD machine of different makes)
3. the malware can communicate using high frequency sounds from standard computer speakers/microphones
Any one of those claims would be an attribute of a well-researched and targeted attack; however, the three of them together make a Stuxnet-worthy super-virus.
Had this research come from most sources it would have immediately been regarded as a hoax or a vast misinterpretation of data, but it was coming from Dragos Ruiu (probably best known for organizing the first Pwn2Own a few years back). Ruiu claimed that this malware began infecting his machines 3 years ago, but he only began posting about it (on Twitter, Google+ and Facebook) once he was aware of the BIOS/audio components. ArsTechnica picked the story up and pretty soon Bruce Schneier was even blogging about it. After a couple of weeks of scrutiny from the netsec community, a lot of questions came out about the legitimacy of his claims. There is still some debate, but it seems to me it was (very) thoroughly debunked here. There have even been some deflated tweets from Ruiu of late, followed by replies of layman suggestions which make me glad my doctor doesn’t tweet my diagnosis.
I'm not always right. So sorry if I've wasted any folks' time. — dragosr (@dragosr) November 24, 2013
However, in the wake of BadBIOS, cyber-acoustics seem to have become a trendy, much-discussed topic in networking and security. (And Ruiu’s Twitter followers have doubled.) During the excitement over BadBIOS, this MIT program, which used ultrasonic acoustics to create a LAN connection between devices, was often used as proof that acoustic networking is possible. Another example of wireless networking (pointed out by Ruiu himself) is a Cambridge study using readily available consumer-level audio peripherals. Just recently, research from Germany's Fraunhofer Institute demonstrated malware that can communicate over air gaps using these inaudible sounds. While this research doesn’t directly substantiate BadBIOS itself, it does provide a working proof of concept.
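The defensive counterpart to claim 3 above is being able to notice an inaudible carrier at all. The following is an added example (not code from this post or from any of the research it cites): a small pure-Python detector that scans 100 ms frames of PCM audio for a persistent narrow tone in the 18 to 20 kHz band, the region most laptop speakers and microphones still reproduce but people do not hear. It assumes a 44.1 kHz sample rate and builds its own constructed test clip (two audible tones plus mild noise, with a quiet 19 kHz tone standing in for a data carrier in some frames).

```python
import math
import random

RATE = 44100            # Hz; common sound-card rate (assumed)
FRAME = RATE // 10      # 100 ms analysis frames (10 Hz bin resolution)
BAND = (18000, 20000)   # near-ultrasonic band consumer audio hardware still reproduces
STEP = 50               # Hz between probed bins; a multiple of the 10 Hz resolution

def goertzel_power(frame, freq, rate=RATE):
    """Power of one frequency bin via the Goertzel algorithm (no numpy needed)."""
    k = round(len(frame) * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def carrier_peak(frame, threshold=15.0):
    """(peak_hz, peak_to_mean_ratio) if one narrow line dominates the band, else None.
    A modulated covert carrier is a persistent narrow line; noise and music are spread out,
    so for them the strongest probed bin stays within a few times the mean of the others."""
    freqs = range(BAND[0], BAND[1] + 1, STEP)
    powers = [goertzel_power(frame, f) for f in freqs]
    peak = max(powers)
    others = (sum(powers) - peak) / (len(powers) - 1)
    ratio = peak / (others + 1e-12)
    return (freqs[powers.index(peak)], ratio) if ratio > threshold else None

def flagged_frames(samples):
    """Indices of the 100 ms frames in which a near-ultrasonic carrier was detected."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    return [i for i, fr in enumerate(frames) if carrier_peak(fr)]

def has_covert_carrier(samples, min_frames=3):
    """Require persistence across several frames before raising an alert."""
    return len(flagged_frames(samples)) >= min_frames

def make_clip(carrier_on, seed=1):
    """Constructed test audio (1 s): two audible tones plus mild noise; the frames whose
    indices are in carrier_on also carry a quiet 19 kHz tone standing in for a data carrier."""
    rng = random.Random(seed)
    clip = []
    for i in range(10 * FRAME):
        t = i / RATE
        x = 0.5 * math.sin(2 * math.pi * 800 * t) + 0.3 * math.sin(2 * math.pi * 1050 * t)
        x += rng.gauss(0, 0.01)
        if i // FRAME in carrier_on:
            x += 0.05 * math.sin(2 * math.pi * 19000 * t)
        clip.append(x)
    return clip
```

Feeding the detector a live capture instead of the constructed clip only requires converting the recorded PCM samples to floats in the -1..1 range.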
Maybe an even more startling revelation in cyber-acoustics was a recent study by Tel Aviv University where, using just a smartphone microphone, researchers were able to record the sounds a laptop made during RSA encryption and decode the 4096-bit key within an hour of operation. This exploit was based on the fact that CPUs produce a different range of sound when executing different RSA keys. The attack did rely on a known-plaintext message; however, it’s still remarkable to think that modern encryption could be defeated just by listening.
It’s hard to take a step back and think of Steve Wozniak blue-box hacking telephone lines in the 60’s, but acoustics have always been an attack vector for computer networks; it’s just been a long time since we’ve thought of them as viable. Apart from all the debate it has caused, BadBIOS has brought that fact back into the minds of today’s hackers, for better or for worse.