Anyone paying attention to this badbios thing?

teddykgb

Member
SoSH Member
Jul 16, 2005
11,114
Chelmsford, MA
It all sort of starts here (http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/), with a slightly sensationalist account of a seemingly respected security analyst's assertion that he's been a victim of multiple infections of multiple OSes instantaneously, presumably through a USB attack.  That much is in and of itself pretty crazy, when you think about it, but then it really jumps into overdrive when he claims that command and control of the various already-infected PCs was being accomplished through the speakers and microphones of the machines.
 
The security researcher doesn't seem to have much of a reason to make this up, although he does run some events (which do not seem to lack for publicity).  It is of course possible that this is just a giant stunt, or maybe this guy just went off the deep end.  Certainly, most of the characterizations you'll read on this topic suggest as much, but his actual postings about it, largely on g+ (http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/), have seemed to some extent to acknowledge that this seems quite unlikely; he's even linked to one of the more prominent takedowns on the web of what he's posted.
 
Personally, I have no idea what to think.  The claims really do sound too absurd.  But it's hard to see why this individual would put his reputation on the line, and there are other people lining up to vouch for him as an honest individual.  He's not provided enough material for others to independently verify, which really, really, really sets off hoax alarm bells, but I suppose he's starting to put some stuff out.  We are either witnessing one of the weirdest hoaxes/publicity stunts in history or one of the scariest pieces of computer malware the world has ever seen.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,407
The claims really don't sound too absurd. The title and the claims that it jumps airgaps etc. are sensational.
 
The article goes on to claim he's used a number of USB drives and that seems to be when the attacks started.
 
 
 
A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.
 
We've seen over-the-air stuff with Tempest etc. for reading data without any physical contact over the years. If this guy was a target it'd make sense, since he's a founder of the pwn2own contest and may have access to zero-day exploits before they're available.
 

teddykgb

Member
SoSH Member
Jul 16, 2005
11,114
Chelmsford, MA
Blacken said:
No, no I'm not.

/mac
 
While normally a comfort, this apparently all started appearing on a MacBook of his.  Plus, plugging in the USB and not mounting it supposedly infected a BSD box, which speaks to some very low, system-level stuff.  We are, apparently, all vulnerable.
 
 
NortheasternPJ: Each individual claim isn't that absurd, although you're talking Stuxnet, Tempest, etc. stuff to pull them off.  Combining them and getting them to cross-pollinate across UEFI/BIOS manufacturers and whatnot would be quite an achievement.  The resilience of this supposed infection is really insane, if it operates as he's saying it does.  That's still a pretty big thing to prove, and it's likely not going to be proven, but this would be bananas if he's actually telling the truth here.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
SumnerH said:
That's funny, since his MacBook Air is the machine he first noticed the weird behavior on.
That is the joke, yes. Keep up.

(edit: though it does reek of bullshit. Ruiu does not have much of a reputation as a guy actually working in that area. I haven't heard anyone I'd consider trustworthy speak up to verify any of his claims.)
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
32,029
Alexandria, VA
Blacken said:
That is the joke, yes. Keep up.

(edit: though it does reek of bullshit. Ruiu does not have much of a reputation as a guy actually working in that area. I haven't heard anyone I'd consider trustworthy speak up to verify any of his claims.)
Avatar updated overnight.
 
And, yes, it does seem unlikely, especially since it's been months with no outside verification.
 

teddykgb

Member
SoSH Member
Jul 16, 2005
11,114
Chelmsford, MA
changer591 said:
http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/
 
Somebody debunking the whole thing...personally, not concerned at all as it sounds ridiculous.
 
This was the aforementioned article Ruiu himself has linked to.  I think it does a very good job of explaining how implausible it would be for the rootkit to reside entirely within the BIOS.  It seems clear that it couldn't be entirely a BIOS-based exploit, but I'm not sure it proves that the entire attack that is being described is impossible, more that it couldn't rely solely on some sort of BIOS infection vector.
 
And I'm mostly just playing devil's advocate.  This does sound too ridiculous to be true to me as well, but I still find it fascinating.  If it does somehow prove to be true, I'm sure I will have several very different emotions.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Public opinion among security folks I know has flipped from "well, benefit of the doubt" to "he's a fucking nut" in the last 24 hours.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
That's not news. POC audio command-and-control stuff has been around for a while. I don't think anyone ever called that part of it unusual, more the claimed virulence.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
32,029
Alexandria, VA
Blacken said:
That's not news. POC audio command-and-control stuff has been around for a while. I don't think anyone ever called that part of it unusual, more the claimed virulence.
There were some people who questioned whether consumer audio could do this at the inaudible frequencies claimed; I think this settles that (though I haven't duplicated it, so I'm not 100% sure).  But, yeah, not real news to most people.
 
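The question SumnerH raises above, whether ordinary sound hardware can carry a near-ultrasonic signal, is also the thing a defender can check for: consumer sound cards sample at 44.1 or 48 kHz, so the 17 to 22 kHz band that most adults cannot hear is still captured by the microphone, and a narrowband carrier there shows up as a sharp spectral line far above the band's noise floor. The script below is an added example written for this thread, not code from the original posts or from Ruiu; the frame it analyses is a constructed synthetic signal (a 440 Hz tone, Gaussian noise, and optionally a quiet 19 kHz tone standing in for a carrier), and the function names, the 17 kHz band edge and the 20 dB peak-to-median threshold are assumptions chosen for the illustration.

```python
import cmath
import math
import random

SAMPLE_RATE = 44_100          # typical consumer audio rate; Nyquist is 22.05 kHz
FRAME = 4096                  # power of two so the toy FFT below works
NEAR_ULTRASONIC_HZ = 17_000   # assumed band edge: above this most adults hear nothing


def synth_frame(tones, noise_sigma=0.01, seed=1234, n=FRAME, sr=SAMPLE_RATE):
    """Constructed test signal: a sum of sine tones plus Gaussian noise.

    `tones` is a list of (frequency_hz, amplitude) pairs. This stands in for one
    frame captured from a microphone; it is synthetic, not a real recording."""
    rng = random.Random(seed)
    return [
        sum(a * math.sin(2 * math.pi * f * i / sr) for f, a in tones)
        + rng.gauss(0.0, noise_sigma)
        for i in range(n)
    ]


def fft(x):
    """Minimal recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def band_peak_to_median(samples, sr=SAMPLE_RATE, low_hz=NEAR_ULTRASONIC_HZ):
    """Ratio of the strongest spectral line to the median level in [low_hz, Nyquist].

    A narrowband carrier appears as a spike far above the noise floor of the
    band; broadband noise or ordinary audible content leaves the ratio small."""
    n = len(samples)
    # Hann window keeps leakage from loud audible content out of the high band.
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / n))
                for i, s in enumerate(samples)]
    spectrum = fft(windowed)
    lo_bin = math.ceil(low_hz * n / sr)
    mags = sorted(abs(spectrum[k]) for k in range(lo_bin, n // 2 + 1))
    median = mags[len(mags) // 2]
    return mags[-1] / median if median > 0 else float("inf")


def flag_near_ultrasonic(samples, sr=SAMPLE_RATE, threshold=10.0):
    """Return (flagged, ratio); flagged when a line sits >= 20 dB above the band floor.

    The threshold is an assumption for this example; tune it against clean
    captures from the actual room and hardware before relying on it."""
    ratio = band_peak_to_median(samples, sr)
    return ratio >= threshold, ratio


if __name__ == "__main__":
    audible_only = synth_frame([(440.0, 0.5)])
    with_carrier = synth_frame([(440.0, 0.5), (19_000.0, 0.05)])
    for name, frame in (("audible only", audible_only),
                        ("with 19 kHz carrier", with_carrier)):
        flagged, ratio = flag_near_ultrasonic(frame)
        print(f"{name}: peak/median = {ratio:.1f}, flagged = {flagged}")
```

The carrier in the constructed frame is ten times quieter than the audible tone, yet it stands roughly two orders of magnitude above the median of the high band, while the clean frame's ratio stays near the level expected from noise alone. On real captures the same statistic is only a heuristic: fans, switching power supplies and some displays also put narrowband energy up there, so a hit is a reason to look at the spectrum, not proof of a covert channel.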

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
13,444
A Lost Time
Does this news legitimize what the guy was saying?
 
WASHINGTON (AP) — The National Security Agency has implanted software in nearly 100,000 computers around the world — but not in the United States — that allows the U.S. to conduct surveillance on those machines, The New York Times reported Tuesday.

The Times cited NSA documents, computer experts and U.S. officials in its report about the use of secret technology using radio waves to gain access to computers that other countries have tried to protect from spying or cyberattacks. The software network could also create a digital highway for launching cyberattacks, the Times reported.

The Times reported that the technology, used by the agency for several years, relies on radio waves that can be transmitted from tiny circuit boards and USB cards inserted covertly into the computers.
 
 
http://talkingpointsmemo.com/idealab/nsa_international_computer_snooping
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
32,029
Alexandria, VA
Nick Kaufman said:
Does this news legitimize what the guy was saying?
 
 
http://talkingpointsmemo.com/idealab/nsa_international_computer_snooping
 
No, that's using radio waves; we see that all the time (e.g. wireless networking cards, cell phones).  It's just implementing its own on-chip and bypassing the need to take over the machine's networking (and it's adding networking if the machine lacks it).
 
The badbios thing was supposedly using sound waves, using the computer's speaker and microphone to communicate remotely.