BadBIOS malware claimed to defeat air-gaps

November 1, 2013 // 11:03 a.m.

Tags: #air-gap #badbios #cross-platform #dragos-ruiu #insecurity #malware #security #uefi #virus #worm

A security researcher claims to have discovered a strain of malware which can defeat air-gap protections by transmitting itself over inaudible tones generated through computer speakers.

According to analysis by consultant Dragos Ruiu, carried out over the past three years, the so-called badBIOS malware is capable of communicating with other infected machines even when Wi-Fi, Bluetooth, Ethernet, and all other radio or networking devices are disabled or physically removed. The secret, he claims, is high-frequency audio generated from an infected computer's speakers and picked up by another's microphone.

According to a detailed write-up of Ruiu's findings over at Ars Technica, the result is a strain of malware which defeats the most basic of security precautions: the air gap. Named for the literal air-filled gap between computers, an air-gapped computer is physically disconnected from its peers. In these days of ubiquitous wireless connectivity, that extends to an inability to communicate over any form of networking, including Bluetooth, Wi-Fi, WiMAX and other standards.

Ruiu claims that badBIOS is a particularly nasty beast: despite having detected the infection three years ago, he has been unable to fully disinfect his network. The malware appears able to infect systems regardless of operating system - with OS X, Linux, Windows and even the notably secure OpenBSD all having shown signs of succumbing to the infection - and to continue communication even when a computer is air-gapped from the network.

The badBIOS malware, as the name suggests, resides in hard-to-detect and harder-to-clean areas of the computer, including the Unified Extensible Firmware Interface (UEFI) BIOS of modern systems. Spread on infected USB sticks, Ruiu claims, badBIOS embeds itself deeply in a system once installed and is extremely difficult to remove. Preventing infected systems from cooperating is a challenge, too: network traffic continued to flow on an infected system despite the removal of all network-related devices - and even the power cord - until the speakers and microphone were detached.

That, Ruiu claims, is proof that the computers are communicating using audio - but at frequencies too high for a human to hear. If so, the security industry faces a challenge: by using a side-channel like audio to communicate, infected systems can coordinate and transfer data without being logged or triggering alarms on network-based intrusion detection systems.
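The practical consequence for defenders is that network monitoring alone cannot see such traffic; a microphone capture can. As an added illustration (not from the article or from Ruiu's research), this Python snippet scores a PCM frame for energy in the near-ultrasonic band relative to the audible band, using the Goertzel algorithm so it needs no third-party libraries. The 48 kHz sample rate, the 18-22 kHz band and the threshold are assumptions, and the test tones are constructed.

```python
import math

SAMPLE_RATE = 48_000  # Hz; assumed capture rate of the monitoring microphone


def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Power of one frequency bin of `samples` (Goertzel algorithm, rectangular window)."""
    n = len(samples)
    k = int(0.5 + n * freq_hz / sample_rate)  # nearest DFT bin
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def ultrasonic_ratio(samples, lo_hz=18_000, hi_hz=22_000, step_hz=250):
    """Power in the near-ultrasonic band divided by power in the audible band (250 Hz-16 kHz)."""
    band = sum(goertzel_power(samples, f) for f in range(lo_hz, hi_hz + 1, step_hz))
    audible = sum(goertzel_power(samples, f) for f in range(250, 16_001, step_hz))
    return band / (audible + 1e-12)  # guard against a silent frame


def flags_covert_audio(samples, threshold=0.5):
    """True when near-ultrasonic energy is at least half the audible energy (assumed threshold)."""
    return ultrasonic_ratio(samples) > threshold


def synth(freq_hz, n=4800, amp=0.5):
    """Constructed test tone; freq_hz should be a multiple of SAMPLE_RATE / n (10 Hz) to sit on a bin."""
    return [amp * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]


def mix(a, b):
    """Sample-wise sum of two equal-length frames."""
    return [x + y for x, y in zip(a, b)]
```

On a real capture, run `flags_covert_audio` over successive 100 ms frames and alert on sustained hits rather than a single frame, since fans, CRTs and switching supplies also leak energy near 20 kHz.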

The biggest risk, however, is to security researchers themselves. If badBIOS can easily be transferred using USB and other removable storage devices, infect low-level portions of a system, and communicate even when air-gapped, researchers who take forensic images of other computers are the most likely to be infected - and with potentially disastrous results.

More details of Ruiu's research are available on his Google+ account.