The stories are everywhere you look about the new Malware that can infect computers via sound waves. Is it true or just another mythical monster?
Dragos Ruiu, a security consultant, discovered a rootkit on his MacBook Air in his lab three years ago. The MacBook would not boot off of a CD, it erased data, and undid configuration changes. In the months to follow the infection spread to other systems regardless of their operating systems. It even seem to infect computers not connected to any network by Ethernet, Wi-Fi, Bluetooth, or any other method.
In the three years that followed Ruiu claimed to have observed the following behavior from the rootkit he named badBIOS:
- Windows, OSx, BSD systems have been infected.
- It changes system settings.
- It prevents booting from CD drives.
- It infects a plugged in USB stick which then infects other systems.
- You must eject infected USB sticks safely or they become unusable, except in the infecting system.
- It has a hypervisor which uses a software defined radio (SDR) to jump Airgaps.
- It replicates via an ultrasonic transmission thru speakers to other machines via their microphones.
- It blocks re-flashing software websites of Russian origin.
Is this real or not? What gives it credence mostly is the reputation of Dragos Ruiu. He is the organizer of the CanSecWest and the PacSec conferences, as well as the founder of the Pwn2Own hacking competition. Ruiu is a respected professional in the technology field.
What about the stated capabilities of this rootkit? Since this is a BIOS infection the operating system has no bearing on what operating systems it can or cannot infect. The BIOS brokers the connection between the operating system and hardware peripherals like the CD drive, USB ports and so forth it is perfectly plausible for a BIOS infection to change system settings, to block booting from a CD and infecting USB sticks. Additionally hardware rootkits are one of the basic forms of a rootkit. Creating a hypervisor is something rootkits have been able to do for several years now. Transmitting an ultrasonic signal from the speakers is also something easily accomplished by a rootkit since by design a rootkit is a command and control program.
What is it then that makes badBIOS so unbelievable? In part it is believing there is a malware that can spread unchecked with no known way to remove it. On the technical side it is the ability of transmitting data using an audio signal. The technique itself is no different than communicating via modem over the telephone lines. However, the maximum bandwidth capabilities of high definition audio are 600 bytes per second, which relates to over two full seconds for a single TCP packet. This is assuming an average packet size of 1500 bytes. A rootkit that would do everything Ruiu observed would need to be several megabytes in size. The rootkit needs to have controllers for USB, CD and speaker hardware this is easily 3 megabytes of code. Add to this code for the changing of settings and deletion of data and the malware gets bigger. But let’s say the programmers of this vicious criminal attack are more innovative than most, they would have to be, and the code is only 1 megabyte in size. This would take almost 12 minutes to transmit. That makes it difficult to believe. Now take into account varying motherboards. Each model, revision and minor version requires the UEFI to be recompiled. This would make the likelihood of badBIOS portability pretty slim. Then consider most BIOS sizes are around 4 megabytes, which would be extremely difficult to accomplish the behavior observed by Ruiu. However, as a 25 year veteran of the technology profession what I find most unbelievable about this story is that an IT professional has a MacBook Pro.
If badBIOS was reported by anyone without the reputation of Ruiu I would never consider it to be for real. Dragos Ruiu will be releasing more detail, and hopefully some code, at the PacSec conference scheduled to be held in Tokyo on November 13-14, 2013. I will wait until then before deciding.