by tr1ck5t3r 3208 days ago
BadBIOS is not nonsense; it uses CPU virtualisation and hard drive controllers which appear as USB devices to load first, then runs independently of whatever OS you are running. If your BIOS has been compromised then you can't switch off CPU virtualisation and your BIOS looks and feels like the real thing. Any electronic device with chips that can be updated can store the malware: USB printers, card readers & writers, some keyboards, the list goes on.

Is there any evidence that badBIOS actually exists? From what I heard, the researcher never found any real evidence.

There was no evidence.

I thought that one of the specific BadBIOS claims was that it can jump across air-gapped machines via ultrasonic audio played over the speakers or something.

It's definitely possible to build a full virtualization environment that feels pretty seamless, but that was only a portion of the claim.

I don't know about ultrasonic, but I certainly have a camcorder recording of some high-frequency sounds which could be used to jump air gaps, much like the sounds dial-up modems used to make when handshaking. You wouldn't hear the sound in a normal office environment, only in a silent office, because the external speakers & amp were turned up close to max but not playing anything, which is also not normal for most offices. It's quite likely that, whilst highly technical, those behind this form of attack are not able to deduce what environment the attack is taking place in, like a normal office or a silent office.

As speakers can be used as microphones (the technology is essentially the same, just different ohms and materials used for the cone) and modern motherboards can detect when a 3.5mm jack plug is plugged into a headphone socket, it might be possible to have the speakers acting as a microphone in some situations. It's something I'm still looking into, but I have noticed that some DJ mixes on YouTube will play up, i.e. going quiet, when you have headphones plugged in but not when using built-in speakers like those found on a laptop. You can reset the mix going quiet by unplugging the 3.5mm stereo jack. Now whether this is some sort of DRM technology being used, as some of the DJ mixes will be illegal copies uploaded to YouTube, I don't know yet, just like I don't know if these are related or separate events to BadBIOS. It's not unheard of for big corps to employ methods to disrupt illegal copies of music & films; the Sony rootkit on some of their music CDs is one such example of big corporations hacking their customers. https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
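The "dial-up handshake" style acoustic channel described in the two comments above is easy to model. The following is an added example, not code from the thread or from any BadBIOS artefact: it simulates a 2-FSK modem in memory (synthesising PCM samples for the transmitter and decoding them with the Goertzel algorithm on the receiver) so the reader can see what a near-ultrasonic air-gap link actually needs on both ends. The tone frequencies, symbol length, preamble byte and noise level are assumed values chosen for the simulation; nothing here touches a sound card.

```python
"""Simulated near-ultrasonic 2-FSK link (added example, not from the thread).

Transmitter: each bit becomes a 5 ms burst at one of two tones.
Receiver: each 5 ms frame is scored at both tones with the Goertzel
algorithm and the stronger tone wins. Both tones sit on exact Goertzel
bins for a 240-sample frame, so there is no spectral leakage between them.
All parameters below are assumptions for the simulation.
"""
import math
import random

SAMPLE_RATE = 48000
SYMBOL_SAMPLES = 240          # 5 ms per bit -> 200 bit/s
FREQ_ZERO = 18000             # bin k = 90 for N = 240
FREQ_ONE = 19200              # bin k = 96 for N = 240
PREAMBLE = b"\x55"            # fixed start byte; receiver checks it to confirm framing


def _bits(data):
    """Yield the bits of `data`, MSB first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(data, amplitude=0.5):
    """Return float PCM samples encoding PREAMBLE + data as 2-FSK."""
    samples = []
    for bit in _bits(PREAMBLE + data):
        f = FREQ_ONE if bit else FREQ_ZERO
        for n in range(SYMBOL_SAMPLES):
            samples.append(amplitude * math.sin(2 * math.pi * f * n / SAMPLE_RATE))
    return samples


def goertzel_power(frame, freq):
    """Power of a single frequency bin over `frame` (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Recover the payload bytes (preamble stripped); None if the preamble is missing."""
    bits = []
    for off in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        frame = samples[off:off + SYMBOL_SAMPLES]
        one = goertzel_power(frame, FREQ_ONE)
        zero = goertzel_power(frame, FREQ_ZERO)
        bits.append(1 if one > zero else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    if not out or out[0] != PREAMBLE[0]:
        return None
    return bytes(out[1:])


def add_noise(samples, sigma, seed=0):
    """Add deterministic Gaussian noise (constructed, to stand in for room noise)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


if __name__ == "__main__":
    message = b"air gap"
    signal = modulate(message)
    print("clean channel  :", demodulate(signal))
    print("noisy channel  :", demodulate(add_noise(signal, 0.5)))
    print("samples per msg:", len(signal), "=", len(signal) / SAMPLE_RATE, "s")
```

The point the simulation makes is the one raised later in the thread: the sender side is trivial, but something on the receiving machine must already be sampling audio and running a demodulator like this one, which is the part of the BadBIOS story that was never evidenced.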

Yes, you could use it to jump air gaps. (In fact, that technology is already deployed in production in Chromecast pairing, when your phone is not on the same network as your Chromecast.)

But don't you need something on the other side to receive and decode the data being sent? What's the BadBIOS story for how the infection initially happened?

(Is the assertion that something along the lines of Intel ME is already listening for control instructions over ultrasound?)

The CIA has been known to tamper with electronics, so between that and pre-backdoored hardware (IME) it's fairly likely that a determined opponent has one or more means to passively wait for a payload in a hard to detect manner.

From there, it's turtles all the way down; you "only" need to deliver an ulterior, possibly tailored, payload from any of the several methods described in this thread.

Could those high pitched sounds you recorded just be capacitor whine or noise on the power supply? All cheap sound interfaces in computers produce noise that correlates with CPU, GPU, or bus activity, and many power supplies make squealing sounds that can be heard in quiet rooms. It's conceivable these could be manipulated as side channels in an already compromised system, but they exist regardless of compromise.
That's the beauty of such methods. Any time an avenue for compromise seems "noisy", I'd be willing to bet someone smart, organised and well-funded has investigated using it for high-value penetration.
>you cant switch off CPU Virtulisation

OK, makes sense

>looks and feels like the real thing

Not really, because you can't turn off virtualization

>>looks and feels like the real thing
>Not really, because you can't turn off virtualization

To be clear, what I mean is that the BIOS can be made to look and feel like the real BIOS when in fact it could be a compromised BIOS which still shows the manufacturer's logo, menu options etc.

Bottom line is, if someone can make it, someone can modify it.

Only by getting a SOIC clip hooked up to something like a Raspberry Pi to get a copy of the chip code will you possibly be able to tell otherwise. Something like this might get people pointed in the right direction. http://www.win-raid.com/t58f16-Guide-Recover-from-failed-BIO...

One of the other attributes I have seen with this "suite of malware" is its ability to spread over the USB bus. If hit with it and it stops your USB devices, including printers, mouse & keyboard, PS/2 mice and keyboards still work, so you can safely shut down your machines instead of pressing and holding the power button to force a shutdown, which can lose work. Let's face it, when looking at how USB works, it's a disaster waiting to be exploited when considering how much attention goes into monitoring Ethernet traffic. Having spoken with Tomasz, the developer of this tool http://desowin.org/usbpcap/ on Windows, you only get what Windows will show you, so a separate malicious OS using CPU virtualisation could still interfere with the USB bus.

One file I've isolated when using PartedMagic will not display its entire contents in the included open-source hex editor if it's accessed using the hex editor's file load method, but if you read the block device sector by sector, you can navigate to where the suspect file is stored and then read the entire contents of the suspect file. There seems to be a sort of magic string which prevents further investigation of suspect files, including the ability to dd /dev/zero over block devices, which is a nuisance.

In all, whoever is behind this is IMO hacking chips so that even if you do a full disk wipe to whatever standard and reinstall the OS, you'll never get rid of it unless you reprogram the chips. It's like a complex zero-day spread over hardware and software, so in isolation the parts look innocent enough but when combined become malicious. It's very, very clever, whoever is behind it, and there aren't many entities with the resources or knowledge to pull something like this off IMO.

Plus, when considering the NDAs that exist with chip/CPU/hardware manufacturers, the knowledge at this level is even more restricted.

If you want to get lucky, don't always follow industry-standard practices; it's sometimes the only way to spot the anomalies.
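The comment above is right that an in-circuit dump of the SPI flash is the only way to see what the BIOS really contains, but a raw dump on its own tells you little; you need to parse it and compare it against a known-good image. The following is an added example, not code from the thread or from the linked guide: it locates UEFI firmware volumes in a raw dump by their `_FVH` signature, verifies each volume header's 16-bit checksum (the header layout follows the EFI_FIRMWARE_VOLUME_HEADER definition in the UEFI PI specification), diffs two dumps at 4 KiB granularity, and reports which volume owns each differing range. The "vendor" and "suspect" dumps are constructed in memory, the GUID constant is the public FFSv2 filesystem GUID, and the attribute value and image layout are assumed for the example.

```python
"""Locate UEFI firmware volumes in raw SPI-flash dumps and diff two dumps.

Added example, not from the thread. Header offsets follow the PI spec's
EFI_FIRMWARE_VOLUME_HEADER: ZeroVector[16], FileSystemGuid[16],
FvLength u64 @32, Signature "_FVH" @40, Attributes u32 @44,
HeaderLength u16 @48, Checksum u16 @50, ExtHeaderOffset u16 @52,
Reserved u8 @54, Revision u8 @55, then a {NumBlocks, Length} block map
terminated by {0, 0}. The 16-bit word sum over HeaderLength bytes is 0.
The dumps built in make_dumps() are constructed, not real firmware.
"""
import struct

FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_FILE_SYSTEM2_GUID, little-endian mixed-endian layout as stored on flash
FFS2_GUID = bytes.fromhex("78e58c8c3d8a1c4f9935896185c32dd3")
FV_ATTRIBUTES = 0x0004FEFF     # assumed typical EFI_FVB2_* flag set for the example


def checksum16(data):
    """Return the word that makes the little-endian 16-bit sum of `data` zero."""
    total = sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF
    return (-total) & 0xFFFF


def build_fv(fv_len, block_size, payload):
    """Construct one firmware volume of fv_len bytes with a valid header checksum."""
    header = bytearray(b"\x00" * 16)                     # ZeroVector
    header += FFS2_GUID                                   # FileSystemGuid
    header += struct.pack("<Q", fv_len)                   # FvLength
    header += FV_SIGNATURE                                # Signature
    header += struct.pack("<I", FV_ATTRIBUTES)            # Attributes
    header_len = 56 + 8 * 2                               # fixed part + 1 map entry + terminator
    # HeaderLength, Checksum (placeholder), ExtHeaderOffset, Reserved, Revision
    header += struct.pack("<HHHBB", header_len, 0, 0, 0, 2)
    header += struct.pack("<II", fv_len // block_size, block_size)
    header += struct.pack("<II", 0, 0)
    struct.pack_into("<H", header, 50, checksum16(bytes(header)))
    return bytes(header) + payload.ljust(fv_len - header_len, b"\xff")


def scan_fvs(image):
    """Return [(offset, fv_length, header_checksum_ok)] for every '_FVH' hit."""
    found = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0 and start + 56 <= len(image):
            fv_len = struct.unpack_from("<Q", image, start + 32)[0]
            hdr_len = struct.unpack_from("<H", image, start + 48)[0]
            hdr = image[start:start + hdr_len]
            ok = (hdr_len >= 56 and hdr_len % 2 == 0 and len(hdr) == hdr_len
                  and sum(struct.unpack("<%dH" % (hdr_len // 2), hdr)) & 0xFFFF == 0)
            found.append((start, fv_len, ok))
        pos = image.find(FV_SIGNATURE, pos + 1)
    return found


def diff_dumps(a, b, granularity=4096):
    """Return merged (offset, length) ranges where two equal-sized dumps differ."""
    if len(a) != len(b):
        raise ValueError("dump sizes differ: %d vs %d" % (len(a), len(b)))
    diffs = []
    for off in range(0, len(a), granularity):
        if a[off:off + granularity] != b[off:off + granularity]:
            if diffs and diffs[-1][0] + diffs[-1][1] == off:
                diffs[-1] = (diffs[-1][0], diffs[-1][1] + granularity)
            else:
                diffs.append((off, granularity))
    return diffs


def attribute(diffs, fvs):
    """Tag each differing range with the offset of the FV that contains it (or None)."""
    out = []
    for off, length in diffs:
        owner = next((s for s, n, _ in fvs if s <= off < s + n), None)
        out.append((off, length, owner))
    return out


def make_dumps():
    """Constructed 256 KiB 'vendor' image and a tampered copy (not real firmware)."""
    vendor = bytearray(b"\xff" * 0x40000)
    vendor[0x10000:0x30000] = build_fv(0x20000, 0x1000, b"vendor DXE volume")
    vendor[0x30000:0x38000] = build_fv(0x8000, 0x1000, b"vendor NVRAM volume")
    suspect = bytearray(vendor)
    suspect[0x15000:0x15010] = b"\xde\xad\xbe\xef" * 4   # code patched inside the first FV body
    suspect[0x30000 + 44] ^= 0x01                          # header attribute flipped, checksum not fixed
    return bytes(vendor), bytes(suspect)


if __name__ == "__main__":
    vendor, suspect = make_dumps()
    for start, fv_len, ok in scan_fvs(suspect):
        print("FV @0x%06x len 0x%06x header checksum %s" % (start, fv_len, "ok" if ok else "BAD"))
    for off, length, owner in attribute(diff_dumps(vendor, suspect), scan_fvs(vendor)):
        where = "0x%06x" % owner if owner is not None else "outside any FV"
        print("diff @0x%06x (%d bytes) in FV %s" % (off, length, where))
```

In practice the dumps come from `flashrom -p linux_spi:dev=/dev/spidev0.0 -r dump.bin` on the Pi attached through the clip; read the chip twice and confirm the two reads are identical before trusting either, since a marginal clip connection produces bit errors that look exactly like tampering. A checksum failure only proves a header was altered without being fixed up; a careful implant would recompute it, which is why the body-level diff against a vendor image matters more than the checksum.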

Thanks for sharing this. Got any links/further reading related to this mess?
BIOS and firmware viruses have been explored for a long time. That alone is not "BadBIOS", which was a claim about a novel C&C (or, if you're extremely paranoid, infection) mechanism using the PC speaker, and an unrealistically robust infection potential. (And to be clear, "BadBIOS" does not exist.)