My first impression was that badBIOS was an elaborate troll on the part of Ruiu, to make the point that just taking what even a "well-respected researcher" says at face value is NOT good security practice.
The surprise is not that, when given a relatively subtle and complex topic such as this, he made such an utter hash of it that the subject of his interview came off like a paranoid schizophrenic. The surprise is instead that Ruiu didn't know better than to give a third-string jackass like Goodin an interview in the first place.
I've heard this referred to as the "Nobel disease": http://rationalwiki.org/wiki/Nobel_disease
I understand the point being explained here, but is this really accurate? I don't know of any SDR platform, let alone a "dongle" with anywhere near the capacity necessary to operate as a wifi AP.
Maybe some radio smartperson can clarify?
(802.11ac is out of bounds, its channels are 80MHz minimum.)
It's been possible to operate a variety of wifi cards in host AP mode for like 10 years or more. Have a search and you'll see this is easily doable.
[1] http://en.wikipedia.org/wiki/John_Forbes_Nash,_Jr.#Mental_il...
I only say this because people want us to take these claims on faith, citing a credential that he hasn't actually established. Furthermore, his tweets so far seem to be full of rookie mistakes. I've seen a fair number of "security enthusiasts" do exactly what he is doing.
I disagree. The definition of plausible is "seeming reasonable or probable".
To say "the idea is completely possible" might be accurate but has a completely different meaning.
A security researcher discovering malware that infects several different BIOS types including on PC and Mac hardware with every major operating system that can spread via USB and communicate via sound between standard speakers and a standard microphone over distance and then going about his normal day-to-day life over the next three years is the very definition of improbable.
1 superficially fair, reasonable, or valuable but often specious <a plausible pretext>
2 superficially pleasing or persuasive <a swindler… , then a quack, then a smooth, plausible gentleman — R. W. Emerson>
3 appearing worthy of belief
To me, an idea is plausible if I can entertain the possibility without suspension of disbelief.

Is it true that if you control the firmware, then you control what the dumps of that firmware will look like? The only way I can imagine getting a clean dump of that machine is by desoldering the chips and imaging them via some specialized tool. If the machine's firmware is rooted, how can you trust any signal the machine sends, especially firmware dumps? The virus could trivially hide itself by detecting that a firmware dump is in progress and sending a decoy (clean) image.
Then you can use an external EEPROM reader that can dump the contents, but is not capable of running the code.
The EEPROM is storage only; its contents are loaded by the PC at boot. So if it is removed, there is no processing that can occur internally that can mask the data inside of it.
EDIT: Sorry for being unclear. I'm aware EEPROM can be overwritten. But presumably that requires special privileges, or a special circumstance (like the user physically holding some button on the motherboard during bootup, or something). The article isn't at all clear how it's possible to write a program that escalates its privileges to such an extent that it can then overwrite EEPROM. Is it really possible? How?
(edit: actually called UEFI: EFI is an old name...)
> Dragos believes that two infected computers can communicate with each other over the audio port
Infected computers. The audio communication is between infected machines. It is not the vector of initial infection.
"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."
> Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.
I presume the computer that had reflashed BIOS, fresh disk drive, with zero data, installed from a Windows System CD, was uninfected. Then it became infected. Then he mentions a theory that it jumps airgaps with speakers and microphones.
This strongly implies that the claim is of a virus that jumps airgaps from an uninfected machine to an infected one through sound.
Which part of this is incorrect?
(Also, the claim that infected computers communicate via sound to bridge airgaps is not mutually exclusive with the claim that infection can spread over airgaps. So what you quoted does not contradict this claim, which is why I didn't take it as a refutation of my previous reading).
Are we looking at a future where a standard OS install is a multi-VM situation?
Of course, you're merely moving your trust anchor from code (verifiable, easy to subvert) to CPU (unverifiable, hard to subvert). Pick your poison.
However, I'd advise limiting the impact UEFI can have on a system (which, right now, is universal). And sometimes I even work on it (https://github.com/pgeorgi/edk2/tree/coreboot-pkg).
I'm willing to give Dragos the benefit of the doubt here and just assume that Dan Goodin has his head so far up his ass he can't see clearly and that Dragos has no intention of misleading people.
But having these issues for 3 years? Let's just say that extraordinary evidence needs to come out fairly quickly now. Or at least a massive correction of the hype here. Surely, in 3 years, someone else would have discovered this thing.
Hardware backdooring is possible, by Jonathan Brossard: http://www.youtube.com/watch?v=yRpilXPv8pU
(This one is more recent, from nullcon; it made a splash at DefCon 20 earlier.)
It's not really much of a stretch that an agency (commercial, criminal or government) that dedicated a few man-years of work could come up with something along these lines.
There's really only one-and-a-half "out there" claims: the "half" being networking via audio, the "one" being cross-platform.
It'll be interesting to see if they manage to grab a dump of the malware and we can get more eyes looking at it...