Indestructible, badass rootkit BadBIOS: Is this tech world's Loch Ness Monster?

Well-known computer security researcher Dragos Ruiu claims to have been hit by seemingly invincible firmware-infecting malware. Dubbed BadBIOS, the mysterious rootkit has split the infosec community after Ruiu said the software nasty can jump over air gaps, meddle with a number of different operating systems, and survive …

COMMENTS

  1. Anonymous Coward

    Hmm... Technically possible, but cross-platform, an infection updating the BIOS and then trying to communicate with other machines, unlikely.

    Why would malware need to communicate with another machine, which would already have that malware installed, especially if over such a short distance?

    1. btrower

      Re: "Why would malware need to communicate with another machine, which would already have that malware installed, especially if over such a short distance"

      Bootstrapping.

      1. Anonymous Coward

        What do you mean "bootstrapping"? As I understand it, bootstrapping is what happens when you initially turn a machine on and it runs the basic code from ROM required to boot the machine. This malware has allegedly already infected the BIOS, so why would it need to communicate with another machine in the local vicinity, which would already be infected? If there were other machines in the vicinity they wouldn't be infected, so wouldn't have the appropriate network driver installed.

      2. Anonymous Coward

        Re: "Why would malware need to communicate with another machine, which would already have that malware installed, especially if over such a short distance"

        Simple. Anyone handling the yet-unreleased Snowden dox would be doing so on an air-gapped machine. By communicating ultrasonically they could detect the dox and remotely delete them/phone home a geolocation where they were found.

        Anything of this sophistication is clearly by nation-state players, and I don't mean China.

    2. Old Handle

      Why?

      "Why would malware need to communicate with another machine, which would already have that malware installed, especially if over such a short distance?"

      Clearly, this isn't just any malware. It must have been designed with a specific purpose in mind, assuming it exists, of course. I would guess that purpose is either espionage or sabotage. Even though someone would still have to screw up, once, to bring it to the wrong side of the air gap, turning that into a two-way link to the outside would still be a huge advantage for someone trying to lift info off it, or tamper with a connected SCADA system. All they need is another infected computer in the same room that also has internet access.

    3. Oh Homer
      Headmaster

      I call bullshit

      Without even reading any of the other analyses:

      . "simply by plugging in" - Not without some autorun mechanism (none here at all on my Gentoo/Openbox system). As for exploiting "buffer overflow bugs" in drivers to execute arbitrary code, that would depend on not only targeting hundreds or thousands of unique drivers across multiple platforms and multiple architectures, but then also targeting the payload similarly. And we're really supposed to believe this will magically fit into a thumbdrive's micro-controller firmware? Bollocks.

      . "reprograms [thumbdrive] micro-controller firmware" and "can hook into classic BIOS, EFI, and UEFI firmware" - Which one? There must be hundreds if not thousands, and they're all different. Again, we're seriously supposed to believe all that code can be squeezed into a single USB thumbdrive's micro-controller firmware? Bollocks.

      . "survive motherboard firmware rewrites" - Survive where? If it's in RAM then a cold boot and full discharge will kill it. If it's on disk then it'll need to hook into the startup process, which can be detected and removed. If it's in a backup BIOS then that can be wiped too. Survive? Maybe, but it wouldn't survive some pretty rudimentary intervention.

      . "transmitting data encoded in ultrasonic sound" - Transmitting to what? My non-existent microphone? And note that this isn't an attack vector, both systems must already be compromised, otherwise there's nothing listening at the other end, even if there is a microphone. What nefarious purpose this would serve is a mystery.

      It sounds to me like some script kiddie has hacked a small collection of hardware and drivers, then proclaimed this as a universal vulnerability.

      Unlikely.

      1. adnim
        Thumb Up

        Re: I call bullshit

        I don't need to say anything now. Thanks for saving me time, have an up.

      2. CheesyTheClown

        Re: I call bullshit

        Come on now...next you'll tell me the tooth fairy, santa claus and intelligent business grads are all fake too.

        Get real :)

      3. Anonymous Coward

        Re: I call bullshit

        Let's just say that the malware author overcame all the obstacles with installing on many different chipsets and architectures, and that indeed it somehow magically manages to create ultrasound via the speakers and somehow manages to interpret the signals received via the microphone. How big is this malware? I would imagine you would need a substantial amount of code to interpret ultrasound from loudspeakers (even though that's highly implausible, but for the sake of argument let's assume it's true) and take into account noise levels in different environments so as not to corrupt the data. How much data can you fit in CMOS? Not that much, I'm pretty damn sure.

        Get a life Dragos Ruiu, or change career and write science fiction.

        1. Peter2 Silver badge

          Re: I call bullshit

          The PCs cross an air gap by communicating via ultrasound through the PCs' speakers and microphones? Ultrasound is at 2 MHz. Human hearing drops off at 20 kHz, and even if you accept "ultrasound" as being inaudible sound slightly above the audible spectrum, I still don't believe that a cheap crappy AC97 sound chipset with the cheapest speakers on the market (which is what most people use) is actually going to be able to produce sound far outside of the audible spectrum to be a practical communication method.

          Even if it did, every involved computer would have to have a microphone (turned on) and again, I doubt cheap mics could pick up sound outside our hearing range. That, and he's not producing copies to other people.

          He is so definitely talking shit.

          1. Cliff

            Re: I call bullshit @Peter2

            Speaker quality - absolutely. Most speakers barely cover the whole 20 Hz-20 kHz human hearing range, and tail off massively at higher frequencies.

            Even still, if the teeeeensy bit of code that can fit in BIOS is able to, say, modulate volume levels or beep gently, it still has to be decoded, but nobody is listening, let alone has the appropriate decoder installed, plus a microphone of any quality.

            And this is supposed to be in BIOS remember - a space which is pretty much full of, well, a basic in out system. This sounds somewhat unbasic...

      4. DWB

        Re: I call bullshit

        | "simply by plugging in" - Not without some autorun mechanism (none here at all on my Gentoo/Openbox system). As for exploiting "buffer overflow bugs" in drivers to execute arbitrary code, that would depend on not only targeting hundreds or thousands of unique drivers across multiple platforms and multiple architectures, but then also targeting the payload similarly. And we're really supposed to believe this will magically fit into a thumbdrive's micro-controller firmware? Bollocks.

        Since this is talking about a BIOS-based attack, the operating system is irrelevant. So only a few key devices would need to be targeted. This, coupled with the reality that there are only a few manufacturers of these key devices, which often reuse routines to save development time, means a much smaller set of devices to attempt to target. So possible, yes. As for "Autorun", BIOS requires an autorun routine to function.

        | "reprograms [thumbdrive] micro-controller firmware" and "can hook into classic BIOS, EFI, and UEFI firmware" - Which one? There must be hundreds if not thousands, and they're all different. Again, we're seriously supposed to believe all that code can be squeezed into a single USB thumbdrive's micro-controller firmware? Bollocks.

        There are thousands of devices, but again a limited set of manufacturers. Again, with these manufacturers reusing codebases, narrowing the set of devices to target.

        | "survive motherboard firmware rewrites" - Survive where? If it's in RAM then a cold boot and full discharge will kill it. If it's on disk then it'll need to hook into the startup process, which can be detected and removed. If it's in a backup BIOS then that can be wiped too. Survive? Maybe, but it wouldn't survive some pretty rudimentary intervention.

        Motherboard rewrites often target the onboard BIOS, but often do not clean all settings and registers. This, coupled with other firmwares which do not often get rewritten, like video cards and other onboard devices, makes malware capable of hiding more plausible. This has happened in the past with connected printers hosting viruses. Old school.

        | "transmitting data encoded in ultrasonic sound" - Transmitting to what? My non-existent microphone? And note that this isn't an attack vector, both systems must already be compromised, otherwise there's nothing listening at the other end, even if there is a microphone. What nefarious purpose this would serve is a mystery.

        Most sound cards emulate Soundblaster 16 compatibility, and it is common now for motherboards to have routines built in to handle sound at the BIOS level, for things like diagnostics and status indications. As for nonexistent microphones, most target PCs would have a microphone attached, so the fact that yours does not would not make this attack improbable. I still believe that both machines must be infected, but given what I outlined above, entirely possible. Given that sound can travel quite far, let's say that the malware searches for infected machines connected to a hot connection, so that updates can be transmitted throughout the physical space.

        | It sounds to me like some script kiddie has hacked a small collection of hardware and drivers, then proclaimed this as a universal vulnerability.

        Even if a script kiddie did pull this off, it can demonstrate a serious problem, in that old school tactics can still be a problem even today.

    4. AlanB

      > Why would malware need to communicate with another machine, which would already have that malware installed, especially if over such a short distance?

      Send new updates, and/or repair malware which has been half removed.

      And send _back_ sensitive information which was carefully being kept on an air-gapped computer, but put on it in the first place using USB sticks, one of which turned out to have been infected.

      That degree of low-level cross platform USB driver bug compatibility seems far fetched though.

      1. Primus Secundus Tertius

        @AlanB

        Your comments look pretty sound. Also, one remembers that Stuxnet was spread by USB sticks.

        1. Chemist

          "Also, one remembers that Stuxnet was spread by USB sticks."

          AFAIK it wasn't spread by USB sticks that magically installed software - it needed autorun

          1. Old Handle

            AFAIK it wasn't spread by USB sticks that magically installed software - it needed autorun

            It was at least a little bit magical. Unless I'm mixing it up with another worm, it launched using a zero-day related to parsing icons or something like that. It may still have relied on autorun on some level, but just turning autorun off in the normal way was not enough to prevent it from installing.

            1. Anonymous Coward

              "it launched using a zero-day related to parsing icons or something like that."

              Maybe on Windows crap but not on real OS

          2. Chemist

            "Also, one remembers that Stuxnet was spread by USB sticks."

            The original versions used a modified autorun.inf file.

            http://www.symantec.com/connect/blogs/stuxnet-lnk-file-vulnerability

            Later versions used a vulnerability in how .lnk files were handled

            "This means that, even with AutoRun and AutoPlay disabled, you can open a removable media device (USB) and execute malicious code without user interaction."

            http://nakedsecurity.sophos.com/2010/07/15/windows-day-vulnerability-shortcut-files-usb/

            1. Destroy All Monsters Silver badge
              Big Brother

              Thanks for the memories.

              In post-Snowden world, it is apparent how bizarre this 'load DLL via shortcut, oops' was.

              "I accidentally automated the whole autorun thing purely by accident! I swear!"

              "Sure you did, Johnny. See me after class."

              1. FrankAlphaXII

                @Destroy All Monsters

                Yeah, it's not the normal MO for NSA/CSS or USCYBERCOM, which makes me believe even more than I already did that it wasn't American in design, plus the numerous references to passages from the Torah in the code that Kaspersky Lab found.

                I don't think that we're creative enough to be able to do something like that, though we may have been the infection vector as the Special Collection Service, and TF Orange* which is the Army's version of the SCS for all intents and purposes, are very good at what they do whether through direct action as TF Orange tends to prefer or social engineering.

                I still believe it was the Israelis in collusion with the Germans, even if it was unwitting cooperation on a part of Siemens.

                *-Each of the so-called Tier 1 SOF groups like SEAL Team SIX and Delta Force (among others) have a Color coded task force name which is used among higher echelon units supporting them to refer to them without naming them, at one time TF Orange was called Intelligence Support Activity, and a good number of defense analysts still call it that.

    5. CheesyTheClown

      No it's not

      No, it's not technically plausible.

      Next dumb comment please?

  2. Richard Stubbs
    Mushroom

    Only one option ....

    Nuke it from orbit, it’s the only way to be sure.

  3. btrower

    I voted entirely plausible

    The more I look into securing systems, the more hopeless it seems. You can most certainly send data from one system to another over an air gap. It is no more magic than electromagnetism (which is in fact pretty magical).

    You can't lock down an attack vector if you don't even think of it. It only takes a single breach to wreak havoc. Back when BIOSes were vulnerable to such a thing I lost two motherboards to malware that destroyed the motherboard via the BIOS. The hardware had to be scrapped. It was thought impossible at the time, but it happened anyway.

    I just spent four hours the other night getting rid of a bit of toolbar malware for someone. They did nothing out of the ordinary, a single oversight failing to uncheck a box for an ordinary installation. Experts miss this type of thing. Unfortunately, this toolbar was tenacious as hell. I had to lock down directories, rewrite files, comb through the registry multiple times and reboot a half-dozen times in various maintenance modes before it was finally gone. It attacked on multiple fronts and changed its camouflage repeatedly.

    Malware of all stripes pays money and that money is getting bigger every day. In this lucrative arms race, attack is always cheaper than defense. Incredibly sophisticated attacks are possible and once proof of concept exists implementation is not far behind.

    A billion or more dollars a day is up for grabs. How much would it cost to mount an attack such as the one described? I expect it is less than the money to be made.

    1. heyrick Silver badge

      Re: I voted entirely plausible

      Each vector on its own might have a degree of truth, although the ultrasonic one sounds fairly implausible to me. The problem is, this super virus is supposed to do it all, rewrite micro controller code and....you know, it was just too over the top, it stretched credulity too far. I voted "bullshit".

      1. Rampant Spaniel

        Re: I voted entirely plausible

        Ditto. This 'bat net' BS is laughable. Most speakers can cover somewhere around 48 Hz to 20 kHz. Ultrasonics is usually considered north of 2 MHz. Human hearing range is 20 Hz to 20 kHz. Microphones will pick up a similar range. So basically they are saying that this can use a speaker and microphone that are restricted to operating within the human range to work outside that range? Make your mind up. It's either ultrasonic or it uses standard speakers and microphones, you can't have both. Utter BS. Sounds like someone needed some attention.

        1. Andy Gates

          Re: I voted entirely plausible

          My Polar F6 HRM communicates by sound: it chirps like a cricket and is very finicky. But most of the finick is with having to retry, and that doesn't annoy scripted processes. Making it chirp outside human hearing is a whole other matter.

    2. Grogan Silver badge

      Re: I voted entirely plausible

      Well... it's far more feasible to write one or more bytes of data to corrupt the bootstrap routine of a BIOS (CIH/Chernobyl style) than what you are arguing is plausible. (especially not on a diverse scale)

      Yes, I too have run into tenacious rootkit backed malware that has given me a run for my money. There's nothing supernatural about that either.

  4. eLD

    There was a chap at work who had a wig. Up until now, that was the least plausible thing I've ever seen in my life. It's just so stupid on so many levels. ASUS couldn't even reflash my BIOS without messing it up, with the benefit of source code. What hope for something to have hundreds of BIOS patches, patches for affecting multiple OSes, and all already fit inside one BIOS?

    1. the spectacularly refined chap

      I actually considered the BIOS to be the most believable part of this. BIOSes are modular and that module interface is standardised - this is how e.g. your graphics card maps itself into the BIOS. If you have network cards or disk controllers on expansion cards they are probably doing exactly the same thing. Usually that is held on a separate memory chip on the card itself but there is no reason it can't be put in spare space on the motherboard flash memory. Indeed, some budget disk controllers require you to do exactly that if you want to boot from them, see e.g. here.

      On the other hand some of the other claims simply don't seem credible. How many different USB flash controllers are out there? How hackable are they really, and even if you can how do you go on to infect the host computer in the absence of any cross-platform autoplay mechanism? Sure, USB drives use the SCSI command set, but it's a heavily cut down version and you can forget about peripheral-initiated actions. Tampering with the data on the device isn't a goer either. How do you identify a request for executable code instead of data? How do you identify the correct place to make the insertion for a broad range of platforms? Presumably this has to fit in a relatively restricted environment if it is to work inside a flash controller.

      Extraordinary claims require extraordinary evidence: until there's some actual evidence presented this is bull.

      1. This post has been deleted by its author

        1. the spectacularly refined chap

          Re: USB

          That's the device enumeration process - basically product and vendor IDs and endpoint details. It's all initiated by the host when it detects a connection, and the details are treated as data rather than code. What USB doesn't allow is for a device to state on its own initiative "Send this to that device" or similar in the same way as e.g. a full implementation of the SCSI command set allows for.

      2. Tom 13

        Re: be the most believable part of this.

        I think almost any piece of the description is believable. It's putting them all together in a single BIOS memory piece of malware that makes it difficult to believe. Of the whole description I think the speaker and microphone transfer bit is the least believable, but mainly because I work mostly on desktops that don't have mics, although if your primary device is a laptop or tablet, then you'd have both devices. Might be some hyperbole about frequency. You could opt for an audible tone at a time people aren't likely to be near the systems. Maybe you could work out a set of flags that indicate people aren't around instead of just a simple time of day check.
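A concrete version of the option ROM point raised in this sub-thread, added here as an example and not part of any post: the PCI Firmware Specification requires each expansion ROM image to start on a 512-byte boundary with a 0x55 0xAA signature and to carry a "PCIR" data structure whose offset is stored at 0x18, and x86 legacy images must byte-sum to zero mod 256. The scanner below walks a firmware dump at that alignment, reports every image it finds with vendor/device ID, code type and length, and flags checksum failures. The sample images are constructed in-process; the vendor and device IDs in them are placeholders.

```python
"""Walk a firmware dump for PCI expansion (option) ROM images and sanity-check each.

Added example, not from any post in this thread. Header layout follows the PCI
Firmware Specification: image on a 512-byte boundary, 0x55 0xAA signature, a
16-bit offset at 0x18 to a "PCIR" data structure, and for x86 legacy images a
byte that makes the whole image sum to zero mod 256. Sample images are built
in-process; their vendor/device IDs are placeholders.
"""
import struct

ROM_SIG = b"\x55\xAA"
PCIR_SIG = b"PCIR"
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_image(buf, off):
    """Parse one image starting at buf[off]; None if there is no valid header there."""
    if buf[off:off + 2] != ROM_SIG or off + 0x1A > len(buf):
        return None
    pcir = off + struct.unpack_from("<H", buf, off + 0x18)[0]
    if pcir + 0x18 > len(buf) or buf[pcir:pcir + 4] != PCIR_SIG:
        return None
    vendor, device = struct.unpack_from("<HH", buf, pcir + 0x04)
    class_code = int.from_bytes(buf[pcir + 0x0D:pcir + 0x10], "little")
    units, code_rev, code_type, indicator = struct.unpack_from("<HHBB", buf, pcir + 0x10)
    length = units * 512
    image = buf[off:off + length]
    info = {
        "offset": off,
        "vendor_id": vendor,
        "device_id": device,
        "class_code": class_code,
        "code_type": CODE_TYPES.get(code_type, "unknown(%d)" % code_type),
        "code_revision": code_rev,
        "length": length,
        "truncated": len(image) < length,
        "last_image": bool(indicator & 0x80),
        "checksum_ok": None,          # only defined for x86 legacy images
    }
    if code_type == 0:
        # Legacy header byte 2 repeats the size in 512-byte units; it and the
        # byte-sum checksum are the two cheapest things to verify.
        info["header_size_matches"] = (buf[off + 2] == units)
        info["checksum_ok"] = (not info["truncated"]) and (sum(image) & 0xFF) == 0
    return info

def scan(buf):
    """Return every image found at a 512-byte boundary, in offset order."""
    found, off = [], 0
    while off + 2 <= len(buf):
        info = parse_image(buf, off)
        if info is None:
            off += 512
        else:
            found.append(info)
            off += max(info["length"], 512)   # never loop on a zero-length image
    return found

def build_legacy_image(vendor, device, units=2, corrupt=False):
    """Constructed x86 legacy image: header, PCIR at 0x1C, zero filler, checksum
    fixed up in the final byte. corrupt=True flips one filler bit afterwards."""
    img = bytearray(units * 512)
    img[0:2] = ROM_SIG
    img[2] = units
    img[3:6] = b"\xE9\x00\x00"            # entry point: x86 JMP rel16 (placeholder)
    struct.pack_into("<H", img, 0x18, 0x1C)
    pcir = struct.pack("<4sHHHHB3sHHBBH",
                       PCIR_SIG, vendor, device, 0, 0x18, 0,
                       (0x030000).to_bytes(3, "little"),   # class: display controller
                       units, 1, 0, 0x80, 0)                 # rev 1, x86, last image
    img[0x1C:0x1C + len(pcir)] = pcir
    img[-1] = (-sum(img[:-1])) & 0xFF
    if corrupt:
        img[0x100] ^= 0x01
    return bytes(img)

def report(buf):
    """One line per image, as a list of strings."""
    return ["0x%06x %s %04x:%04x %s%s" % (
        i["offset"], i["code_type"], i["vendor_id"], i["device_id"],
        "checksum ok" if i["checksum_ok"] else
        "CHECKSUM BAD" if i["checksum_ok"] is False else "no checksum",
        "" if i["last_image"] else " (more images follow)") for i in scan(buf)]

if __name__ == "__main__":
    # Constructed flash dump: a good image, 512 bytes of erased flash, a tampered image.
    flash = (build_legacy_image(0x1234, 0x5678) + b"\xFF" * 512
             + build_legacy_image(0x1234, 0x5678, corrupt=True))
    print("\n".join(report(flash)))
```

The byte-sum checksum catches corruption, not tampering: anyone who can write the flash can recompute it, so an audit of a dump should additionally compare each image against a hash of the vendor's release and, on UEFI platforms, against what the TPM event log says was measured at boot. The scanner also has no view of images stored outside the 512-byte grid or compressed inside a UEFI firmware volume; those need a capsule/volume parser.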

  5. Herby

    Exactly.....

    5 months premature.

    Enough said.

    1. CheesyTheClown

      Re: Exactly.....

      Damn it, that was my line!

      1. Destroy All Monsters Silver badge
        Coat

        Re: Exactly.....

        The war on drugs hasn't been won yet, you can have another one.

  6. Busby

    The transmitting via audio sounds fishy. Fair enough most modern machines are capable of receiving and translating code sent that way. But would they do so unless already infected or set up specifically to do this?

    By no means an IT expert never mind security but doesn't seem plausible to me. Unless the average desktop or laptop is constantly set to look for and run code sent this way why would it work?

    Fully expect someone to correct me but it just doesn't make sense to me.

    1. Adam 1

      I could believe that a pre infected PC with dormant malware could receive instructions from the C&C using such a technique.

      I could accept even that a specific BIOS had some sort of buffer overrun that allowed such a vulnerability, although that seems a very long bow. But to have an exploit of a nature that would work like this across multiple BIOSes sounds too big to fit in the available ROM, so I think this is unlikely.

      What I am willing to accept is some similar technique in the mobile space. E.g an overrun in Siri or Samsung's equivalent in Android. Such an exploit could spread to others on your bus or train.

    2. Andy Gates

      Say you have two infected computers, one on the network and one air-gapped. This allows them to communicate across the gap.

      If the payload is stuxy-specific then it could be, say, "dude, have you found the file [checksum]?" "yep" "I'll phone home then". Not much communication is needed to be useful.

  7. 4ecks
    Black Helicopters

    Paranoia ?

    See Icon -->

    1. Anonymous Coward

      Re: Paranoia ?

      No real paranoia would be not contributing to the discussion because you think the descriptor isn't real, but it is a plant from the spooks who are looking for a way to create just such a piece of malware. For instance you could

      On second thought I'll leave that bit out. Don't want to give them any ideas.

  8. David Given

    Reprogramming USB stick flash firmware?

    Does anyone have a reference for how to do this? It's something I've been interested in doing for ages --- a flash microcontroller is typically an ARM SoC, and programming them should be easy. But I've never actually found anyone who's done it. It'd be a very interesting platform to play with.

    (It's not as ludicrous as it sounds. Here's a guy who's run Linux on a Western Digital hard drive motherboard:

    http://spritesmods.com/?art=hddhack&page=1

    )

    1. Pookietoo

      Re: a guy who's run Linux on a hard drive motherboard:

      He didn't run Linux on the HDD, he used a Linux PC to hack the HDD firmware, creating a persistent back-door by manipulating cache content.

      1. David Given

        Re: a guy who's run Linux on a hard drive motherboard:

        Sorry, I don't follow you. He has a uClinux kernel running on the ARM microcontroller on the HDD board (see the video). That's running Linux on the HDD, surely?

        1. Chemist

          Re: a guy who's run Linux on a hard drive motherboard:

          "He has a uClinux kernel running on the ARM microcontroller on the HDD board (see the video)"

          Quite a guy - I enjoyed that !

      2. carl0s

        Re: a guy who's run Linux on a hard drive motherboard:

        Yes he did run Linux on the HDD. Check page 7. His hacked HDD responds to the string "HD lnx!" going through its cache, by loading the Linux kernel and an initrd from some sectors of the hard disk, and booting it on one of the HDD's ARM cores. The console is output on the HDD's serial port.

        Unbelievable.

    2. Destroy All Monsters Silver badge
      Devil

      YFW: Chucky in your appliance.

      I lolled at Here's a guy who's run Linux on a Western Digital hard drive motherboard.

      Embedded stuff is amazing, sadly I haven't had an occasion to look at it since I had to run floating point calculations on COP microcontrollers in the 90's.

      Have an upvote.

  9. Destroy All Monsters Silver badge
    Trollface

    This is "Halloween", not "April 1st".

    I would rather believe Fukushima radiation can cause people to be zombified.

    (I remember a very bad pulp fiction story with a virus from Mars that infected Earth machines via download through a martian probe...)

  10. JeevesMkII

    The ultrasonics bit sounds like utter cobblers to me.

    Firstly, isn't the case speaker driven off a fixed crystal? Even if it were capable of generating ultrasonic tones, and I highly doubt any of the little piezo tweeters they mount on motherboards could vibrate that fast, who actually has a microphone capable of picking that up.

    At least that part of the claim sounds like BS. I'd be astonished if you could reprogram USB sticks at a fundamental level either without physical access.

    1. William Boyle

      Re: The ultrasonics bit sounds like utter cobblers to me.

      Never heard of using a speaker as an input device? :-) You need to do some serious review of current audio system technology... Also, who uses the case speaker any longer? Even laptops have cone speakers for the most part, in order to get some sort of dynamic range out of them for audio reproduction. They may be piezo instead of magnetically driven, but that belies the point. An electric pulse/current can drive a piezo device, but causing the vibration of a piezo device from an outside source will generate an electric pulse/current as well. They are superbly bi-directional!

      On my workstation at home, the only time the in-case speaker is used is for the diagnostic beeps on start up. All other audio output is via the HD audio chip set on the motherboard which drives a pair of Bose speakers. :-) Nice sounding ones they are, too!

      1. Destroy All Monsters Silver badge
        Paris Hilton

        "Raaah Lovely..." -- wait, did I hear something?

        Never heard of using a speaker as an input device? :-) You need to do some serious review of current audio system technology...

        Right. I suspect to use the speakers as input device, with the piezo as transducer, you need a very precise wattmeter across the piezo so that you can find out how much energy you are actually pumping into the atmosphere in the different frequency bands given your input signal. So you have the expected power spectrum during Δt [computed from the output signal] and the actual power spectrum during Δt [measured from the wattmeter], which tells you how much energy the atmosphere is actually absorbing or even giving back. Then you have to pass the two spectra through a possibly nonlinear map to find out what the incoming signal might actually be. Will you hear the wife working in the kitchen over Stoya's lovely moans? (Just a research example, of course). Sounds feasible (PUN!), but does anyone do it and do boards have hardware to do it?

        1. Dave 126 Silver badge

          Re: "Raaah Lovely..." -- wait, did I hear something?

          > But what's interesting to consider - is there a way that a computer program could induce EM noise into either the mains or the environment,

          That thought occurred to the researcher in the article... he says he unplugged the power cables from the laptops, leaving them to run on their own batteries during testing.

    2. Old Handle

      Re: The ultrasonics bit sounds like utter cobblers to me.

      My PC speaker has no trouble generating sounds in that painfully high mosquito-like range. For obvious reasons it's difficult to determine whether it can make sounds still higher that I can't hear, but it doesn't seem unlikely. I would think the microphone would be the bigger problem. Not least because, most PCs other than laptops don't have one built in.

      1. 142
        Black Helicopters

        Re: The ultrasonics bit sounds like utter cobblers to me.

        I've verified a laptop outputting very strong signal at 20kHz (see my post below). But what's interesting to consider - is there a way that a computer program could induce EM noise into either the mains or the environment, that would result in noise being induced into the input of a computer sound card's Analogue to Digital converter? Doing something with the monitor perhaps, etc?

    3. 142

      Re: The ultrasonics bit sounds like utter cobblers to me.

      They'll be perfectly capable of generating / detecting frequencies well into the 20 kHz range. Mic / speaker frequency responses are given as a tolerance - e.g. pro gear would be flat response between 50 Hz - 20,000 Hz, +/- 3 dB, consumer gear 100 Hz - 15 kHz +/- 6 dB (it varies a lot). That doesn't mean they can't detect / generate frequencies outside that range, it's just they'll be a few dB less sensitive or powerful at, say, 25 kHz.

      Even the cheapest consumer soundcards handle 96kHz sample rates these days. And, to be honest, unless you're banging pots and pans around the laptop, not much else in an indoor environment generates sound in the 20kHz+ range, so I'd suspect there'd be less interference to handle than you might instinctively expect.

      1. This post has been deleted by its author

    4. Anonymous Coward

      Re: The ultrasonics bit sounds like utter cobblers to me.

      Samsung have an app that you can use to transfer data between 2 galaxy phones using high frequency audio.

      https://play.google.com/store/apps/details?id=com.sec.android.easyMover

    5. pinkmouse

      Re: The ultrasonics bit sounds like utter cobblers to me.

      Exactly. Most PC speakers roll off around 18 kHz, and of those that go higher, it's mostly distortion, so I doubt you'd get any significant bandwidth. Then, you also have the fact that most cheap mic capsules as fitted in PCs roll off at about 15 kHz...
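The near-ultrasonic channel this sub-thread argues over, reduced to code. This is an added example, not part of the article or of any post here: a binary FSK modulator and a Goertzel-filter demodulator in pure Python, run end to end through a constructed lossy channel instead of real speakers and microphones. The 48 kHz sample rate, the 18 kHz / 19 kHz tone pair, the 10 ms symbol and the 20 dB channel loss are assumptions chosen to sit inside the passband 142 describes and at the edge of adult hearing; a real over-the-air link would also need timing recovery and error correction, which are not shown.

```python
"""Near-ultrasonic binary FSK between two sound cards: modulator, Goertzel
demodulator and a constructed lossy channel, in pure Python.

Added example, not from the article or any post in this thread. Everything
below is an assumption chosen for illustration: 48 kHz sampling, tones at
18 kHz (bit 0) and 19 kHz (bit 1), 10 ms per bit, 20 dB of channel loss.
"""
import math
import random

SAMPLE_RATE = 48000                 # Hz (assumed; any consumer codec can do it)
F_SPACE, F_MARK = 18000.0, 19000.0  # Hz for bit 0 / bit 1 (assumed)
SYMBOL_SAMPLES = 480                # 10 ms per bit -> 100 bit/s (assumed)
PREAMBLE = [1, 0] * 4               # alternating bits ahead of the payload

def to_bits(data):
    """bytes -> list of bits, MSB first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def from_bits(bits):
    """list of bits (MSB first) -> bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)

def modulate(bits):
    """Return float samples in [-0.5, 0.5] carrying PREAMBLE + bits as BFSK.
    The phase runs continuously across symbol boundaries so there are no
    clicks, which would otherwise splatter energy into the audible band."""
    samples = []
    phase = 0.0
    for b in PREAMBLE + list(bits):
        step = 2 * math.pi * (F_MARK if b else F_SPACE) / SAMPLE_RATE
        for _ in range(SYMBOL_SAMPLES):
            samples.append(0.5 * math.sin(phase))
            phase += step
    return samples

def goertzel_power(block, freq):
    """Energy of `block` in the DFT bin nearest `freq` (Goertzel algorithm):
    one tone test costs O(N) with no FFT library, the kind of footprint a
    firmware-resident decoder would have to live within."""
    n = len(block)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s = x + coeff * s1 - s2
        s2, s1 = s1, s
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def demodulate(samples, nbits):
    """Recover `nbits` payload bits. Each symbol is decided by comparing the
    energy in the two tone bins, not against a fixed threshold, so uniform
    attenuation from a poor speaker or mic does not shift the decision."""
    start = len(PREAMBLE) * SYMBOL_SAMPLES   # symbol-aligned stream assumed
    bits = []
    for i in range(nbits):
        block = samples[start + i * SYMBOL_SAMPLES:start + (i + 1) * SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(block, F_MARK) > goertzel_power(block, F_SPACE) else 0)
    return bits

def channel(samples, gain=0.1, noise_sigma=0.05, seed=1):
    """Constructed stand-in for speaker -> air -> microphone: 20 dB loss plus
    additive white noise. Deterministic via the seed so results are repeatable."""
    rng = random.Random(seed)
    return [gain * x + rng.gauss(0.0, noise_sigma) for x in samples]

def run_demo(message=b"BIOS?"):
    """Modulate, push through the constructed channel, demodulate; returns the
    recovered bytes so a caller can check them against `message`."""
    bits = to_bits(message)
    return from_bits(demodulate(channel(modulate(bits)), len(bits)))

if __name__ == "__main__":
    msg = b"BIOS?"
    print("sent", msg, "recovered", run_demo(msg))
```

Two things the simulation makes concrete. First, the per-sample signal-to-noise ratio in `channel` is below 0 dB, yet the decode is clean, because integrating over a 480-sample symbol buys roughly 27 dB of processing gain; cheap transducers rolling off near 20 kHz (pinkmouse's point) eat into that margin rather than breaking the scheme outright. Second, at 100 bit/s the link is useless for bulk exfiltration but ample for the "have you seen file [checksum]? / phone home" exchange Andy Gates sketches above. Detection on the defender's side is the same maths run in reverse: watch the 18 kHz-plus bins of the microphone input for sustained energy that room noise does not produce.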

  11. William Boyle

    Just too possible!

    Everything that I have read about this (and it is a considerable amount of stuff) is well within the realm of possibility. This is a respected security researcher, and unless he is playing a REALLY bad Halloween joke on us all (unlikely in my opinion), this is something to be wary of! FWIW, at work I disable my speakers and on-board microphone, and only use a USB headset. That won't completely block this sort of attack, but it will make it more difficult.

    1. CheesyTheClown

      Re: Just too possible!

      I heard from a respected homeopathic doctor that drinking water with the essence of gold will change your DNA to make you appear as a direct descendant of King Midas himself.

      Respected security researcher ... that's too damn good. :) I love this stuff.

      William, do you drive around a van with your name and photo on the side and a nifty slogan like "PC Problems? Call the Dr. Data!"

      Thanks, I needed a great laugh.

  12. William Boyle

    FWIW

    FWIW, I have been doing serious cross-platform coding for 30+ years (including boot-loader and BIOS engineering), and with today's systems, this sort of attack is a lot easier to accomplish. Not simple, for sure, but not impossible, and I could probably do it by myself in about 6-12 months of 100% effort. Of course, my wife would probably kill me after about 3 months, so it may be a moot point! :-)

  13. Anonymous Coward
    Anonymous Coward

    Stuxnet 2.0?

    The only credence I could give to this is that it came from the same sort of people who created Stuxnet.

    Some of the claims sound a little out there, but given what I've recently learned my government has been up to, and with cooperation from Intel, Microsoft and others when creating PC standards to deliberately leave a few cracks in the door open for something like this, who knows...

  14. ammabamma
    Unhappy

    Missing a real money making opportunity here...

    Bollocks to the malware. I want those universal drivers that automagically configure themselves to any computer architecture flawlessly and without any user interaction.

    I have enough trouble as it is using the buggy, broken shite supplied by the OEM manufacturer. (I'm looking at you Océ!)

  15. jake Silver badge

    Uh ... computer says no.

    I just rigged up a bit of assembler to output 20,000 Hz from a couple of different modern sound cards and speakers. My high-end microphone connected to an oscilloscope couldn't pick it up. I couldn't hear it, either ... but I can hear that frequency as output from one of my frequency generators[1] (gawd/ess only knows how my ears survived the early 70s thru' the late 80s!).

    Dragos Ruiu needs to show me, not tell me. Sounds bogus.

    Or, in the vernacular, post proof or retract.

    [1] Yes, I can hear the flyback on most CRTs ... Probably part of the reason I hate TV as much as I do.

    1. 142

      Re: Uh ... computer says no.

      Jake, are you sure you were hearing 20,000Hz and not a subharmonic induced by distortion somewhere along the signal chain?

      1. jake Silver badge

        Re: Uh ... computer says no.

        yes

        And that's "jake", "Jake" is somebody else in this forum.

      2. 142

        Re: Uh ... computer says no.

        Ok, just ran a test myself: thought so.

        20,000Hz (sine wave)* being played out of my laptop (macbook pro), and being picked up by its built-in mic, what looks to be well over 40dB above the noise floor.

        http://imgur.com/8pxFgjG

        I've verified that this is not crosstalk in the electronics.

        Macbook pros' speakers are woeful, and their mics are worse. If it can work on a macbook, it can work on anything.

        [And I can't edit my post now, but of course I offer my most humble apologies for misspelling your name, oh uncapitalised one! ;-) ]

        [*inaudible to me, though I can hear it on square waves due to distortion]

        1. tentimes

          Re: Uh ... computer says no.

          It's a square wave you need - it makes pulse width the identifiable factor for the difference between one and zero on an inversion (usually it's a double inversion actually, though you can do funny stuff and get double tones by making asymmetric wave halves)

        2. CheesyTheClown

          Re: Uh ... computer says no.

          Last time I programmed for CoreAudio on Mac (a long while back), the audio driver had a fixed sampling rate of 48kHz and the audio card's crystal had an interesting drift.

          That would be 2.4 samples per bit. This is certainly suitable for sampling a sine wave and the .4 makes it likely that you wouldn't even have to be in phase. Of course, you'd need to run some form of digital signal processing to reproduce the peaks. You'd need additional DSP high pass filters to extract any actual data from the signal. We'd probably need some additional time to make it work so that a PLL could kick in. Of course, there are other modulation methods for transmitting data over sound waves, but they're going to be SLOW!!!!

          Now, in order to make this work, you'd have to have code running at all times on all audio cards and/or drivers and/or OS kernel audio implementations and/or BIOSes running what I'd imagine would need to be a 20 point filter for everything to work.

          I just love this nonsense.

          Oh.... but you said square waves... that makes it more realistic.

          Can someone please get Zack Brown from the Linux kernel over here. He needs to make some comments to bitch slap some people around.

          1. 142

            Re: Uh ... computer says no.

            @CheesyTheClown

            I suspect that's been upgraded to a 96kHz clock on newer Macs, given the nature of the options presented in Logic (88 and 96k valid, but 176.4 and 192kHz greyed out) when my internal card was selected. [I don't deny they could lie though.]

            But anyway, I can tell you that it is possible to transmit data like this - I've done it using Dual Tone Multi Frequency encoding, transmitting text from one computer to another through their soundcards. I knocked something together in an afternoon before, (using FFT, iirc). Mine worked in the audible range, but it will work in the ultrasonic range too. This is (very) slow, but incredibly resilient. We're spoilt for modern data rates. Cut back the bloat, and have a lot of stuff pre-programmed, and there's an awful lot you could achieve with 10bps.
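            The DTMF-style text-over-soundcard scheme this post describes, as an added example (not code from the thread or from any poster): each byte becomes two dual-tone symbols on the standard 4x4 DTMF grid, and the receiver recovers them with the Goertzel algorithm instead of a full FFT. Assumed here (my choices, not the poster's): a 44.1 kHz sample rate, 100 ms per symbol, and that sender and receiver agree on symbol boundaries (no clock recovery); the noisy run shows the tones still decode when the per-sample noise RMS exceeds the tone RMS.

```python
"""Text over a sound card as dual-tone (DTMF-style) symbols, decoded with the
Goertzel algorithm. Added example; every parameter below is an assumption."""
import math
import random

SAMPLE_RATE = 44100        # assumed on-board codec rate (CD rate)
SYMBOL_SECONDS = 0.1       # assumed symbol length: one hex nibble per 100 ms
SAMPLES_PER_SYMBOL = int(SAMPLE_RATE * SYMBOL_SECONDS)   # 4410
# Standard DTMF 4x4 grid: low-group (row) tones and high-group (column) tones.
LOW_TONES = (697.0, 770.0, 852.0, 941.0)
HIGH_TONES = (1209.0, 1336.0, 1477.0, 1633.0)


def nibble_to_tones(nibble):
    """Map a 4-bit value to (row tone, column tone): 16 grid cells, 16 nibbles."""
    return LOW_TONES[nibble >> 2], HIGH_TONES[nibble & 3]


def encode_text(text, amplitude=0.25):
    """Return float samples in [-1, 1]: two dual-tone symbols per byte, high nibble first."""
    samples = []
    for byte in text.encode("utf-8"):
        for nibble in (byte >> 4, byte & 0x0F):
            f_low, f_high = nibble_to_tones(nibble)
            for i in range(SAMPLES_PER_SYMBOL):
                t = i / SAMPLE_RATE
                samples.append(amplitude * (math.sin(2 * math.pi * f_low * t)
                                            + math.sin(2 * math.pi * f_high * t)))
    return samples


def goertzel_power(block, freq):
    """Power of `block` at `freq` Hz via the Goertzel recurrence; cheaper than an
    FFT when only a handful of target frequencies matter."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_samples(samples):
    """Cut the stream into symbol blocks, pick the strongest row and column tone
    in each, and pair the nibbles back into bytes. Assumes known boundaries."""
    nibbles = []
    for start in range(0, len(samples) - SAMPLES_PER_SYMBOL + 1, SAMPLES_PER_SYMBOL):
        block = samples[start:start + SAMPLES_PER_SYMBOL]
        row = max(range(4), key=lambda i: goertzel_power(block, LOW_TONES[i]))
        col = max(range(4), key=lambda i: goertzel_power(block, HIGH_TONES[i]))
        nibbles.append((row << 2) | col)
    data = bytes((nibbles[i] << 4) | nibbles[i + 1]
                 for i in range(0, len(nibbles) - 1, 2))
    return data.decode("utf-8", errors="replace")


def add_noise(samples, sigma, seed=1):
    """Constructed test input: add seeded Gaussian noise so runs are repeatable."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def bits_per_second():
    """Raw channel rate under these assumptions: 4 bits per 100 ms symbol."""
    return 4 * SAMPLE_RATE / SAMPLES_PER_SYMBOL   # 40 bit/s


if __name__ == "__main__":
    clean = encode_text("hello")
    print(decode_samples(clean))                 # hello
    noisy = add_noise(clean, sigma=0.5)          # noise RMS 0.5 vs tone RMS ~0.25
    print(decode_samples(noisy))                 # still hello: 4410-sample integration gain
```

The narrowband integration over a whole symbol is what makes the scheme resilient; a wideband listener (or a scope trace) sees mostly noise while the Goertzel bins still separate cleanly.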

            1. Anonymous Coward
              WTF?

              Re: Uh ... computer says no.

              I know I can hear up to 55 kHz as that was just under the top freq. in the audio oscillators we used to train students on in our (US Navy) Basic Electronics/Electricity school. And yes, I could hear the old TV's fly-back transformer. If I hadn't been a nuke, they would have soldered on some earphones and made me a sonar-tech. Now, not so much in display/tv-land and the ears are just fine.

              I looked at the indicators and so far they aren't present here. But I don't practice promiscuous anything, even in my non-existent love life. [Sad, that] I can't call this out of the realm of the possible, I've got way too much engineering across the disciplines to EVER say that. Probable? Just perhaps. Likely, don't believe so but if it's real: Damn! I want a piece of that action deciphering it, even at the cost of hardware tested to destruction.

              In actuality, it's far more likely that it's all a test to determine the 'openness' meme/trope in the security industry. [Let's write up an over-the-top malware description (behavioral pattern) and see exactly who and how many buy into it? Then again, Mom's an anthropologist and I was the frequently chosen victim for psychological experiments, as the known outlier, for my teen years. So, I'm kind of used to seeing experiments where others muddle-through.]

              1. TWB

                Re: Uh ... computer says no.

                55 kHz. Really?

                But TV flyback?, that is only around 15 kHz for SD NTSC or PAL - many people can hear that, even me and my hearing ain't that great - mine rolls off at 13 kHz.

    2. CheesyTheClown

      Re: Uh ... computer says no.

      Well, to be fair, I do have a microphone connected to my video workstation which does actually have a 100-22,000Hz frequency response range. I've tested on a scope as well.

      What I love is the suggestion that there would be some special code which would contain code to run a filter to extract ultrasonic from an "ultrasonic signal". I'm pretty damn sure that Nyquist would have a blast with this. Next we'll hear there's a DSP PLL to compensate for sampling rate issues on these sound cards. :)

    3. Anonymous Coward
      Anonymous Coward

      Re: Uh ... computer says no. @jake 04:56

      "Or, in the vernacular, post proof or retract."

      Really? *You* demand that someone else provide proof of their claims?

      "[1] Yes, I can hear the flyback on most CRTs ... Probably part of the reason I hate TV as much as I do"

      And no doubt you can see into ultraviolet and infrared and pick up the electrical signals from peoples' bodies at two miles away.

      1. Jess--

        Re: Uh ... computer says no. @jake 04:56

        re : the flyback on crt tv's

        I wonder whether jake ever had the misfortune to spend time working on tv's.

        I too can hear it, to the point where I could stand at a friend's front door and tell them whether they had a TV on in the house. Newer widescreen CRTs seemed to have been demanding too much from the flyback in terms of power, they always had a nasty screech to them which changed massively with the brightness of the screen.

        At the time it seemed to me that people that worked on TVs (repairing them) could clearly hear the flyback system, but people that just watched TV seemed to have developed a natural notch filter around the noise, since the noise (on a standard PAL TV) was somewhere around 15kc and should have been well within normal hearing range, but most people couldn't hear it.

  16. Neil Barnes Silver badge

    It's all very well the speaker being able to send a signal

    And indeed the microphone being able to hear it - but what about the filters in the front end of the ADC? What about a back end stack on 'every' computing device that listens for and silently understands not just data but executable commands, completely invisible to the OS? So every BIOS ever made comes with this capability?

    I can see how, if one had a voice activated browser, it might be possible to send a human-inaudible spoken command (for example, transmit above 20kHz and let the undersampling on the input ADC turn it back to expected audio frequencies - assuming it survives the anti-aliasing filters) and to then direct the browser to a drive-by attack site... but a generic attack as described?

    Colour me sceptical.

  17. SMabille

    IPV6?

    Why do you want to limit yourself to IPv6?

    Except if this is tailored to a specific target using IPv6, 99.9% of (UK/Non Asian) ISPs and businesses are not using IPv6, so it will be trivial to detect and block (especially on non Windows boxes, without tunnelling enabled by default). Any enterprise firewall has IPv6 disabled by default.

    Most corporate desktops won't have mic installed.

    BIOS compatibility (and the capacity to block overwrite on BIOS flasher) seems once again to point to a particular target.

    All that contradicts the "any OS, any system" claims.

    So doable for a highly targeted system, not so much for a generic one. Probably Sci-Fi to me.

  18. John Smith 19 Gold badge
    Meh

    A little *too* clever?

    My instinct about this "ultrasonic" infection is it's a mistake. Someone has not fully secured all the conventional attack vectors.

    That said sound is an under appreciated tool for learning about what people are typing in.

    But I'm very doubtful on this one.

    1. Chemist

      Re: A little *too* clever?

      @ John Smith 19

      He seems to claim that audio is used just for C&C links although I find it all very far fetched. There's a forum on SANS

      https://isc.sans.edu/forums/diary/Happy+Halloween+The+Ghost+Really+May+Be+In+The+Machine/16934

      in which the man himself (anon?) is giving some details which I have to say seems very confused. He's saying they are short of money for forensic gear and yet seems to be throwing new PCs at the problem.

      I'd have thought a workshop/lab with even modest equipment should be able to check at least some of these claims.

      The other startling claim is that this may have been affecting him for 3 YEARS. Oh, and "the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.."

      1. Destroy All Monsters Silver badge

        The doctor's verdict is in!

        Either:

        1) Run of the mill schizophrenia.

        2) A new form of UFOs

  19. Anonymous C0ward
    Boffin

    Bet it won't survive a manual rewrite of the BIOS chip with an EPROM programmer or Bus Pirate.

    1. RandSec

      Hardware Malware Infection

      1. BIOS chips are not EPROMs anymore.

      2. The main "BIOS" is saved in sections of motherboard flash.

      3. Video cards have their own BIOS storage.

      4. If the user can re-flash the "BIOS," so can malware.

      5. We can re-flash the motherboard to clean it. But can we then re-flash the also-infected video card BEFORE a restart runs infected video BIOS code and so re-infects the motherboard?

      6. And then, if drive controllers can be infected, how do we re-flash THOSE?

      7. Conveniently, almost every PC in the world supports hardware infection.

      The point is less whether there is actual proof of this having been done, and more that there is no reason why someone who worked at it could not do it. We know that NSA, for example, tries everything they can. And their opponents do the same. We expect our computer security to prevent attacks from others, EVEN WHEN THEY TRY, but for some reason our computers do not protect against hardware infection.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hardware Malware Infection

        Get a MB with a write protect BIOS jumper

        1. RandSec

          Re: Hardware Malware Infection

          "Get a MB with a write protect BIOS jumper"

          The next time I order a billion more PCs for the world, I'll put that in the specs. Also for the video cards. And for the hard drive, SSD, USB, and DVD drives. And whatever else.

          Until then, sadly, we can only use what we have.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hardware Malware Infection

            "Get a MB with a write protect BIOS jumper"

            Don't understand you - there are plenty

  20. Tromos
    Joke

    Version 2

    The next version includes code to flash subliminal images on the screen to reprogram the human brain. The virus is then passed on by sneezing.

    1. Destroy All Monsters Silver badge

      Re: Version 2

      Version 2.1 however, flashes a BLIT, leading to abnormal termination of user.

  21. Alfonso Garcia-Patiño Barbolani

    It is fake

    None of the claims are technically impossible. All of them have at least a proof of concept. However, all of these demonstrations target specific hardware, software, BIOS versions and USB host implementations.

    It is one thing to create a PoC for a limited subset of computers/brands/USB hosts, and a very different, and way, way more complicated, thing to create something that survives a few different classes of BIOSes, chips, operating systems (many versions), hardware and machines. As an example, think about all the viruses and trojans that target some systems (vulnerabilities in specific versions or architectures) but when they tried to execute on others they crashed the machine or did nothing.

    If this was true, as someone else has said above, whoever is doing it would have a much bigger opportunity to make billions in the consumer space just by creating systems that... you know, always work and keep working?

  22. Paul J Turner

    I wonder...

    If his lab is affiliated with the one that discovered polywater?

    https://en.wikipedia.org/wiki/Polywater

  23. silent_count
    Joke

    So I was thinking about the volume of code necessary to do all of the stuff this malware is supposed to be capable of, on multiple types of systems. My conclusion is that it's not only possible but it's already in the wild! Dragos Ruiu has inadvertently downloaded Windows 8.1.

  24. jubtastic1
    Black Helicopters

    Question:

    "How do we infect an air-gapped computer with an unknown but common type of OS and Hardware which will have autorun disabled for USB drives etc and then connect that air-gapped computer to the internet to forward captured data?"

    Why, that sounds an awful lot like how Osama's computer was set up, in a residence that gained attention because of its lack of a digital footprint. Funny how that nugget of info leaked, given that it almost guarantees that an average joe type of digital footprint is now going to be part of the standard cover for safehouses.

    If this attack isn't real now, it soon will be, because while there might be billions of possible configurations, at a very low level in a number of areas there is commonality, a very small pool of components from a handful of manufacturers which are designed to work with those billions of configurations.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Question:

      Osama's computer was set up?

      That's the first time I hear of this.

      AFAIK, the CIA had to fake a polio vaccination drive to collect DNA, then a physical hit happened which the Pakistanis may or may not have known about, and finally they left, taking the harddisk with them. Then a body was dumped at sea more mysteriously than a Roswell-related disappearance.

      But then again, Seymour Hersh says about that raid "Nothing's been done about that story, it's one big lie, not one word of it is true", so who knows.

      1. Dave 126 Silver badge

        Re: Question:

        >[this is how] Osama's computer was set up

        With that wording, "set up" can either be taken as meaning 'installed normally' (i.e "I bought a new computer and I set it up on my desk"), or as meaning 'manipulated / interfered with' (i.e "It wasn't me officer, honest, someone has set me up!")

        1. jubtastic1

          Re: Question:

          The first one. 'set up' as in how it was installed, air-gapped from the internet, with info delivered by usb stick, that the residence had no internet was mentioned somewhere (may have been on here), as one of the reasons the compound attracted attention.

          It's worth remembering that while the US assassinated him using fairly conventional means*, it did take them 10 years to luck out on his location and it could have taken a lot longer, if the reported malware works as advertised it would be really handy in a similar situation.

          * Assuming it went down as they said it did.

  25. Anonymous Coward
    Anonymous Coward

    My vote

    the guy is not well.

    Read the Mole by Kafka

  26. cruelfate

    It's a marketing survey

    The most plausible explanation I have is a security researcher is attempting to determine the threat threshold the public will accept as possible without any credible evidence presented. If an "unsanctioned" air gap is deemed insecure, a whole new consulting and product category awaits.

  27. tonybarry

    Difficult to see this one happening

    The ultrasonic comms seems a bit dubious to me. Average human hearing runs around 35Hz to around 15kHz (yes, the standard is quoted as 20Hz to 20kHz but few of us can manage that). So our speaker is going to have to run at minimum 15kHz to transmit the info. The data frequency will have to be subsonic ( < 35Hz) or else the sum and difference products will be definitely audible.

    This implies the data rate on this proposed audio channel is around 2 bytes per second (12 bits per byte including start and stop bits). That is just a bit too meagre for any worthwhile comms. If it does happen, the data will have to be very compressed, like unix commands or suchlike. I can't see the value in that - and it opens up the rootkit to easily being analysed because the sonic datastream has to be minimally obfuscated.

    The recipient PC needs some system (executing code) to convert sounds it receives into commands - which implies it has already been pwned. What then is the point of the sonic link ?

    Difficult to believe this one.

    Regards,

    TB

    1. 142

      Re: Difficult to see this one happening

      "The data frequency will have to be subsonic ( < 35Hz) or else the sum and difference products will be definitely audible."

      Very good point.

      1. Dave 126 Silver badge

        Re: Difficult to see this one happening

        >The recipient PC needs some system (executing code) to convert sounds it receives into commands - which implies it has already been pwned. What then is the point of the sonic link ?

        Purely hypothetically, the idea is that the initial USB infection across the air gap only has to happen once; after which data (albeit limited) can be passed back and forth more regularly by the sonic method.

        I'm too ignorant to speculate on the technical validity of the claim, I'm just suggesting a possible end-use were it to be true.

  28. tentimes

    I used to write Tape Loaders and...

    I used to write (in z80/6502 assembly language) tape loaders in the 80's and it is possible to read a magnet or transducer as 1s and 0s, then in assembly language make judgements on the sound frequency.

    This was developed one stage further by DJL software in the 80's and they were able to detect double tones in the headers that threw tape copying, but I digress.

    The point is that, as far as I understand, the BIOS is written in C or assembly language, operates at bare metal level, BUT... and this is a BIG but, it doesn't have access to a microphone without a driver layer. If it did have access to the microphone and a universal driver could be written in assembler, then it *could* poll and listen for audible tones, which then would form the basis for data pulses. In tape systems a one or a zero is represented by an inflection in polarity with a pulse width judged by measuring the edges.

    I think it is highly unlikely given that so many systems and driver levels are uninitiated until the OS boots, by which time, surely, some way of identifying a non-compliant BIOS would kick in. Or would it?

    I just wish I was back writing embedded stuff or games in assembler.

    1. John Smith 19 Gold badge
      Unhappy

      Re: I used to write Tape Loaders and...

      " If it did have access to the microphone and a universal driver could be written in assembler, then it *could* poll and listen for audible tones, which then would form the basis for data pulses. In tape systems a one or a zero is represented by an inflection in polarity with a pulse width judged by measuring the edges."

      I'd also question the bandwidth of the usual PC microphone speaker combos.

      IIRC the typical audio I/P channel is not that high a quality.

  29. Mystic Megabyte
    WTF?

    Another case here?

    <twilight_zone_theme>

    Sounds like this guy is having the same problem, or maybe it's the same guy.

    http://ubuntuforums.org/showthread.php?t=2173477&p=12784197#post12784197

    </twilight_zone_theme>

    1. Chemist

      Re: Another case here?

      Sounds distinctly nutty - these lines are a giveaway

      "but there is a distinct, new humming in the computing room from the walls Could be something far out there like LAN over Powerline I'd suspect, as the outlets in the room are clearly magnetically charged too now? (wtf??)"

      And his Android tablet - "The read-me and license files were all filled with scripts to keylog and steal photos, video and audio from the microphone" - or maybe that's standard

      "My cellphone, my NON-smartphone cellphone got hacked."

      1. This post has been deleted by its author

        1. Destroy All Monsters Silver badge
          WTF?

          Re: Another case here?

          Holy stuff, this is deep in Chemtrail/Morgellons territory.

          And not a single one of the forum 'tards who tells him/her to seek professional help now because cognitive apparatus malfunction, LOL.

          When the Reality of Philip K. Dick is intruding this dimension, the problem is probably with you.

  30. Drew 11

    The door's open, the lights are on...

    Sounds like this guy's got the same problem Aussie motor racing legend Peter Brock had during his "energy polariser" era.

  31. Haku
    WTF?

    Is he trying to pitch a new Transformers film script?

    Viral code that can infect and spread any system?

    1. phil dude
      Coat

      Re: Is he trying to pitch a new Transformers film script?

      ....Independence Day

      I'll get my coat....

      P.

      1. Destroy All Monsters Silver badge
        Pint

        Re: Is he trying to pitch a new Transformers film script?

        I would prefer a Serial Experiments: LAIN movie, really.

  32. mark l 2 Silver badge

    My guess is that either this virus has been written to specifically target Dragos Ruiu's PC, as some of the claims that it works across multiple computers and platforms seem a bit far fetched. Or (and I expect this is more likely) someone has pwned his twitter account and is posting this BS for fun.

  33. Henry Wertz 1 Gold badge

    I thought he was probably mistaken.

    This could be possible, targeting a specific type of USB stick and BIOS. General-purpose BIOS infection? I'm not going to say "impossible!" but I'm just not seeing it.

    The ultrasonic transmission could be possible using the PC speaker (which, usually routes out through soundcard speaker on systems that don't actually have a PC speaker any more). But, what about the mic? Desktops usually don't have a mic at all (and I don't THINK the hardware supports reading the PC speaker bit to do input....), and for laptops you'd need sound device support -- would they just build some "AC97/Intel HD Codec" driver in and assume it'll work for most devices maybe? This seems very difficult at best.

    So, a virus that does both? It just seems highly unlikely. I guess we'll find out in a few weeks! ;-)

  34. mathew42

    Military and other High Security Environments

    There are a few places where the potential reward for investment makes sense. Most high security environments (e.g. military, foreign embassies, etc) use separate networks to maintain security. Data is transferred from less classified networks to more classified networks via external media frequently, but not the other way. Standard practice is for two (or more) computers to exist on a person's desk with access to networks with a different level of classification. That person may be able to transfer files using a USB key. One of those is most likely a laptop that connects to external networks and which might be possible to compromise, particularly with a targeted attack. If the primary purpose is extraction of data, then a very sensitive listener could be sufficient.

    I suspect that if this is at all possible, the NSA (and other organisations) would be prepared to spend big on research because jumping an air gap could have huge rewards. It wouldn't surprise me if, even if this wasn't available now, people from various organisations have been researching it since the story broke.

    I think the easiest way to prove / disprove this would be to check the security policies of various organisations. If there are indications in the policies of measures to prevent this kind of attack (e.g. internal speakers removed, headphones only), then I think some credence should be given to the claims.

  35. Toska
    Black Helicopters

    Stuxnet <-> BadBios: There is no such thing as coincidence

    I was an electrical engineer before I ended up in IT. All the time that I worked on SCADA systems (primarily Siemens S5 and S7, but also Allen Bradley and others) I knew full well how crap that stuff was from a security point of view. It was also clear that the most basic security necessities were constantly violated by onsite procedures and habits of those who dealt with the PCs hooked up to mission critical multi million dollar production lines. Some of these PCs were simply hooked up to the internet and the internal network for no good reason at all and without even a basic consumer level firewall or virus scanner.

    When the details of Stuxnet filtered through to the public I was only amazed that it had taken that long for something like this to happen. Sure, it requires a lot of interdisciplinary brain grease which is usually hard to come by. But that's also what you get when you've got nation state level exploits being cooked up by scrupulous governments with infinite funding and infinite blackmail potential at their disposal.

    Apply that level of brain grease, funding and scrupulousness to cranking out a sophisticated and highly generic virus like this one and suddenly that scenario is a lot more plausible. Now .... what have these guys that did Stuxnet been doing in between? They probably weren't laid off or are scrubbing toilets these days. Soooo .... that BadBios thingy may sound like science fiction. But think twice: If it's not already out in the wild, then we'll eventually see something like that sooner or later. My money is on sooner.

  36. Jess--
    Joke

    I think the next claim for this terrible infection's capabilities will be encoding data and sending it by flashing the screen (at higher frequencies than the human eye can see) and any other device with a camera being instantly infected (your tablet, your phone, your digital camera and your old VHS camcorder)

    1. Dave 126 Silver badge

      >I think the next claim for this terrible infections capabilities will be encoding data and sending it by flashing the screen

      There has been work done in that sort of area:

      In a separate study conducted in the US, the LED lights that adorn most communications hardware, such as modems and routers, have also been used to snoop on electronic communications.

      Joe Loughry of Lockheed Martin Space Systems and David Umphress at Auburn University, in the US, found that the technique allowed plain text to be captured from up to 30 metres away. In a real life scenario, this information might include sensitive information such as passwords.

      - http://www.newscientist.com/article/dn2029-monitors-flicker-reveals-data-on-screen.html#.UnZa0fnwlBM

      Two more possible vectors, one CRT/LCD, one CRT only:

      'Monitor's flicker reveals data on screen'

      - http://www.newscientist.com/article/dn2029-monitors-flicker-reveals-data-on-screen.html#.UnZa0fnwlBM

      "Back in 1985, Wim Van Eck proved it was possible to tune into the radio emissions produced by electromagnetic coils in a CRT display and then reconstruct the image. The practice became known as Van Eck Phreaking, and NATO spent a fortune making its systems invulnerable to it. "

      - http://www.newscientist.com/blog/technology/2007/04/seeing-through-walls.html

  37. Francis Vaughan
    Headmaster

    Nyquist and Shannon

    There is a significant issue with ultrasonic communication that has been touched on earlier, but seems a lot less understood than it needs to be.

    I just checked on my Macbook Pro, and as I expected the internal audio (ie the one available to the internal mic and speakers) is 44.1kHz (ie CD) sample rate. This places an absolute hard limit of 22kHz on the highest frequency it is possible to generate or detect. In fact the need to have a realisable (as opposed to theoretically perfect) anti-alias filter requires a frequency limit that is lower than this, and for all useful purposes means that the audio is limited to 20kHz - ie the top end of a young person's hearing. Whilst Macs and PCs have long supported higher sample rates in the OS and over connections to sound gear, that does not mean the on board basic sound chips do.

    Any computer trying to converse with ultrasonic sounds would drive any pets in the room wild.

    On the other hand, the idea that you could have a clandestine channel to an air gapped machine does have merit. So long as you are prepared to put up with a low bit rate there are quite realisable ways of doing it with the on board audio. Ultrasonics is simply naive. There is more than enough horsepower in a modern machine to use sub-noise techniques that would be robust enough, and essentially undetectable, to be quite useful here. Again, it is Shannon that shows you how.
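
The two limits this comment invokes, Nyquist folding at a 44.1 kHz sample rate and the Shannon-Hartley capacity of a below-noise channel, can be checked numerically. The following is an added example, not code posted by the commenter or part of the article: it assumes a 44.1 kHz on-board codec, a constructed 100 ms test window of 4410 samples, a Goertzel single-bin detector as the measurement, and the 20 kHz usable band the comment mentions.

```python
"""Nyquist folding and Shannon capacity for a 44.1 kHz sound card (pure Python, no NumPy)."""
import math

FS_HZ = 44100  # CD sample rate of typical on-board audio, as stated in the comment above


def alias_frequency(f_hz, fs_hz=FS_HZ):
    """Fold f_hz into [0, fs/2]: the tone a sampled system actually represents.

    Asking a 44.1 kHz DAC for 24 kHz yields sample values identical to a
    20.1 kHz tone, so a 20.1 kHz (audible-to-pets) tone is what the speaker emits.
    """
    f = math.fmod(f_hz, fs_hz)
    if f < 0:
        f += fs_hz
    return fs_hz - f if f > fs_hz / 2 else f


def tone(f_hz, n, fs_hz=FS_HZ, amplitude=1.0):
    """n samples of a sine at f_hz sampled at fs_hz (constructed test signal)."""
    return [amplitude * math.sin(2 * math.pi * f_hz * i / fs_hz) for i in range(n)]


def max_abs_sum(a, b):
    """max |a[i] + b[i]|; a value near zero means a == -b sample for sample."""
    return max(abs(x + y) for x, y in zip(a, b))


def goertzel_power(samples, target_hz, fs_hz=FS_HZ):
    """Normalised power of `samples` at target_hz via the Goertzel algorithm.

    Returns amplitude squared (1.0 for a unit sine exactly on a DFT bin), which
    makes it a cheap single-frequency detector for a monitoring tool.
    """
    n = len(samples)
    k = round(target_hz * n / fs_hz)          # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / (n / 2.0) ** 2


def shannon_capacity_bps(bandwidth_hz, snr_db):
    """Shannon-Hartley limit C = B * log2(1 + S/N), in bit/s."""
    return bandwidth_hz * math.log2(1.0 + 10.0 ** (snr_db / 10.0))


if __name__ == "__main__":
    n = 4410  # 100 ms at 44.1 kHz, i.e. 10 Hz per DFT bin
    wanted = 24000
    got = alias_frequency(wanted)
    print(f"asked for {wanted} Hz, sampled system represents {got:.0f} Hz")
    print("samples identical up to sign:", max_abs_sum(tone(wanted, n), tone(got, n)) < 1e-8)
    print("power at 20.1 kHz:", round(goertzel_power(tone(wanted, n), 20100), 3))
    print("power at 15 kHz:  ", round(goertzel_power(tone(wanted, n), 15000), 6))
    for snr in (-10, 0, 10):
        print(f"20 kHz band at {snr:+d} dB SNR: {shannon_capacity_bps(20000, snr):.0f} bit/s")
```

The first half shows why a 44.1 kHz codec cannot carry an ultrasonic channel: the sample sequence for a requested 24 kHz tone is, sign aside, the same sequence as for 20.1 kHz, so any energy shows up inside the audible band where a Goertzel detector (or the pets) will find it. The second half is the capacity figure behind the "sub-noise" remark: a 20 kHz band at minus 10 dB SNR still permits on the order of a few kilobits per second in theory, which is why a monitoring approach should look for structured correlation in the noise floor rather than for a tone above 20 kHz.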

  38. Prndll

    throw it out there and see if anyone bytes.....

  39. Oengus

    This has to be the easiest thing to test for... Put an old style non-programmable Oscilloscope in the room attached to a super sensitive Microphone which can detect ultrasonic sounds and look at the resulting trace... Turn off the PCs and watch the ultrasonics trace "disappear". Turn the PCs back on and watch the ultrasonics reappear.

  40. RAMChYLD

    Technically not possible, given the vast proliferation of different audio codecs, different motherboard chipsets, different USB controller, different flash chips, etc.

    Also, AC@20131101/23:06 has a point: What about completely different platforms like Power, Sparc, Alpha, MIPS or ARM? Or heck, lesser known firmware like OpenFirmware and LinuxBIOS?

    And then there's the fact that x64 UEFI systems are not capable of running i86 UEFI code and vice-versa.

    I suspect either FUD by M$, Intel, NSA, BSA, RIAA and the MPAA to push manufacturers to implement Secure Boot and force TPM onto the unfortunate masses. Either that or a very late April Fools joke (or as Holly puts it in the episode "Queeg", April, May, June, July, August, September, October and November Fools).

  41. Big_Boomer Silver badge

    Utter Bollocks

    Can I have some of the drugs he is on please?

  42. Anonymous Coward
    Anonymous Coward

    I, for one,...

    One thing for sure:

    If this thing is real, then we have found not only irrefutable evidence of God, but God her/it/him-self!!

    ...Or maybe it's just that laptop from Independence Day...

    Needless to say, it's pure BS.

  43. Anonymous Coward
    Anonymous Coward

    I am so literally scared to death of this

    I literally believe every single word of this.

    I've also heard that the virus can propagate itself by encoding its software data stream in high frequency flickering of the Windows start icon (which is why Microsoft cleverly left it off in Windows 8, but the virus fought back for Windows 8.1).

    The flickering hypnotises a human sitting at the computer and the human vector then, in a daze, shuffles over to another computer, and literally types in binary into Notepad using only the '1' and '0' keys, saves it as c:\windows.com, and that infects the computer. It's a bit like snails and wasps or something.

    However, once again, Microsoft is ahead of the virus: they've eliminated the human vector in the 'Surface' line of products, by making those products completely uninteresting to all humans, even desperate IT folk.

    As Gartner put it so succinctly: "This has gone up 57% year on year, we'll send our invoice by email. Payment terms: 30 days".

  44. Anonymous Coward
    Anonymous Coward

    Re. malware

    Makes sense, for all we know the malware was encoded at manufacture.

    Adding an ultrasonic chirp based takeover routine wouldn't show up during testing because they aren't looking for it.

  45. Anonymous Coward
    Anonymous Coward

    "...data encoded in ultrasonic sound emitted from the device's loudspeakers..."

    Run it through that old EQ/mixing desk gathering dust on the floor since VSTs came along 10 years ago, and EQ-out the top-end: no more ultrasonic.

  46. Anonymous Coward
    Anonymous Coward

    This is not a HOAX!!! I am having the same issue with my system(s) and yes android /iphone too! I've been in IT for over 20+ years and I posted on other sites about this after I noticed someone wrote about this. All the symptoms are true, I've tried just about everything to get rid of this annoyance. I've found a way to get around the problem but it is temporary with the system at the basic state (no hd, IO cards, etc). Most people would not notice the problem, just that the system is slow(er), my wife had no idea about the issue; I'm just a stickler for a pristine system that runs correctly. I believe there are other people out there that know about this or it is happening to them but are not coming out because of how (crazy) it sounds. My wife thought I was destroying my own systems! I'm not sure how it spreads, I just know that all my cards were pulled, bios battery removed, flashed, new OS and still there. I'm not joking about this, maybe it's our profession, I'm in IT, (government) - that's all I can say. I thought it was some of the folks at the office pranking, but it's been months. Long prank if true. Let me just say I worked with hardware (back in Oscope days), software, etc. This is a good one.

  47. Anonymous Coward
    Anonymous Coward

    Interesting

    This beast is an intriguing piece of code if it exists, I'd love to get a copy for analysis.

    BIOS resident malware is making a comeback, a certain manufacturer beginning with A experienced a similar problem on their netbooks which caused the black screen of death.

    It was never solved apart from "replace the motherboard", yet you could reflash it with a pendrive some of the time.

    Who knows, maybe all those dead BIOSs had an early revision of badBIOS that hosed the system because it was badly written and some boards couldn't take it?

    (typing this from a S*su*ng X series with UEFI)
