* Posts by DWB

1 post • joined 4 Nov 2013

Indestructible, badass rootkit BadBIOS: Is this tech world's Loch Ness Monster? VOTE NOW


Re: I call bullshit

| "simply by plugging in" - Not without some autorun mechanism (none here at all on my Gentoo/Openbox |system). As for exploiting "buffer overflow bugs" in drivers to execute arbitrary code, that would depend on |not only targeting hundreds or thousands of unique drivers across multiple platforms and multiple |architectures, but then also targeting the payload similarly. And we're really supposed to believe this will |magically fit into a thumbdrive's micro-controller firmware? Bollocks.

Since this is talking about BIOS based attack, operating system is irrelevent. So only a few key devices would need to be targeted. This coupled with the reality the there are only a few manufacturers of these key devices, which often reuse routines to save development time, means a much smaller set of devices to attempt to target. So possible yes. As for "Autorun" BIOS requires an autorun routine to function.

|"reprograms [thumbdrive] micro-controller firmware" and "can hook into classic BIOS, EFI, and UEFI |firmware" - Which one? There must be hundreds if not thousands, and they're all different. Again, we're |seriously supposed to believe all that code can be squeezed into a single USB thumbdrive's micro-|controller firmware? Bollocks.

There are thousands of devices, but again a limited set of manufacturers. Again with these manufacturers reusing codebase, narrowing the set of devices to target.

|"survive motherboard firmware rewrites" - Survive where? If it's in RAM then a cold boot and full discharge |will kill it. If it's on disk then it'll need to hook into the startup process, which can be detected and removed. |If it's in a backup BIOS then that can be wiped too. Survive? Maybe, but it wouldn't survive some pretty |rudimentary intervention.

Motherboard rewrites often target the onboard BIOS, but often do not clean all settings and registers. This coupled with other firmwares which do not often get rewritten like video card and other onboard devices, makes a malware capable of hiding more plausible. This has happened in the past with connect printers hosting viruses. Old school.

|"transmitting data encoded in ultrasonic sound" - Transmitting to what? My non-existent microphone? And |note that this isn't an attack vector, both systems must already be compromised, otherwise there's |nothing listening at the other end, even if there is a microphone. What nefarious purpose this would serve |is a mystery.

Most sound cards emulate Soundblaster 16 compatibility, and it is common now for motherboards to have routines built to handle sound at the BIOS level, for things like diagnostics and status indications. As for nonexistent microphones, most target PCs would have microphone attached, so because yours does not, would not make this attack improbable. I still believe that both machines must be infected, but given what I outlined above, entirely possibly. Given that sound can travel quite far, let's say that the malware searches for infected machines connected to a hot connection, so that updates can be transmitted throughout the physical space.

|It sounds to me like some script kiddie has hacked a small collection of hardware and drivers, then |proclaimed this as a universal vulnerability.

Even if a script kiddie did pull this off, it can demonstrate a serious problem, in that old school tactics can still be a problem even today.

Biting the hand that feeds IT © 1998–2019