Every day, I, along with other IT security professionals around the world, am in a constant battle against trojans, viruses, etc. There is always some new threat to analyze, understand, and find a way to minimize the impact of, in order to protect systems and the people who use them. Unfortunately, most times we not only have to fight the actual element of destruction, but also the complacency of the average person, and this is exactly what hackers depend on.
Once in a while, something comes along that really raises an eyebrow. The most recent something is “BadBIOS”. When I first became aware of it, it made me stop in my tracks; you will see why. I do not know if the capabilities of “BadBIOS” are true or not, but if they are, brace yourselves, this may be the real Freakie Deakie.
It was apparently discovered three years ago by Mr. Dragos Ruiu, a security researcher, in his lab, when he noticed something very odd happening with his MacBook Air. As Dan Goodin wrote in a recent Ars Technica blog, the MacBook Air spontaneously updated its firmware, the core BIOS software that allows it to boot. That alone, “something” updating the BIOS firmware on your computer, is not supposed to happen.
After this, the computer wouldn’t boot from a CD-ROM, and the MacBook could erase information and revert configuration changes by itself.
As time went on, multiple other machines, running a mixture of other OSs such as OpenBSD, Windows, and Linux, were modifying their settings and doing odd things. Some systems that had IPv6 completely disabled were transmitting data specific to IPv6.
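The IPv6 symptom just described is the one claim on this list that a defender can check with ordinary tooling: capture the host's traffic from somewhere the host cannot tamper with (a span port or a separate monitoring box, since a compromised machine cannot be trusted to report on itself) and look for IPv6 frames coming from a MAC address that is supposed to have IPv6 switched off. The following Python is an added example for this post, not code from the original article or from any of the researchers named here. It parses raw Ethernet II frames, skips a single 802.1Q VLAN tag, flags IPv6 (EtherType 0x86DD) frames from hosts on an "IPv6 disabled" list, and pulls the source and destination addresses out of the fixed IPv6 header. The MAC addresses, IPv6 addresses and frames are constructed inline for the demonstration and are not a real capture.

```python
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload).

    A single 802.1Q VLAN tag is skipped so the inner EtherType is reported.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        etype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    return mac_str(dst), mac_str(src), etype, payload


def find_unexpected_ipv6(frames, ipv6_disabled_macs):
    """Return one finding per IPv6 frame whose source MAC is on the 'IPv6 disabled' list."""
    findings = []
    for index, frame in enumerate(frames):
        _, src_mac, etype, payload = parse_ethernet(frame)
        if etype != ETHERTYPE_IPV6 or src_mac not in ipv6_disabled_macs:
            continue
        finding = {"frame": index, "src_mac": src_mac}
        if len(payload) >= 40:  # fixed IPv6 header: next header at byte 6, src 8..23, dst 24..39
            finding["next_header"] = payload[6]
            finding["src_ip"] = str(ipaddress.IPv6Address(payload[8:24]))
            finding["dst_ip"] = str(ipaddress.IPv6Address(payload[24:40]))
        findings.append(finding)
    return findings


def ethertype_summary(frames):
    """Count frames per (source MAC, EtherType) so you can see what each host is emitting."""
    counts = Counter()
    for frame in frames:
        _, src_mac, etype, _ = parse_ethernet(frame)
        counts[(src_mac, etype)] += 1
    return counts


# --- constructed sample traffic (hypothetical hosts, not a real capture) ---
MAC_A = bytes.fromhex("020000000001")   # host with IPv6 enabled
MAC_B = bytes.fromhex("020000000002")   # host where IPv6 was disabled
MAC_GW = bytes.fromhex("02000000000f")  # gateway


def build_frame(dst, src, etype, payload, vlan_id=None):
    if vlan_id is None:
        return struct.pack("!6s6sH", dst, src, etype) + payload
    # 802.1Q: outer EtherType 0x8100, then TCI (priority 0, VLAN id), then inner EtherType
    return struct.pack("!6s6sHHH", dst, src, ETHERTYPE_VLAN, vlan_id, etype) + payload


def build_ipv6(src_ip, dst_ip, body=b""):
    # version 6, traffic class 0, flow label 0; next header 59 = "no next header"; hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), 59, 64,
                       ipaddress.IPv6Address(src_ip).packed,
                       ipaddress.IPv6Address(dst_ip).packed) + body


SAMPLE_FRAMES = [
    build_frame(MAC_GW, MAC_A, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    build_frame(MAC_GW, MAC_A, ETHERTYPE_IPV6, build_ipv6("fe80::1", "ff02::1")),
    build_frame(MAC_GW, MAC_B, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    build_frame(MAC_GW, MAC_B, ETHERTYPE_IPV6, build_ipv6("fe80::2", "ff02::1")),
    build_frame(MAC_GW, MAC_B, ETHERTYPE_IPV6, build_ipv6("fe80::2", "ff02::2"), vlan_id=10),
]
IPV6_DISABLED = {mac_str(MAC_B)}

if __name__ == "__main__":
    for finding in find_unexpected_ipv6(SAMPLE_FRAMES, IPV6_DISABLED):
        print("unexpected IPv6:", finding)
    for (src, etype), n in sorted(ethertype_summary(SAMPLE_FRAMES).items()):
        print(f"{src} ethertype 0x{etype:04x}: {n} frame(s)")
```

Run as a script it reports the two IPv6 frames from the "disabled" host (one of them behind a VLAN tag, which a naive check on bytes 12..13 alone would miss) and a per-host EtherType summary. Feeding it real frames is a matter of replacing SAMPLE_FRAMES with the packet bytes read from a capture file.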
Then the real spooky stuff started happening: for example, infected machines were able to exchange network data with other infected machines, and even after Ethernet cables, Wi-Fi, and Bluetooth were removed, the communication still continued.
Now, when something really gets a deep hold on your system, the only way to really eliminate it and feel confident that you have totally eradicated it, is to do a complete wipe of your system and reinstall the operating system from the start. However, computers that went through this process and were completely wiped would start showing signs of strange behavior once again.
Let’s take a moment to digest this so far… We are potentially looking at a virus / malware that, out of the blue, spontaneously updates your computer’s BIOS by itself, changes configurations, erases data, communicates with other infected systems even if you unplug Ethernet and remove the Wi-Fi & Bluetooth hardware, and self-heals and returns even if you wipe your hard drive and reinstall the operating system.
Now, just in case I missed something, Mr. Rob Graham of Errata Security has compiled a detailed analysis of each element of the claims about BadBIOS’s capabilities. There are plenty of opinions, for example by Phillip Jaenke, that state it is flat out impossible. In the Ars Technica publication, Mr. Graham is quoted as saying: “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.” Early networking standards used the technique, and ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.
Sophos Security also has a nice bullet point layout of what we know to date.
The only real fact we know, at least for now, is that we won’t know more for another two weeks, when more details are released by Mr. Ruiu.