Last week Dragos Ruiu described a new kind of malware that can spread without network connectivity. Named badBIOS, this malware supposedly uses ultrasonic communications through speakers to communicate with other hosts. This raised a lot of eyebrows, even among us jaded consultants at Anitian.
So, is badBIOS for real? Maybe not, but the origin of badBIOS could be very real.
Logic dictates that extraordinary claims require extraordinary proof. So far, that proof is still a little shaky (references and links are listed below). Ruiu is a well-respected researcher, and we are inclined to give him the benefit of the doubt. Moreover, conceptually, badBIOS seems reasonable. If malware cannot spread via network connections or removable media, it needs another transport mechanism. Speakers and microphones are on just about every laptop out there these days. It makes sense that those components could be used as a distribution method.
The skeptics to badBIOS have started to emerge. Arrigo Triulzi, another respected researcher has attempted to duplicate Ruiu’s findings but been unsuccessful so far. Triulzi is not the only security researcher who is finding problems with badBIOS claims. Other blogs have started to crop up with analysis of Ruiu’s data and been unable to duplicate the infections.
So, is this a real problem or not? Ruiu may be on to something, but it is probably not quite as bad as it seems. But, it is a fascinating new dimension to malware issues. BIOS infected with malware is extremely difficult to clean up.
However, Anitian thinks the real problem is not Ruiu and his infected machines. It is how this infection happened in the first place? System BIOS’s are not preprogrammed with malware…unless they are. Which makes us wonder, what is patient zero in this situation? Where does this infection originate?
Anitian believes the answer is obvious: manufacturing.
If you want to infect things without being noticed, the best way to do it is to insert your code into the hardware while it is being manufactured. With so much of the hardware we use being built all over the world, how easy would it be to slip malicious code into the BIOS of a laptop, video card or iPhone?
Anitian conducted an analysis of this issue for a manufacturing firm about a year ago. While our data is confidential, we can share the basic conclusion: manufacturing plants are extremely insecure from an information security perspective. These places have an emphasis on efficiency and production. Security efforts are overwhelmingly focused on physical security. There is almost no effort made to secure information systems. Modern electronic manufacturing uses some very sophisticated robots and systems. Controlling these robots are garden variety computers, unusually running Windows or some Linux variant.
Our research showed that infecting these manufacturing systems would be trivial. If you factor in state-sponsored hackers, which are looking more and more real, then this problem is even more likely. What is to stop Chinese hacking teams from getting into these manufacturing environments and injecting their own code into the BIOS on laptops, smartphones, or other components.? And when you consider more advanced components, like FPGAs (field programmable gate arrays) which are inside a lot of networking equipment, the problem becomes even more sinister. It would be relatively simple to reprogram the FPGAs inside network routers to keep track of specific traffic or store passwords and then occasionally upload them to a command and control server.
Look down at that Android device in your hand. Where was that made? Most likely, in a factory in China. Do you know what chips or hardware BIOS it runs? Is there even any way for the manufacturer to check that? These devices have extremely detailed specifications, and there is a rigorous testing protocol, but what if the chip itself was compromised before it ever made it into the actual device? What if the development was flawed from the very beginning with chips that have infected code?
If you want to cause a widespread infection, you go to the source. Targeting Facebook accounts and Pinterest is fine for your average hacker thug who wants to steal some credit cards. The real hacks happen at a much deeper level. So deep that they are in the system before the system is even built.
In this regard, we consider Ruiu’s research to be the tip of a potentially very big iceberg. badBIOS might not be the superworm that we all fear, but it may finally shed light on one of the weaker links in our information systems: manufacturing.
Hardware manufacturers have begun to take interest in this problem. Some of the larger manufacturers have started developing compliance programs for their suppliers and vendors. Anitian’s work in this space was related to a large hardware company that specifically wanted hard data on how vulnerable these manufacturing systems are. Our data was definitative, this problem is widespread and largely being ignored.
The next few years will see increased scrutiny over manufacturing environments. In the meantime, there is very little the consumer can do. If your BIOS is hacked, the only way to rid yourself of that infection is to replace the computer. However, the replacement may be even more compromised than the one you have. And honestly, you would never know one way or the other.
In this regard, badBIOS is very real and very scary.
References:
- Original Story: https://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
- Skepticism: https://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/
- Ruiu’s Google Plus Thread: https://plus.google.com/103470457057356043365/posts
- Argument against badBIOS: https://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/
Anitian – Intelligent Information Security. For more information please visit www.anitian.com
Excellent analysis, Mr. Plato. You are right, this is super scary stuff. As soon as I was done reading this I looked down at my Galaxy and wondered what really was inside there. Youre so right, i have no idea what is in there and I am a tech guy! The bios could be doing all sorts of things and the OS would never really know.
Definately like to hear more about Anitian’s research in this area. You guys are always way out in front on these issues. Thanks as always for this.
The research is fascinating and very disturbing. Many of the manufacting facilities we have seen use outdated operating systems and rarely (if ever patch). In many cases these systems are already comprimised with run-of-the-mill malware. Infecting these systems with more sophisticated APT style malware would be a litteral “peice of cake.”
What is most disturbing is how the security industry utterly ignores this issue. The security luminaries are so focused on obsessing over the next sensationalist hack, they totally ignore the mundane realities of organizational security. This, in turn, trains security people to think those mundane details are not important. Thus we are breeding our own vulnerabilities.
Why does this have to be the ONLY rebialle source? Oh well, gj!
The problem with asking the question is what do you do with the answer.
First, you have to prove enough incidents of manufacturing poisoning to justify a large-scale government/corporate move to address the issue. Since no one is even looking, it’s doubtful that will ever become a major issue.
Second, you then have to find a way to make a solution work in the international marketplace – that is, once you HAVE a solution. Frankly, I say, “Good luck with that.”
I suspect this is one of those issue of “security” which will remain unsolveable.
I have a meme, which I gladly repeat at the drop of a hat:
“You have haz better security, you can haz worse security. But you cannot haz ‘security’. There is no security. Deal.”
There are issues related to “security” that simply cannot be effectively addressed. I think that applies here. There isn’t going to be a solution to poisoned manufacturing anytime soon any more than there is a real solution to poisoned consumer products on store shelves. It’s rare enough – so far – that no one cares.
Should we worry more the chinese hacking teams or the NSA? Who is the most able to penetrate facilities to inject malware in BIOS?
As an european, I wonder who is the bigger threat…
I think if the NSA can get into everything, and they build things using the lowest bidder and within a ludicrious bureaucracy, the Chinese who can dedicate serious resouces, can do the same or better.
the CIO’s, the kids with a shitload of ‘security’ certificates who think they know everything, the CSO who put 100% thrust in such kids .. in short, people who lack imagination
The unfortunate reality is that the common component between these motherboards (surprisingly this aspect has been pushed to one side with a whole bunch of unlikely theories) is the low level BIOS hardware. If somebody wanted to infect patient zero they simply require physical access and an MSI TL399 handheld. From here you access the JSPI1 headers and godmode as you please. Because the chip can physically be programmed this way AFTER manufacture it is inherently insecure. Once this takes place, game over; the system block BRR can be modified very easily to ignore a bad checksum or to simply hardcode the original unaltered checksum… aka your BIOS is good. At this point no motherboard currently manufactured has any kind of defense against accessing the NVRAM through an undervolted RTC. Thus you can bootstrap ANY HARDWARE FIRMWARE YOU PLEASE.
This doesn’t explain any transmission mechanism however it does open up every single transmission mechanism you can imagine, almost. Such an infection stub would merely open the door and keep it open, forever. Or until you brick your mobo.