Last week Dragos Ruiu described a new kind of malware that can spread without network connectivity. Named badBIOS, this malware supposedly uses ultrasonic communications through speakers to communicate with other hosts.  This raised a lot of eyebrows, even among us jaded consultants at Anitian.

So, is badBIOS for real? Maybe not, but the origin of badBIOS could be very real.

Logic dictates that extraordinary claims require extraordinary proof.  So far, that proof is still a little shaky (references and links are listed below).  Ruiu is a well-respected researcher, and we are inclined to give him the benefit of the doubt.  Moreover, conceptually, badBIOS seems reasonable.  If malware cannot spread via network connections or removable media, it needs another transport mechanism. Speakers and microphones are on just about every laptop out there these days.  It makes sense that those components could be used as a distribution method.

The skeptics to badBIOS have started to emerge.  Arrigo Triulzi, another respected researcher has attempted to duplicate Ruiu’s findings but been unsuccessful so far.  Triulzi is not the only security researcher who is finding problems with badBIOS claims.  Other blogs have started to crop up with analysis of Ruiu’s data and been unable to duplicate the infections.

So, is this a real problem or not?  Ruiu may be on to something, but it is probably not quite as bad as it seems.  But, it is a fascinating new dimension to malware issues.  BIOS infected with malware is extremely difficult to clean up.

However, Anitian thinks the real problem is not Ruiu and his infected machines.  It is how this infection happened in the first place?  System BIOS’s are not preprogrammed with malware…unless they are.  Which makes us wonder, what is patient zero in this situation?  Where does this infection originate?

Anitian believes the answer is obvious: manufacturing.

If you want to infect things without being noticed, the best way to do it is to insert your code into the hardware while it is being manufactured.  With so much of the hardware we use being built all over the world, how easy would it be to slip malicious code into the BIOS of a laptop, video card or iPhone?

Anitian conducted an analysis of this issue for a manufacturing firm about a year ago.  While our data is confidential, we can share the basic conclusion: manufacturing plants are extremely insecure from an information security perspective.  These places have an emphasis on efficiency and production.  Security efforts are overwhelmingly focused on physical security.  There is almost no effort made to secure information systems.  Modern electronic manufacturing uses some very sophisticated robots and systems.  Controlling these robots are garden variety computers, unusually running Windows or some Linux variant.

Our research showed that infecting these manufacturing systems would be trivial.  If you factor in state-sponsored hackers, which are looking more and more real, then this problem is even more likely.  What is to stop Chinese hacking teams from getting into these manufacturing environments and injecting their own code into the BIOS on laptops, smartphones, or other components.? And when you consider more advanced components, like FPGAs (field programmable gate arrays) which are inside a lot of networking equipment, the problem becomes even more sinister.  It would be relatively simple to reprogram the FPGAs inside network routers to keep track of specific traffic or store passwords and then occasionally upload them to a command and control server.

Look down at that Android device in your hand.  Where was that made?  Most likely, in a factory in China.  Do you know what chips or hardware BIOS it runs?  Is there even any way for the manufacturer to check that?  These devices have extremely detailed specifications, and there is a rigorous testing protocol, but what if the chip itself was compromised before it ever made it into the actual device?  What if the development was flawed from the very beginning with chips that have infected code?

If you want to cause a widespread infection, you go to the source.  Targeting Facebook accounts and Pinterest is fine for your average hacker thug who wants to steal some credit cards.  The real hacks happen at a much deeper level.  So deep that they are in the system before the system is even built.

In this regard, we consider Ruiu’s research to be the tip of a potentially very big iceberg.  badBIOS might not be the superworm that we all fear, but it may finally shed light on one of the weaker links in our information systems: manufacturing.

Hardware manufacturers have begun to take interest in this problem.  Some of the larger manufacturers have started developing compliance programs for their suppliers and vendors.  Anitian’s work in this space was related to a large hardware company that specifically wanted hard data on how vulnerable these manufacturing systems are. Our data was definitative, this problem is widespread and largely being ignored.

The next few years will see increased scrutiny over manufacturing environments.  In the meantime, there is very little the consumer can do.  If your BIOS is hacked, the only way to rid yourself of that infection is to replace the computer.  However, the replacement may be even more compromised than the one you have.  And honestly, you would never know one way or the other.

In this regard, badBIOS is very real and very scary.

References:

Anitian – Intelligent Information Security. For more information please visit www.anitian.com