Security researcher says new malware can affect your BIOS; be transmitted via the air

BadBIOS infects your machine's BIOS -- the small bit of firmware that prepares your machine before booting the operating system.

Rip out your computer's microphone and webcam, turn off your Bluetooth, and put on your tinfoil hats, it's "super amazing crazy security storytime."

A noted security researcher says he has found a new type of malware that can affect some of the lowest levels of your machine. Even more surprising, this bit of nasty code could be the first example of an airborne computer virus.

No, I'm not talking about Wi-Fi downloads, but about audio signals picked up by your laptop's microphone and decoded back into data. The new malware is dubbed badBIOS by Dragos Ruiu, the security researcher who says he uncovered it.

Ruiu recently told Ars Technica that he's been tracking down badBIOS for the past three years. Since badBIOS is reportedly a crafty piece of code, all he has right now is a working theory about how the malware works.

The thing is...

The one nagging detail about badBIOS is that Ruiu is the only person making these claims, and he has yet to produce enough evidence for other security researchers to independently examine.

But Ruiu, who organizes the CanSecWest and PacSec security conferences, is respected enough that many fellow researchers are hesitant to outright discredit his claims as pure fantasy. Still, without independent verification of Ruiu's claims, it's impossible to know for sure whether badBIOS is the real deal or not.


If you want a more detailed explanation of badBIOS, check out the Ars Technica article mentioned above, but here are the basics.

As its name suggests, badBIOS infects your machine's BIOS--the small bit of firmware that prepares your machine before booting the operating system. If you've ever pressed a key like F2 shortly after your computer boots and then gone to a screen that looks like it was built on a Commodore VIC-20, that's the BIOS.

Once a machine is infected, badBIOS gets to work inserting malicious code inside the operating system itself.

Malware that starts by attacking the BIOS isn't unheard of, but most bits of bad code typically attack weaknesses in standard targets that live inside the operating system, such as Adobe Reader or a Java browser plugin.

BIOS malware could be more effective since it's harder to track down: it survives an operating-system reinstall or even a disk swap, and the antivirus tools most people rely on scan the disk and the running OS, not the firmware chip. Fixing it means reflashing the firmware, which is beyond the capabilities of the majority of PC users.

But what really sets badBIOS apart is that it is supposedly capable of resisting erasure even if someone reflashes (reinstalls) the BIOS firmware. BadBIOS is also platform-independent, which means it can infect and work across a wide array of PC operating systems that include Windows, OS X, Linux, and BSD, according to Ruiu.

BadBIOS can infect a machine in one of two ways, according to Ruiu's current theory. It can get onto a machine through an infected USB stick--a textbook infection method--or by having an already infected machine emit high-frequency audio through its speakers that gets picked up by an uninfected PC's microphone. One caveat worth keeping in mind: a microphone only delivers sound to whatever software is listening, so for the audio route to carry anything, code on the receiving machine would already have to be recording and decoding it. That makes sound far more plausible as a covert channel between compromised machines than as a way to infect a clean one.
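To show what the audio channel part of that theory would actually involve, here is an added example that is not from the original article and has nothing to do with badBIOS itself. It is a minimal near-ultrasonic modem: bytes are turned into 10 ms tones at 18 kHz (bit 0) or 19.5 kHz (bit 1), which most adults cannot hear but ordinary laptop speakers and microphones can still produce and capture, and the receiving side recovers the bits with a Goertzel filter on each symbol window. The frequencies, symbol length and the assumption that the receiver already knows where the first symbol starts (no preamble or synchronization) are my own simplifying choices; the "noise" added to the signal is constructed with a seeded generator so the example runs offline without any audio hardware.

```python
import math
import random

SAMPLE_RATE = 44100      # Hz, what typical laptop audio hardware runs at
F_ZERO = 18000           # tone for a 0 bit (near-ultrasonic, assumed value)
F_ONE = 19500            # tone for a 1 bit (assumed value)
SYMBOL_SAMPLES = 441     # 10 ms per bit at 44.1 kHz; both tones fit an
                         # integer number of cycles, so windows are bin-aligned


def modulate(data: bytes) -> list:
    """Binary FSK: every bit (MSB first) becomes SYMBOL_SAMPLES of a sine
    at F_ZERO or F_ONE. Returns float samples in [-0.5, 0.5]."""
    samples = []
    for byte in data:
        for i in range(7, -1, -1):
            freq = F_ONE if (byte >> i) & 1 else F_ZERO
            for n in range(SYMBOL_SAMPLES):
                samples.append(0.5 * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def goertzel_power(window: list, freq: float) -> float:
    """Energy of one frequency bin over the window (Goertzel algorithm),
    i.e. how loud `freq` is in this symbol without a full FFT."""
    n = len(window)
    k = round(n * freq / SAMPLE_RATE)      # nearest DFT bin for this tone
    w = 2 * math.pi * k / n
    coeff = 2 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in window:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples: list) -> bytes:
    """Slice the signal into symbol windows, decide each bit by comparing the
    energy at the two tone frequencies, then pack bits back into bytes."""
    n_bits = len(samples) // SYMBOL_SAMPLES
    bits = []
    for b in range(n_bits):
        window = samples[b * SYMBOL_SAMPLES:(b + 1) * SYMBOL_SAMPLES]
        one = goertzel_power(window, F_ONE)
        zero = goertzel_power(window, F_ZERO)
        bits.append(1 if one > zero else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):     # drop any trailing partial byte
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def add_noise(samples: list, amplitude: float = 0.3, seed: int = 1) -> list:
    """Constructed stand-in for room noise: seeded uniform noise, so the
    example is deterministic and needs no microphone."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


if __name__ == "__main__":
    signal = modulate(b"badBIOS")
    print(len(signal), "samples,", len(signal) / SAMPLE_RATE, "seconds of audio")
    print(demodulate(signal))                 # clean channel
    print(demodulate(add_noise(signal)))      # noisy channel
```

The point of the example is not that this is what badBIOS does (nobody outside Ruiu's lab has seen it), but that the physical layer is unremarkable: a few dozen bits per second through speakers and a microphone is well within reach of any program that can already open the audio device. The hard part of the claim is the other half, code that is already resident on the receiving side to listen; the modem itself is the easy part.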

The reality of the badBIOS reality

That certainly sounds like a virus created in the realms of pure fantasy but, if badBIOS is real, it has some serious implications. Ruiu believes badBIOS is just the first wave of further malware payloads. Similar to other bad code, badBIOS would jump onto a machine and then call home for further instructions. What those instructions might be, if they even exist, is unknown.

The verified existence of badBIOS would also throw into serious doubt the viability of air-gap security, where sensitive files are read or created on PCs that never connect to the Internet. Security expert Bruce Schneier, who recently assisted the Guardian in examining documents from NSA leaker Edward Snowden, used an air-gapped computer for that work.

Without connecting to the Internet, it was believed, the only realistic way you could get a malware infection would be from an infected USB stick or other storage peripheral. Even then, without a live Internet connection, the impact of most malware infections would be mitigated. Spyware such as a keylogger, for example, would have a hard time delivering timely updates to its masters.

But even badBIOS' purported high-frequency infection method could be just the tip of a much larger digital iceberg. Anyone interested in some background information should check out a blog post by Errata Security's Robert David Graham.

"There are other ways to do air-gapped communications using covert channels," Graham says in the post. "You might exploit blinking LEDs...monitor the voltage on the power supply...The average laptop computer has a godawful number of inputs/outputs that we don't quite realize."

The malware-filled future that badBIOS portends may sound scary, but it's too early to press panic buttons just yet. We can also take heart in the fact that knowing about a piece of malware and how it works is half the battle to defeating it.

And for anyone who loves to admire all things tech, malware or not, you have to admit that badBIOS (if it's real) would be a pretty impressive hack.
