BadBIOS: Worst fears realized or just fearing the worst?

Spread the love

Last week, word hit about a piece of malware referenced as BadBIOS.  Reported by Dragos Ruiu, founder of the Pwn2Own contest and a respected member of the security community, it’s said to be able to communicate with other infected systems by the sound hardware, similar in some ways to a modem.

There are still a TON of questions about this. As far as I’ve read, few if any other people have seen the hardware, but the researcher himself is considered trustworthy. I’ve seen a lot of reports that get the information wrong, like a report that BIOS was infecting BIOS via the sound capabilities, which is not (so far as I can tell) what is being claimed. It seems that what is present is an incredibly resilient and persistent malware that can communicate to other similarly-infected systems via the sound card, and apparently to affect more than one operating system, having successfully affected Apple’s OS X and Windows, as one might expect, but also Linux and even OpenBSD, the latter of which is a very unusual target.

This is, in some ways, what was feared by many when Intel said it wanted to move from BIOS to EFI/UEFI.  Intel had some very good reasons for this as the capabilities of BIOS were interfering in general computing hardware advancement, but when you put what amounts to an operating system in the firmware with room to expand, there stands a good chance that it’s going to be abused.  UEFI sits under everything, and while it’s not quite a virtual machine host (yet), it has many of those same capabilities as it can read what’s going between hardware easily, giving it the ability to alter data at many points.  It also makes it extremely difficult to pry out as few if any malware detection mechanisms can look into the hardware.

Based on a recent (mediocre) book series I’ve been reading, the thought crossed my mind that it may have been secretly sent to one or more researchers so that they would find it specifically in order to derail some secret capability developed by a state-sponsored agency or group. That’s getting into conspiracy theory, something I don’t tend to do, but those happen online more than they happen in meatspace.

In any case, it’s still something I’m watching, and I’m sure there are researchers working to develop similar capabilities. It’s not something I worry about hitting my systems, because the complexities of doing so are enormous. Most computer hardware is built to handle very specific information, but the microphones still start and speakers still end as analog, and the quality of both diverges significantly from one system to the next, even within the same model of hardware. I can see how data can be delivered via sound–we’ve done it for decades with modems–but aside from targets picked very carefully, I have difficulty believing that this could be used for something widespread, especially since the infection mechanism needs a different entry point.

It’s an interesting piece of targeted malware (if real), but it’s not going to take over the world.

Leave a Reply

Your email address will not be published. Required fields are marked *