
It sounds like you're saying this lends some weight to the BadBIOS theory. No, the main unbelievable feature attributed to BadBIOS is the ability to jump airgaps via ultrasonic communication, which is not mentioned in this article.



When you've got a BIOS-level rootkit, what's unbelievable about a hardware-level transmission mechanism? If an OS can load device drivers, why not an exploit toolkit?

Again, the problem with the BadBios story (?) from a security-level perspective was that it came from the head of a top-level security consultant - so it's hard to know if it's true or not, because if he was chasing at system ghosts, they were 100% feasible system ghosts, with Proof Of Concepts delivered (eg reception of ultrasonic transmission via laptop speakers [1]). At this point I do believe they were ghosts, but if you want to analyze them - posting about an actively-administered rootkit installation on your LAN on the internet was a mistake, because once detected the attackers would pull back.

And the more we learn about state-level cyberattacks, the more that potential attack rings true. It's just a question of tradeoff - do you really think that at least one party who could mount an A-grade cyberattack would do so against one of the people most likely to detect and analyze it, versus the chance to see what exists in his systems? When you get down to it, once infected you cannot trust so basic a system as a hard drive, and the NSA has attacked that firmware [2]. See: Reflections on Trusting Trust. [3] And that's about 90% of Dragos' sins right there - not trusting systems (or even components) that were exposed to unknown exploits translates as "paranoia" to the average user.

[1] http://www.jocm.us/index.php?m=content&c=index&a=show&catid=...

[2] http://www.wired.com/2015/02/nsa-firmware-hacking/0

[3] https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...


The claim of BadBIOS was that it was supposed to infect new devices through the audio channel.

While Hanspach et al demonstrate the data transmission vector, it's no infection vector.

For that, you'd need to be able to exploit the HD Audio codec (or whatever chip gets to interpret the signal) - and there are dozens of models by different vendors out there. That's a very different claim.


Coverage at the time only mentioned the audio claims as a side channel for systems which were already infected:

http://blog.erratasec.com/2013/10/badbios-features-explained...

“Dragos believes that two infected computers can communicate with each other over the audio port in frequencies above human hearing, thus allowing an "air gapped" computer to still communicate over the Internet.”

http://arstechnica.com/security/2013/10/meet-badbios-the-mys...

“Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer.”

EDIT: just to be clear, I think this was some sort of mental breakdown but as Rob Graham noted none of what was described was obviously impossible – it would just have had to be executed at a higher level than we've seen before, even with something like Stuxnet, with e.g. exploits & persistent rootkits for huge ranges of hardware.


From your second link:

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

There are four claims in here:

- firmware is fresh

- OS is fresh

- system is air-gapped

- infection happened

The next two paragraphs introduce the network-over-audio theory, which requires an already-infected system (although with no causal link).

This could also be HDD firmware infection or similar, or maybe their flashing attempt was unsuccessful (when done internally, not with an external flasher, that would be reasonable).

Still, articles like this are probably the reason for people (myself included) remembering a claim that infection happened through audio channels.


BIOS is not the sum total of all firmware on a computer - for example you can write a rootkit that lives in the southbridge controller [1] [2] and [article]. And you're correct, as you note - unless you're plugged into the JTAG how do you know you actually reflashed with a clean firmware/BIOS?

It's important not to mix the sensational reporting with what Dragos actually claimed - he only claimed an audio sidechannel as an airgap jumper and/or stay-behind re-loader mechanism on previously-infected systems. Which is actually perfectly possible, especially given that many audio chipsets still have native soft-modem capability built in. Could you write a "loader" firmware virus that re-downloads a more substantial rootkit via soft-modem with an ultrasonic carrier? Well, it's not impossible...

That's generally the problem with the BadBios tale - he's a security researcher so his claim was just at the edge of possibility, but it would have to be a very sophisticated piece of work. It's more likely that the guy was jumping at shadows, but then you read stuff like the [article], which I read as implying that BIOS/firmware-level malware is starting to trickle down to small-scale private actors.

[1] https://www.blackhat.com/presentations/bh-usa-07/Heasman/Pre...

[2] https://www.blackhat.com/presentations/bh-dc-07/Heasman/Pape...
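As an added example (not code from any commenter, nor Hanspach's or Dragos' work), a check a defender could run over microphone samples captured on a suspect air-gapped host: it scans the 18-22 kHz band with the Goertzel algorithm, since a near-ultrasonic carrier of the kind discussed above shows up as a narrow power peak where ordinary room audio has almost none. The sample rate, band and power threshold are assumed values, and the test audio is constructed inline.

```python
import math

SAMPLE_RATE = 48_000             # Hz; assumed typical laptop codec rate
ULTRASONIC_BAND = (18_000, 22_000)  # above hearing, below Nyquist at 48 kHz
POWER_THRESHOLD = 1e-4           # assumed: roughly a 0.02 full-scale tone


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of `samples` at `target_hz` via the Goertzel recurrence.

    Normalised by N^2 so a full-scale sine (amplitude 1) on an exact bin
    yields 0.25. Cheaper than a full FFT when only a few bins matter.
    """
    n = len(samples)
    k = round(n * target_hz / sample_rate)        # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1          # second-order IIR step
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return power / (n * n)


def scan_ultrasonic(samples, band=ULTRASONIC_BAND, step_hz=250):
    """Return (detected, peak_hz, peak_power) for the strongest bin in band."""
    peak_hz, peak_power = max(
        ((f, goertzel_power(samples, f))
         for f in range(band[0], band[1] + 1, step_hz)),
        key=lambda fp: fp[1],
    )
    return peak_power >= POWER_THRESHOLD, peak_hz, peak_power


def make_signal(tones, seconds=0.1, sample_rate=SAMPLE_RATE):
    """Constructed test audio: a sum of (frequency_hz, amplitude) sines."""
    n = int(seconds * sample_rate)
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate)
                for f, a in tones) for i in range(n)]


if __name__ == "__main__":
    # Constructed inputs: speech-band tones only, then the same plus a carrier.
    speech_only = make_signal([(300, 0.4), (1_000, 0.3), (3_000, 0.2)])
    with_carrier = make_signal([(300, 0.4), (1_000, 0.3), (19_000, 0.1)])
    print("speech only  :", scan_ultrasonic(speech_only))
    print("with carrier :", scan_ultrasonic(with_carrier))
```

A real deployment would run this on successive capture windows and alert on sustained peaks, since a modulated carrier persists while transient clicks do not.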


> for example you can write a rootkit that lives in the southbridge controller

Those two slide sets don't claim to have a rootkit 'in the southbridge controller'. The second speaks about Option ROMs, which are a well-known attack vector (see practically half the Thunderbolt attack concepts, the other half aiming for the DMA capabilities).

Option ROMs exist on plugin cards (which aren't southbridges) or, for built-in devices like on-board NICs, in the flash part that also hosts the PC firmware (BIOS, UEFI, coreboot, ...) - which sits behind the southbridge, not on the southbridge itself.

There's also firmware for auxiliary processors (eg. IMC or SMU in AMD chipsets), but that also sits in the main firmware flash.

The "security" processors (ME on Intel, PSP on AMD) also fetch their firmware from the main firmware flash (shared with the CPU firmware).

The location of various firmware items is pretty well-known. I'd be more worried about some extra chip (such as a discrete audio codec chip ;-) ) coming with its own rewritable flash memory. But that's unlikely for cost reasons and also not part of the discussion in security research papers, at least as far as I have seen.


I just want to second what paulmd wrote. I think the story is extremely unlikely to be true but it is almost impossible to provably clean a system compromised by a sufficiently advanced attacker.

Part of the problem was the combination of advanced claims and the breathless breaking-news pace of the discussion. I definitely remember people getting confused because the secondary or tertiary coverage had confused points like this as reporters rushed to publish and people often remember those with the same authority as primary sources.



Sure, looks cool. But if you're trying to convince anyone that BadBIOS can work as claimed, I won't be impressed until I see one system running quietnet install quietnet onto another system with a standard fresh install of Windows, Mac OS X, BSD, or Linux; using only ultrasonic communication.


Did Dragos ever claim that BadBIOS used sound as an infection mechanism rather than a side-channel for communications between systems which were already infected?

If memory serves, nothing he claimed was something that hasn't been demonstrated to be possible – only that the combination would have had to be better executed than anything we've ever seen before and, of course, the evidence never materialized. That fits with the current consensus that it was the product of some sort of mental issue – it's the superset of everything a security researcher might know to be theoretically possible.


I agree with your later comment, that it's unclear whether ultrasonic infection was actually claimed. For purposes of this thread, which started by trying to refute the position, "BadBios is totally impossible" -- the "impossible" claim the mainstream is probably referring to is infection purely by ultrasonic transmission. There's no need to prove that ultrasonic communication is plausible, or that rootkits can be installed in BIOS, EFI, harddrive controller, etc. It is impressive to see such exotic attacks actually being used, though.



