
Coverage at the time only mentioned the audio claims as a side channel for systems which were already infected:

http://blog.erratasec.com/2013/10/badbios-features-explained...

“Dragos believes that two infected computers can communicate with each other over the audio port in frequencies above human hearing, thus allowing an "air gapped" computer to still communicate over the Internet.”

http://arstechnica.com/security/2013/10/meet-badbios-the-mys...

“Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer.”

EDIT: just to be clear, I think this was some sort of mental breakdown but as Rob Graham noted none of what was described was obviously impossible – it would just have had to be executed at a higher level than we've seen before, even with something like Stuxnet, with e.g. exploits & persistent rootkits for huge ranges of hardware.



From your second link:

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

There are four claims in here:

- firmware is fresh

- OS is fresh

- system is air-gapped

- infection happened

The next two paragraphs introduce the network-over-audio theory, which requires an already-infected system (although with no causal link).

This could also be HDD firmware infection or similar, or maybe their flashing attempt was unsuccessful (when done internally, not with an external flasher, that would be reasonable).

Still, articles like this are probably the reason for people (myself included) remembering a claim that infection happened through audio channels.


BIOS is not the sum total of all firmware on a computer - for example you can write a rootkit that lives in the southbridge controller [1] [2] and [article]. And you're correct, as you note - unless you're plugged into the JTAG how do you know you actually reflashed with a clean firmware/BIOS?

It's important not to mix the sensational reporting with what Dragos actually claimed - he only claimed an audio side channel as an airgap jumper and/or stay-behind re-loader mechanism on previously-infected systems. Which is actually perfectly possible, especially given that many audio chipsets still have native soft-modem capability built in. Could you write a "loader" firmware virus that re-downloads a more substantial rootkit via soft-modem with an ultrasonic carrier? Well, it's not impossible...

That's generally the problem with the BadBios tale - he's a security researcher so his claim was just at the edge of possibility, but it would have to be a very sophisticated piece of work. It's more likely that the guy was jumping at shadows, but then you read stuff like the [article], which I read as implying that BIOS/firmware-level malware is starting to trickle down to small-scale private actors.

[1] https://www.blackhat.com/presentations/bh-usa-07/Heasman/Pre...

[2] https://www.blackhat.com/presentations/bh-dc-07/Heasman/Pape...
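The thread above discusses a covert channel on an acoustic carrier "above human hearing". From the defender's side, the practical question is whether a machine's audio output ever carries energy in that band at all. The following is an added example, written for this page and not code from any commenter or from the BadBIOS reporting: a stdlib-only Goertzel band-energy check that flags an audio window whose near-ultrasonic share (18 kHz up to Nyquist) is far above what speech or music produces. The 48 kHz capture rate, the 18 kHz boundary, the 10% threshold and the two synthesised test signals are all assumptions made for the example.

```python
import math

SAMPLE_RATE = 48000  # Hz; assumed capture rate of the monitoring microphone


def bin_power(samples, k):
    """Power of DFT bin k via the Goertzel algorithm (stdlib only, no numpy)."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_power(samples, lo_hz, hi_hz, sample_rate=SAMPLE_RATE):
    """Sum of bin powers for every DFT bin whose centre lies in [lo_hz, hi_hz]."""
    n = len(samples)
    k_lo = math.ceil(lo_hz * n / sample_rate)
    k_hi = math.floor(hi_hz * n / sample_rate)
    return sum(bin_power(samples, k) for k in range(k_lo, k_hi + 1))


def ultrasonic_fraction(samples, sample_rate=SAMPLE_RATE):
    """Share of signal energy above 18 kHz (assumed edge of adult hearing)."""
    audible = band_power(samples, 100, 16000, sample_rate)
    ultra = band_power(samples, 18000, sample_rate / 2, sample_rate)
    total = audible + ultra
    return ultra / total if total > 0 else 0.0


def is_suspicious(samples, threshold=0.1, sample_rate=SAMPLE_RATE):
    """Flag a window whose near-ultrasonic share exceeds the (assumed) threshold."""
    return ultrasonic_fraction(samples, sample_rate) > threshold


def synth(components, n=1200, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a sum of (freq_hz, amplitude) sinusoids, n samples."""
    return [
        sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in components)
        for i in range(n)
    ]


# Constructed inputs: ordinary audible content vs. the same plus a 20 kHz carrier.
CLEAN = synth([(440, 1.0), (1000, 0.5)])
CARRIER = synth([(440, 1.0), (1000, 0.5), (20000, 0.8)])

if __name__ == "__main__":
    for name, sig in (("clean", CLEAN), ("carrier", CARRIER)):
        print(name, round(ultrasonic_fraction(sig), 3), is_suspicious(sig))
```

On real captures the audible band should be compared against the room's noise floor as well, since a machine that is not playing anything has no audible content to dilute a carrier.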


> for example you can write a rootkit that lives in the southbridge controller

Those two slide sets don't claim to have a rootkit 'in the southbridge controller'. The second speaks about Option ROMs, which are a well-known attack vector (see practically half the Thunderbolt attack concepts, the other half aiming for the DMA capabilities).

Option ROMs exist on plugin cards (which aren't southbridges) or, for built-in devices like on-board NICs, in the flash part that also hosts the PC firmware (BIOS, UEFI, coreboot, ...) - which sits behind the southbridge, not on the southbridge itself.

There's also firmware for auxiliary processors (e.g. IMC or SMU in AMD chipsets), but that also sits in the main firmware flash.

The "security" processors (ME on Intel, PSP on AMD) also fetch their firmware from the main firmware flash (shared with the CPU firmware).

The location of various firmware items is pretty well-known. I'd be more worried about some extra chip (such as a discrete audio codec chip ;-) ) coming with its own rewritable flash memory. But that's unlikely for cost reasons and also not part of the discussion in security research papers, at least as far as I have seen.


I just want to second what paulmd wrote. I think the story is extremely unlikely to be true but it is almost impossible to provably clean a system compromised by a sufficiently advanced attacker.

Part of the problem was the combination of advanced claims and the breathless breaking-news pace of the discussion. I definitely remember people getting confused because the secondary or tertiary coverage had confused points like this as reporters rushed to publish and people often remember those with the same authority as primary sources.



