Slashdot Mirror
Ars: Cross-Platform Malware Communicates With Sound
An anonymous reader writes "Do you think an airgap can protect your computer? Maybe not. According to this story at Ars Technica, security consultant Dragos Ruiu is battling malware that communicates with infected computers using computer microphones and speakers." That sounds nuts, but it is a time-tested method of data transfer, after all.
Explaining why the whole thing is probably a hoax.
I'm confused, you mean information can actually be conveyed via air vibrations?
Sorry, that sort of acoustic coupling is bound to be loaded with errors. You might be lucky to get 16 BYTES per second, and even then, those speakers aren't powerful enough to transmit very far.
Airgapped room? Those frequencies from laptop or regular internal computer speakers aren't going to make it past the walls.
Give me a break, slashdot.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Nobody can hear your infected computer's scream.
At this time, I'm taking the whole thing with a handful of salt. It's not totally impossible, though.
I don't care how many tweets this guy's posted about, it doesn't pass the sniff test IMO.
It doesn't mean much now, it's built for the future.
That is how one of the original iPods had their firmware dumped after all, it was played out through the little piezo click speaker at some absurdly low data rate.
Back when I had an altair 8800 we used to play a teletype game called star trek. We kept a radio tuned off channel on in the room. When you fired a laser the code executed a fast loop that emitted EMI in a ramping frequency. the radio would make a phaser noise.
IN Europe it was discovered that the most common brand of voting machine would emit EMI differently depending on whether the character in the displayed name had an umlat or not (special character set). SO you could tell who people voted for when one candidate had an umlat.
Some drink at the fountain of knowledge. Others just gargle.
Besides the many, many stretches of the imagination required for his story (e.g., it infects the firmware on all major brands of USB drives, he never extracted a binary blob or sent the infected device to the manufacturer, the audio communication silliness, the fact that he apparently thinks infection could spread through the power cable, and so on...) the biggest issue to my mind is that if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.
Siri could understand and respond to another instance of Siri on a second iPhone.. so not totally impossible. Audio processing and acoustics have come a long way since the 9600 baud modem.
This story is generating a lot of buzz.
Table-ized A.I.
E-x-t-e-r-m-i-n-a-t-e!
Table-ized A.I.
This will never happen if you are running your gear on the Lunar surface.
Just saying...
Lol. N00bz.
I remember when 300 baud came out and it was an upgrade.
110 baud ftw.
-- Tigger warning: This post may contain tiggers! --
" Dragos Ruiu (@dragosr), the creator of the pwn2own contest"
It would be odd for him to screw up his rep with a hoax like this.
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en
The Kruger Dunning explains most post on
My first modem was a carrier pigeon, and we liked it.......for dinner.
Table-ized A.I.
At this time, I'm taking the whole thing with a handful of salt. It's not totally impossible, though.
That is next month's article: "Cross-Platform Malware spread through common table salt"
Time Bomber the Book coming soon.
I think many of the commentators both here and on Ars Technica are making a basic mistake. No one claims that the machine is infected through its microphones. Duh! How would it know to listen and interpret noise as instructions. The claim is that once infected, the machines communicate using their speakers and microphones.
Is it possible? Sure. Do I consider it likely? No. It's one Hell of an effort for very little gain... in general. But we all have hobbies, so someone may have written a virus that infects through USB drives, overwrites BIOS, and resists the clean up of physically disconnected machines by communicating via sound.
Do I believe this particular story? Hmm... no. Mostly because, despite the reputation of the author, the article makes it sounds that basic mistakes were made during the cleanup process, and because not enough information has been shared with the community.
But if I was told the story is true, I could come with a great conspiracy theory to explain it. The author tries to keep all the fame for himself, the author is being threatened by the high tech agency that developed the strain but let it escape, the virus has alien origin...
No good deed goes unpunished...
Assuming this is more than a hoax, here's a bit of devil's advocate:
After the initial infection and subsequent cleaning (let's assume it survived somehow - hell, it might have been a compromised USB keyboard), the issue was forgotten for a while until the mentioned symptoms started appearing - since they seemed to be mostly inconveniences that often plague BIOS/UEFI (If I had a buck for each hour I've spent figuring out how to boot with drive X on system Y...) or could be atributed to more mundane causes, the investigation of these issues was considered not prioritary, as there were seemingly more important tasks to do.
More recently, a connection was established that suggested it might be more than just random bad luck - this then took a while to investigate, especially because ruining hardware (desoldering the BIOS chip to extract its firmware) is typically the last resort when investigating something.
Again, this is just speculation as to why this whole story took three years so far.
And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE). If you come to the conclusion that information is being exchanged after removing all network interfaces, it makes perfect sense to try (it's not exactly hard...) to unplug the laptop, to eliminate a potential hardware backdoor. Honestly, what I considered paranoia not too long ago is starting to look more likely every day...
I think the article is complete bollocks, but simple basic DSP isn't that difficult if you use a simple codec. Hell, even a morse code type system with basic CRC checking wouldn't take more than 16k. It doesn't have to deal with echo (high frequency is rather directional), it doesn't have to deal with doppler (few moving objects), and it's obviously a secondary communications channel.
The thing that gives it away for me is that something could embed so deeply without being detected, as USB and networks are heavily scanned these days.
I have written plenty of kernel code, bios code and the like. The effort to get such perfect code running without causing crashes or being detected on the network would be enormous. If it's at all possible, it would certainly require government level funding.
I'm not saying it isn't possible - but it's just very, very unlikely.
I said no... but I missed and it came out yes.
(Bet it'd drive the dogs absolutely nuts though.)
Now there's an idea... use the dogs as a signal amplification device......
Hmm, the humour and sarcasm seem to have been be lost on you.
Name one reason why he didn't send the BIOS or a copy thereof to be examined by the OEM....***after three years of not being able to fix this***.
My next question would be: why did it take him so long to figure out that the USB might be the vector? But before you answer that question ask yourself this also: why hasn't he contacted the major USB drive manufacturers since this seems to be FAR more about a vulnerability at the USB controller level(far, far, far below control of the OS) that has been leveraged to then exploit writing a new firmware?
If this is a USB hardware exploit then the rest of this is superficial but after 3 years, you'd figure that someone would have found another copy of this thing by now yet he's the only one. If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.
IF it's a USB exploit, I'm fucking impressed but since he's played the "how many people can believe that I'm this stupid" card so many times in his "research" on this(I'm saying nothing of his other experience, mind you), I'd say it's likely a hoax of some sort.
Bollocks.
I have a hard time believing that you could pack enough logic into bios that could anticipate and counter your actions in OSX, BSD, and Windows.
Otherwise, this code must maintain a link to the outside world, relying on equipment that may or may not be anywhere near by, and then a human would have to monitor this machine and send commands back. That would take an insane level of commitment.
If this was real, wouldn't every security researcher, hardware manufacturer, and government in the world be at this dude's lab to get in on the action?
Communicating via sound or ultrasound from speakers to microphones. Possible. The rest of it... leaves me dubious.
THL phish sticks
Is that anything like FidoNet? ;-)
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
It has not been my experience that computer speakers are capable of making sounds much outside the range of human hearing, nor computer micophones capable of picking such sounds up. Maybe he buys comptuers with extremely high end sound equipment, but I'm a bit skeptical that nobody noticed the audio.
Maybe he sniffed a little too much of the magic smoke the virus let out.
What about hardware backdoor activation? There had been rumors of intel putting 3G radios in vPro cpus, and there had been backdoors in FPGAs. There had been a nice presentation in DEFCON17 around this topic.
I'm using my 45.5 baudot teletype.
I didn't believe you at first but: http://hardware.slashdot.org/story/05/01/29/2017244/piezo-acoustic-ipod-hack
A staggering number of people commenting on this story seem to have failed to read and comprehend this article. There must be a few dozen comments stating that it's impossible to infect a machine with malware via audio. I can't find any mention of this happening in this article. The section that speaks of the communication via sound is referring to two previously infected machines. They are already infected, so now they communicate.
I don't know if this is complete BS or not, but at least read and comprehend the article before pouncing on it and making yourself look like an idiot for not reading it.
I just tested my PC's speakers / microphone... The power output is rock steady up to 15kHz, then falls to 75% by 20kHz, 50% by 30kHz, and about 10% by 40kHz. Then it stays that way to fiftish kHz, which is as far as my loop went.
I could already not hear it by 14kHz... damn I'm old. Last time I did something like this, I was OK up to 17kHz, and back at the Institute I was fine at 19kHz.
I think that no one hear 30 kHz, and you still get 50% power on my PC... which is nothing special. You can definitely get decent communication outside of hearing range.
No good deed goes unpunished...
Hmm... never mind about my PC not being anything special. Here is a Mac Book Pro graph I just googled:
http://www.gearslutz.com/board/attachments/so-much-gear-so-little-time/285773d1333712202-what-frequency-response-typical-built-laptop-speakers-mbp15.jpg
Clearly desktops have a much better range than laptops.
No good deed goes unpunished...
if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.
Because, he speculates, the the initial infection of a machine must be done via USB stick, and being the professional security researcher that he is, he nonchalantly plugs his USB sticks willy-nilly back and forth between his known infected machines and his brand new machines.
A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.
This guy apparently has no concept of a clean room for virus research.
I don't discount the ability to use sound for communication between infected machines, but clearly you have to be infected FIRST for that to work.
(Not to mention having a mic plugged in and turned on).
Sig Battery depleted. Reverting to safe mode.
If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.
No doubt his friend or colleagues all have more smarts then to plug in some random jump drive.
I seriously don't even trust these things myself any more. I hate it when someone sends me something on a flash drive.
Sig Battery depleted. Reverting to safe mode.
I've seen her! I've seen that little minx with her yellow dress and using umbrella and rain for cover, with the canister of unspeakable evil under her arm spreading the infection everywhere.
As the article explains: To us in the security community, none of the individual pieces raise an eyebrow. We know USB is an infection vector. We know BIOS/UEFI can be compromised. We know that when it hits the firmware, extraction isn't as easy as a dd anymore. We know communication via power cable and audio is possible - the last shouldn't really surprise anyone as it's been just earlier this year that audio was discussed as an alternative to NFC, because it doesn't require new hardware (every smartphone already has speakers and microphones).
And after Stuxnet and Flame, we know that some of the really advanced malware that we've been talking about at conferences is not only possible, but real.
Still, finding all of this in one package is fascinating, and if it really is 3 years old, I don't want to know what the current version looks like.
Assorted stuff I do sometimes: Lemuria.org
actually... I do want to know.
Funny how a figure of speech sometimes means the opposite of what you really mean.
Assorted stuff I do sometimes: Lemuria.org
Robert Graham has published a well-written response:
http://blog.erratasec.com/2013/10/badbios-features-explained.html
1) The assertion is that this malware infects as many bioses on the machine as it can. But a bios isn't big, so instead of containing code to directly infect the main OS, it contains code to setup a mesh network with it's peers to download the appropriate OS root kit.
2) The air gap was on a laptop (with a battery) in a room with potentially infected machines.
3) There never was a claim that a completely clean machine was infected over any method, just that a machine that had been the recipient of a lot of low level cleaning, and disabling managed to demonstrate a full re infection after spending enough timeout the proximity of other infected machines.
None of things asserted here are particularly novel. Infections at all levels bios, aren't novel. Mesh networking, isn't novel. Acoustic networking isn't novel. The arrangement of them to maximize the effectiveness of them is the novel part. But also in retrospect is also pretty obvious. Rather then try to code for all the bios and OS combinations, and all the OS and device combinations, you code for all the bios and device combinations, and then code for all the OS choices in a one off.
And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE).
Yes, but you need special hardware to do it. I don't see any way to do this with commecial pc/laptop power supples without first hacking the hardware.
I find the idea of using a computers' microphone and speaker as a kind of high frequency modem highly intriguing. I did read enough of TFA to see that once he physically removed the speaker and microphone from his computer the mystery network packets stopped. That's pretty strong evidence this is one of the attack vectors if it is indeed true. I don't know the guy so I'm on the fence regarding whether this is a hoax or not.
oh and if you're such deep in paranoid country it doesn't help much to do those steps since this is already assumpting that they're infecting your firmwares on all devices ;)
Ya, no kidding! For example Dell PowerEdge servers are pretty consistent throughout each generation. They're good servers, but there are many components onboard that have upgradable firmware. I can name more than a few. BIOS, BMC, iDRAC, Broadcom NIC, and PERC (RAID card). I'm not sure if these devices require the firmware to be signed before accepting, but it stands to reason that it might not be impossible to infect an entire network of rack mounted Dell servers of the same make and model.
Life is not for the lazy.
I remember BIOS viruses back when I did support for Windows 95, and damn they were nasty. Plug a loaner floppy into an infected machine and by the end of the day you could infect an entire computer lab. There was one that (IIRC) would infect both Phoenix and AMI BIOS machines, but did nothing to Award boards. I don't see why people think that a cross-platform BIOS infector is so out of the question.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Nope.
Can't be done. Output channels on sound chips can't be read.
You watch too many spy movies.
Sig Battery depleted. Reverting to safe mode.
Firewire yes. Firewire can muck around with system RAM directly.
USB cannot it all has to go via the CPU.
The entire premise of this is ridiculous. No sound card can go beyond about 24khz which is barely ultrasonic and not suitable for data.
Plus hacking many different chips, some which do not even have firmware, seems too unlikely.
No. Not maybe: Can. Does.
Feed a "subwoofer" a 19kHz sine wave. What comes out? Is it all reduced to heat? Go ahead and try, and you'll see: Sound comes out. Measurably. At 19kHz. (probably with a whole lot of nasty harmonics starting at 38kHz, and a great deal of heat compared to other frequencies, but that's not the point.)
Meanwhile, please define "practical."
If "practical" means sending low-speed data between two computers in close proximity at a frequency that is difficult or impossible for an adult to hear over normal ambient noise and/or tinnitus: Yes. Practical.
Common folks were unknowingly solving more difficult problems than this with 486 CPUs doing the heavy lifting for software-based modems in ~1995, using nothing but a DOS TSR for a driver. And other folks have been doing this with tubes, coils, and caps since the dawn of radio.
Moving data from A to B using sound is by no means any great technical challenge, given modern consumer audio hardware and a modern CPU.
Kid-proof tablet..
none of the audio analog circuitry on the frontend will let it pass. Go ahead, look at the output of your best soundcard and a ramp generator and watch it roll off rapidly on the scope when you go above 35khz.
Do not look at laser with remaining good eye.
No there is NO plausibility, Please, Please stop adding credibility to this bullshit in this made up bit of fiction.
None of the electronics in your computer is designed for ultrasonic, and in fact it's freaking filtered out to get rid of problems. I dont care if the chips can do 99ghz, the analog components for filtering on the input and output significantly attenuate it, then you have the fact that the speakers can not generate it nor the microphones having the ability to receive it.
Anyone with even a 101 level in analog electronics or audio design knows that what he is claiming is 100% impossible and has no plausibility. anyone can verify it with a cheap Oscilliscope and a ramp generator. This "virus" cant unsolder and change components.
Do not look at laser with remaining good eye.
http://en.wikipedia.org/wiki/CIH_(computer_virus)
It was the only one ever in the wild and it did not spread very far because it was destructive.
Do not look at laser with remaining good eye.
Just about every sound card ( and everything else ) in the last ten years had been made in a factory in China. What is to stop the PLA from slipping just this kind of malware into a sound card chip? Maybe they can even activate and update using sounds from a television.
The alternative to limited government is unlimited government.