Slashdot Mirror
Ars: Cross-Platform Malware Communicates With Sound
An anonymous reader writes "Do you think an airgap can protect your computer? Maybe not. According to this story at Ars Technica, security consultant Dragos Ruiu is battling malware that communicates with infected computers using computer microphones and speakers." That sounds nuts, but it is a time-tested method of data transfer, after all.
Explaining why the whole thing is probably a hoax.
I'm confused, you mean information can actually be conveyed via air vibrations?
Sorry, that sort of acoustic coupling is bound to be loaded with errors. You might be lucky to get 16 BYTES per second, and even then, those speakers aren't powerful enough to transmit very far.
Airgapped room? Those frequencies from laptop or regular internal computer speakers aren't going to make it past the walls.
Give me a break, slashdot.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Nobody can hear your infected computer's scream.
That is how one of the original iPods had their firmware dumped after all, it was played out through the little piezo click speaker at some absurdly low data rate.
Back when I had an altair 8800 we used to play a teletype game called star trek. We kept a radio tuned off channel on in the room. When you fired a laser the code executed a fast loop that emitted EMI in a ramping frequency. the radio would make a phaser noise.
IN Europe it was discovered that the most common brand of voting machine would emit EMI differently depending on whether the character in the displayed name had an umlat or not (special character set). SO you could tell who people voted for when one candidate had an umlat.
Some drink at the fountain of knowledge. Others just gargle.
Besides the many, many stretches of the imagination required for his story (e.g., it infects the firmware on all major brands of USB drives, he never extracted a binary blob or sent the infected device to the manufacturer, the audio communication silliness, the fact that he apparently thinks infection could spread through the power cable, and so on...) the biggest issue to my mind is that if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.
Siri could understand and respond to another instance of Siri on a second iPhone.. so not totally impossible. Audio processing and acoustics have come a long way since the 9600 baud modem.
This story is generating a lot of buzz.
Table-ized A.I.
" Dragos Ruiu (@dragosr), the creator of the pwn2own contest"
It would be odd for him to screw up his rep with a hoax like this.
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en
The Kruger Dunning explains most post on
My first modem was a carrier pigeon, and we liked it.......for dinner.
Table-ized A.I.
At this time, I'm taking the whole thing with a handful of salt. It's not totally impossible, though.
That is next month's article: "Cross-Platform Malware spread through common table salt"
Time Bomber the Book coming soon.
I think many of the commentators both here and on Ars Technica are making a basic mistake. No one claims that the machine is infected through its microphones. Duh! How would it know to listen and interpret noise as instructions. The claim is that once infected, the machines communicate using their speakers and microphones.
Is it possible? Sure. Do I consider it likely? No. It's one Hell of an effort for very little gain... in general. But we all have hobbies, so someone may have written a virus that infects through USB drives, overwrites BIOS, and resists the clean up of physically disconnected machines by communicating via sound.
Do I believe this particular story? Hmm... no. Mostly because, despite the reputation of the author, the article makes it sounds that basic mistakes were made during the cleanup process, and because not enough information has been shared with the community.
But if I was told the story is true, I could come with a great conspiracy theory to explain it. The author tries to keep all the fame for himself, the author is being threatened by the high tech agency that developed the strain but let it escape, the virus has alien origin...
No good deed goes unpunished...
Assuming this is more than a hoax, here's a bit of devil's advocate:
After the initial infection and subsequent cleaning (let's assume it survived somehow - hell, it might have been a compromised USB keyboard), the issue was forgotten for a while until the mentioned symptoms started appearing - since they seemed to be mostly inconveniences that often plague BIOS/UEFI (If I had a buck for each hour I've spent figuring out how to boot with drive X on system Y...) or could be atributed to more mundane causes, the investigation of these issues was considered not prioritary, as there were seemingly more important tasks to do.
More recently, a connection was established that suggested it might be more than just random bad luck - this then took a while to investigate, especially because ruining hardware (desoldering the BIOS chip to extract its firmware) is typically the last resort when investigating something.
Again, this is just speculation as to why this whole story took three years so far.
And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE). If you come to the conclusion that information is being exchanged after removing all network interfaces, it makes perfect sense to try (it's not exactly hard...) to unplug the laptop, to eliminate a potential hardware backdoor. Honestly, what I considered paranoia not too long ago is starting to look more likely every day...
Name one reason why he didn't send the BIOS or a copy thereof to be examined by the OEM....***after three years of not being able to fix this***.
My next question would be: why did it take him so long to figure out that the USB might be the vector? But before you answer that question ask yourself this also: why hasn't he contacted the major USB drive manufacturers since this seems to be FAR more about a vulnerability at the USB controller level(far, far, far below control of the OS) that has been leveraged to then exploit writing a new firmware?
If this is a USB hardware exploit then the rest of this is superficial but after 3 years, you'd figure that someone would have found another copy of this thing by now yet he's the only one. If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.
IF it's a USB exploit, I'm fucking impressed but since he's played the "how many people can believe that I'm this stupid" card so many times in his "research" on this(I'm saying nothing of his other experience, mind you), I'd say it's likely a hoax of some sort.
I have a hard time believing that you could pack enough logic into bios that could anticipate and counter your actions in OSX, BSD, and Windows.
Otherwise, this code must maintain a link to the outside world, relying on equipment that may or may not be anywhere near by, and then a human would have to monitor this machine and send commands back. That would take an insane level of commitment.
If this was real, wouldn't every security researcher, hardware manufacturer, and government in the world be at this dude's lab to get in on the action?
Communicating via sound or ultrasound from speakers to microphones. Possible. The rest of it... leaves me dubious.
THL phish sticks
Is that anything like FidoNet? ;-)
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
I didn't believe you at first but: http://hardware.slashdot.org/story/05/01/29/2017244/piezo-acoustic-ipod-hack
A staggering number of people commenting on this story seem to have failed to read and comprehend this article. There must be a few dozen comments stating that it's impossible to infect a machine with malware via audio. I can't find any mention of this happening in this article. The section that speaks of the communication via sound is referring to two previously infected machines. They are already infected, so now they communicate.
I don't know if this is complete BS or not, but at least read and comprehend the article before pouncing on it and making yourself look like an idiot for not reading it.
I just tested my PC's speakers / microphone... The power output is rock steady up to 15kHz, then falls to 75% by 20kHz, 50% by 30kHz, and about 10% by 40kHz. Then it stays that way to fiftish kHz, which is as far as my loop went.
I could already not hear it by 14kHz... damn I'm old. Last time I did something like this, I was OK up to 17kHz, and back at the Institute I was fine at 19kHz.
I think that no one hear 30 kHz, and you still get 50% power on my PC... which is nothing special. You can definitely get decent communication outside of hearing range.
No good deed goes unpunished...
Hmm... never mind about my PC not being anything special. Here is a Mac Book Pro graph I just googled:
http://www.gearslutz.com/board/attachments/so-much-gear-so-little-time/285773d1333712202-what-frequency-response-typical-built-laptop-speakers-mbp15.jpg
Clearly desktops have a much better range than laptops.
No good deed goes unpunished...
As the article explains: To us in the security community, none of the individual pieces raise an eyebrow. We know USB is an infection vector. We know BIOS/UEFI can be compromised. We know that when it hits the firmware, extraction isn't as easy as a dd anymore. We know communication via power cable and audio is possible - the last shouldn't really surprise anyone as it's been just earlier this year that audio was discussed as an alternative to NFC, because it doesn't require new hardware (every smartphone already has speakers and microphones).
And after Stuxnet and Flame, we know that some of the really advanced malware that we've been talking about at conferences is not only possible, but real.
Still, finding all of this in one package is fascinating, and if it really is 3 years old, I don't want to know what the current version looks like.
Assorted stuff I do sometimes: Lemuria.org
1) The assertion is that this malware infects as many bioses on the machine as it can. But a bios isn't big, so instead of containing code to directly infect the main OS, it contains code to setup a mesh network with it's peers to download the appropriate OS root kit.
2) The air gap was on a laptop (with a battery) in a room with potentially infected machines.
3) There never was a claim that a completely clean machine was infected over any method, just that a machine that had been the recipient of a lot of low level cleaning, and disabling managed to demonstrate a full re infection after spending enough timeout the proximity of other infected machines.
None of things asserted here are particularly novel. Infections at all levels bios, aren't novel. Mesh networking, isn't novel. Acoustic networking isn't novel. The arrangement of them to maximize the effectiveness of them is the novel part. But also in retrospect is also pretty obvious. Rather then try to code for all the bios and OS combinations, and all the OS and device combinations, you code for all the bios and device combinations, and then code for all the OS choices in a one off.
I remember BIOS viruses back when I did support for Windows 95, and damn they were nasty. Plug a loaner floppy into an infected machine and by the end of the day you could infect an entire computer lab. There was one that (IIRC) would infect both Phoenix and AMI BIOS machines, but did nothing to Award boards. I don't see why people think that a cross-platform BIOS infector is so out of the question.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Firewire yes. Firewire can muck around with system RAM directly.
USB cannot it all has to go via the CPU.
The entire premise of this is ridiculous. No sound card can go beyond about 24khz which is barely ultrasonic and not suitable for data.
Plus hacking many different chips, some which do not even have firmware, seems too unlikely.