Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate
Hugh Pickens DOT Com writes "Dan Goodin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu, one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused, and he also found that the machine could delete data and undo configuration changes with no prompting. Next, a computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting, and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping-off point to infect a variety of operating systems with malware that can't be detected.
It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"
http://tech.slashdot.org/story/13/10/31/1955239/ars-cross-platform-malware-communicates-with-sound
Is it really SO hard to get rid of dupes that are less than 24 hours old? You seriously call yourself editor if you don't even manage to get those basic things straight?
Bust out an oscilloscope and a logic analyzer and start looking at these signals. It shouldn't be hard to get a waveform capture of the audio running over the speaker and the handshake between a USB device and the host.
A certain alphabet agency that's been in trouble for tapping all kinds of folks lately? Or are they too clueless to put together a monster like this?
1. You'd have to write a boot loader that a) loads your bare-metal-level sound and microphone driver, networking driver, sonic network protocol, and payload.
2. You'd have to write the aforementioned a) bare-metal-level sound and mic drivers. Network drivers that might as well be bare-metal, implement a sonic network protocol, and then get them to successfully transmit your payload.
3. You have to TEST this combo on many different machines.
We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.
You've discounted the most obvious option - an attention whore who isn't adverse to making shit up.
You can say NSA we're all adults (sic) here. Besides they have a hard time spelling so you're just as likely to not be flagged.
First, no speaker in a Mac can generate "ultrasonic" !!
Second, no mic in a Mac can capture "ultrasonic" !!
Even assuming this were possible, there is no way anything could be conveyed without massive error, so bad nothing even close to 'digital' could be had !! And no, an old-style acoustic modem is not ultrasonic and it is very isolated. Ultrasonic BEAMS like light - any deviation from the norm and it is something else !!
What a fool can make himself believe, if he doesn't know how things work !!
What is being 'proposed' is NOT anything infecting through the speaker/microphone, but a pre-existing infection (that was probably USB based) then communication through these methods - a VERY VERY different thing.
The hype and BS layers need to be peeled off this.
There is no possible infection vector via microphone/speaker, or via power cord as semi-implied (unless you had a powerline modem..), it is simply a way to get data out of the airgapped but INFECTED machine to others that may not be airgapped.
The 'solution' here is simple, remove the infection! there is more to security than just network airgapping!
Time to go back to security 101.
Apparently /. really wants us to believe this bullshit story.
April Fools Day is five months away. Come back and repost this then.
Where, exactly, were these "packets" flowing when the networking cards were removed?
Are they UDP or TCP?
How long does it take you to download a movie over your speaker?
Sheesh, evil *and* a jerk. -- Jade
Anyone who identifies a dupe can be moderated +6 awesome for 7 days.
Anyone who submits a dupe is automatically modded -1 for 7 days.
Karma bonus for both memory over a week, and reading comprehension. And fuck dice for ruining what once was mediocre.
What is the point of having the 'main link' put in the submission form if you're not going to check it?
Slashdot used to check for duped link in the submission, at least, it did, several years ago.
It used to be that you had to put at least ONE original article link to accompany the article submission.
Somehow that requirement was gone - along with the dupe-link check.
Here's a question, if someone goes to such an extent to create cryptic malware, why give away its presence so trivially by disabling functionality in the OS? If your software runs at such an elevated level (above ring 0 that is), you can just spoof whatever the user gets to see.
He should have investigated if he wasn't himself used as a medium of transmission. See the short story Doctor Diagoras in Memoirs of a Space Traveler: Further Reminiscences of Ijon Tichy by Stanisław Lem.
I read the original article, but I don't see any part where someone recorded what was going out the speaker and looked at it. If someone is sending data over audio, it will show on a scope. Clearly that's not going to do much unless the receiving side has some kind of modem code listening for it.
Then there are claims like "It seemed to send TLS encrypted commands in the HostOptions field of DHCP packets." Attacking via DHCP packets is plausible; DHCP clients get told a lot of things they're supposed to do, and some of the older vendor-specific extensions are very insecure. But TLS? TLS isn't used within the DHCP protocol itself. There's a way to store DHCP configuration info in an LDAP server and have a DHCP server access it via LDAP.
If someone is seeing strange DHCP packets, and reloading the BIOS won't help, it's possible that what's going on involves an attack via the network controller. The fancier network controller parts now have CPUs and EEPROM. This may be an attack which puts code in the network controller which in turn patches the BIOS.
The people studying this need to list exactly what network ICs the machines involved are using. Some network devices are too dumb to be used as an attack vector, but some have whole protocol stacks, WiFi support, remote administration support, etc. It would not be surprising if those were attackable.
I've expected attacks via network controllers for years. That's been used to attack servers. There's a known attack on PCI controllers which can survive rebooting and reloading the BIOS.
If the machine has wireless networking hardware and the attack exploits the network controller, it may be able to do wireless networking even if the user thinks they have the hardware disabled. Time to open up the machine, clip onto the JTAG port on the network controller, and read out the device memory with a JTAG debugger. Compare the dumps with other machines.
Um, why did you "sic" up there? Do you know what sic means and when to use it? I know what it means and I'm confused right now.
It would be easier and cheaper to pay the manufacturers (or, if you're the Chinese doing the manufacturing, order them) to hide the basic, hardware-specific components, i.e. the network protocol in the sound card, in the chips at the point of manufacture. The virus itself need only be a command/control module that activates private APIs in the hardware and stores itself in a ready-made nest that was built into the machine in the factory. That way, the hardware-specific bits can be modularized and isolated from the C&C, reducing complexity and infection difficulty.
Captcha: horror
It's just a ghost using your machines.
With most sound chips attached directly to the PCI(e) bus, it's not out of the question to initiate a DMA into memory before the bootloader can start. Gives you a very nice pre-BIOS vector.
No, you're still wrong.
Here's how it works:
Because you couldn't here my clear my through [sic] when I typed the word adult in reference to the /. community.
See how easy that is?
Required reading for internet skeptics
From the various leaks it appears that such a thing is technology far beyond what the NSA is capable of. After that Star Trek set thing it's starting to look like the Albanian State Washing Machine Company is far more capable in dealing with technology.
But people just beat their chest and ridiculed the people posting, locking and shuffling threads or in some cases on commercial antivirus forums, deleting threads and moving them to hidden sections or trashed them altogether.
I believe this is a huge conspiracy which has been going on for years. People in malware forums have been shouting from the rooftops about this but no one wanted to listen.
What you overlooked and should have read:
1. Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
http://anonymous.livelyblog.com/2012/10/05/nobody-seems-to-notice-and-nobody-seems-to-care-government-stealth-malware/
2. Spy agency ASIO are hacking into personal computers
http://anonymous.livelyblog.com/2013/01/13/spy-agency-asio-are-hacking-into-personal-computers/
3. Will security firms detect police spyware?
http://anonymous.livelyblog.com/2013/09/17/will-security-firms-detect-police-spyware/
And several PDF files on blackhat pages, forums, and conferences.
These attacks against non-networked computers run deep - some changes are so subtle and appear to blend into normal black box Windows activities that people overlook them. Read article #1 which includes the sad state of malware detection on *nix.
When you Google enough for firmware, PCI, AGP, BIOS, sound card malware, SDR, FRS, and why some distros autoload the ax25, rose, and netrom modules by default (including TAILS, check it for yourself with lsmod), it is quite unusual. Why would a distribution like TAILS need hamradio modules? They're in there, too, in addition to the ax25, rose, netrom modules. Batman mesh networking is included in TAILS too.
People repeat the same mantra: the only safe computer is a non-networked computer. This is a lie. The truth is, an entirely shielded TEMPEST room with no network connections and shielding down to every piece of the computer is the best test environment, but who is going to take such precautions? Is the shielded computer in the shielded room bound for other locations outside of this safe room?
Wikileaks have released Spy Files, listing many companies developing malware to root your box beyond detection often aimed at Governments and Military sources. These secret communications are no secret, and some have been detected via FRS, but that's only one source out of many.
"Because you couldn't here my clear my through when I typed the word adult in reference to the /. community. "
I had to read that about 15 times before it started to make sense. I think you were trying to be sarcastic. Is that possible? English doesn't seem to be your first, or even second language, but to indicate sarcasm one uses quotes.
The Latin "sic" means THIS, you use it when you are copying something verbatim but you know it is wrong.
"Sorry that one went over your head"
You might want to check your arrogant attitude and tone it down a bit. You aren't as "adult" as you think you are and could benefit from LISTENING to others and maybe LEARN something instead of looking like a complete JACKASS.
As the Ars article points out, the individual pieces needed to do all this have already been proven over the years.
Here's why it makes even more sense to me.
A military minded person cannot allow threats to exist anywhere. If anyone anywhere has a weapon that they don't, they must immediately take steps to duplicate it, and defend against it.
Now take that mindset, combine it with a large team of military hackers. Now every single exploit ever publicly disclosed becomes a checkbox on a list somewhere. As a recent Snowden leak story showed, 0-day vulnerabilities have been purchased by the government. We can be sure they run the largest honeypot networks in existence and immediately dissect every new worm, root kit and exploit that touches them.
Every theoretical exploit must be tested for feasibility, turned into a proof-of-concept and then packaged as a tool.
And all that $$ and hacker power is under the command of someone who wants turnkey solutions and "kill switches" for everything.
So it's definitely possible that such tools exist. But why would he be a target? I dunno, maybe someone wants advance notice on what the presenters at upcoming security conferences might be talking about so they can Barnaby Jack them?
Sometimes people will claim something they strongly believe already exists in order to motivate people to look for it and find their proof. Sometimes they get lucky and proof is found, other times they get exposed for it. I hope he's wrong, I really want him to be wrong, but part of me believes it's real because it's definitely possible. After all, if it's just a few years out, then "they" have had it for a decade or more.
Cwm, fjord-bank glyphs vext quiz
These machines do two things:
1. They try to infect other machines. They seem to use several methods for this. One is infecting USB sticks and other media. They have been observed abusing an old windows exploit that uses true type fonts as the vector for that.
2. They are trying to communicate with other infected machines. They use some rather inventive carriers for that it seems. One of these appears to be sound. How it works isn't published yet. Another seems to be to use out-of-band communication by putting data inside host-option packets in DHCP. It's obvious that the malware uses such side channels to avoid detection. The OOB communication is done purely to keep in touch with "the swarm" and is not used to infect other machines.
The real nastiness appears to be that this malware is able to infect multiple operating systems that are usually passed by malware manufacturers and also happens to be able to nest itself on the eeprom of infected machines. Both are more or less "a first" and the combination hasn't been seen in the wild either.
Right now, there's a lot of discovery being done and a lot of speculation taking place as to who made it, what it can do, how it gets itself in eeprom and prevents itself from being overwritten during reflashing of the bios. It's not known if the virus will attempt to infect virtual machines, or will only infect machines that will let it nest in its bios. Also, anything malicious apart from infecting and communicating hasn't been observed. For all we know, it may be a true worm that does nothing but replicate and is an out of control experiment.
So far, no infections appear to have been seen on virtual machines, or machines that don't have an intel chipset. I haven't seen any linux infected machines mentioned, but don't hold your breath on that, if *BSD and OSX have been infected, Linux may very well be infected too. Windows is infected for certain, but what versions are exactly vulnerable isn't clear to me at this time.
Thus far, the only thing that can be advised to prevent infection is the usual; don't trust content/media from sources that could be spreading infections, knowingly or not and keep your system up to date. If applicable, set your bios read-only with hardware switches or jumpers and if at all possible, put passwords on bioses and put software blocks on updates as well. To this date it's not known if and what software blocks will prevent the malware, but it's best to give it as few attack surfaces as possible.
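Two posts in this thread (the one discussing "TLS encrypted commands in the HostOptions field of DHCP packets" and the one above describing out-of-band data inside DHCP host-option packets) describe a side channel that a defender can actually look for: text-typed DHCP options carrying content that does not look like text. The following is an added example, not code from the thread or from any badBIOS analysis, that walks the RFC 2132 option TLVs of a constructed BOOTP/DHCP payload and flags host-name, domain-name and vendor-class options whose contents are non-printable, unusually long or high-entropy. The length and entropy limits, the sample packets and the `build_packet` helper are all assumptions made for the example.

```python
import math

MAGIC_COOKIE = b"\x63\x82\x53\x63"                     # RFC 2132 DHCP magic cookie
HEADER_LEN = 236                                        # fixed BOOTP header before the cookie
TEXT_OPTIONS = {12: "host-name", 15: "domain-name", 60: "vendor-class-id"}  # RFC 2132 codes
MAX_TEXT_LEN = 64        # assumption: longer "text" values deserve a look
ENTROPY_LIMIT = 4.5      # bits per byte; assumption, real hostnames sit well below this


def parse_options(payload):
    """Walk the option TLVs after the magic cookie and return {code: [value, ...]}.

    Option overload (code 52) and the sname/file fields are not handled here.
    """
    if payload[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie at offset 236")
    pos = HEADER_LEN + 4
    opts = {}
    while pos < len(payload):
        code = payload[pos]
        if code == 0:            # pad option: single byte, no length
            pos += 1
            continue
        if code == 255:          # end option
            break
        if pos + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, []).append(value)
        pos += 2 + length
    return opts


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit(payload):
    """Return (option name, reason) findings for text options carrying odd content."""
    findings = []
    for code, values in parse_options(payload).items():
        name = TEXT_OPTIONS.get(code)
        if name is None:
            continue             # binary-typed options are expected to be binary
        for v in values:
            if any(b < 0x20 or b > 0x7E for b in v):
                findings.append((name, "non-printable bytes"))
            elif len(v) > MAX_TEXT_LEN:
                findings.append((name, "unusually long"))
            elif shannon_entropy(v) > ENTROPY_LIMIT:
                findings.append((name, "high entropy"))
    return findings


def build_packet(options):
    """Constructed minimal DHCP payload: BOOTREQUEST header, cookie, options, end."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * (HEADER_LEN - 4)  # op, htype=ethernet, hlen, hops
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: a normal DISCOVER, one with binary stuffed into host-name,
# and one with a printable but random-looking host-name.
BENIGN = build_packet([(53, b"\x01"), (12, b"laptop-07")])
BINARY_HOSTNAME = build_packet([(53, b"\x01"), (12, bytes(range(0x80, 0xA0)))])
ENCODED_HOSTNAME = build_packet([(53, b"\x01"), (12, b"kX3qL9vTz0bWm7Hc2RyP8nJd4FgA6sEu1oYiN5tQ")])

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("binary", BINARY_HOSTNAME), ("encoded", ENCODED_HOSTNAME)):
        print(label, audit(pkt))
```

Feeding this the options section of captured DHCP traffic (for example the UDP payload exported from a packet capture) turns the vague "strange DHCP packets" observation into a repeatable check; the thresholds are deliberately conservative and should be tuned against a baseline of the site's own clients, since vendor-class strings from some devices are legitimately long.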
I was promised a flying car. Where is my flying car?
"You have to TEST this combo on many different machines."
I'm calling hoax as fuck on this whole thing, but for just your microphone and speakers, the majority of laptops are using RealTek. Bare metal for that shouldn't be too hard to handle, as the driverset remains the same across all AC97 models and HD models. Two compliant bare-metal drivers shouldn't be too hard to fit in. Now, transmitting over ultrasonic is a whole different beast, and to do this through a supposedly truly airgapped room via noise should be impossible, as real airgaps will easily kill those frequencies.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
https://github.com/djrbliss/rose-exploit
Why go to such lengths to make the malware difficult to detect when you're going to disable features inside the OS making it obvious malware is present?
This is just fucking stupid. Why would anyone post this drivel? If you didn't realize this was just risible, abject fucking dipshittery after reading about 2 sentences of this god damn idiocy then you should not work anywhere in the field of computing.
This actually makes me angry. Unaccountable nerd rage.
I haven't yet seen mention of someone setting up microphones sensitive to ultrasonic frequencies to check to see what, if any, odd sounds are being made by the computers. A lot of extraordinary claims are being made and I just don't see the requisite extraordinary evidence.
For an engineer with embedded programming experience, this shouldn't be that big of a deal. The challenge isn't only in coding it up, it is also in looking up and comprehending possibly vast documentation needed to pull it off. The code, presumably, runs in system management mode on x86 machines.
A successful API design takes a mixture of software design and pedagogy.
It really isn't as hard as it sounds. A dedicated engineer (or perhaps two, depending on how many chipsets one wishes to support) could pull it off in a year. Presumably one could leech some driver code from open-source kernels like Linux or FreeBSD.
An air gap merely means that no network or other data cables cross it. It doesn't mean keeping things physically away!
Why do you think network security engineers always have headphones on? They're not listening to music, they're packet-sniffing.
GrpA
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
Or an NSA asshole that is trying to discredit those 5% of US society that have any objections to fascists in the US gov. It seems to me that today all options are possible.
It is.
That comment USED to work, before Snowden proved it all.
The conspiracy theorists were right. All bets are now off.
Considering the formal aspects of the content above and below, this threat already has a speculative quality of almost e p i c proportion .......
- Gpu based paravirtualization rootkit, all os vulne
http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html
see the thread here where it says you were warned for years about this problem
and -
#BADBIOS - You Were Warned About This For Years!
http://slexy.org/view/s2BLnoBPxn
And being so bright, he allows easy detection that something is wrong by breaking booting from a CD. Could be, but... not so likely, no.
Also, you'd need to be infected before communication would be possible. For an actual attack I would suggest malware (not the BIOS) that uses the speaker when it is prodded (this is the malware that should learn about the way it is researched) and there is no other way to communicate, and other malware (perhaps on a phone even or on other lab equipment, which may be on an unsafe network) that listens in.
Infecting everything on a BIOS level and making visible machine changes just does not make much sense. Putting malware on a machine that spits out bits as sound does.
Is this why my smart phones battery life is so bad?
While ultra-sonic communication seems plausible at first, it fails to take into account that the audio-system is not up to it. For one thing, most microphones are of the ElCheapo variant, and cannot handle signals above the highest frequencies humans can hear in any meaningful way. For another, the typical, sane audio-design has cutoff-filters that prevent ultra-sonics from being processed. Then, the speakers are pretty unsuitable for generating ultra-sonics. All this leads to very, very bad signal transmission capabilities with very, very low bandwidth.
On the other hand, no "packets" sent are visible anywhere when using a channel not known to the OS, and this one is certainly not known to the OS as a data-transmission channel. And ultra-sonics are easy to measure: Just get a ultra-sonics sensor (basically a microphone with a different than normal frequency range) and hook it up to a cheap digital oscilloscope. The signals will be very, very obvious. That this test has not been done indicates the possible/likely fraudulent nature of this story.
The article also seems to suggest that infections can come in that way, which is complete nonsense. Audio-input channels can take _any_ audio signal without buffer overflow or the like and turning an audio signal into code would require advanced demodulation software which is just not available on the target before infection.
I think somebody is looking for some cheap press exposure and people are (as usual) too gullible to see the obvious large implausibilities and gaps in the explanation given.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Misspellings, grammatical errors. Yet more evidence of NSA shills swarming this thread. fnord.
Um, why did you "sic" up there? Do you know what sic means and when to use it? I know what it means and I'm confused right now.
[sic]: someone is confused, spanglish is confusing, stupidity is contagious, santa is coming, sarah is cumming, sublimely in coitus, she is cool, sinsemilla is cooler, state is corrupt (sic semper tyrannis), sic em fido, and the ever popular "thus was it written" and I'm not shittin'.
Did you sample your office full of identical models from the same manufacturer to come up with that statistic?
Dell laptop here (so not an unusual brand), using an audio codec from IDT.
If we start to have always-on phones listening to "OK Google" all the time, then direct infection over sound becomes entirely possible!
This could either be abused in public (just make a manual announcement over the PA) or by playing some audio from another device automatically.
What about a backdoor in the audio DSP running extra code for this kind of detection?
Working with this tech is *literally* my job. The speakers in a common laptop or smartphone can reliably create signals up to 21kHz. Likewise, the microphones found on these devices can hear frequencies in this range. The modulation schemes for inaudible data over audio hardware are limited, but they exist and work pretty damn well.
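Several posts above ask for the obvious measurement: capture what the speaker is actually emitting and look at the 18 to 21 kHz region that the post above says laptop hardware can reach. The block below is an added example, not code from the thread or from any badBIOS write-up, that runs a Goertzel filter over a short PCM capture and reports the RMS level inside that band, so a defender can check a suspect machine against a quiet baseline without a dedicated ultrasonic sensor. The 48 kHz sample rate, the alert threshold and the test signals are constructed assumptions; a real capture needs a sample rate of at least twice the top of the band and should apply a window before analysis.

```python
import math

RATE = 48_000            # sample rate of the constructed capture (assumption)
BAND = (18_000, 21_000)  # near-ultrasonic band the post above cites as reachable
THRESHOLD_DBFS = -40.0   # alert level; assumption, tune against a quiet-room baseline


def make_signal(components, seconds=0.05, rate=RATE):
    """Constructed PCM samples: a sum of (frequency_hz, amplitude) sine tones."""
    n = int(rate * seconds)
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in components)
            for i in range(n)]


def goertzel_power(samples, k):
    """|X[k]|^2 for DFT bin k of `samples`, computed with the Goertzel recurrence."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_dbfs(samples, lo_hz, hi_hz, rate=RATE):
    """RMS level (dB relative to full scale) of the energy between lo_hz and hi_hz."""
    n = len(samples)
    k_lo = math.ceil(lo_hz * n / rate)
    k_hi = math.floor(hi_hz * n / rate)
    # Parseval for a real signal: mean square = 2 * sum(|X[k]|^2) / n^2 over positive bins
    mean_sq = 2.0 * sum(goertzel_power(samples, k) for k in range(k_lo, k_hi + 1)) / (n * n)
    rms = math.sqrt(max(mean_sq, 1e-24))    # clamp so digital silence gives a finite number
    return 20.0 * math.log10(rms)


def flag_high_band(samples, rate=RATE):
    """Return (level_dbfs, flagged) for the configured near-ultrasonic band."""
    level = band_dbfs(samples, BAND[0], BAND[1], rate=rate)
    return level, level > THRESHOLD_DBFS


# Constructed test captures: a 19 kHz carrier alone, ordinary audible content alone,
# and a quiet carrier hidden under loud audible content.
CARRIER_ONLY = make_signal([(19_000, 0.1)])
AUDIBLE_ONLY = make_signal([(1_000, 0.8)])
CARRIER_UNDER_AUDIO = make_signal([(1_000, 0.8), (19_000, 0.05)])

if __name__ == "__main__":
    for label, sig in (("carrier only", CARRIER_ONLY), ("audible only", AUDIBLE_ONLY),
                       ("carrier under audio", CARRIER_UNDER_AUDIO)):
        level, flagged = flag_high_band(sig)
        print(f"{label}: {level:.1f} dBFS, flagged={flagged}")
```

The third sample is the case that matters: a carrier 24 dB below the audible content is invisible on a plain level meter but stands out clearly once the band is isolated. Looping this over consecutive 50 ms frames of a recording from the suspect machine, and comparing against the same machine with the speaker unplugged, gives the evidence that the thread keeps asking for.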
Actually "sic" means "thus" or "so", as it is an adverb and not a pronoun or a determiner.
The common usage of sic is as an abbreviated form of "sic erat scriptum" ("thus it was written" / "it was written in that way") so your point about not being the right way to use it is still valid.
You watch, this will be proved to be nonsense.
You can't INFECT a machine via an alleged 'ultrasonic' signal which its microphone picks up, because there is no software running on the uninfected machine which will DO anything with the incoming signal. Hence it's impossible, and this story is pure fiction.
What they need now is an electronics engineer with a scope to see how that "voice"-coms is working. Just surprised we haven't seen this sooner... After all, it was analog modems that used sounds as the carrier in the 80's... Nice to see someone able to duplicate that functionality in modern hardware, even if it's for bad things...
There's even an official "dupe" song that you can sing along with. It's very repetitive... just like a real dupe!
I propose we link to this every time we need to celebrate a dupe. :-)
#Dupe dupe, dupe dupe, dupe dupe dupe... Dupey dupe dupe dupe, dupe dupe dupe#..... Ah, they don't write them like that any more.
Sudden surge in sales for security manufacturer Sonicwall.
This dupe is caused by the need to pay attention. Scoff, if you like. Bluster. Detract. But argue the effing point and so make sure you explore the topic properly.
Yes, it's duped.
Butt fucking why?
could benefit from LISTENING to others and maybe LEARN something instead of looking like a complete JACKASS.
RTFA -- that is now known to be a source of malware! In order to prevent future infections, I have decided to stop listening to others!
Why would a machine that is designed to be air-gapped and kept so secure need a microphone or other audio inputs?
I seem to recall some anecdote from at least 10 years ago in which an artificial life program, running/evolving on a desktop machine 'learned' to use the power hardware in the computer to signal externally using emf to an adjacent system (I think the neighboring system was a monitoring system that was empowered to 'dump' "food" into the primary when it hit certain breakpoints, and the AI was triggering that faster or something).
That could be apocryphal, though, as I've never seen anything more about it and can't find anything on the web about it (well, it could be buried under other web hits as anything relating to artificial life/intelligence gets buried in educational hits).
-Styopa
Just so everyone doesn't have to read it 15 times:
"Because you couldn't hear me clear my throat when I typed the word adult in reference to the /. community. "
Proper spelling really helps communication....
I know the clincher was to put the Apple product in there. Anyone that was scratching their head caved at that point. Very nice touch.
For those of you relying on physics to justify how it is possible, you need more engineering experience.
For you engineers that think you can do it, you need to take a few more physics classes, ok maybe ONE more.
Then hand it over to a programmer, haha yeah, maybe an H1-B.
You fuckin morons.
Oh my $deity... thank you for the correction. I could not figure out what "thought" was.
Great. So then we'll have a race to be more annoying than "Frist P0st!".
or did it go below his knees?
Still .....: Considering the formal aspects of the content above and below, this threat already has a speculative quality of almost e p i c proportion .......
Um, why did you "sic" up there?
Because there should be punctuation between "NSA" and "we're" and there was none, perhaps?
When our name is on the back of your car, we're behind you all the way!
What? You didn't know that the NSA was really a front for the Albanian State Washing Machine Company?
They've been running the world all along.
That someone used audio to spread malware is impressive, that they were able to gain control of the machines is even more impressive.
"If any question why we died, Tell them because our fathers lied."
What a stupid prank article. Oh yeah, my uninfected computer interpreted ultrasonic sounds and saved them as an executable file on the root drive on its own. Ah huh. I can't believe anyone is stupid enough to believe this. The BIOS chip can't even send data directly to the speakers. This is such complete sci-fi nonsense, how are any of you taking this seriously?
It's not a dupe, it's a ghost. whooooo whoooo BOOO!
Some drink at the fountain of knowledge. Others just gargle.
It's using Microcode in the CPU that is received over 3G cellular.
Remember SandyBridge advertised this capability for supposedly stopping theft....
But it's really just a backdoor so they always have a network connection to your box. They can run compiler trust attacks or just read arbitrary data from memory after scanning application fingerprints.
I've been saying for awhile now that this is the next attack vector but the last few times I've mentioned it, you trolls downmodded me to infinity.
So please listen again. It's not the sound card.... they use that to detect when people are close to avoid transmitting if I were to guess. His tinkering proved they should stop before being detected.
What about trying to continuously run a program that puts a high frequency tone into the speakers.
If it's using some sort of communications ("ultrasonic networking") it's **NOT** airgapped in any way, shape, or form.
"Airgapped" means no remote automated communications of ANY kind would be possible. You can't interact with it by remote, period- you have to have a human being log into a local console to do things with it. This is a failure of the airgapping measures being exploited is all- or it was never really airgapped to begin with.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Dude...lay down the crack pipe. It's making you post bullshit- and Anonymously at that.
Any OS? Really? This would mean you're using OpenCL or OpenGL/OpenGLES to do things- just for starters. But, in truth, there's no inbound/outbound pathway from or to the GPU (The GPU generally doesn't have I/O access to things and for good reasons...) without an additional OpenGL/OpenCL application as a front-end. Which would be VERY OS specific.
Sorry, but the person in question that claimed that it was possible hasn't the foggiest about what he was talking about. But...nice try.
You also have to get the target machines to successfully RECEIVE and IMPLEMENT the payload.
Ultrasonic communications should be possible, but remote exploits with them is complete BS...It shouldn't be too hard to capture these signals if regular computer mics are picking them up.
"When information is power, privacy is freedom" - Jah-Wren Ryel
This problem will solve itself just as soon as the RIAA lawyers decide the malware is transmitting copyrighted works.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Could this infection be a way for someone in the NSA to leak NSA methods? Why else infect someone like Dan?
You've discounted the most obvious option - an attention whore who isn't adverse to making shit up.
Says a random person on a random site. Let's see your fantastic work that makes Ruiu's body of work nothing more than that of a small-fry amateur who has to resort to lying to make a name for himself. Oh wait, Ruiu is actually a seasoned security researcher, running multiple well-known cons and contests? Who already gets more attention than anything but a handful of other security researchers?
I think the only thing your post does is demonstrate your own thinking: that the only way to make waves in the world is to be an attention whore.
Those who can, do. Those who can't, sue.
"Did you sample your office full of identical models from the same manufacturer to come up with that statistic?"
I build every computer myself. What identical model? What fucking manufacturer? This is Slashdot; if you aren't building your own system, you should be shutting the fuck up.
Did you bother to ensure your brain was functioning this morning before making such a smart-ass and obviously wrong question?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
A real secure air gapped room allows NOTHING in or out without permission. This includes sound.
I know someone who will never obtain a security clearance.
Fact-check: the "star trek set thing" concerned Keith Alexander's time at the Army's Intelligence and Security Command. Alexander is now head of the NSA, yes. And it was intelligence-related. It was not, however, the NSA.
http://www.theguardian.com/commentisfree/2013/sep/15/nsa-mind-keith-alexander-star-trek
but nobody ever took it seriously.
A.K.A. "call the modem library," A.K.A. "done in 30 seconds with a quick Google search."
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
When he said the main indication of infection was being unable to read a CD-ROM, I immediately thought of SONY Corporation. They had a pretty good rootkit for DRM (digital rights management) last century that they were trying to get installed everyplace possible (just to ensure profits, so we know it was legal).
They would have a vested interest in not reading CDs and having Bulgarians or Disney over-write Sony's DRM.
When they finally had to let it go, their engineers probably contracted for some security work with another shell company owned by the Chinese or the NSA.
...Ruiu is actually a seasoned security researcher, running multiple well-known cons and contests...
whut?
What? You didn't know that the NSA was really a front for the Albanian State Washing Machine Company?
They've been running the world all along.
I for one welcome our spin-cycle overlords!
We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.
Or a corporation like Sony looking to really fix DRM or like Apple looking at easier ways to update bad software without letting any of its customers know there actually was a problem. There was never a problem because it's not happening now and all the comments about the problem were removed. It's a Chinese way of doing things, like yin-yank, I mean yin-yang.
What? You didn't know that the NSA was really a front for the Albanian State Washing Machine Company?
They've been running the world all along.
Well thank God someone's in charge. Sometimes it seems as if everything is just running on its own with no planning or forethought, just everybody trying to grab as much sex and money as possible ;-)
Anyone who identifies a dupe can be moderated +6 awesome for 7 days.
Anyone who submits a dupe is automatically modded -1 for 7 days.
So, I submit a story and you submit a story. Mine is accepted in five minutes, yours in two hours, and they're both the same story. Why should you be penalized for submitting a story? However, I've tagged dupes in the firehose before; how about if you spot a dupe you get mod points (to moderate others) as a reward?
Free Martian Whores!
I agree that this may be possible. But after reading the article there are several things that don't pass the sniff test. Hopefully this will get the peer review it needs.
My first thought was the website for this story was infected with a browser virus, and the incredible story was there as candy to draw us in.
Infecting multiple OSes, using some common hidden/unknown USB feature, seems difficult to believe. What is the commonality in chipsets? The virus would have to run at the BIOS level... right? Under the OS? Injecting itself up into OSes that it supports? Sure, there are few motherboards, and I've also heard of viruses that live in RAM/GPU and survive reboots. I'll also forgive people for possibly misusing "ultrasonic" when they might mean higher/lower frequencies than humans can hear but the PC can generate. Also don't forget: video cards and other electronics make noises too. I had a video card that when drawing at high FPS made a very high pitched sound that could be manipulated (I'm one of those weirdos who can "hear" CRTs). Maybe the fan is sending Morse code.
This is also an interesting network driver. I assume he was doing packet sniffing from within the OS. I can see the following: the OS sends data packets to the network card (which go nowhere because the cable is pulled out), but the infected BIOS sees those and copies them out the speaker. However, he pulled the network card... so I would expect the OS to shut down all connectivity features, so what was the sniffer attaching to? (Or rather, what was he sniffing? No pun.) Either that or a software driver had to be installed (or hook the virtual loopback). All possible. Although on my laptop only the wifi/bluetooth can come out; the Ethernet is on the mainboard.
All of it may be hypothetically possible. I can't wait for an update and see the results. Need to think simple - those kinds of attacks tend to work.
To quote Carl Sagan, "Extraordinary claims require extraordinary evidence."
A story about a laptop having its BIOS and OS remotely compromised using only a portable audio player would be almost as amazing as news about someone having BSD installed on a laptop outside of a research facility.
The author on Ars is Dan Goodin, not Goodwin.
Except that's not what the article is saying. The article doesn't claim that the system's BIOS was remotely compromised using audio. What it is saying is that a system that _has been compromised_ is using its sound equipment to communicate with other systems that have likewise been compromised, allowing infected systems to maintain communication with one another despite an airgap.
This could be viewed as 'extraordinary' in the sense of 'something that does not ordinarily happen', but it is not 'extraordinary' in the sense of 'something that defies conventional belief'. As many people have pointed out this is the same basic principle that modems use, merely in a somewhat different 'packaging'.
In that sense it is no more extraordinary than claiming that someone has painted an elephant blue. It is not something which commonly happens, yet the possibility of its existence hardly defies belief.
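Two posts above make the same practical point: audio networking is just modem technology in different packaging, and any signal a regular laptop mic can pick up can also be captured and looked for. The following is an added example, not code from the thread, showing the defender's side of that: a Goertzel-based detector that measures how much energy a captured audio buffer carries in the near-ultrasonic band (17-20 kHz) relative to the ordinary speech band. It assumes a 48 kHz capture rate and a 10% power-ratio threshold, both chosen here for illustration, and builds its own test audio rather than reading from a microphone.

```python
import math

SAMPLE_RATE = 48000  # Hz; assumed typical laptop capture rate, not from the thread


def goertzel_bin_power(samples, k):
    """Power of DFT bin k of `samples`, computed with the Goertzel recurrence.

    Bin k corresponds to frequency k * SAMPLE_RATE / len(samples).
    """
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def band_power(samples, lo_hz, hi_hz, sample_rate=SAMPLE_RATE):
    """Sum of bin powers for every DFT bin whose frequency lies in [lo_hz, hi_hz]."""
    n = len(samples)
    k_lo = math.ceil(lo_hz * n / sample_rate)
    k_hi = math.floor(hi_hz * n / sample_rate)
    return sum(goertzel_bin_power(samples, k) for k in range(k_lo, k_hi + 1))


def near_ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE):
    """Power in 17-20 kHz divided by power in the 300-8000 Hz speech band."""
    ultra = band_power(samples, 17000, 20000, sample_rate)
    audible = band_power(samples, 300, 8000, sample_rate)
    return ultra / (audible + 1e-12)  # epsilon avoids division by zero on silence


def flag_near_ultrasonic(samples, sample_rate=SAMPLE_RATE, threshold=0.1):
    """True when the near-ultrasonic band carries more than `threshold` of the speech-band power."""
    return near_ultrasonic_ratio(samples, sample_rate) > threshold


def make_tone_mix(tones, seconds=0.02, sample_rate=SAMPLE_RATE):
    """Constructed test audio: a sum of sine tones given as (frequency_hz, amplitude) pairs."""
    n = int(seconds * sample_rate)
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


if __name__ == "__main__":
    # Constructed samples: speech-band tone alone, and the same tone with an 18.5 kHz carrier riding on it.
    speech_only = make_tone_mix([(1000, 0.5)])
    with_carrier = make_tone_mix([(1000, 0.5), (18500, 0.2)])
    print("speech only   ->", flag_near_ultrasonic(speech_only))    # False
    print("with carrier  ->", flag_near_ultrasonic(with_carrier))   # True
```

On a real capture the same ratio can be tracked over successive buffers; a steady near-ultrasonic component that persists while the room is otherwise quiet is exactly the kind of thing a forensic audio recording would make visible.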
Just curious, was the assembly tank game Tank Wars or Scorched Earth?
Everyone swears by Scorched Earth - there's even a Scorched Earth 3D version now, but I always preferred Tank Wars.
Thanksgiving is going to involve a lot of eating crow for most of you guys. Good luck with that!
Maybe this is the new "hearing voices".
Some minor problems:
In general: laptop speakers and microphones are optimized for recording and producing sounds the human ear can detect. Lousy for networking.
Laptop speakers and microphones are also not calibrated with a high degree of precision.
You would need access to the boot loader which would have to come from a different "virus" or at the factory -- in which case, you already "own" the computer.
Recommendations:
Decent anti-virus software and a reasonable security policy.
Tin Foil lined Laptop Bag.
-Dan
Well, he didn't explicitly consider it, but I doubt he would deny the possibility. I wouldn't.
OTOH...if, as reported, many different people have already examined the case that's probably not the most likely alternative.
Still, I don't think the evidence I've heard supports some of the more extreme suppositions. Personally, I'd start looking for a Java, Javascript, or Mono/.NET application. One that can daemonize itself. I think that infection from a USB stick sounds highly plausible, but that's not a sufficient explanation of the mechanism. After that, there's nothing particularly unreasonable about ultrasonic communications, just unexpected.
P.S.: As for those who say you wouldn't expect to find OpenBSD on a system outside of a laboratory, I believe that that's where he's working. He *was* reported as a security researcher.
I think we've pushed this "anyone can grow up to be president" thing too far.
That can be done, but that's a lot more extreme than a simple air gap. An air gap just means there's no electrical or radio connection, i.e., the signal has to go over air. Isolated is what I would call what you're referring to, and I have no reason to believe that that was meant.
It's using Microcode in the CPU that is received over 3G cellular.
Remember Sandy Bridge advertised this capability for supposedly stopping theft....
But it's really just a backdoor so they always have a network connection to your box. They can run compiler trust attacks or just read arbitrary data from memory after scanning application fingerprints.
I've been saying for a while now that this is the next attack vector, but the last few times I've mentioned it, you trolls downmodded me to infinity.
So please listen again. It's not the sound card.... they use that to detect when people are close, to avoid transmitting, if I were to guess. His tinkering proved they should stop before being detected.
Yeah, I thought of this, too. Here's some background info on the tech involved. It seems to fit: the article doesn't specifically say only certain newer Intel processors are at risk, but it doesn't give any counterexamples that would rule it out, either. This is an obscure, deliberately OOB data transmission channel that seems like it could well be the hidden vector, only... Surely a security specialist would be aware of this as a possible mechanism? Also, why would disconnecting the mic/speakers stop a transmission if it's really using 3G? Could be wrong, but I've reluctantly concluded that this line of investigation is probably a red herring in regards to the case at hand, although it's certainly alarming enough in its own right.
To my mind, airgapping is not severe enough. The proper term should be "vacuum gapping". There is nothing but air between your system and any other. Having a microphone and/or speakers breaks that rule! After all, they can use the air to make a connection between two systems! One of my old friends did a lot of work on Tempest-qualified computer terminals in the 1980s. CRTs, and especially standard keyboards (even when well shielded for EM), put out enough radiation to spy on them. The keyboard (actually, the cable between the keyboard and system unit) was the worst. His solution? Using LEDs in the keyboard, and light pipes to transmit optical pulses (the keys simply broke the light flow) to photo-optic detectors inside the main system unit, which could be well shielded from EM spying. Problem solved! His terminal design (and prototype) was the first to pass all the Tempest testing requirements on the first pass!
Oh - so you mean the place is OK because it's only the guy at the top that's a complete loony?
OK, you have a point, I've seen a few places where the new CEO was a complete loony and it took a while for everything to go bad, however this is just one thing out of many that happens to sum up that shambolic web of subcontractors who should have been a tight knit group of professionals.
They were talking about laptops, dumbass.
Interesting concept, but I call bullshit. In order to be re-programmed through sound, the program to do that has to be built into the receiving software to receive code through audio devices. While these technologies do exist to translate voice into text or commands, this feature has to be activated to be functional. It would also be writing to the hard drive, not the BIOS, and since each BIOS is different, to re-write the BIOS code it would have to copy the existing BIOS and then have a sentient cognitive ability to re-write code on the fly so that it could inject itself into an unfamiliar BIOS in a way that would not brick the computer. A virus that already contained scripting for every BIOS out there would be so large that it would not fit into a single BIOS, and to transmit it through ultrasound would take months. So if this rootkit does exist we are talking about one of the first living computer programs. Furthermore, most servers don't have a microphone or speakers, and I doubt these sounds could permeate the white noise generated by a typical server. For this to be possible I would say there would have to be an infection of some other form on the computer through a typical means first that would allow it to receive/transmit this audio code. The audio would not have been the initial source of infection.
Another problem is that all sound cards are software driven with drivers and have no hardware to directly interact with, nor have they for over a decade. The virus would also have to contain in itself the audio drivers for hundreds of models of sound cards to allow it to use the audio hardware from a BIOS level. This would further increase its size, making its existence even more impossible.
makes a fine covert channel to get data to or from a compromised router, and NSA has shown interest in mass-pwning routers.
/. -- the Free Republic of technology.
I haven't seen that apostrophe in two decades or more.
The new right fascists are bilingual. They speak English and Bullshit.
The speakers and microphone might simply have been utilized by an additional device which was targeting the computer. Something like a directional antenna or tower resource could be used to deliver or generate packet traffic; audible or high frequencies could also be utilized, as were mentioned, to potentially initiate a logic bomb or an abort.
Load thumb drive on a Raspberry Pi and watch what it tries to do.
It has no BIOS.