Slashdot Mirror

← Back to Stories (view on slashdot.org)

Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate

Posted by samzenpus on from the protect-ya-neck dept.

Hugh Pickens DOT Com writes "Dan Goodwin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused and he also found that the machine could delete data and undo configuration changes with no prompting. Next a computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"

3 of 265 comments (clear)

  1. Re: So? by Anonymous Coward · · Score: 5, Interesting

    I work for a company specializing in this tech on mobile devices. It's startlingly reliable but very low bandwidth.

    Check out Yamaha Infosound, Sonic Notify, and LISNR for real world uses.

  2. Re:Complexity, Resources and Skill. Could it be... by Khyber · · Score: 5, Interesting

    "You have to TEST this combo on many different machines."

    I'm calling hoax as fuck on this whole thing, but for just your microphone and speakers, the majority of laptops are using RealTek. Bare metal for that shouldn't be too hard to handle, as the driverset remains the same across all AC97 models and HD models. Two compliant bare-metal drivers shouldn't be too hard to fit in. Now, transmitting over ultrasonic is a whole different beast, and to do this through a supposedly truly airgapped room via noise should be impossible, as real airgaps will easily kill those frequencies.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  3. Re:What a load of complete rubbish! by cnettel · · Score: 5, Interesting

    It all depends on what timespan you have. All you need to do is to emit sounds that are quite inaudible or at least indistinguishable from high frequency noise that we have been trained to accept (PWM noise from LCD brightness control etc). If you have plenty of time, you can reduce your bitrate heavily in the handshaking step, basically looking for just a few bits of signature in a very wide span of frequencies and encodings. When you have a basic channel, you can tell your counterpart what SNR you are getting and successively tune the channel.

    You would never want this for regular networking with any kind of latency demands. If you are rather just trying to get a specific updated payload across at some point, with any number of retransmissions, then I find it quite believable.