…and from the “whatever happened to” department…

Just about a year ago, the Infotech security space was all ablaze with noise about this thing called “BadBIOS.”  This was a scary bug, for several reasons. First, it was new, which meant that before the security researchers could come up with the cure for it, it could do a lot of damage; but that’s not unique. Second, it had a researcher completely stumped and concerned. THAT is different.  And third, and this is the scariest part of it, evidently it did not require a network connection of any kind to replicate and spread. Yeah, that is scary.

The researcher’s name is Dragos Ruiu (say ROO-Yoo). He’s well-known and well-respected in the field of information security. He runs a clean shop. He doesn’t make mistakes, he isn’t careless, he doesn’t leave the drawbridge down. So when he saw something curious happening on his Mac, he paid attention. His freshly-imaged machine (one that had just had its operating system reinstalled from a known-good image, so it should not have been carrying anything) decided on its own to update the boot firmware, the code that runs before the operating system even starts.

Let’s start with some basics: it is not at all unusual for a virus or malware to spread via USB drives, CDs, floppies (yes, a few are still in use), network cables, Bluetooth: any channel one machine can use to talk to another machine can be used to spread bad stuff. We go deep into the guts of the communications protocols to try to make it more difficult for bad stuff to spread, but we also know we’re always playing a game of catch-up. So we would expect an experienced researcher to eliminate all those possibilities first.

He did. On the protocol front, he found that the infected machine was transmitting data over a network protocol that had not been enabled on that machine. Furthermore, he saw other machines becoming infected even with the Mac disconnected from any network–“air gapped,” as we call it. After a full reimage of all the infected machines, they got infected again–without the Mac even being plugged into a power source!

The platforms affected were Mac, Linux, and Windows–that pretty much covers most of the world. So this bad boy needed to do something before the operating system kicked in, in order to execute its payload; reimaging the disk wasn’t going to clear the problem, because the problem wasn’t living in the part that gets reimaged.

Ruiu’s conclusion was that the systems were communicating via ultrasonic sound waves, and that the malware’s code was being written into the BIOS. That’s bad.

Several other security experts have weighed in on the matter, and people I seriously respect (Steve Gibson and Bruce Schneier, to name just two who took opposing positions) fall on each side of the subject. But the heavier half was on the “I just don’t see it” side of the scale. It didn’t take very long for the watercooler quarterbacking to start. Actually, Schneier didn’t come out and say, “I believe it all, we should be shaking in our boots.” He did say that it seemed plausible, and there have in fact been experiments on transmitting data via sound waves.
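So that the “plausible” part isn’t left hand-wavy: the following is an added illustration, not anything from Ruiu, Schneier, or the original post, of what a sound-wave data channel looks like in practice. It is a minimal two-tone FSK “modem” in pure Python that encodes bytes as bursts of an 18 kHz or 19 kHz tone, adds constructed channel noise, and recovers the bits with a Goertzel detector. The tone frequencies, 100-baud symbol rate and 44.1 kHz sample rate are my assumptions, chosen so every symbol holds a whole number of cycles; the receiver is assumed to already know where symbols begin, and a real link would add a preamble for timing recovery. It shows only that the channel itself is feasible with ordinary audio hardware; it says nothing about whether any particular malware used it.

```python
# Added example (not from the original post): a minimal near-ultrasonic
# FSK "modem" in pure Python, showing that bits can be carried over the
# audio band that a laptop speaker and microphone already handle.
# Tone frequencies, baud rate and sample rate are assumptions chosen so
# each symbol holds a whole number of cycles; nothing here is BadBIOS.
import math
import random

SAMPLE_RATE = 44100       # Hz, the standard audio hardware rate
BAUD = 100                # symbols per second -> 441 samples per symbol
SAMPLES_PER_SYMBOL = SAMPLE_RATE // BAUD
FREQ_ZERO = 18000         # Hz, tone for bit 0 (near the edge of hearing)
FREQ_ONE = 19000          # Hz, tone for bit 1


def bytes_to_bits(data):
    """Big-endian bit list, eight bits per byte."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; any trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def modulate(data):
    """Return float samples in [-1, 1]: one tone burst per bit."""
    samples = []
    for bit in bytes_to_bits(data):
        freq = FREQ_ONE if bit else FREQ_ZERO
        for n in range(SAMPLES_PER_SYMBOL):
            samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def goertzel_power(samples, freq):
    """Energy of `samples` at `freq` via the Goertzel algorithm: a single
    DFT bin, cheap enough for a very small decoder."""
    n = len(samples)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Decide each symbol by comparing energy at the two tone frequencies.
    Assumes the receiver is aligned to symbol boundaries (no preamble)."""
    bits = []
    last_start = len(samples) - SAMPLES_PER_SYMBOL + 1
    for start in range(0, last_start, SAMPLES_PER_SYMBOL):
        chunk = samples[start:start + SAMPLES_PER_SYMBOL]
        p0 = goertzel_power(chunk, FREQ_ZERO)
        p1 = goertzel_power(chunk, FREQ_ONE)
        bits.append(1 if p1 > p0 else 0)
    return bits_to_bytes(bits)


def add_noise(samples, sigma, seed=1):
    """Constructed channel noise (seeded Gaussian) so the round trip is
    not just a trivial identity."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def round_trip(data, noise_sigma=0.3):
    """Modulate, pass through the noisy channel, demodulate."""
    return demodulate(add_noise(modulate(data), noise_sigma))


if __name__ == "__main__":
    message = b"ping"  # constructed payload
    print(round_trip(message))
```

At 100 baud this moves roughly 12 bytes per second, which is slow but plenty for a command-and-control trickle; the point of the exercise is that nothing exotic is required on the transmit or receive side, which is exactly why the idea was never dismissed as physically impossible.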

Here’s why I don’t think much of Ruiu’s claims:

1. The evidence that Ruiu has shared, having been gone over with a fine-toothed comb, really doesn’t demonstrate what Ruiu claims it demonstrates. The secondary witnesses actually saw no aberrations in the evidence provided.

2. Other researchers have pointed out that he took correlation as proof of causation. Two things being in the same room doesn’t necessarily indicate that one caused the other to be there, or even that the same thing caused them both to be there. It doesn’t indicate any causation at all.

3. Ruiu says he was fighting this for three years before he brought it out to light. That means it’s now about four years old. Why is he the only one who’s seen it?

4. This post by a BIOS-level expert (I understand just enough of this post to realize that he knows what he’s talking about) demonstrates exactly why Ruiu’s research can’t possibly mean what he thinks it means.

5. And, I think this is the most important of all, in the almost-year since this broke, it’s been almost-a-year-minus-one-month since we heard anything more about it. In other words, it was all the buzz for a couple of weeks, then, pffffft… off into the ozone.

There are some really bad viruses out there. There are some really badly-written configurations that let bad things happen. There are some bad people who will exploit things and do bad things.

Fortunately, I think it’s now safe to say, this wasn’t any of those.
