Most malware is designed to attack your computer at the application or operating system (OS) level. Viruses, worms and Trojans do their dirty work alongside your regular applications on top of the operating system, while rootkits get installed as kernel modules inside your operating system. Much of this malware can be blocked before being installed, or removed after installation, if you have good security software. In extreme cases, you can wipe your hard drive clean and then re-install your OS and other apps, painful though this might be.
However, there is a class of malware that can attack your system’s BIOS (basic input/output system), which resides in the firmware of the computer’s circuitry, below your applications and the operating system itself. Down there, malware is beyond the reach of conventional security software. Any hope of eradicating it involves re-installing clean firmware or even replacing damaged system hardware.
The viability of BIOS-level malware has been known in the security community for a while. Back in 2008, researcher Arrigo Triulzi developed proof-of-concept malware that could infect network interface cards, enabling the attacker to stealthily sniff packets and open login shells on the infected systems while remaining virtually undetectable. His conclusion was that the growing sophistication of peripheral controller chips provided a new attack surface for determined hackers.
Then, a couple of years later, security consultant Dragos Ruiu noticed his MacBook Air was behaving strangely.
The Discovery of badBIOS
Without prompting, Ruiu’s Mac spontaneously updated its firmware. He also discovered that the system deleted data and changed configuration settings on its own. Later, Ruiu observed other systems, Windows- and Linux-based alike, behaving in a similar manner. Many of the systems were not plugged into an Ethernet network, were not WiFi enabled, and had no Bluetooth cards. Ruiu concluded that the malware, which he termed badBIOS, must have propagated by jumping the air gaps between the systems using high-frequency transmissions through the computers’ speakers and microphones.
Although the idea sounds like the stuff of science fiction, researchers at MIT have done research on ultrasonic local area networking, in which computers communicate through high-frequency radio signals. The Flame espionage malware that was unleashed on Iranian and other Middle Eastern networks used Bluetooth to communicate with targeted systems, sometimes miles away from each other. German security researchers Michael Hanspach and Michael Goetz reported in the Journal of Communications that they created proof-of-concept software that enabled them to send and monitor keystroke data between Lenovo T-400 notebooks using the built-in microphones and speakers. Their technique was based on software developed for underwater communications.
Even the NSA has gotten into the act. The New York Times recently reported that the NSA has planted micro-transceivers in nearly 100,000 computers worldwide, enabling the agency to monitor these systems or transmit malware to them remotely over secret radio-frequency transmissions. The transceivers are embedded in USB cables that plug into the target systems; in some cases the devices are physically implanted. Apparently the NSA has been doing this since 2008, but the radio surveillance technology it is using has been around for a long time.
No Physical Contact Required
While Dragos Ruiu labors away in his security laboratory studying badBIOS and other security threats, some wonder whether badBIOS even exists. His computers seem to be the only ones affected, and there have been no other reports of the malware surfacing in the wild.
Still, Ruiu is well respected in the security community. Security researchers like Triulzi have demonstrated that a computer’s BIOS can be compromised. More conclusively, the work of Hanspach and Goetz proves that, like many airborne biological viruses, malware does not necessarily require physical contact to infect other computer systems.
Please add your thoughts in the comments below or follow me on Twitter: @vichargrave.