Secret whispers in the air – badBIOS

Air gapping is a technique of physically isolating a secure computer or network from an insecure network such as the internet. It is used in the highest security environments, such as where the military completely separate classified and unclassified data on independent systems. It has been thought that data cannot flow between unconnected systems separated by an air gap. Bruce Schneier developed 10 rules for setting up and maintaining an air gapped computer.

However, Canadian security technologist Dragos Ruiu, has noticed some really weird things occurring on his air-gapped laptop. Dragos had reformatted and reinstalled the operating system on an unconnected laptop. Then he noticed that subsequent to the installation, a BIOS setting on the machine had changed, preventing him from booting from CD. Something had somehow changed the BIOS setting on an air-gapped system. Ruiu labelled that something, badBIOS, and set about finding out what was happening.

The air-gapped laptop was connected to mains power, so to rule out malware communication through the power cable, Ruiu disconnected the power and ran the computer off batteries. However, the BIOS setting still changed, indicating the communication was through some other channel. Ruiu repeated the exercise while removing various pieces of hardware, such as the Wi-Fi card and Bluetooth capability. It was only when he disconnected the speakers and microphone that the BIOS setting did not change.

Ruiu surmised that the computer was communicating data with nearby computers using the speakers and microphone to transmit through high frequency sound waves, inaudible to humans. Although he has not discovered the source file for the malware and does not know how the laptop became infected in the first place, he believes that the malware is communicating with nearby infected computers via ultrasonic sound, crossing the air gap.

There are several concepts relating to air gap communication which we already know. For example, the transmission of digital data through analogue sound was performed by a standard modem (modulator/demodulator) in the early days of internet connection over telephone lines. Data was transmitted using an audible screeching sound. It is also known that all electronic equipment produces electromagnetic interference (EMI) which can be remotely harvested and analysed to reveal information. And we use twisted pair cabling (UTP) for networking, in order to reduce crosstalk, where data jumps the air gap from one wire to another. The Flame malware (a sequel to Stuxnet) used Bluetooth technology to identify and infect all smartphone’s in the vicinity. However, what Ruiu may have discovered here looks to be a new application of these known concepts of air gap communication.

Is Ruiu’s air gap-breacher malware a reality or science fiction? Time will tell. Ruiu is an experienced and respected security technologist. Security practitioners should always apply Occam’s razor and require comprehensive evidence to reduce assumptions, before coming to conclusions. We need to confirm that malware on Ruiu’s laptop is indeed communicating via ultrasonic sound. It is quite possible for malware to survive complete wipes of the system, including wipes of the primary BIOS, and to then subsequently communicate with nearby air gapped systems.

Researchers have examined the feasibility of breaching an air gap. Hanspach and Goetz demonstrated that covert ultrasonic communication can be established between air gapped systems. They speculate that this mechanism can be utilised for transmitting keystrokes from an infected system, through a network of drone computers via ultrasonic communication, to be eventually delivered to the attacker.

If malware can breach an air gap, it would certainly be weapons-grade malware, a big step up in sophistication from Stuxnet and Flame, and capable of causing significant damage. This communication mechanism would not be detected by any currently known protection mechanism, such as anti-virus, firewalls or intrusion detection systems (IDS). Some speculate that the level of sophistication involved in badBIOS points toward a State-actor as originator, perhaps the NSA. The navy are concerned about these developments. Malware capable of breaching the air gap could disable the navigation, communication, weapons, and electronic controls on a warship, neutralising it during battle.

The potential for our computers to be quietly whispering to each other in frequencies we cannot hear, is certainly intriguing. Chinese whispers could take on a new meaning. This new vulnerability needs to be urgently further investigated.

Leave a Reply

%d bloggers like this: