On Thursday, Ars Technica ran a story about badBIOS, a nasty piece of malware allegedly discovered three years ago by security consultant Dragos Ruiu on an Apple laptop. The malware is so sophisticated that some wonder if the story is real or just a hoax.The rootkit appears to be advanced and highly persistent, with “self-healing” capabilities. It can infect computers running almost any operating system by changing the device’s firmware, including the Basic Input/Output System (BIOS) and the Unified Extensible Firmware Interface (UEFI).
It can spread even if the computer’s power cords and Ethernet cables are unplugged, and even if Wi-Fi and Bluetooth communications are disabled. It can even “jump air gaps” via computer speakers and microphones.
The initial infection vector appears to be through USB drives, but this hasn’t been confirmed.
The factsDragos Ruiu is a reputable researcher. He is the organizer of CanSecWest and PacSec and the founder of Pwn2Own, the renowned hacking competition. Several other respected infosec professionals have vouched for him regarding badBIOS.
Furthermore, Ars’ Dan Gooding, the editor who ran the story, says it’s not a Halloween hoax.
“I have tried to make clear that many of the details of this article sounded far-fetched to me. They still do. I have also tried to be transparent that no one has independently corroborated Ruiu's findings. That said, these same details have been publicly available for more than two weeks, and a large number of Ruiu's peers find them believable,” Gooding noted.
The story could also be true since the malware’s behavior and capabilities are technologically possible. Hackers can overwrite the BIOS flash memory, infection via USB is clearly plausible because there are numerous threats that use this method.
In addition, covertly transmitting data across the network via IPv6 even when the protocol is disabled is also plausible. Communications via high definition audio is also possible. Errata Security’s Robert Graham provides details on each of these technical aspects.
The questionsWhile this could very well be a true story, there are several things that don’t add up. Researchers have seen advanced pieces of malware used in state-sponsored espionage operations, such as Flame or Stuxnet. However, the story as a whole simply sounds like something from Trend Micro’s 2020 web series.
For one, Ruiu hasn’t presented any concrete evidence to demonstrate the existence of the badBIOS malware.
Users on MetaFilter and Reddit have analyzed the claims and many of them point to a lot of questionable things.
For instance, security expert Igor Skochinsky, who has dedicated much of his work to investigating rootkits, says he has analyzed the BIOS dump provided by Ruiu and he hasn’t found anything suspicious.
Another suspicious thing is related to the USB infection. Ruiu says he will analyze the USB traffic more thoroughly once he gets his hands on some “expensive equipment.” As many point out, USB protocol analyzers are not very expensive.
Jacob Kaplan-Moss, co-creator of Django, makes an interesting point on MetaFilter regarding communications via audio channels as described by Ruiu.
“The theoretical bandwidth for audio-based networking is something like 600 bytes per second. (And I think to get that rate you'd need to send data in using audible frequencies, so you'd hear your speakers squealing like a modem),” Kaplan-Moss noted.
“That's two seconds for a single TCP packet. It would take quite a long time to distribute anything, especially a virus as sophisticated as the one he's alleging,” he added.
“If the ‘virus’ is really communicating over audio, the equipment necessary to detect this is even cheaper: a freaking microphone. He hasn't made any attempt to capture the ‘networking’; that's super-suspect.”
So is badBIOS real or a hoax? Time will tell. Ruiu will either have to provide some concrete evidence or allow others to take a crack at the allegedly infected computers, or he’ll have to come forward with a confession.
As some point out, another possible scenario is that Ruiu is not making this up. However, he might have simply misinterpreted the results of his research.