Ars: Cross-Platform Malware Communicates With Sound
An anonymous reader writes "Do you think an airgap can protect your computer? Maybe not. According to this story at Ars Technica, security consultant Dragos Ruiu is battling malware that communicates with infected computers using computer microphones and speakers." That sounds nuts, but it is a time-tested method of data transfer, after all.
And there's a whole series of comments at Ars... (Score:5, Informative)
Not all THAT impossible (Score:4, Informative)
Re:Summary is contradictory. (Score:4, Informative)
Re:Hoax (Score:4, Informative)
If you are working with a modern laptop that's not an option.
Using FM above what most people can hear, you can blast a square wave at full power that could easily fill the room; if the door is open you could probably receive it in adjoining rooms. Come to think of it, you could probably transmit in parallel on a number of different frequencies as long as they aren't multiples of each other. It wouldn't be gigabit, but it would be plenty fast for sending command and control information.
Re:And there's a whole series of comments at Ars.. (Score:5, Informative)
"Dragos Ruiu (@dragosr), the creator of the pwn2own contest"
It would be odd for him to screw up his rep with a hoax like this.
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en [securityartwork.es]
Re:Or EMI (Score:2, Informative)
That's a good implication, as not everyone in Europe has an umlaut in their name...
Re:Hoax (Score:4, Informative)
"If you are working with a modern laptop that's not an option."
Actually, it's a very easy option. Usually the microphone cable (and conveniently, the camera cable if there's a bezel camera) are directly underneath the keyboard. In most non-Apple laptops, that's easy access with just a few underside screws and under-battery screws. And funnily enough, you usually get speaker access while going for those cables anyways, so it's an all-in-one trip maybe involving 8 or 9 screws.
Re:Hoax (Score:5, Informative)
You know that ultrasonics are precisely how a modern Furby communicates with its companion iPhone app? (There's even Perl code implementing it so you can hack them.)
Found it! (Score:4, Informative)
I didn't believe you at first but: http://hardware.slashdot.org/story/05/01/29/2017244/piezo-acoustic-ipod-hack [slashdot.org]
Re:And there's a whole series of comments at Ars.. (Score:5, Informative)
I just tested my PC's speakers / microphone... The power output is rock steady up to 15kHz, then falls to 75% by 20kHz, 50% by 30kHz, and about 10% by 40kHz. Then it stays that way to fifty-ish kHz, which is as far as my loop went.
I could already not hear it by 14kHz... damn I'm old. Last time I did something like this, I was OK up to 17kHz, and back at the Institute I was fine at 19kHz.
I think that no one hears 30 kHz, and you still get 50% power on my PC... which is nothing special. You can definitely get decent communication outside of hearing range.
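A defender-side check for the above-hearing-range tones discussed in the comment above, as an added example that is not part of the thread: it scans captured audio for a narrowband carrier between 18 and 23.5 kHz with the Goertzel algorithm and reports how long the tone persists. The sample rate, probe band, thresholds and the synthetic capture are assumptions chosen for illustration.

```python
import math
import random
from statistics import median

RATE = 48_000    # assumed capture rate in Hz (Nyquist limit 24 kHz)
BLOCK = 960      # 20 ms window, so every multiple of 50 Hz is an exact bin
PROBE_HZ = range(18_000, 23_750, 250)   # assumed band above most adult hearing

def goertzel_power(block, freq):
    """Squared magnitude of a single DFT bin, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def carrier_blocks(samples, ratio=50.0, floor=1e-3):
    """Indices of 20 ms blocks that hold a narrowband tone in the probe band."""
    full_scale = (BLOCK / 2) ** 2       # bin power of a sine with amplitude 1.0
    hits = []
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        block = samples[start:start + BLOCK]
        powers = [goertzel_power(block, f) for f in PROBE_HZ]
        peak = max(powers)
        # A tone stands far above the band's median; broadband hiss does not.
        if peak / full_scale > floor and peak > ratio * median(powers):
            hits.append(start // BLOCK)
    return hits

def longest_run(hits):
    """Length of the longest streak of consecutive flagged blocks."""
    best = run = 0
    prev = None
    for h in hits:
        run = run + 1 if prev is not None and h == prev + 1 else 1
        best, prev = max(best, run), h
    return best

def constructed_capture():
    """Constructed input: 1 s of 440 Hz plus hiss; 19 kHz tone in the second half."""
    rng = random.Random(0)
    out = []
    for n in range(RATE):
        t = n / RATE
        x = 0.4 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0.0, 0.01)
        if n >= RATE // 2:
            x += 0.05 * math.sin(2 * math.pi * 19_000 * t)  # quiet carrier
        out.append(x)
    return out
```

A capture sampled below 48 kHz cannot represent this band at all, so the recording device's rate has to be checked before a clean result means anything.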
Let me get that for you... (Score:4, Informative)
Re:And there's a whole series of comments at Ars.. (Score:4, Informative)
Hmm... never mind about my PC not being anything special. Here is a MacBook Pro graph I just googled:
http://www.gearslutz.com/board/attachments/so-much-gear-so-little-time/285773d1333712202-what-frequency-response-typical-built-laptop-speakers-mbp15.jpg [gearslutz.com]
Clearly desktops have a much better range than laptops.
Response by Robert Graham (Score:2, Informative)
Robert Graham has published a well-written response:
http://blog.erratasec.com/2013/10/badbios-features-explained.html [erratasec.com]
Read the article! (Score:5, Informative)
2) The air gap was on a laptop (with a battery) in a room with potentially infected machines.
3) There never was a claim that a completely clean machine was infected over any method, just that a machine that had been the recipient of a lot of low-level cleaning and disabling managed to demonstrate a full reinfection after spending enough time in the proximity of other infected machines.
None of the things asserted here are particularly novel. Infections at all levels, BIOS, aren't novel. Mesh networking isn't novel. Acoustic networking isn't novel. The arrangement of them to maximize the effectiveness of them is the novel part. But in retrospect it is also pretty obvious. Rather than try to code for all the BIOS and OS combinations, and all the OS and device combinations, you code for all the BIOS and device combinations, and then code for all the OS choices in a one-off.