
Ars: Cross-Platform Malware Communicates With Sound

An anonymous reader writes "Do you think an airgap can protect your computer? Maybe not. According to this story at Ars Technica, security consultant Dragos Ruiu is battling malware that communicates with infected computers using computer microphones and speakers." That sounds nuts, but it is a time-tested method of data transfer, after all.
  • Or EMI (Score:5, Interesting)

    by goombah99 ( 560566 ) on Thursday October 31, 2013 @04:57PM (#45294321)

    Back when I had an Altair 8800 we used to play a teletype game called Star Trek. We kept a radio tuned off channel on in the room. When you fired a laser the code executed a fast loop that emitted EMI in a ramping frequency. The radio would make a phaser noise.

    In Europe it was discovered that the most common brand of voting machine would emit EMI differently depending on whether the character in the displayed name had an umlaut or not (special character set). So you could tell who people voted for when one candidate had an umlaut.

  • by NeverWorker1 ( 1686452 ) on Thursday October 31, 2013 @04:59PM (#45294339)
    Besides the many, many stretches of the imagination required for his story (e.g., it infects the firmware on all major brands of USB drives, he never extracted a binary blob or sent the infected device to the manufacturer, the audio communication silliness, the fact that he apparently thinks infection could spread through the power cable, and so on...) the biggest issue to my mind is that if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague? This is the sort of thing that goes over huge at conferences.
  • by ericloewe ( 2129490 ) on Thursday October 31, 2013 @05:30PM (#45294679)

    Assuming this is more than a hoax, here's a bit of devil's advocate:

    After the initial infection and subsequent cleaning (let's assume it survived somehow - hell, it might have been a compromised USB keyboard), the issue was forgotten for a while until the mentioned symptoms started appearing - since they seemed to be mostly inconveniences that often plague BIOS/UEFI (If I had a buck for each hour I've spent figuring out how to boot with drive X on system Y...) or could be attributed to more mundane causes, the investigation of these issues was not considered a priority, as there were seemingly more important tasks to do.

    More recently, a connection was established that suggested it might be more than just random bad luck - this then took a while to investigate, especially because ruining hardware (desoldering the BIOS chip to extract its firmware) is typically the last resort when investigating something.

    Again, this is just speculation as to why this whole story took three years so far.

    And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE). If you come to the conclusion that information is being exchanged after removing all network interfaces, it makes perfect sense to try (it's not exactly hard...) to unplug the laptop, to eliminate a potential hardware backdoor. Honestly, what I considered paranoia not too long ago is starting to look more likely every day...

  • by gandhi_2 ( 1108023 ) on Thursday October 31, 2013 @05:48PM (#45294859) Homepage

    I have a hard time believing that you could pack enough logic into BIOS that could anticipate and counter your actions in OSX, BSD, and Windows.

    Otherwise, this code must maintain a link to the outside world, relying on equipment that may or may not be anywhere nearby, and then a human would have to monitor this machine and send commands back. That would take an insane level of commitment.

    If this was real, wouldn't every security researcher, hardware manufacturer, and government in the world be at this dude's lab to get in on the action?

    Communicating via sound or ultrasound from speakers to microphones. Possible. The rest of it... leaves me dubious.

  • by Tom ( 822 ) on Thursday October 31, 2013 @08:56PM (#45296457) Homepage Journal

    As the article explains: To us in the security community, none of the individual pieces raise an eyebrow. We know USB is an infection vector. We know BIOS/UEFI can be compromised. We know that when it hits the firmware, extraction isn't as easy as a dd anymore. We know communication via power cable and audio is possible - the last shouldn't really surprise anyone as it's been just earlier this year that audio was discussed as an alternative to NFC, because it doesn't require new hardware (every smartphone already has speakers and microphones).

    And after Stuxnet and Flame, we know that some of the really advanced malware that we've been talking about at conferences is not only possible, but real.

    Still, finding all of this in one package is fascinating, and if it really is 3 years old, I don't want to know what the current version looks like.

  • by cusco ( 717999 ) <brian.bixby@gmail . c om> on Friday November 01, 2013 @01:42AM (#45297657)

    I remember BIOS viruses back when I did support for Windows 95, and damn they were nasty. Plug a loaner floppy into an infected machine and by the end of the day you could infect an entire computer lab. There was one that (IIRC) would infect both Phoenix and AMI BIOS machines, but did nothing to Award boards. I don't see why people think that a cross-platform BIOS infector is so out of the question.

  • Firewire yes. Firewire can muck around with system RAM directly.
    USB cannot; it all has to go via the CPU.

    The entire premise of this is ridiculous. No sound card can go beyond about 24 kHz which is barely ultrasonic and not suitable for data.
    Plus hacking many different chips, some of which do not even have firmware, seems too unlikely.
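
An added example, not part of any comment above: a defender-side check for the speaker-to-microphone channel the thread debates, scanning captured microphone samples for tonal energy in the near-ultrasonic band just under the roughly 24 kHz limit mentioned above. The 48 kHz capture rate, the 18-23 kHz band, the threshold, all function names and the sample signal are assumptions made for this illustration.

```python
import math

RATE = 48000           # assumed capture rate (Hz); Nyquist limit is 24 kHz
FRAME = 480            # 10 ms frames, so DFT bins are 100 Hz apart
BAND = (18000, 23000)  # assumed near-ultrasonic band to watch (Hz)
THRESHOLD = 1e-4       # assumed alert level: amplitude squared (-40 dBFS)

def goertzel_power(frame, freq, rate=RATE):
    """Squared amplitude of `freq` in `frame` (Goertzel single-bin DFT)."""
    n = len(frame)
    k = round(n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    # |X[k]|^2 normalised so a full-frame sine of amplitude A yields A^2
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n / 2) ** 2

def band_peak(frame):
    """Strongest bin power inside BAND, probing every DFT bin in the band."""
    step = RATE // len(frame)
    return max(goertzel_power(frame, f)
               for f in range(BAND[0], BAND[1] + 1, step))

def flag_frames(samples):
    """Indices of whole frames whose in-band peak exceeds THRESHOLD."""
    flagged = []
    for i in range(len(samples) // FRAME):
        if band_peak(samples[i * FRAME:(i + 1) * FRAME]) > THRESHOLD:
            flagged.append(i)
    return flagged

def constructed_capture():
    """Constructed signal, not a real recording: frames 0-4 carry a 1 kHz
    tone (audible band), frames 3-4 add a faint 20.5 kHz tone, frame 5 is
    silent."""
    out = []
    for i in range(6 * FRAME):
        frame = i // FRAME
        v = 0.0
        if frame < 5:
            v += 0.5 * math.sin(2 * math.pi * 1000 * i / RATE)
        if frame in (3, 4):
            v += 0.05 * math.sin(2 * math.pi * 20500 * i / RATE)
        out.append(v)
    return out

if __name__ == "__main__":
    print(flag_frames(constructed_capture()))
```

On a real capture the threshold has to be set against the microphone's measured noise floor in that band, since many consumer microphones and speakers roll off well before 20 kHz.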
