Ars: Cross-Platform Malware Communicates With Sound
An anonymous reader writes "Do you think an airgap can protect your computer? Maybe not. According to this story at Ars Technica, security consultant Dragos Ruiu is battling malware that communicates with infected computers using computer microphones and speakers." That sounds nuts, but it is a time-tested method of data transfer, after all.
And there's a whole series of comments at Ars... (Score:5, Informative)
Re: (Score:3)
At this time, I'm taking the whole thing with a handful of salt. It's not totally impossible, though.
Re:And there's a whole series of comments at Ars.. (Score:5, Interesting)
Re:And there's a whole series of comments at Ars.. (Score:5, Informative)
" Dragos Ruiu (@dragosr), the creator of the pwn2own contest"
It would be odd for him to screw up his rep with a hoax like this.
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en [securityartwork.es]
Re:And there's a whole series of comments at Ars.. (Score:5, Insightful)
Name one reason why he didn't send the BIOS or a copy thereof to be examined by the OEM....***after three years of not being able to fix this***.
My next question would be: why did it take him so long to figure out that the USB might be the vector? But before you answer that question ask yourself this also: why hasn't he contacted the major USB drive manufacturers since this seems to be FAR more about a vulnerability at the USB controller level (far, far, far below control of the OS) that has been leveraged to then exploit writing a new firmware?
If this is a USB hardware exploit then the rest of this is superficial but after 3 years, you'd figure that someone would have found another copy of this thing by now yet he's the only one. If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.
IF it's a USB exploit, I'm fucking impressed but since he's played the "how many people can believe that I'm this stupid" card so many times in his "research" on this (I'm saying nothing of his other experience, mind you), I'd say it's likely a hoax of some sort.
Re: (Score:3)
If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.
No doubt his friend or colleagues all have more smarts than to plug in some random jump drive.
I seriously don't even trust these things myself any more. I hate it when someone sends me something on a flash drive.
Re: (Score:2)
Nevertheless, his friends and colleagues didn't get infected from his jump drive, which leads me to believe they are considerably more clever than he is, and are probably wary about letting him near their computers.
It took him 3 years to figure it out while machine after machine was getting infected in his lab.
Re:And there's a whole series of comments at Ars.. (Score:4, Interesting)
Firewire, yes. Firewire can muck around with system RAM directly.
USB cannot; it all has to go via the CPU.
The entire premise of this is ridiculous. No sound card can go beyond about 24 kHz, which is barely ultrasonic and not suitable for data.
Plus hacking many different chips, some which do not even have firmware, seems too unlikely.
Re: (Score:3)
None of the audio analog circuitry on the frontend will let it pass. Go ahead, look at the output of your best soundcard and a ramp generator and watch it roll off rapidly on the scope when you go above 35 kHz.
Re: (Score:3)
No, there is NO plausibility. Please, please stop adding credibility to this bullshit in this made-up bit of fiction.
None of the electronics in your computer is designed for ultrasonic, and in fact it's freaking filtered out to get rid of problems. I don't care if the chips can do 99 GHz, the analog components for filtering on the input and output significantly attenuate it, then you have the fact that the speakers cannot generate it nor the microphones having the ability to receive it.
Anyone with even a 1
Re: (Score:2)
" Dragos Ruiu (@dragosr), the creator of the pwn2own contest"
It would be odd for him to screw up his rep with a hoax like this.
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en [securityartwork.es]
Dunno, but in order for it to work, you'd need to park the infection on the airgapped machine in the first place.
To top that off, good luck making such an arrangement work in a server room, where ambient noise would pretty much destroy any hope of receiving an audible signal...
Re: (Score:2)
Server rooms seldom have mics, most don't even have speakers.
Re: (Score:3)
Nope.
Can't be done. Output channels on sound chips can't be read.
You watch too many spy movies.
Re:And there's a whole series of comments at Ars.. (Score:5, Insightful)
I think many of the commentators both here and on Ars Technica are making a basic mistake. No one claims that the machine is infected through its microphones. Duh! How would it know to listen and interpret noise as instructions? The claim is that once infected, the machines communicate using their speakers and microphones.
Is it possible? Sure. Do I consider it likely? No. It's one Hell of an effort for very little gain... in general. But we all have hobbies, so someone may have written a virus that infects through USB drives, overwrites BIOS, and resists the clean up of physically disconnected machines by communicating via sound.
Do I believe this particular story? Hmm... no. Mostly because, despite the reputation of the author, the article makes it sound like basic mistakes were made during the cleanup process, and because not enough information has been shared with the community.
But if I was told the story is true, I could come up with a great conspiracy theory to explain it. The author tries to keep all the fame for himself, the author is being threatened by the high tech agency that developed the strain but let it escape, the virus has alien origin...
Re: (Score:3)
It has not been my experience that computer speakers are capable of making sounds much outside the range of human hearing, nor computer microphones capable of picking such sounds up. Maybe he buys computers with extremely high end sound equipment, but I'm a bit skeptical that nobody noticed the audio.
Maybe he sniffed a little too much of the magic smoke the virus let out.
Re: (Score:2)
Re:And there's a whole series of comments at Ars.. (Score:5, Informative)
I just tested my PC's speakers / microphone... The power output is rock steady up to 15kHz, then falls to 75% by 20kHz, 50% by 30kHz, and about 10% by 40kHz. Then it stays that way to fifty-ish kHz, which is as far as my loop went.
I could already not hear it by 14kHz... damn I'm old. Last time I did something like this, I was OK up to 17kHz, and back at the Institute I was fine at 19kHz.
I think that no one hears 30 kHz, and you still get 50% power on my PC... which is nothing special. You can definitely get decent communication outside of hearing range.
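The measurement in the post above is also the basis of the simplest defensive check: if speakers and microphones still pass energy above hearing range, a capture from the machine's own microphone can be watched for it. The following is an added example, not code from the thread or from any of the people in it; it assumes a 48 kHz mono capture, uses only the standard library, and constructs its own test signals (speech-band tones plus noise, with and without a 19 kHz carrier attenuated by the 75%-power figure reported above, which is assumed to apply at 19 kHz).

```python
import math
import random

# Assumed capture parameters (not from the thread): 48 kHz mono, 10 ms windows.
SAMPLE_RATE = 48000
WINDOW = 480                 # 10 ms at 48 kHz -> 100 Hz per DFT bin
ULTRA_LOW_HZ = 17000         # roughly where adult hearing gives out
ULTRA_HIGH_HZ = 24000        # Nyquist for a 48 kHz capture


def band_energy_ratio(window, lo_hz=ULTRA_LOW_HZ, hi_hz=ULTRA_HIGH_HZ,
                      rate=SAMPLE_RATE):
    """Fraction of the window's energy that sits in [lo_hz, hi_hz).

    Only the DFT bins of the band are computed (cheap enough in pure Python
    for 10 ms windows); the total comes from Parseval's theorem, so no FFT
    library is needed.
    """
    n = len(window)
    total = sum(x * x for x in window)
    if total == 0.0:
        return 0.0
    lo_bin = int(lo_hz * n / rate)
    hi_bin = min(int(hi_hz * n / rate), n // 2)   # stop below Nyquist
    cos_t = [math.cos(2 * math.pi * m / n) for m in range(n)]
    sin_t = [math.sin(2 * math.pi * m / n) for m in range(n)]
    band = 0.0
    for k in range(lo_bin, hi_bin):
        re = im = 0.0
        for i, x in enumerate(window):
            m = (k * i) % n
            re += x * cos_t[m]
            im -= x * sin_t[m]
        band += re * re + im * im
    # Parseval: sum|x|^2 = (1/n) * sum over all n bins of |X_k|^2. The input
    # is real, so bins k and n-k mirror each other; the one-sided share of the
    # band is twice the positive-frequency sum divided by n*total.
    return min(1.0, 2.0 * band / (n * total))


def scan(samples, threshold=0.05, window=WINDOW):
    """Return (sample_offset, ratio) for every window above the threshold."""
    hits = []
    for start in range(0, len(samples) - window + 1, window):
        ratio = band_energy_ratio(samples[start:start + window])
        if ratio >= threshold:
            hits.append((start, round(ratio, 3)))
    return hits


# --- constructed test signals (not real captures) ------------------------

def tone(freq_hz, seconds, amplitude, rate=SAMPLE_RATE):
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / rate)
            for i in range(round(seconds * rate))]


def mix(*signals):
    return [sum(vals) for vals in zip(*signals)]


def audible_only(seconds=0.1, seed=1):
    """Speech-band content plus a little floor noise: should not trigger."""
    rng = random.Random(seed)
    noise = [rng.uniform(-0.02, 0.02) for _ in range(round(seconds * SAMPLE_RATE))]
    return mix(tone(300, seconds, 0.5), tone(1200, seconds, 0.3),
               tone(3000, seconds, 0.2), noise)


def audible_plus_carrier(seconds=0.1, carrier_hz=19000, seed=1):
    """Same content plus a 19 kHz carrier at a quarter of the loudest audible
    component, scaled by the 75%-power roll-off from the post above
    (amplitude factor sqrt(0.75)); assumed to apply at 19 kHz."""
    attenuated = 0.25 * math.sqrt(0.75)
    return mix(audible_only(seconds, seed), tone(carrier_hz, seconds, attenuated))


if __name__ == "__main__":
    print("benign :", scan(audible_only()))          # expected: no hits
    print("carrier:", scan(audible_plus_carrier()))  # expected: every 10 ms window
```

The ratio stays near zero for ordinary audio and jumps to roughly 0.11 for every window once the attenuated carrier is present, so a fixed threshold separates the two cases without a calibrated sound meter.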
Re:And there's a whole series of comments at Ars.. (Score:4, Informative)
Hmm... never mind about my PC not being anything special. Here is a MacBook Pro graph I just googled:
http://www.gearslutz.com/board/attachments/so-much-gear-so-little-time/285773d1333712202-what-frequency-response-typical-built-laptop-speakers-mbp15.jpg [gearslutz.com]
Clearly desktops have a much better range than laptops.
Re: (Score:3)
No. Not maybe: Can. Does.
Feed a "subwoofer" a 19kHz sine wave. What comes out? Is it all reduced to heat? Go ahead and try, and you'll see: Sound comes out. Measurably. At 19kHz. (probably with a whole lot of nasty harmonics starting at 38kHz, and a great deal of heat compared to other frequencies, but that's not the point.)
Meanwhile, please define "practical."
If "practical" means sending low-speed data between two computers in close proximity at a frequency that is difficult or impossible for an
Re: (Score:2)
I think many of the commentators both here and on Ars Technica are making a basic mistake. No one claims that the machine is infected through its microphones.
Not many here are making that mistake. Several have already posted how silly it was for him to be plugging in thumb drives.
Re:And there's a whole series of comments at Ars.. (Score:5, Interesting)
Assuming this is more than a hoax, here's a bit of devil's advocate:
After the initial infection and subsequent cleaning (let's assume it survived somehow - hell, it might have been a compromised USB keyboard), the issue was forgotten for a while until the mentioned symptoms started appearing - since they seemed to be mostly inconveniences that often plague BIOS/UEFI (If I had a buck for each hour I've spent figuring out how to boot with drive X on system Y...) or could be attributed to more mundane causes, the investigation of these issues was not considered a priority, as there were seemingly more important tasks to do.
More recently, a connection was established that suggested it might be more than just random bad luck - this then took a while to investigate, especially because ruining hardware (desoldering the BIOS chip to extract its firmware) is typically the last resort when investigating something.
Again, this is just speculation as to why this whole story took three years so far.
And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE). If you come to the conclusion that information is being exchanged after removing all network interfaces, it makes perfect sense to try (it's not exactly hard...) to unplug the laptop, to eliminate a potential hardware backdoor. Honestly, what I considered paranoia not too long ago is starting to look more likely every day...
Re: And there's a whole series of comments at Ars. (Score:2)
Umm... powerline networking, are you referring to a method developed by Power Monitors, Inc., communicating data as the voltage crosses through zero, then disconnecting as the voltage spikes high?
Re: (Score:3)
And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE).
Yes, but you need special hardware to do it. I don't see any way to do this with commercial PC/laptop power supplies without first hacking the hardware.
I find the idea of using a computer's microphone and speaker as a kind of high frequency modem highly intriguing. I did read enough of TFA to see that once he physically removed the speaker and microphone from his computer the mystery network packets stopped. That's pretty strong evidence this is one of the attack vectors if it is indeed true. I don't know the
Re: (Score:3)
Re: (Score:3)
if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.
Because, he speculates, the initial infection of a machine must be done via USB stick, and being the professional security researcher that he is, he nonchalantly plugs his USB sticks willy-nilly back and forth between his known infected machines and his brand new machines.
A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.
This guy apparently has no concept of a clean room for virus research.
I don't discount the ability to use sound for communication between infected machines, but clearly you have to be infected FIRST for that to work.
(Not to mention hav
Re:And there's a whole series of comments at Ars.. (Score:5, Interesting)
As the article explains: To us in the security community, none of the individual pieces raise an eyebrow. We know USB is an infection vector. We know BIOS/UEFI can be compromised. We know that when it hits the firmware, extraction isn't as easy as a dd anymore. We know communication via power cable and audio is possible - the last shouldn't really surprise anyone as it's been just earlier this year that audio was discussed as an alternative to NFC, because it doesn't require new hardware (every smartphone already has speakers and microphones).
And after Stuxnet and Flame, we know that some of the really advanced malware that we've been talking about at conferences is not only possible, but real.
Still, finding all of this in one package is fascinating, and if it really is 3 years old, I don't want to know what the current version looks like.
Re: (Score:3)
actually... I do want to know.
Funny how a figure of speech sometimes means the opposite of what you really mean.
Re:And there's a whole series of comments at Ars.. (Score:4, Interesting)
I remember BIOS viruses back when I did support for Windows 95, and damn they were nasty. Plug a loaner floppy into an infected machine and by the end of the day you could infect an entire computer lab. There was one that (IIRC) would infect both Phoenix and AMI BIOS machines, but did nothing to Award boards. I don't see why people think that a cross-platform BIOS infector is so out of the question.
Re: (Score:3)
http://en.wikipedia.org/wiki/CIH_(computer_virus) [wikipedia.org]
It was the only one ever in the wild and it did not spread very far because it was destructive.
Re:And there's a whole series of comments at Ars.. (Score:5, Funny)
At this time, I'm taking the whole thing with a handful of salt. It's not totally impossible, though.
That is next month's article: "Cross-Platform Malware spread through common table salt"
Re: (Score:2)
I've seen her! I've seen that little minx with her yellow dress and using umbrella and rain for cover, with the canister of unspeakable evil under her arm spreading the infection everywhere.
Re:And there's a whole series of comments at Ars.. (Score:5, Interesting)
I have a hard time believing that you could pack enough logic into a BIOS that could anticipate and counter your actions in OSX, BSD, and Windows.
Otherwise, this code must maintain a link to the outside world, relying on equipment that may or may not be anywhere near by, and then a human would have to monitor this machine and send commands back. That would take an insane level of commitment.
If this was real, wouldn't every security researcher, hardware manufacturer, and government in the world be at this dude's lab to get in on the action?
Communicating via sound or ultrasound from speakers to microphones. Possible. The rest of it... leaves me dubious.
Or EMI (Score:5, Interesting)
Back when I had an Altair 8800 we used to play a teletype game called Star Trek. We kept a radio tuned off channel on in the room. When you fired a laser the code executed a fast loop that emitted EMI in a ramping frequency. The radio would make a phaser noise.
In Europe it was discovered that the most common brand of voting machine would emit EMI differently depending on whether the character in the displayed name had an umlaut or not (special character set). So you could tell who people voted for when one candidate had an umlaut.
Re:Or EMI (Score:4, Funny)
So you could tell who people voted for when one candidate had an umlaut.
>implying everyone in Europe doesn't have an umlaut in their name.
Re: (Score:2, Informative)
That's a good implication, as not everyone in Europe has an umlaut in their name...
Re: (Score:2)
...that's just Slashdot's lack of Unicode support talking. You just can't see the umlauts.
Re: (Score:2)
Re: comments at Ars... (Score:2)
Article: "Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped."
OK, so now you have a single action (eliminating acoustic duplex mechanism) and suddenly the data transmission ceases. That is pretty convincing that an 'entity' has wound up programming a system to manage/infect/reinfect computers near each other even when all I/O methods are turne
Pooch to the rescue (Score:2)
...it'd also be stupid simple to detect. All you need is a sound meter.
Or, a dog.
Re: (Score:2)
It's called a battery. Most laptops have them.
Re: (Score:2)
The IT guy says I can't use my thumb drive. He's just being paranoid.
Infected at the factory ... (Score:2)
How the airgapped computer got infected in the first place is the real issue here...
It came that way from the factory. It happens.
Time tested? (Score:5, Funny)
I'm confused, you mean information can actually be conveyed via air vibrations?
Re:Time tested? (Score:5, Funny)
I'm confused, you mean information can actually be conveyed via air vibrations?
If you'd only listened in school, you'd know that . . .
Hoax (Score:4, Insightful)
Sorry, that sort of acoustic coupling is bound to be loaded with errors. You might be lucky to get 16 BYTES per second, and even then, those speakers aren't powerful enough to transmit very far.
Airgapped room? Those frequencies from laptop or regular internal computer speakers aren't going to make it past the walls.
Give me a break, slashdot.
Re: (Score:2)
Re: (Score:2)
Now tell me what acoustic modems transmitted at for POTS lines, even up to today.
If you use higher & higher frequencies, your data rate goes up & UP!
Re: (Score:2)
But the transmission distance goes down, generally.
Re: (Score:2)
wow. simply... wow.
16 bytes (it could be much higher) could allow for a lot of data to exchange. Depending on the time.
And it's exchanging information with another infected system.
This is coming from an expert who runs pwn2own (Dragos Ruiu), so I would give it a little more thinking if I were you.
http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en [securityartwork.es]
Re: (Score:2)
I don't give blatant trolling any thought. Airgapped room? You're not bypassing walls at those frequencies, not with laptop speakers or internal computer speakers. Even if you had speakers powerful enough to get past that, you'd need a hellaciously sensitive microphone on the other side, and equally powerful speakers to transmit back if desired. Can we say feedback loop? Not only must the microphones deal with trying to pick up a faint noise through an airgap, they're also trying to ignore the noise of thei
Re: (Score:2)
AMTOR mode B is FEC running at 100 baud, transfers some 70 words a minute.
Re:Hoax (Score:5, Informative)
You know that ultrasonics are precisely how a modern Furby communicates with its companion iPhone app? (There's even perl code implementing it so you can hack them.)
Re:Hoax (Score:4, Informative)
If you are working with a modern laptop that's not an option.
Using FM above what most people can hear you can blast a square wave at full power that could easily fill the room, if the door is open you could probably receive it in adjoining rooms. Come to think of it you could probably transmit in parallel on a number of different frequencies as long as they aren't multiples of each other. It wouldn't be gigabit but it would be plenty fast for sending command and control information.
Re:Hoax (Score:4, Informative)
"If you are working with a modern laptop that's not an option. "
Actually, it's a very easy option. Usually the microphone cable (and conveniently, the camera cable if there's a bezel camera) are directly underneath the keyboard. In most non-Apple laptops, that's easy access with just a few underside screws and under-battery screws. And funnily enough, you usually get speaker access while going for those cables anyways, so it's an all-in-one trip maybe involving 8 or 9 screws.
Re:Hoax (Score:4, Funny)
In Space (Score:4, Funny)
Nobody can hear your infected computer's scream.
Re: (Score:2)
Don't forget, HAL also reads lips.
Summary is contradictory. (Score:2)
Giving the C64 Datasette as an example of reliable data transfer has to be the most ridiculous thing I have ever read.
LOAD
PRESS PLAY ON TAPE
?LOAD ERROR
READY.
Was an all-too-familiar message for C64 users. Hell, I managed to type it from memory after 30 years.
Re:Summary is contradictory. (Score:4, Informative)
Re: (Score:2)
Meh - I'll be impressed when I can "write code" by telling my computer what I want it to do, ST:TNG style.
Re: (Score:2)
Isn't that what coding in Prolog is like? You define the problem and the system figures it out for you.
Oh and you get assimilated by the Borg in the process.
Re: (Score:2)
Lol. N00bz.
I remember when 300 baud came out and it was an upgrade.
110 baud ftw.
Re: (Score:2)
n00b, I still have my 110/75 baud acoustic coupler. It's out on my lawn, and I'll thank you both to get off it ;P
Get off my lawn. (Score:3)
I'm using my 45.5 baudot teletype.
Re: Summary is contradictory. (Score:2)
Navy still uses magnetic cores. It's safe from EMPs.
Re: (Score:2)
1200! You were lucky. We used to listen to Satan's wind chimes at 300... and we were glad for it!
Re: (Score:3, Funny)
My first modem was a carrier pigeon, and we liked it.......for dinner.
Smells like BS (Score:3, Insightful)
I don't care how many tweets this guy's posted about, it doesn't pass the sniff test IMO.
Re: (Score:3)
I know Dragos personally. He's not the guy to run an April Fools in October, and he's got too much reputation to lose to bullshit everyone for a few minutes of fame.
Not all THAT impossible (Score:4, Informative)
Found it! (Score:4, Informative)
I didn't believe you at first but: http://hardware.slashdot.org/story/05/01/29/2017244/piezo-acoustic-ipod-hack [slashdot.org]
Plop Plop, Fizz Fizz, Oh What a Hack it is. (Score:4, Funny)
This story is generating a lot of buzz.
First command given: (Score:2)
E-x-t-e-r-m-i-n-a-t-e!
This fails the simplest of tests... (Score:2)
This assumes two airgapped computers, both with compromised BIOS capable of sending and receiving ultrasonic messages from hardware and the ability to infect USB drives.
Therefore, it would be trivial to infect a new machine, and compare BIOS before and after.
It would be further trivial to not only test with and without speakers, but with speaker with a bandpass filter applied.
Why (Score:2)
Re: (Score:2)
Re: (Score:2)
Please, I'm as dumb as a blade of grass and I see why this explanation is hooey. Target is not connected to the network. What on the target got the audio network up and running? Magick? USB stick? That's sneakernet. Nothing? Then the audio on the target isn't talking or listening.
But I'm still trying to figure out where March went to...
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Vacuum Gap (Score:3)
This will never happen if you are running your gear on the Lunar surface.
Just saying...
Re: (Score:2)
Re: (Score:2)
Not sure if meant to make music joke or just misspelling...but if so, bravo.
So you can defeat it by... (Score:2)
What is possible and what is not (Score:2)
Seriously? (Score:2)
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.
This is as far as you need to read. Geez, clearly this virus has infected the system and re-written power management subsystems to utilize the CMOS battery to provide enough juice, probably reprogramming an EEPROM on the I2C system to execute code and infect other systems.
Wa
Re: (Score:3)
Bollocks.
Re: (Score:2)
System was a laptop.
Re: (Score:2)
I was thinking the same thing...then I realized the author of the article probably just did a crappy job of making it clear that he was talking about laptops that had their power cords unplugged to rule out powerline networking and the like. I'm willing to give them the benefit of the doubt on that one, since claiming that an unpowered computer can receive signals from an infected machine is patently absurd.
Re: (Score:2)
Clearly this virus has infected the system and re-written power management subsystems to utilize the CMOS battery to provide enough juice, ...
CLEARLY the article mentioned it was a laptop machine, with a laptop battery in it...
Technology doesn't stop working when it's obsolete (Score:2)
That sounds nuts, but it is a time-tested method of data transfer, after all.
And it can be expected to be a handy way to bypass firewalls far into the future [schlockmercenary.com] as well. B-)
The audio is NOT the infection mechanism. (Score:3, Insightful)
A staggering number of people commenting on this story seem to have failed to read and comprehend this article. There must be a few dozen comments stating that it's impossible to infect a machine with malware via audio. I can't find any mention of this happening in this article. The section that speaks of the communication via sound is referring to two previously infected machines. They are already infected, so now they communicate.
I don't know if this is complete BS or not, but at least read and comprehend the article before pouncing on it and making yourself look like an idiot for not reading it.
Let me get that for you... (Score:4, Informative)
Read the article! (Score:5, Informative)
2) The air gap was on a laptop (with a battery) in a room with potentially infected machines.
3) There never was a claim that a completely clean machine was infected over any method, just that a machine that had been the recipient of a lot of low level cleaning and disabling managed to demonstrate a full reinfection after spending enough time in the proximity of other infected machines.
None of the things asserted here are particularly novel. Infections at all levels, even the BIOS, aren't novel. Mesh networking isn't novel. Acoustic networking isn't novel. The arrangement of them to maximize their effectiveness is the novel part. But in retrospect it is also pretty obvious. Rather than try to code for all the BIOS and OS combinations, and all the OS and device combinations, you code for all the BIOS and device combinations, and then code for all the OS choices in a one-off.
I would be suspicious of the hardware (Score:3)
Just about every sound card (and everything else) in the last ten years has been made in a factory in China. What is to stop the PLA from slipping just this kind of malware into a sound card chip? Maybe they can even activate and update using sounds from a television.
Re: (Score:2)
Why not use IR? you can make nice p2p links, without all that irritating noise.
Hey - it worked for the Romans.
Re: (Score:3)
(Bet it'd drive the dogs absolutely nuts though.)
Now there's an idea... use the dogs as a signal amplification device......
I'll keep it rolling.... (Score:4, Funny)
Is that anything like FidoNet? ;-)
Re: (Score:3)
I think the article is complete bollocks, but simple basic DSP isn't that difficult if you use a simple codec. Hell, even a morse code type system with basic CRC checking wouldn't take more than 16k. It doesn't have to deal with echo (high frequency is rather directional), it doesn't have to deal with doppler (few moving objects), and it's obviously a secondary communications channel.
The thing that gives it away for me is that something could embed so deeply without being detected, as USB and networks are
Re: (Score:2)