Skip

Meet badBIOS, the multi-platform malware that jumps airgaps.
October 31, 2013 10:28 AM   Subscribe


 
I am loving the security threads popping up here over the past few days.
posted by Annika Cicada at 10:34 AM on October 31, 2013


Damn that George Spelvin!
posted by Malory Archer at 10:34 AM on October 31, 2013


These kind of seasonal/humorous hoax articles are not helpful, and actually cause a lot of problems for people who actually have to deal with end-users who don't know that this is a hoax and treat it as real.
posted by Old'n'Busted at 10:35 AM on October 31, 2013 [1 favorite]


Not sure if hoax, or Dragos being Dragos.
posted by Pruitt-Igoe at 10:36 AM on October 31, 2013 [1 favorite]


As far as I can tell it's not a hoax, but I don't think it's true, either.

Some good skeptical discussion of this on HackerNews. Long story short, the researcher in question hasn't posted much evidence to back up his extraordinary claims, and he hasn't done much to rule out more benign explanations. I'd expect more critical reporting from Ars...
posted by bbuda at 10:37 AM on October 31, 2013 [2 favorites]


Arse Technica.
posted by ZenMasterThis at 10:41 AM on October 31, 2013 [3 favorites]


I'm super-skeptical that this is legit. This guy sounds like a crank, and he hasn't presented a shred of evidence.

It's not that this attack isn't theoretically possible -- there's been demonstrations of the networking-over-audio idea a number of times, and also owning-via-USB, and also compromised bioses. But again: no evidence has been presented here, and there should be evidence here if this was legit. Specifically:

* He says he hasn't analyzed the USB traffic because he needs "expensive equipment". That's bullshit; USB protocol analyzers are relatively inexpensive. Saying he hasn't been able to buy one or borrow one for years is like a programmer saying they'd have implemented this algorithm already but a computer is expensive and they can't find one to borrow.

* The theoretical bandwidth for audio-based networking is something like 600 bytes per second. (And I think to get that rate you'd need to send data in using audible frequencies, so you'd hear your speakers squealing like a modem.) That's two seconds for a single TCP packet. It would take quite a long time to distribute anything, especially a virus as sophisticated as the one he's alleging.

* If the "virus" is really communicating over audio, the equipment necessary to detect this is even cheaper: a freaking microphone. He hasn't made any attempt to capture the "networking"; that's super-suspect.

So. I call bullshit.
posted by jacobian at 10:42 AM on October 31, 2013 [18 favorites]


He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.

BeOS 4 LYFE! Security through obsolescence!
posted by filthy light thief at 10:42 AM on October 31, 2013 [9 favorites]


The First Airgap Bender
posted by It's Raining Florence Henderson at 10:44 AM on October 31, 2013 [6 favorites]


Yeah this is fuckin' bizarre.
posted by grobstein at 10:47 AM on October 31, 2013


I'm currently on security-news gathering detail at my job (I work at an internet security VAR, and one of my duties consists of making a daily "newsletter" of links to interesting tech news to keep our sales reps informed.), and as soon as the Ars story appeared in my feed I knew something fishy was up. I might still pass this along as a classic example of a FUD hoax.
posted by Strange Interlude at 10:49 AM on October 31, 2013


Is Halloween the new spooky April Fools now?
posted by Joh at 10:50 AM on October 31, 2013 [2 favorites]


It would be pretty cool if there was an attack that worked over audio. I guess it's possible. There are memory leaks everywhere, right?
posted by grobstein at 10:50 AM on October 31, 2013


This is hilarious. Part of me wants to believe...
posted by Annika Cicada at 10:51 AM on October 31, 2013


I assume it's going to turn out that his network is haunted.
posted by figurant at 10:51 AM on October 31, 2013 [6 favorites]


If you record the audio and feed it into a ZX Spectrum it runs "Horace Goes Skiing"
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 10:52 AM on October 31, 2013 [6 favorites]


I assume it's going to turn out that his network is haunted.

... and the packets were coming from 127.0.0.1 the whole time!
posted by gauche at 10:53 AM on October 31, 2013 [81 favorites]


I can't really take this seriously until someone else duplicates his findings. Given that he thinks he can make USB memory sticks which carry to infection, why hasn't he given copies of it to other researchers?
posted by Chocolate Pickle at 10:54 AM on October 31, 2013


he suspects badBIOS is only the initial module of a multi-staged payload that has has the ability to infect the Windows, Mac OS X, BSD, and Linux

what is the basis for this suspicion exactly
posted by ook at 10:54 AM on October 31, 2013


I was hoping someone would bring this here and analyze it to death. It's showing up on my Facebook feed and I'm seeing a lot of what looks like "Male Agreement Syndrome" (Male Answer Syndrome that needs a Snopes check) about how srs bzns this attack obviously is because of who's reporting it.
posted by immlass at 10:55 AM on October 31, 2013


Looks very fishy to me.

The audio stuff... exactly how is that supposed to work? I can just about imagine it's possible to squirt ultrasound out of a speaker that you wouldn't notice (assuming lots of things that may well not be true), but for a receiver to work the target machine would already have to be infected by something that can configure the audio input. There is no path from microphone to memory otherwise; you can't buffer-overflow with valid code without something there that can decode ultrasonic packets, and that's not functionality already present in any system I know of. You can't subvert something that isn't there.

The rest is so bloody hazy and arm-wavy, and assumes so many things that would be trivial to detect or analyse, that I have no problem in calling BS.
posted by Devonian at 10:57 AM on October 31, 2013


Assuming this is not a deliberate hoax on his part, I think either the gentleman is suffering from an Ailment or he is being gaslighted by co-workers.

Assuming this attack is currently possible as described (e.g. under other than carefully controlled experimental conditions with lots of assumptions) - why would the lizard people deploy their state of the art attack against him rather than a target with valuable intelligence?
posted by Inspector.Gadget at 10:58 AM on October 31, 2013 [5 favorites]


I'm not buying this either. How would an extremely high pitched signal be able to overcome nominal background noise in a room to the point where it can act as an acoustic link?

If you recall the old modems,they had cups around the ear and mouthpieces specifically to block out extraneous noise that would interfere with the signal.

Lastly, wouldn't it drive the animals berserk?
posted by dr_dank at 11:03 AM on October 31, 2013


Isn't it more likely that the program disables the ability to disable the internet connection?
posted by Potomac Avenue at 11:03 AM on October 31, 2013


More from Dragos. Reading this doesn't make me any less skeptical.
posted by notbuddha at 11:04 AM on October 31, 2013


Lastly, wouldn't it drive the animals berserk?

Ha ha ha ha! Shows what you know. Who do you think is behind it? On the Internet, nobody knows you're being h4x0rd by a dog!
posted by It's Raining Florence Henderson at 11:06 AM on October 31, 2013 [8 favorites]


How would an extremely high pitched signal be able to overcome nominal background noise in a room to the point where it can act as an acoustic link?

Especially on laptop speakers, which might even be incapable of producing sound at a normal volume out of the normal 0-20kHz range.
posted by Pruitt-Igoe at 11:07 AM on October 31, 2013 [2 favorites]


Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. . . . "We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch, take off and nuke the site from orbit.'"

It's the only way to be sure.
posted by The Bellman at 11:08 AM on October 31, 2013 [2 favorites]


I'm wondering what the frequency response of a laptop's speakers and microphone is. I'd be surprised if there's much output or sensitivity above, say 8000 Hz or so.
posted by sfred at 11:08 AM on October 31, 2013


wouldn't it drive the animals berserk?

If the owners of cats and dogs haven't updated their security patches lately, it installs on them too. If your dog is difficult to train, it's a sign their brain's been rootkitted. It's harder to tell if your cat's been rootdogged.
posted by Drastic at 11:09 AM on October 31, 2013 [15 favorites]


Aethernet?

The metaphysical connection!
posted by mygoditsbob at 11:10 AM on October 31, 2013 [9 favorites]


I think there are even hardware limitations on the kinds of high frequency sounds that could be output by a card and regular microphones can't generally pick up those frequencies either.

So I'm going with hoax/October-fools at least on the idea of using ultrasound in this case.
posted by delicious-luncheon at 11:11 AM on October 31, 2013 [1 favorite]


If your dog is difficult to train, it's a sign their brain's been rootkitted. It's harder to tell if your cat's been rootdogged.

It's not that hard to tell. Just put him in your scanner. Of course I have no idea how you would get your cat wedged in your scanner. But at least now we know why.
posted by The Bellman at 11:11 AM on October 31, 2013 [13 favorites]


More from Dragos. Reading this doesn't make me any less skeptical.

If he claims a USB stick is a vector for infection, it should be trivial to post a snapshot of its data and let the community investigate, right?
posted by Blazecock Pileon at 11:12 AM on October 31, 2013 [1 favorite]


Joh: "Is Halloween the new spooky April Fools now?"

Once I got to "self healing capabilities" I started to picture a devious AI and then thought HAPPY HALLOWEEN! So, apparently? Because that's the vibe I'm getting. Seems absolutely absurd otherwise. Show us the proof, bring in the forensics experts from outside.

Otherwise it's just a bunch of Cold Fusion wankery style claims.
posted by symbioid at 11:13 AM on October 31, 2013


"Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest," security researcher Arrigo Triulzi told Ars.

I'm sure people said similar things about Hans Reiser in the past, too.
posted by symbioid at 11:15 AM on October 31, 2013 [1 favorite]


"The scary thing about #badBIOS is that only children can hear high frequencies, so IT'S INFECTING OUR KIDS NOW. RUN!" - Twitter


This whole thing is great..

If he claims a USB stick is a vector for infection

He's claiming the device firmware, the "U" that lets the "SB" talk to multiple computers, is infected. It's all very plausible and interesting, but needs way more information from other eyes, otherwise its very 'War of the Worlds'.
posted by anti social order at 11:20 AM on October 31, 2013 [3 favorites]


So, for those of us who don't have the tech know-how to tell if this is hoax-y or not, (and wouldn't that be a douche move if it is) is Ars Technica just a site we should be skeptical of, in general?

Also, is this the kind of thing the Mythbusters guys could help with, or is there not enough exploding for them to be interested?
posted by emjaybee at 11:21 AM on October 31, 2013


If he claims a USB stick is a vector for infection, it should be trivial to post a snapshot of its data and let the community investigate, right?

The claim is that it is not the data on the USB drive, but the firmaware of the USB stick controller that has been compromised.

Also, as far as I can tell, he is not claiming that the audio is an attack vector, just that the audio is being used as a communication/command and control channel.
posted by notbuddha at 11:22 AM on October 31, 2013 [3 favorites]


Lastly, wouldn't it drive the animals berserk?

So if your dog starts barking at your PC, or your cat's hair stands on end and it runs away hissing, that means your PC is possessed pwned by the forces of darkness?
posted by acb at 11:22 AM on October 31, 2013



He's claiming the device firmware, the "U" that lets the "SB" talk to multiple computers, is infected. It's all very plausible and interesting, but needs way more information from other eyes, otherwise its very 'War of the Worlds'.


An infected USB stick doesn't have to be a dumb file store with an AUTORUN.INF or anything so crude. It can have a microcontroller programmed to imitate a few gadgets with known buggy drivers on Windows/OSX/Linux, wait for the OS to helpfully install the driver and then pwn it through a buffer overrun or something. And at the same time, it can pretend to be an innocent and completely empty Flash drive as well, as USB allows multiple endpoints.
posted by acb at 11:24 AM on October 31, 2013 [6 favorites]


"Works when the power cord is unplugged" == hoax, or free energy.
posted by Old'n'Busted at 11:25 AM on October 31, 2013 [1 favorite]


This pretty much sounds like a mental breakdown to me. Especially the parts where he sends supposedly infected files to various people and they turn out to be 100% identical to the clean ones, as discussed in the Hacker News link upthread.
posted by ymgve at 11:26 AM on October 31, 2013


I've known about this since it was called RickRolling.
posted by srboisvert at 11:27 AM on October 31, 2013 [2 favorites]


I'm typing on a computer with the power cord unplugged. It's called a laptop.
posted by fings at 11:27 AM on October 31, 2013 [6 favorites]


"Works when the power cord is unplugged" refers to the laptop running on battery power. This was done to eliminate the possibility of receiving data over the power line, which has been done.

Also, as a few people have pointed out, the claim that data is being sent over audio channels was not a claim that it was infecting computers through the microphone. He claims two already infected machines were communicating this way.
posted by Peccable at 11:27 AM on October 31, 2013 [1 favorite]


"Works when the power cord is unplugged" == hoax, or free energy.

Or, laptop.
posted by ymgve at 11:27 AM on October 31, 2013 [3 favorites]


Yeah, I have actually toyed with the audio end of this hypothesis - and I'm a home-studio music nut with audiophile speakers and really good mics. I think that the "infected via speaker" hypothesis is maybe bunk.

But I would be less surprised if the Windows disc itself carried the infection straight from the pressing plant, and it was, I dunno, running an overvoltage somewhere on the mobo to broadcast data over RF and fake up a wifi connection. Yeah, I know that the foregoing sounds like it came out of a '90s Neal Stephenson novel but it's a tiny bit more plausible than infection by ultrasonic broadcast decoded by pinhole speaker.
posted by BrunoLatourFanclub at 11:31 AM on October 31, 2013 [3 favorites]


This guy sounds like a crank, and he hasn't presented a shred of evidence.
This is not entirely true. I agree that the symptoms as described in the Ars article are pretty goofy, but Dragos is a pretty well-known dude in the security world and he has involved a lot of big names in the community now via Twitter. He has shared some data (infected USB sticks and dumps of procmon output) although a lot of people would like to see more information. There are claims that the BIOS is thwarting attempts to read or write to its data (which is certainly technically possible), but it is relatively trivial to pull the flash memory and get dumps of its content.

He also isn't claiming, as many here seem to think, that machines can infect themselves with the speaker microphone trick -- just that machines already infected use this to communicate. This is certainly technically possible, I've seen it demonstrated, but it is unclear that it offers practical value.

In any event, as more and more heavy hitters get drawn into the analysis, this will pretty quickly get dismissed as a hoax and his reputation will be trashed or people will be able to confirm it for themselves.
posted by Lame_username at 11:33 AM on October 31, 2013 [3 favorites]


So, this is like some kind of ... ghost in the machine? Right? Right? Spooky-scary!And a sci-fi anime reference!
posted by filthy light thief at 11:33 AM on October 31, 2013 [1 favorite]


Upon further investigation this is not real do not believe the lies of this man Drago.
posted by Potomac Avenue at 11:36 AM on October 31, 2013


I made a program once that let computers in the office whisper to each other. It was more of a presence detection than a data transfer channel. It used very lower power spread spectrum techniques in the audio band (I basically copied the signal coding used in GPS).

If you put your ear up to the speaker, the signal sounded like faint white noise. You'd never notice it playing on your computer because it sounded just like the background hiss of any cheap computer speaker. Even with sophisticated audio analysis, I doubt you'd find the signal. You'd probably just blame your motherboard's crappy built-in sound chip.

This nigh-undetectable spread spectrum hiss was enough to do presence detection between different rooms 75 feet apart in a noisy office with the HVAC running, San Francisco rush-hour traffic right outside, etc. I'm sure I could have sent tens of bits per second anywhere in the building using this technique.


That said, none of this works unless you have the software already installed on the target machine. I think this article is a hoax / paranoid.
posted by ryanrs at 11:37 AM on October 31, 2013 [13 favorites]


I wonder if it's the software equivalent of Percival Lowell's Martian canals - a trained professional straining too hard to find marginal data, seeing patterns that aren't really there.
posted by Kevin Street at 11:37 AM on October 31, 2013


Upon-------------------------------------------------------

------------------
------------------
------------------------------------------------------
------------------------------------------------------
------------------
------------------
------------------
------------------------------------------------------
------------------
------------------------------------
------------------


----------------------------
--------------
----------------------------
-

------------------------------------seen with your own eyes dont trust them they

------------------
------------------------------------------------------
------------------
------------------
------------------
------------------
------------------------------------further investigation this is not real do not believe the lies of this man Drago.
posted by Potomac Avenue at 11:39 AM on October 31, 2013


The claim is that it is not the data on the USB drive, but the firmaware of the USB stick controller that has been compromised.

So if he claims that a USB stick is a vector for infection, it should be trivial to post a snapshot of its data (firmware and main storage) and let the community investigate, right?
posted by Blazecock Pileon at 11:43 AM on October 31, 2013


well, you use software to make snapshots like that, right

and software runs on operating systems, usually the one on the computer that's getting compromised...
posted by LogicalDash at 11:47 AM on October 31, 2013


is Ars Technica just a site we should be skeptical of, in general?

No, generally they're quite good.
posted by Chocolate Pickle at 11:49 AM on October 31, 2013 [1 favorite]


> I agree that the symptoms as described in the Ars article are pretty goofy,


The best part of this is that they really aren't. This site has the bullet list and its not... impossible.

>it should be trivial to post a snapshot of its data

If you assume this list above is true, how do you get a clean snapshot?
posted by anti social order at 11:50 AM on October 31, 2013


Nobody's ever infected a computer over its power supply. Power line communications needs a lot of custom hardware.

Spread spectrum comms over audio is an intriguing idea, Doubtless if Drago had heard of it, he'd be saying it was that instead of ultrasound; however, although the comms channel would be stealthy the overhead of generating and receiving it is not - it's computationally intensive - ryanrs, what was your experience here?

But regardless of every other factor in this untestable, infeasible, story, there's the small question of who would produce such a thing, and why would it be confined to Drago's lab for years and years? We know how much effort went into Stuxnet, which is far less sophisticated in key areas than this thing - not cross-platform, used understood attack vectors - and the reason it was produced. We also know that because it was so good at infection, it ended up in all sorts of places that were not its intended target.

The implausibility meter is pegged.
posted by Devonian at 11:51 AM on October 31, 2013 [1 favorite]


So if he claims that a USB stick is a vector for infection, it should be trivial to post a snapshot of its data (firmware and main storage) and let the community investigate, right?

But how? The claim is merely inserting the infected USB drive (not even mounting it) infects the computer that the drive is inserted into. At that point, the system lies to you about what is on the drive.

If this were true, the only way to get at that data would be to plug the USB drive into a system that it can't infect, and he doesn't seem to have found one yet. That, or to build out a custom reader that fools the stick into thinking it is a normal USB connection and records the interaction. Or probably one of several other methods.
posted by notbuddha at 11:51 AM on October 31, 2013 [1 favorite]


There's a reason I don't want neural implants.
posted by symbioid at 11:51 AM on October 31, 2013 [1 favorite]


I knew it was a hoax when someone said they ran OpenBSD.
posted by wenestvedt at 11:57 AM on October 31, 2013 [9 favorites]


"Nobody's ever infected a computer over its power supply. Power line communications needs a lot of custom hardware."

Agreed, but at that point it looks like he had physically removed all the wireless networking hardware and was just about to remove the speakers and microphone, which also don't have a history of transmitting infections. Seems like he had exhausted all the more plausible options.
posted by Peccable at 11:58 AM on October 31, 2013


But how? The claim is merely inserting the infected USB drive (not even mounting it) infects the computer that the drive is inserted into. At that point, the system lies to you about what is on the drive.

Then you desolder the firmware and put it in a dedicated flash memory reader. I'm 100% certain no malware has ever been created that infects flash memory readers.
posted by ymgve at 11:58 AM on October 31, 2013 [2 favorites]


If this were true, the only way to get at that data would be to plug the USB drive into a system that it can't infect, and he doesn't seem to have found one yet.

Shouldn't any Linux kernel without kernel module capabilities and with only the lowest-level USB drivers (i.e., the ones that allow user-space programs to speak the protocol in unprivileged mode) be able to do it? Plug the drive in, enumerate what it claims to be, and perhaps pretend to be an unpatched Windows XP box to see what it does.

As for extracting the firmware from the flash drive without its cooperation, is that possible? I'm guessing consumer-level flash drives don't have JTAG headers and, if it's possible to reprogram the firmware on them to add hidden features, it'd also be possible to program them to not respond to further reprogramming attempts.
posted by acb at 11:59 AM on October 31, 2013


"...there's the small question of who would produce such a thing, and why would it be confined to Drago's lab for years and years?"

He's a security consultant, so the virus presumably came from the infected machine of a client. And if it is real, then it's been out there in the wild for at least three years. He's just the first person to notice.
posted by Kevin Street at 12:00 PM on October 31, 2013 [1 favorite]


Aethernet?

Nay, entirely attributable to the influence of phlogiston.
posted by rdone at 12:01 PM on October 31, 2013 [10 favorites]


it's computationally intensive - ryanrs, what was your experience here?

Ha ha, it uses a lot of cpu if you're doing your signal processing in a hacked together python script.

Generating the signals is super easy since you can precompute a couple parts and mix them together for playback. Receiving the signal after you've locked on to it is not too bad. Searching for the signal though can be computationally intensive, although I'm not sure you'd notice it in a modern system unless you're looking for it. I suspect you could hide the cpu load, maybe.

The signal processing routines needed for decoding the audio are some of the first things you implement if you're putting together a GPGPU or SSE signal processing library (convolution and correlation and such). I imagine Windows has built-in software libraries that can accelerate it quite well. Mac OS certainly does.
posted by ryanrs at 12:06 PM on October 31, 2013


emjaybee: So, for those of us who don't have the tech know-how to tell if this is hoax-y or not, (and wouldn't that be a douche move if it is) is Ars Technica just a site we should be skeptical of, in general?

Chocolate Pickle: No, generally they're quite good.

Yes, Ars Technica is one of the best outlets for detailed technology reporting, stripped of (most of the) hype and shilling found on other tech sites. To find this article there, I give the topic a bit more credit. Note that the author, Dan Goodin, notes that badBIOS is something of an urban legend, likened to Bigfoot, so he's clearly skeptical, too.
posted by filthy light thief at 12:08 PM on October 31, 2013 [1 favorite]


I think people are misreading the whole audio networking 'thing". He is absolutely not claiming that you can infect machines that have been "air-gapped" by using the device's audio system.

The idea seems to be that an air-gapped machine that's already been infected - by other means - can connect to the network and greater internet by creating an ad-hoc audio network with other machines that are already infected. So even "safe" machines can theoretically transmit data back to a server somewhere if they're sitting in a room with another network-enabled infected machine. These machines can also continue to be controlled, modified, and re-secured by the black hat infecting them.

So if you really want to have a safe air-gap, you need to keep a machine in a sound-proof room, preferably also EM-isolated?
posted by Nutri-Matic Drinks Synthesizer at 12:11 PM on October 31, 2013 [1 favorite]


Morgellons now infects computers?
posted by justkevin at 12:15 PM on October 31, 2013 [20 favorites]


Just the other day I saw some whiskers on my motherboard's silicon...
posted by symbioid at 12:16 PM on October 31, 2013 [5 favorites]


Wait - is Drago the guy whose son was kidnapped by the Russian Mafia or whatever?
posted by symbioid at 12:18 PM on October 31, 2013


Nevermind - that was Kaspersky.
posted by symbioid at 12:19 PM on October 31, 2013


The call is coming from inside the faraday cage!
posted by blue_beetle at 12:23 PM on October 31, 2013 [6 favorites]


The USB stuff could only work if the USB stick responded to the standard initiation protocol with something that immediately subverted the USB interface chip in a way that then managed to insert code into main memory.

That may be possible for one particular system, after an awful lot of work, although I'm not aware of any reports. But it would be extremely dependant on - among other things - specific bugs in the USB controller chip, the details of its interface through to the main memory bus, the OS itself, and so on. The idea of a universal system that somehow manages to reliably do this on many different platforms with many different USB interface chips is vastly implausible. It would also be very amenable to detection by a number of feasible approaches; just watching the USB bus with a reasonably capable digital storage scope (which cost hundreds, not thousands, of dollars these days) and decoding the initial packets by hand would reveal the attack in maybe a couple of hours of work.

There's also the small issue of infecting other USB sticks, which are also very diverse and do not in general have complex controllers with big attack surfaces. You can find some very interesting work online with people hacking SSD and hard drives to create storage peripherals that subvert their hosts through disguising what's in the storage or detecting forensic analysis attempts and sending false returns: these are very dependant on the precise details of the storage device itself and the presence of quite a lot of smart hardware there which isn't, again as far as I'm aware, present in bog standard thumb drives.

So the whole thing seems dependant on conflating some 'possible in the lab' attack vectors and extrapolating well past the point where the assumptions inherent in those vectors cease to apply. And then making it all far, far stealthier than the basic physics of IT hardware would allow.

Ryanrs - it was the correlation part I was thinking about (yes, of course you can pre-compute anything at leisure and play it out with no particular computation requirements). How much CPU did your system need, and how did it work in the very non-real-time environment of an otherwise functioning mainstream OS? I'm of the opinion (not having implemented anything like this myself) that the timing requirements are really quite strict, and quite small errors severely degrade the channel - what was your lock-up time?
posted by Devonian at 12:28 PM on October 31, 2013 [1 favorite]


For some reason I always thought firmware in small, cheap stuff like USB sticks was saved once, at the factory, on read-only memory chips. If the USB 1.0/2.0 standards are stable (I think?), why would you even want to offer upgradable firmware?
posted by slater at 12:34 PM on October 31, 2013


So if you really want to have a safe air-gap, you need to keep a machine in a sound-proof room, preferably also EM-isolated?

Why not just disconnect the mic and/or speakers?
posted by Foosnark at 12:42 PM on October 31, 2013


Devonian, I recorded the audio to a file, then processed it offline. This wasn't a nicely polished app; this was me learning about GPS signals by experimenting in the audio band.

I'm pretty sure a modern systems could search and decode the signal without much difficulty. It's a tradeoff between processing time, correlation time, signal-to-noise ratio, how shitty your USB microphone's clock is, etc. There isn't a hard threshold for the amount of cpu you need.

People were running winmodems on Pentiums in the late 1990s, so I don't think this kind of audio processing is going to run into major CPU bottlenecks. If you're looking at available CPU resources as a reason this technique won't work, well that's not true.
posted by ryanrs at 12:44 PM on October 31, 2013


Virus Alert !!!!!!!!!!!!!!

If you receive an e-mail with a subject of Badtimes, delete it immediately WITHOUT READING IT. This is the most DANGEROUS e-mail virus ever.

It will rewrite your hard drive and scramble any disks that are even close to your computer. It will recalibrate your freezer's coolness setting so all your ice cream melts. It will demagnetize the strips on all your credit cards, screw up the tracking on your VCR, and use subspace field harmonics to render any CDs you try to play unreadable.

It will give your ex-boy/girlfriend/ex-husband/wife your new phone number. It will mix antifreeze into your fishtank. It will drink all your beer and leave its socks out on the coffee table when company comes over. It will put a kitten in the back pocket of your good suit and hide your car keys when you are late for work.

Badtimes will make you fall in love with a penguin. It will give you nightmares about circus midgets. It will pour sugar in your gas tank and shave off both your eyebrows while dating your current boy/girlfriend behind your back and billing the dinner and hotel room to your Visa card.

It moves your car randomly around parking lots so you can't find it. It will tease your dog. It will leave strange messages on your boss's voicemail in your voice. It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve.

Badtimes will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of methamphetamine in your bathtub and leave bacon cooking on the stove while it goes out to chase high school kids with your snowblower.

These are just a few of the signs. Be very, very afraid!
posted by Cookiebastard at 12:45 PM on October 31, 2013 [17 favorites]


Metafilter: it goes out to chase high school kids with your snowblower.
posted by wenestvedt at 12:48 PM on October 31, 2013 [2 favorites]


Virus Alert !!!!!!!!!!!!!!

Don't worry guys, Weird Al is on it.
posted by sparklemotion at 12:52 PM on October 31, 2013


It will make a batch of methamphetamine in your bathtub and leave bacon cooking on the stove while it goes out to chase high school kids with your snowblower.

BreakingBadTimes
posted by Apocryphon at 12:54 PM on October 31, 2013 [3 favorites]


Foosnark: "So if you really want to have a safe air-gap, you need to keep a machine in a sound-proof room, preferably also EM-isolated?

Why not just disconnect the mic and/or speakers?
"

What if it decides it needs to drop a dope rhyme? We would deprive the world!
posted by symbioid at 1:01 PM on October 31, 2013 [1 favorite]


All hail to the wacky--and more-or-less tech-savvy--MeFites! A most interesting and entertaining thread.

Truly the best of the Web. . . after all these years
posted by rdone at 1:04 PM on October 31, 2013


No, I'm not saying it's not possible - I'm sure it is, I was there when winmodems rose and fell - but that it's not possible to do it stealthily in real time on a standard PC with no hardware assist. That there's plenty of CPU on a modern machine, sure, especially ones with all the nice SSID DSP-esque instructions that have been included to decode high bandwidth video streams without shooting the pooch. It's just that I suspect there's a gotcha there to do with determinism and sample acquisition latencies across the chain that would need a lot more work in reality than could be hidden from view. Malware isn't in general computationally intensive.

I ask because I'm really intrigued by the possibility of using spread spectrum in audio. I've always loved spread-spectrum; it seems truly magic, and I've seen demos of things like a receiver with a tiny opto-diode locking on to a slowly pulsing tiny LED barely visible across a large, brightly-lit room. You're the first person I've seen mentioning it, and I'd love to know if it's really feasible as a stealthy comms system in a compromised PC.
posted by Devonian at 1:04 PM on October 31, 2013


Finally, a reason to clean up the confusion surrounding 'airgapped'. To truly stop these terrible hyper-sonic communications, computers will have to be handled in vacuum and no one will ever be confused again.

Except by the rest of the article.
posted by Slackermagee at 1:05 PM on October 31, 2013


He tweeted that he can't provide much more detail as he is getting ready to leave for PacSec, which is in two weeks. Maybe there will be some answers after that.
posted by exogenous at 1:11 PM on October 31, 2013


The best part of this is that they really aren't. This site has the bullet list and its not... impossible.
I agree. The list isn't goofy because its impossible, its goofy because it is just barely possible. Many of the attack vectors have been discussed as theoretical possibilities, they just haven't been seen in the wild. Dragos would have us believe that not only has someone succeeded in building a viable exemplar of three or four spectacular new hacks, but that they did it three years ago and no one else has ever seen it and he never got around to mentioning such an extraordinary attack until now.

Dragos is more than smart enough not to claim he's something that is simply impossible. As I mentioned earlier, it has now snowballed to such an extent that we are likely to have clarity one way or another before very long. He apparently has a vast collection of borked USB sticks which he believes to be the infection vector and has distributed at least two of them that I've heard of, so people should be able to replicate his results very soon.
posted by Lame_username at 1:16 PM on October 31, 2013 [1 favorite]


Determinism and latency are irrelevant because this is not two-way communication, therefore there is no required response time. As long as you can record audio without dropping packets, you should be fine. I would do my recordings during the day so I would get a reasonable cross section of typical office noise. I did the analysis later on the weekend while tinkering with the code.

Whatever latency constraints you are thinking of must arise from the communication requirements of the malware, not the spread spectrum techniques themselves. If one infected machine wants to send 1kb to another infected machine, who's to say it's not ok if the second machine records 5 minutes of audio then chews on it slowly for the rest of the day?
posted by ryanrs at 1:16 PM on October 31, 2013


Meanwhile.

Cyber criminals are planting chips in electric irons and kettles to launch spam attacks, reports in Russia suggest.
http://www.bbc.co.uk/news/blogs-news-from-elsewhere-24707337
posted by usagizero at 1:18 PM on October 31, 2013 [2 favorites]


I thought the spooky story on today's installment from the Daily WTF was a better read, actually
posted by radwolf76 at 1:20 PM on October 31, 2013 [1 favorite]


C:\>It puts the lotion on its skin.exe > lpt1

posted by blue_beetle at 1:23 PM on October 31, 2013 [2 favorites]


The list isn't goofy because its impossible, its goofy because it is just barely possible.

Well, I mean, if a jack o' lantern can be made to send text messages, anything is possible!
posted by wenestvedt at 1:28 PM on October 31, 2013


Well, quite. You can communicate almost anything over almost any channel, if you're freed from constraints of useful bandwidth or latencies. But that's a bit like saying any Turing machine can do anything that any other Turing machine can do - true, but largely useless (see Turing Tarpit). There has to be an assumption that any sort of stealth comms channel exists to do something useful that can't be done better any other way.

Perhaps you'd want to steal a 1024-bit key, say, and slowly hop it out of a secure zone via infected PCs that were in earshot of each other but were otherwise unable to communicate. That seems unreasonable. It's more reasonable, perhaps, to arrange for all infected PCs to constantly broadcast sensitive yet small amounts of data in an area where you're going to be at some point with your smartphone, so you can sample the audio environment and then decode the stuff at your leisure. Or even more plausible, that are running near a telephone that you can ring up and engage your mark in lengthy conversations from afar, all the while recording the background noise.

At this point, the idea is probably good enough to plug into the plot of a SF techno-thriller. So, thanks for that!
posted by Devonian at 1:29 PM on October 31, 2013


Hrmm, psychoacoustic audio compression on cellphone and skype links would mask the spread spectrum signal. You really do want an uncompressed recording.
posted by ryanrs at 1:37 PM on October 31, 2013


As to the question of whether or not a USB device can talk to an OS agnostic host and transmit data, in the USB spec, there is a protocol for DFU, or Device Firmware Upgrade, which is implemented in the USB spec. Notedly a lot of device manufacturers DO NOT actually conform to this spec (this is why sometime you get USB devices that do not work with certain types of computers), but if the device is generic enough and they just implemented the USB spec "to spec", then there is a chance that they did. Most host manufacturers do implement the USB DFU, because it is a 2 way communication between the device and the host, since you need a host to be able to write the upgrade to the device, or, you might need the host to pull the firmware form the device (or have the device push it's firmware to the host), and this is implemented at the chip level communication, meaning before it is passed to the OS. To detect this data, you would need a non-host based USB protocol analyzer. I do not know of any off the top of my head, but I do know that the devices exist and are probably not cheap (niche market and all that). But for the most part, I think the heavy lifting of getting a USB device to infect a host computer, agnostic of the host OS is quite feasible. You do not have to be able to write to main memory. You just need to be able to reach the host BIOS NVRAM store. I don't know that you'd be able to alter the BIOS while the system is booted, but upon reboot, you can very easily rewrite the NVRAM of the BIOS (this is how most BIOS firmware updates occur anyway).

The issue could be limited if a BIOS password is enabled on the host computer prior to connecting the infected USB drive. That would make it impossible for the host NVRAM to be overwritten without entering the BIOS password. But, well, almost no one does that (except maybe some corporate IT that is extremely security conscious, or government agencies, but even then, there are ways around BIOS firmware passwords using specialized tools).
posted by daq at 1:40 PM on October 31, 2013 [1 favorite]


Also, the audio networking is more of a bell and whistle, versus anything really interesting.

What I am curious about is whether the infected hosts can transmit IPv6 data over network hardware that has IPv6 turned off or blocked. That would be an interesting trick.
posted by daq at 1:41 PM on October 31, 2013


It's IT Morgellons.

I've been in the "industry" for 20 years and that Ars article just screams BS and FUD.
posted by mrbill at 1:55 PM on October 31, 2013


ryanrs, please tell me you have a github repo with your code.

This story reminded me of the time I discovered that the air-gapped PCs used to burn the master images for all 20th Century Fox Blu-rays were both infected with a virus (via USB thumb drives, of course). That was a nervous few minutes of proving to myself to some degree of confidence that the end result wouldn't be infected.
posted by jjwiseman at 1:56 PM on October 31, 2013


Daq - hes saying the host would still use IPv6 with the network protocol disabled or the network adapter disabled. Not that a router/firewall on the network would pass IPv6 traffic from an infected host when otherwise configured to block it. the first is a simple issue for any rootkit or hypervisor type malware to pull off. The second is a bit more far-fetched.

>there are ways around BIOS firmware passwords using specialized tools

assuming any of this is true, this would suggest to me that the creators of the "badbios" had access to or assistance from the hardware designers and manufacturers. For the sake of that argument, remember the NSA and their involvement in weakening various crypto standards is well known. The US has already had public hearings regarding the threat of Chinese manufacturers doing near-impossible to detect hardware back doors. Not implausible its already being done by someone.

>He tweeted that he can't provide much more detail as he is getting ready to leave for PacSec, which is in two weeks

this, of all of it, is the biggest red flag in the story. If true, this is an amazing find, and yet he's sitting on it.
posted by anti social order at 2:06 PM on October 31, 2013 [2 favorites]


The thing that I don't get is: why?

The options are "Legit, Liar, Lunatic" to paraphrase a Mr Lewis.

1) He's straight up lying. Why? To punk a whole industry? To besmirch his name? To go out with a bang of some sort? It's... odd.

2) Lunatic... He's starting to lose his grip on reality and either seeing patterns that aren't there or people are pranking him and making him "go crazy" (see gaslamp theory someone posited earlier in thread)

3) Legit. The most seemingly implausible. Yet, because of his rep it almost seems like maybe just maybe it is legit.

Personally I'm going with 2. But I think the fact other researchers are trying to investigate gives me comfort to know that there's someone else trying to sort this out.
posted by symbioid at 2:08 PM on October 31, 2013 [1 favorite]


Annika Cicada: "I am loving the security threads popping up here over the past few days."

Well, methinks it is due to all the NSA crap, and the MeFi crowd tending to skew high in intelligence, IT skills, and love of freedom, civil rights, and privacy to enjoy said freedom and civil rights.

I could just be full of crap as usual, though.
posted by Samizdata at 2:19 PM on October 31, 2013


Ryanrs - you don't call over Skype or mobile, you use POTS. In fiction, you can arrange such things easily enough...

As for the DFU stuff - I've only seen this on portable devices, and you have to explicitly enter DFU mode by holding down buttons and suchlike at switchon. Are there really PCs out there that will silently use DFU to flash their BIOS from a USB stick at power-up (let alone when powered up, just when the stick is plugged in)? I've never seen one, and a quick canter around Google can't find any.

If there are, then this is a very serious security hole and I'm astonished it hasn't been used before!
posted by Devonian at 2:36 PM on October 31, 2013


Maybe he's being lied to. The client he has hoaxed him by providing an elaborate proof-of-concept prototype virus. Happens to the best of us.

I really don't like how the discussion both here and on HN jumped to conclusions about his state of mind, likening him to John Nash. From what I've read, Dragos hasn't accused anyone of being the mastermind behind the virus.
posted by Apocryphon at 2:37 PM on October 31, 2013


It is completely possible that a virus could use audio to exfiltrate data. It doesn't make sense to me though, since I think only a government would have the capability to pull this off (with zero-days for many platforms and bioses) and secure government machines would never ever have microphones or speakers. My guess would be that this dude is confusing a lot of little problems for an attack.
posted by miyabo at 2:53 PM on October 31, 2013


Hmm, here's one way that comes to mind: When enumerated by BIOS, the device enumerates as storage + keyboard. The keyboard sends a sequence of keystrokes designed to enter the flashing process in as many BIOSes/EFIs as possible, and the storage holds a bunch of images.

The subverted BIOS doesn't respond to any of these keyboard sequences, and some other trick is used to not enumerate the keyboard when talking to a booted OS (USB HID has a separate "boot keyboard" protocol, but I don't recall the details or know whether modern BIOS/EFI have the limitations that led to the design of the special Boot Keyboard spec) (USB HID spec version 1.11 Appendix F)

Of course, I think most BIOS/EFIs are now signed, so you've also got to have stolen the signing keys or have a signature-evading exploit, so maybe this isn't a good attack vector.

And FWIW put me in the camp who thinks that whatever's actually going on with the so-called badBIOS is not as interesting as how it's been presented. But I'll still be looking forward to any updates.
posted by jepler at 3:03 PM on October 31, 2013


If you read carefully, none of the claims are, technically speaking, impossible.

Unfortunately poor writing, combined with fantastic claims, make it far too easy to write this off as a hoax, while not examining the claims made.

USB dumps (which can be done for as cheaply as $1200) have not been provided, nor has the full BIOS been dumped to provide concrete proof, is most damning to the veracity of these claims.
posted by fragmede at 3:05 PM on October 31, 2013 [2 favorites]


I'm in total agreement with Lame_username: "Many of the attack vectors have been discussed as theoretical possibilities, they just haven't been seen in the wild."

There have been many BlackHat/ShmooCon/OHM/etc talks that are just waiting to be weaponized. Things like Thunderbolt/Firewire, HDD controllers, USB fuzzing, laptop batteries, or even malicious chargers. Combination attacks like Stepping P3wns have been demonstrated that move from printers to VOIP phones to routers to computers.

I've been experimenting with EFI and DMA attacks over Thunderbolt and it is truly horrifying how poorly implemented the security is when devices are connected to the internal busses. Makes me want to fill every I/O port with epoxy, encase the computers in concrete, dump them in the river and go back to pencil on paper. And even then I'm not sure about the pencils.
posted by autopilot at 3:15 PM on October 31, 2013 [9 favorites]


I like the enumerate-as-keyboard idea, but it would be very obvious what was happening to any observer and the chances are slim that you'd hit the right magic for any particular PC before you sent the wrong stuff with random but harmless and obvious results. Even if you did, BIOS flashes are quite noisy with progress bars, warnings and other admirable outputs to screen, and I can't see offhand how to suppress that. It also doesn't address the problem that there's no standard way to change how a USB device enumerates, so replication to $randomkey remains a very high hurdle.
posted by Devonian at 3:21 PM on October 31, 2013


It's possible Dragos wants to meet with his client to give them some advance notice before he releases this THING onto the internet. There will be certain kinds of people reverse engineering it once it appears, and Dragos is the kind to have opinions on who should get a head start.
posted by LogicalDash at 3:21 PM on October 31, 2013


The story led off with our guy noticing an unexpected EFI update, didn't it? That's what made me think of deliberately triggering the update process via simulated keystrokes...
posted by jepler at 3:29 PM on October 31, 2013 [1 favorite]


It did, but curiously only the once. It's like Star Trek, where the Random Big Thing from each episode has absolutely no effect on any subsequent episodes.

Also, as you point out, it's rather a big clue to a very obvious line of enquiry.
posted by Devonian at 3:40 PM on October 31, 2013


If this isn't a prank, then why publicize it today? If that was Dragos's choice to call attention to it today, then it makes me call shenanigans. If it was Ars Technica's choice to finally get around to publishing the article today, after following Dragos's tweets for a few weeks/months, then they just did him a major disservice.
posted by Joh at 4:01 PM on October 31, 2013


Why the assumption that they've been following all along, perhaps they saw it the past couple days then followed up on it to tell the story that apparently has been going on for a while, it doesn't mean they were with it from the beginning.
posted by symbioid at 4:03 PM on October 31, 2013


One distinction that needs to be made -- from my reading he's claiming this infects off the shelf usb drives. Obviously if you have a micro controlled computer emulating a usb device (e.g. linux + gadget stack, though you could imagine a much more lightweight implementation) that would require a usb drive that's fairly custom. A lot of the attacks people are discussing above (thunderbolt, power, etc) are mostly cases (all? I haven't read all of them...) where there is a smart device emulating a usb stack, not a dumb usb device ferrying data.

If you have a computer emulating a usb stack a lot more things are possible in terms of anti-forensics and exploitation, but as I said, I don't think that's what he's claiming here.
posted by yeahwhatever at 4:32 PM on October 31, 2013


Thinking aloud, news management is a real thing, yes? And we live in a time when some tinfoil-hatted theories are proving truer than expected. That said, not sure anyone would benefit from popularising an extreme and discreditable idea as a mucky brush with which future factual examples of electronic espionage could be smeared.

Story also reminds me that when everything was super-quiet my old PC could be heard making a noise right on the edge of hearing which was like the classic old modem/tape-loading screech. Not really a hardware person, so always put it down to dodgy internals (network card too close to speaker? hard drive dying again?) or something analogous to that weird psychological phenomenon that makes people hear phantom ringtones. Perhaps even tinnitus. Amusing to think of it as actual audio shenanigans.

"COMPUTER OVER. VIRUS = VERY YES"
posted by comealongpole at 4:51 PM on October 31, 2013 [1 favorite]


This has been boiling under for a couple of days; his Google+ page was linked to on Hacker News briefly and then disappeared.

It's pretty weird though. That he doesn't have any hard evidence beyond "these fonts files are slightly larger than they ought to be!" make it pretty hard to believe. Extraordinary claims, etc. Especially its apparent ability to infect everything but its only apparent effects are weird, like certain .ru sites "returning 404"? Can't you poke your way through the network stack* and work out what's going on? Why haven't you dumped the firmware of an affected thumbdrive yet? Or one that's been bricked by being pulled out halfway through being "infected"? Just buy two identical thumb drives and diff their firmwares. It's been three years. FedEx the thumb drive to a friend with the right hardware to do it. And so on.

Honestly if it were a plot of a TV show I would, first, be briefly impressed that they had done their homework making it pseudo-believable, and second, not actually believe it.

*handwaving


PS if this has been around for three years+, it's not that much newer than Stuxnet which was beyond anything anyone had seen at the time. So that's weird, because if all his claims are true, it's way way way beyond Stuxnet.
posted by BungaDunga at 5:14 PM on October 31, 2013


From a technical point of view, there are a number of things here that don't add up (to me). Whether this is an intentional hoax (if so he's been building at it for at least a few weeks), or some form of mental health breakdown I can't really say, but I was skeptical when I saw his G+ discussion a couple of days ago, and this article just makes me moreso.

* If I were writing a stealth communication channel over UHF audio, I would -not- hook it into the TCP/IP stack directly, which seems to be what is implied by the discussion of "packets" being sent and received until the speaker and mic were disconnected. (Maybe I'm reading too much in there, but...)

* A seasoned infosec researcher claims to have been investigating something like this for 3 years, but hasn't bothered to grab a $400 USB analyzer?

* Claiming that code to infect multiple classes of hardware and multiple operating systems can fit in the controller EEPROM of a stock USB flash drive seems ... dubious. (Plus I would even question if the controller code of most flash drives is actually re-programmable in that fashion. True SSDs, sure, but bog-standard thumb drives?) Of course, there is the main memory memory of the flash drive but I question if that could be used for bytecode storage. (Probably, now that I think about it.)

* Why not get second opinions for some of the claims -before- disclosure?

I'm not a hardware InfoSec guy - I live in software and network worlds - but I travel in some of these circles, and there's a lot here that just doesn't hold up IMO.
posted by jferg at 5:36 PM on October 31, 2013


yeahwhatever, not all of the attacks are "smart device[s] emulating a usb stack, not a dumb usb device ferrying data" -- many of them modify normal existing controllers (like the multi-core ARM in the HDD, or the option ROM in the gigabit ethernet adapter). And as more modern devices get shoe-horned into smaller packages we've ended up with video cables that have full ARM CPUs built literally into the cable housing. Things that we don't think of as "smart" have become programable and potential attacks vectors.
posted by autopilot at 5:44 PM on October 31, 2013 [1 favorite]


Yeah, but as far as I can tell, he's claiming the attack is spread via USB drive, thus hopping the air gap. I'm just trying to point out that -that- device is likely dumb. I fully agree that a bunch of device we think of as traditionally dumb now have cpus in them and are liable to infection.
posted by yeahwhatever at 6:05 PM on October 31, 2013 [1 favorite]


Oh yeah, and the font thing on a Windows machine isn't as crazy as it sounds because fonts are rendered in ring 0. Because Reasons That Totally Make Sense.

For example: http://cansecwest.com/slides/2013/Analysis%20of%20a%20Windows%20Kernel%20Vuln.pdf
posted by yeahwhatever at 6:13 PM on October 31, 2013 [7 favorites]


Yeahwhatever - that document is priceless. Hey, let's build a Turing-complete interpreter in ring 0 and let anyone feed it any sort of unchecked data, because we've got hardware memory protection and thus nothing can go wrong. And lets put this data structure it uses right next to the main page descriptor tables. It'll go really fast.

After all, it's only fonts. Fonts are harmless. Pass the bong...
posted by Devonian at 7:15 PM on October 31, 2013 [6 favorites]


Here is what I don't understand-- why is it supposed to be an amazing that that this virus transfers via USB? It's not like viruses that propagate via removable media are a new invention. My collection of pirated Amiga games got absolutely wrecked by a floppy-transmitted virus in like 1989. If you're plugging USB drives into your 'air-gapped' computer, you're no longer safe.
posted by empath at 8:43 PM on October 31, 2013


empath - Because they're claiming it's doing it in an OS agnostic way not via autorun or similar. With autorun disabled plugging a USB drive should be -mostly- safe. And the reasons it's historically been unsafe has been from usb stack vulnerabilities which would be OS specific (for example, a malformed file that executed code on icon rendering). Dragos is claiming there is an OS agnostic rootkit which is installing itself via USB and without hitting the host OS, which while possible would indicate a firmware/hardware exploit. This, if true, would be the first public confirmation of a rootkit using these techniques.
posted by yeahwhatever at 11:24 PM on October 31, 2013 [1 favorite]


This is a hoax. Further investigation is unwarranted.

There is no need to unplug your microphones from your computer.
posted by NSA at 11:30 PM on October 31, 2013 [13 favorites]


I think this is a hoax. Why would something so sneaky that it can creep around in the BIOS and peripheral firmware reveal itself so blatantly by disabling CD-booting and registry editing?
posted by cosmic.osmo at 12:05 AM on November 1, 2013 [1 favorite]


I think my laptop has a virus that transforms my witty, informed and relevant metafilter comments into barely coherent non-sequiturs. On my ipad, it's probably just auto-correct.
posted by empath at 12:41 AM on November 1, 2013 [1 favorite]


Slightly better writeup, which also brings up the three choices symbioid enumerated.
posted by fragmede at 12:10 PM on November 1, 2013 [6 favorites]


I haven't read fragmede's link yet (and look forward to doing so, because I repect ErrataSec), but this post: http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

touches on some of the more questionable aspects of the original article.
posted by jferg at 2:01 PM on November 2, 2013


We got mentioned in this article!
posted by symbioid at 8:10 AM on November 5, 2013


Increasingly, people I know and respect are saying that they are unable to replicate his claims on any of the data he has provided thus far, including people that initially defended him. He continues to stick with his story, suggesting that it isn't a hoax, but either he went off the rails a bit or no one has yet cracked the code.
posted by Lame_username at 9:14 AM on November 6, 2013


« Older oh gosh oh gosh oh gosh   |   A Freeform Chicken-Flavor Explosion Newer »


This thread has been archived and is closed to new comments



Post