topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Friday December 13, 2024, 6:12 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: badBIOS revisited - it is possible to bridge the airgap after all  (Read 7728 times)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
This topic came up in an earlier DoCo post started by Renegade here.

puppy.png

It's a far cry from being a viable vector for in-the-wild malware. But researchers in Germany have apparently developed a 'proof of concept' piece of malware that can bridge the "air gap" between unconnected PCs at distances up to 65 feet using the internal speakers and microphone found in most modern laptops - with longer distances possible using an acoustic mesh network made up of previously infected machines.

Full ArsTechnica write-up here.

Scientist-developed malware covertly jumps air gaps using inaudible sound
Malware communicates at a distance of 65 feet using built-in mics and speakers.


by Dan Goodin - Dec 2 2013, 2:29pm EST

Computer scientists have developed a malware prototype that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.

The proof-of-concept software—or malicious trojans that adopt the same high-frequency communication methods—could prove especially adept in penetrating highly sensitive environments that routinely place an "air gap" between computers and the outside world. Using nothing more than the built-in microphones and speakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals.

Interesting reading. Especially some of the more knowledgeable comments attached to the main article.

Check it out! 8)
« Last Edit: December 03, 2013, 02:15 PM by 40hz »

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #1 on: December 03, 2013, 06:00 PM »
Nice find.

With a higher bandwidth, it might be interesting to use as an alternative network :)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #2 on: December 03, 2013, 06:27 PM »
^Yeah. My thoughts exactly. An acoustic mesh network sounded intruguing - and useful

 8)

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #3 on: December 03, 2013, 08:57 PM »
Could we practice injecting into the network by voicce? ;)

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #4 on: December 03, 2013, 09:01 PM »
Could we practice injecting into the network by voicce? ;)
How about with a whistle?  Maybe a nice cheap one from a box of crunchy sugar-laden cereal...
vi vi vi - editor of the beast

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #5 on: December 03, 2013, 09:26 PM »
Is that a historical reference?  Perhaps it's actually doable as may be it's doubtful humans can produce the necessary sounds with their in-born equipment :)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #6 on: December 03, 2013, 10:03 PM »
@x16wda- LOL! Worked for Mr. Draper (aka Cap'n Crunch). It could work for us!  ;D

--------------------

Is that a historical reference?

You betcha! Look here.

john_draper.jpg

John Draper - THE Man! :Thmbsup:
« Last Edit: December 04, 2013, 06:37 AM by 40hz »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #7 on: December 04, 2013, 07:17 AM »
Zoiks! 20bps is a lot more respectable a speed than previously thought. Even with a high overhead you can still pack a lot of sneaky in a pipe that size.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #8 on: December 04, 2013, 09:29 AM »
Zoiks! 20bps is a lot more respectable a speed than previously thought. Even with a high overhead you can still pack a lot of sneaky in a pipe that size.

Yup. Something small. Maybe a fork bomb such as [# {‘s -m (){ :| :& };:] y'know?

(Note: I pooched the above string. It's purely for illustration purposes. It doesn't run as is. :P)


Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #9 on: December 04, 2013, 11:44 AM »
Zoiks! 20bps is a lot more respectable a speed than previously thought. Even with a high overhead you can still pack a lot of sneaky in a pipe that size.

Yup. Something small. Maybe a fork bomb such as [# {‘s -m (){ :| :& };:] y'know?

(Note: I pooched the above string. It's purely for illustration purposes. It doesn't run as is. :P)

So...I wonder how many watch lists I'm on now for googling that?? :D ...Not really a "Linux Guy" so the term didn't ring a bell right away.

There are actually some much shorter variants on that theme ... that I may play with this evening using a VM as a target.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #10 on: December 04, 2013, 12:19 PM »
There are actually some much shorter variants on that theme ... that I may play with this evening using a VM as a target.

Knock yourself out...or just blow some poor VM off the face of the earth. I sure did when I first learned about that sort of exploit! ;D

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #11 on: December 06, 2013, 03:45 PM »
First time I played with a fork bomb, I turned it loose on a benchtop machine. Poor old Sparc-powered Sun4U, the linux load was up to 2600 and it was still stable. A sign? Maybe.

What interests me is how it is able to infect other machines on the other side of the airgap. Somehow I don't think most computers routinely check their microphones for incoming data, let alone execute data recorded from the air.

You would have to first breach the airgrap, but once you did you could control stuff across it.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #12 on: December 06, 2013, 04:01 PM »
What interests me is how it is able to infect other machines on the other side of the airgap. Somehow I don't think most computers routinely check their microphones for incoming data, let alone execute data recorded from the air.

Correct. The problem is primarily on machines that do have (and leave) the microphone enabled. The paper mentioned Skype and related users. But any infection that availed itself of this concept would not need to be limited to acoustic communications. It merely adds yet another vector for infection (as you noted) to the palette of methods we're already familiar with.

For example, suppose you could infect a machine in the usual way (i.e. wire, wireless, media, download), and covertly enable the sound system to transmit keystroke data. And also have the microphone listening for an "I'm listening" signal from a zombie routing machine to start playing it. Then that same zombie device could start recording and transmitting your keystrokes elsewhere via whatever network it's connected to for analysis and possible later use.

It's not so much what this can do now. But give it some time. Just sitting with some of my "in the biz" cronies, we came up with a few dozen viable ideas. That was without even trying. And none of us are real hacker types. Just imagine what the real professional 'naughty folks' will come up with.
 8)

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #13 on: December 09, 2013, 11:01 AM »
(see attachment in previous post)
John Draper - THE Man! :Thmbsup:

This guy looks like he protected his PCs from this acoustic malware by blaring the Grateful Dead at loud volumes while he was computing.

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: badBIOS revisited - it is possible to bridge the airgap after all
« Reply #14 on: December 09, 2013, 09:21 PM »
I'll stick with Motorhead for my malware protection.   :D
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.