Hear that? It's the sound of BadBIOS wannabe chatting over air gaps

LANs-free prototype mimics notorious rootkit

Computer scientists have brewed up prototype malware that's capable of communicating across air gaps using inaudible sounds.

The prototype, a mesh network whose nodes talk to each other covertly with no wired or wireless network connection at all, was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems for robust underwater communication.

In the system, communications can be maintained over multiple hops, for purposes including managing malware-infected machines, as the abstract of the pair's paper in a recent edition of the Journal of Communications explains. The researchers go on to outline possible countermeasures against such fiendish malware, including lowpass filtering to keep high-frequency sound out of systems' audio input and output.

Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilises audio modulation/demodulation to exchange data between the computing systems over the air medium.

The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilising the near ultrasonic frequency range.

We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications.

Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analysing audio input and output in order to detect any irregularities.

The two German researchers explain how their proof-of-concept malicious code can use a computer's built-in sound card, speakers and microphone as transmitter and receiver, passing information from one infected node to the next, provided the bot systems are within about 20 metres of each other.

They continue:

Two computers that are not connected to each other via established types of network interfaces (e.g. IEEE 802.3 Ethernet [2] or IEEE 802.11 WLAN [3]) or that are prohibited from communicating with each other over these established types of network interfaces are, nevertheless, able to communicate with each other by using their audio input and output devices (microphones and speakers).

The method achieved a painfully slow speed of just 20 bits per second. That is nonetheless workable for a keylogger, since keystrokes are only a byte or so apiece, provided there's no external interference in the band.

The possibility of malware that can communicate between air-gapped machines, or worse still, spread onto them, is a nightmare scenario for those in charge of otherwise well designed ultra-secure networks (think some military systems, power plants etc). Why? Because a "covert acoustical mesh network" is invisible to the well-established security measures organisations typically rely on, which watch the network interfaces rather than the audio hardware, and disabling the audio components is not always feasible.
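The channel described above, reduced to its essentials as an added example (this is not Hanspach and Goetz's code, whose stack is adapted from an underwater modem, nor anything from The Register): a pure-Python 2-FSK modem that keys two near-ultrasonic tones at the 20 bit/s the article reports and decodes them with the Goertzel algorithm, plus the two countermeasures the abstract names, a host-based monitor that flags audio whose energy sits above 17 kHz and a lowpass filter on the audio path that lets audible sound through and strips the tones. The 48 kHz sample rate, the 18/19 kHz tones, the 17 kHz detection band, the 16 kHz cutoff, the squelch threshold and the 440 Hz "cover" tone mixed in as ordinary audio are all assumptions chosen for the demo, not values from the paper.

```python
import math

SAMPLE_RATE = 48_000                         # Hz; a common sound-card rate (assumption)
BIT_RATE = 20                                # bit/s; the throughput the article reports
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE    # 2400 samples: one bit per analysis window
F_ZERO, F_ONE = 18_000.0, 19_000.0           # Hz; near-ultrasonic tones for 0/1 (assumption)
SQUELCH = (0.05 * SAMPLES_PER_BIT / 2) ** 2  # Goertzel power of a 0.05-amplitude tone; below it, no carrier


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def modulate(data, amplitude=0.5):
    """Continuous-phase 2-FSK: one tone per bit, phase carried across bit boundaries."""
    samples, phase = [], 0.0
    for bit in bytes_to_bits(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(phase))
            phase += step
    return samples


def goertzel_bin_power(block, k):
    """|X[k]|^2 of the block's DFT at bin k via the Goertzel recurrence (no full FFT needed)."""
    coeff = 2 * math.cos(2 * math.pi * k / len(block))
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_power(block, freq):
    return goertzel_bin_power(block, round(len(block) * freq / SAMPLE_RATE))


def demodulate(samples):
    """Decode bytes from one-bit windows; None if a window carries no tone above SQUELCH."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[i:i + SAMPLES_PER_BIT]
        p0, p1 = tone_power(block, F_ZERO), tone_power(block, F_ONE)
        if max(p0, p1) < SQUELCH:
            return None                      # carrier lost: the receiver gives up
        bits.append(1 if p1 > p0 else 0)
    return bits_to_bytes(bits)


def mix_with_audio(samples, freq=440.0, amplitude=0.3):
    """Constructed 'cover' audio: an audible 440 Hz tone added on top of the covert signal."""
    return [s + amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n, s in enumerate(samples)]


# Countermeasure 1 (the paper's host-based IDS idea): flag audio whose energy sits above 17 kHz.
def high_band_fraction(block, low=17_000, high=20_000):
    """Share of the window's energy in [low, high] Hz (Parseval: sum|x|^2 = (1/N) sum|X[k]|^2)."""
    n = len(block)
    total = sum(x * x for x in block)
    if total == 0:
        return 0.0
    k_lo, k_hi = math.ceil(n * low / SAMPLE_RATE), math.floor(n * high / SAMPLE_RATE)
    band = sum(goertzel_bin_power(block, k) for k in range(k_lo, k_hi + 1))
    return (2.0 / n) * band / total          # x2: only the positive-frequency bins are summed


def looks_like_acoustic_channel(samples, threshold=0.5):
    """True if any bit-length window puts more than `threshold` of its energy in the near-ultrasonic band."""
    return any(high_band_fraction(samples[i:i + SAMPLES_PER_BIT]) > threshold
               for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT))


# Countermeasure 2 (the paper's lowpass idea): filter the audio path so the tones never reach the air.
def lowpass(samples, cutoff=16_000.0, taps=65):
    """Hamming-windowed-sinc FIR lowpass; 18-19 kHz lands in its stopband (roughly -50 dB)."""
    m = taps // 2
    fc = cutoff / SAMPLE_RATE
    h = [(2 * fc if i == m else math.sin(2 * math.pi * fc * (i - m)) / (math.pi * (i - m)))
         * (0.54 - 0.46 * math.cos(2 * math.pi * i / (taps - 1))) for i in range(taps)]
    gain = sum(h)
    h = [c / gain for c in h]                # unity gain at DC and across the audible passband
    padded = [0.0] * m + samples + [0.0] * m  # zero-pad so the output stays aligned with the input
    return [sum(c * s for c, s in zip(h, padded[i:i + taps])) for i in range(len(samples))]


if __name__ == "__main__":
    covert = mix_with_audio(modulate(b"hi"))
    print("decoded:", demodulate(covert), "flagged:", looks_like_acoustic_channel(covert))
    clean = lowpass(covert)
    print("after lowpass:", demodulate(clean), "flagged:", looks_like_acoustic_channel(clean))
```

The squelch is the part worth noting: 2-FSK decides each bit by comparing the two tones, so a filter that merely attenuates both equally leaves the decision intact. A filter only defeats the channel if it pushes the tones below the receiver's absolute power floor, which is why the lowpass here has its cutoff well below the tones and the receiver refuses to decode below SQUELCH.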

The type of malware outlined by the researchers bears an uncanny resemblance to features of the BadBIOS malware said to have afflicted machines run by computer security researcher Dragos Ruiu.

Dubbed BadBIOS, the mysterious rootkit can supposedly jump over air gaps, screw with a number of different operating systems, and even survive motherboard firmware rewrites. Ruiu (AKA @dragosr) – who organises the popular annual Pwn2Own hacking contest at the CanSecWest conference – said he had come across the malware after it infected his computers, but nobody else has seen it. The Register asked Ruiu about his progress in looking into BadBIOS on Tuesday but had yet to hear back at the time of writing.

Adam Kujawa, a security researcher at antivirus firm MalwareBytes, reckons the research shows that it's possible for malware-infected machines to chat to each other across an air gap. But he's far from convinced any infection is possible via the method. He suggests it is far more practical to use an infected USB stick for a targeted attack against an air-gapped network, the presumed method the ultra-sophisticated Flame cyber-munition used to spread. Flame was reportedly cooked up under the same US-Israeli Operation Olympic Games programme that spawned Stuxnet.

"My theory is that this technology could be used to provide targeted malware a means of external communication for contact with a command and control server," Kujawa writes in a blog post. "The infected system would receive commands from the server and assuming that the initial infection on the covert system was via USB drive, perhaps the malware could store stolen data on the USB.

"That data would be sent out later once the USB is able to be plugged into an outward-facing system. This is similar to how Flame worked when extracting sensitive data from closed-off networks," he added. ®
