Hear that? It's the sound of BadBIOS wannabe chatting over air gaps

LANs-free prototype mimics notorious rootkit

High performance access to file storage

Computer scientists have brewed up prototype malware that's capable of communicating across air gaps using inaudible sounds.

The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems for robust underwater communication.

In the system, communications could be maintained over multiple hops for purposes including managing malware-infected machines, as the abstract of a paper for a recent edition of the Journal of Communications explains. The researchers go on to outline possible countermeasures against such fiendish malware, including shielding systems from exposure to high frequency sounds.

Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilises audio modulation/demodulation to exchange data between the computing systems over the air medium.

The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilising the near ultrasonic frequency range.

We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications.

Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analysing audio input and output in order to detect any irregularities.

The two German researchers explain how their proof-of-concept malicious code can use a computer’s built-in sound card, speakers and microphone as sending and receiving devices to move information from one infected node to another in similarly compromised machines, providing bot systems are within 20 metres of each other.

They continue:

Two computers that are not connected to each other via established types of network interfaces (e.g. IEEE 802.3 Ethernet [2] or IEEE 802.11 WLAN [3]) or that are prohibited from communicating with each other over these established types of network interfaces are, nevertheless, able to communicate with each other by using their audio input and output devices (microphones and speakers).

A painfully slow speed of just 20 bps was achieved using the method but nonetheless it might be workable for a keylogger, providing there's no external interference.

The possibility of malware that can communicate over air-gapped machines, or worse still, spread onto them, is a nightmare scenario for those in charge of otherwise well designed ultra-secure networks (think some military systems, power plants etc). Why? Because a "covert acoustical mesh network" wouldn't respond to any of the well-established security measures typically taken by organisations, and disabling the audio components is not always feasible.

The type of malware outlined by the researchers bears an uncanny resemblance to features of the BadBIOS malware said to have afflicted machines run by computer security researcher Dragos Ruiu.

Dubbed BadBIOS, the mysterious rootkit can supposedly jump over air gaps, screw with a number of different operating systems, and even survive motherboard firmware rewrites. Ruiu (AKA @dragosr) – who organises the annual popular Pwn2Own hacking contest at the CanSecWest conference – said he had come across the malware after it infected his computers but nobody else has seen it. The Register asked Ruiu about his progress in looking into BadBIOS on Tuesday but have yet to hear back.

Adam Kujawa, a security researcher at antivirus firm MalwareBytes, reckons the research shows that it's possible for malware-infected machines to chat to each other across an air gap. But he's far from convinced any infection is possible via the method. He suggests it is far more practical to attempt to use an infected USB stick for a targeted attack against an air-gapped network, the presumed method the ultra sophisticated Flame cyber-munition used to spread. Flame was reportedly cooked up under the same US-Israeli Operation Olympic Games programme that spawned Stuxnet.

"My theory is that this technology could be used to provide targeted malware a means of external communication for contact with a command and control server," Kujawa writes in a blog post. "The infected system would receive commands from the server and assuming that the initial infection on the covert system was via USB drive, perhaps the malware could store stolen data on the USB.

"That data would be sent out later once the USB is able to plugged into  an outward facing system. This is similar to how Flame worked when extracting sensitive data from closed-off networks," he added. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.