Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate 265
Hugh Pickens DOT Com writes "Dan Goodwin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused and he also found that the machine could delete data and undo configuration changes with no prompting. Next a computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"
Complexity, Resources and Skill. Could it be...? (Score:5, Interesting)
A certain alphabet agency that's been in trouble for tapping all kinds of folks lately? Or are they too clueless to put together a monster like this?
1. You'd have to write a boot loader that a) loads your bare-metal-level sound and microphone driver, networking driver, sonic network protocol, and payload.
2. You'd have to write the forementioned a) bare-metal-level sound and mic drivers. Network drivers that might as well be bare-metal, implement a sonic network protocol, and then get them to successfully transmit your payload.
3. You have to TEST this combo on many different machines.
We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.
You were all warned about this malware for years (Score:4, Interesting)
But people just beat their chest and ridiculed the people posting, locking and shuffling threads or in some cases on commercial antivirus forums, deleting threads and moving them to hidden sections or trashed them altogether.
I believe this is a huge conspiracy which has been going on for years. People in malware forums have been shouting from the rooftops about this but no one wanted to listen.
What you overlooked and should have read:
1. Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
http://anonymous.livelyblog.com/2012/10/05/nobody-seems-to-notice-and-nobody-seems-to-care-government-stealth-malware/ [livelyblog.com]
2. Spy agency ASIO are hacking into personal computers
http://anonymous.livelyblog.com/2013/01/13/spy-agency-asio-are-hacking-into-personal-computers/ [livelyblog.com]
3. Will security firms detect police spyware?
http://anonymous.livelyblog.com/2013/09/17/will-security-firms-detect-police-spyware/ [livelyblog.com]
And several PDF files on blackhat pages, forums, and conferences.
These attacks against non-networked computers runs deep - some changes are so subtle and appear to blend into normal black box Windows activities people overlook them. Read article #1 which includes the sad state of malware detection on *nix.
When you Google enough for firmware, PCI, AGP, BIOS, sound card malware, SDR, FRS, and why some distros autoload the ax25, rose, and netrom modules by default (including TAILS, check it for yourself with lsmod), it is quite unusual. Why would a distribution like TAILS need hamradio modules? They're in there, too, in addition to the ax25, rose, netrom modules. Batman mesh networking is included in TAILS too.
People repeat the same mantra: the only safe computer is a non-networked computer. This is a lie. The truth is, an entirely shielded TEMPEST room with no network connections and shielding down to every piece of the computer is the best test environment, but who is going to take such precautions? Is the shielded computer in the shielded room bound for other locations outside of this safe room?
Wikileaks have released Spy Files, listing many companies developing malware to root your box beyond detection often aimed at Governments and Military sources. These secret communications are no secret, and some have been detected via FRS, but that's only one source out of many.
It's definitely possible... (Score:4, Interesting)
As the Ars article points out, the individual pieces needed to do all this have already been proven over the years.
Here's why it makes even more sense to me.
A military minded person cannot allow threats to exist anywhere. If anyone anywhere has a weapon that they don't, they must immediately take steps to duplicate it, and defend against it.
Now take that mindset, combine it with a large team of military hackers. Now every single exploit ever publicly disclosed becomes a checkbox on a list somewhere. As a recent Snowden leak story showed, 0-day vulnerabilities have been purchased by the government. We can be sure they run the largest honeypot networks in existence and immediately dissect every new worm, root kit and exploit that touches them.
Every theoretical exploit must be tested for feasibility, turned into a proof-of-concept and then packaged as a tool.
And all that $$ and hacker power is under the command of someone who wants turnkey solutions and "kill switches" for everything.
So it's definitely possible that such tools exist. But why would he be a target? I dunno, maybe someone wants advance notice on what the presenters at upcoming security conferences might be talking about so they can Barnaby Jack them?
Sometimes people will claim something they strongly believe already exists in order to motivate people to look for it and find their proof. Sometimes they get lucky and proof is found, other times they get exposed for it. I hope he's wrong, I really want him to be wrong, but part of me believes it's real because it's definitely possible. After all, if it's just a few years out, then "they" have had it for a decade or more.
Re: So? (Score:5, Interesting)
I work for a company specializing in this tech on mobile devices. It's startlingly reliable but very low bandwidth.
Check out Yamaha Infosound, Sonic Notify, and LISNR for real world uses.
Re:Complexity, Resources and Skill. Could it be... (Score:5, Interesting)
"You have to TEST this combo on many different machines."
I'm calling hoax as fuck on this whole thing, but for just your microphone and speakers, the majority of laptops are using RealTek. Bare metal for that shouldn't be too hard to handle, as the driverset remains the same across all AC97 models and HD models. Two compliant bare-metal drivers shouldn't be too hard to fit in. Now, transmitting over ultrasonic is a whole different beast, and to do this through a supposedly truly airgapped room via noise should be impossible, as real airgaps will easily kill those frequencies.
Re: BUNCH OF CRAP !! (Score:2, Interesting)
Hey buddy its real. The bandwidth of this type of communication is low but the hardware will do it. The startup I work for is focused on transmitting data through high frequency audio and we're not the only ones.
Case studies include Yamaha info sound, Sonic Notify, and LISNR.
The only reason I'd doubt this story is because the bandwidth is less than 300 bits per second in most implementations I've seen.
Re:BUNCH OF CRAP !! (Score:2, Interesting)
> Sure they can. Maybe not very efficiently, and not far above the range of human hearing, but they are analog devices, so there is no sharp cutoff at some limit.
To explain a little more: The requirement for mic/speaker on a Mac is to generate/record audio in the audible frequency range in high quality. To have high quality on the high end of that spectrum, you'll have to use a mic/speaker that will still work at yet higher frequencies (read: ultrasonic), with decreasing quality the higher you go.
So in the ultrasonic range you do have a working mic/speaker with mediocre quality. Add: ... and you have a working network link.
- filters to compensate for different output volume at different frequencies (sorry -- missing the technical terms here)
- detection for frequencies that should better be avoided because the signal/noise ratio is too bad
- error detection/correction on the digital side
- retransmission of lost packets
Re:What a load of complete rubbish! (Score:5, Interesting)
You can also add, a pre-existing infection in hardware into the mix. The extra electronic component fitting into the hardware at the manufacturers that doesn't do what you expect it to do but rather simply carries a payload that it uploads into the system. You can fit an awful lot of data into a pretty small easily concealable chip but you would want to maintain some pretty surreptitious communication methods to hide the presence of that chip. The best place by far to do this stuff is always going to be at the manufacturers.
In that case, the best place for security is at the manufacturers, so essential infrastructure, local audited manufacture on all hardware otherwise you are just guessing whether it is secure or not. Hell, the chip could be embedded within a layer actually inside the motherboard completely invisible, picking up connections as they go through the mother board. Once you can insert and or substitute stuff inside the manufacturers with the use of secret do not tell warrants under threat of treason, anything at all is possible.
Re:What a load of complete rubbish! (Score:5, Interesting)
It all depends on what timespan you have. All you need to do is to emit sounds that are quite inaudible or at least indistinguishable from high frequency noise that we have been trained to accept (PWM noise from LCD brightness control etc). If you have plenty of time, you can reduce your bitrate heavily in the handshaking step, basically looking for just a few bits of signature in a very wide span of frequencies and encodings. When you have a basic channel, you can tell your counterpart what SNR you are getting and successively tune the channel.
You would never want this for regular networking with any kind of latency demands. If you are rather just trying to get a specific updated payload across at some point, with any number of retransmissions, then I find it quite believable.
Re:BUNCH OF CRAP !! (Score:4, Interesting)
Pretty sure the Mac can be set to record and playback af 48k samples per second.That gives you at least 4kHz of bandwidth above the limits of human hearing right there. With modern encodings, that's probably good for around 20kbps.
Re:May be an attack via the network controller. (Score:2, Interesting)
Update: Intel vPro seems to have known vulnerabilities -- announced at Black Hat conference 2009, matching the time when he first noticed something fishy?
http://news.softpedia.com/news/Intel-vPro-Hacked-101286.shtml
I also suspect that it's not USB or "ultrasonic networking", it's someone with access to his network... vPro allows remote access any time when the machine has an IP address via DHCP.. even when the machine is powered off. Removing ALL standby power from the laptop (=the battery), for the purpose of removing mic&speaker cables, might result in losing the wlan IP address and making it appear like removing the mic&speaker cables had an effect?
Re:BUNCH OF CRAP !! (Score:4, Interesting)
Are you paying attention? A speaker is an analog device. It doesn't have a "cutoff", it has a frequency response curve. Speakers typically used in laptops are quite small, so tend to perform better at higher frequencies than lower ones. Typically I'd guess they're +/- 3dB between 200Hz and 15kHz, with more attenuation outside of that range. Better ones (as might be fitted to a Mac) might manage to stay within +/- 3dB between 100Hz and 20kHz.