Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate

Posted by samzenpus
from the protect-ya-neck dept.
Hugh Pickens DOT Com writes "Dan Goodin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu, one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused, and he also found that the machine could delete data and undo configuration changes with no prompting. Next a computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting, and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping-off point to infect a variety of operating systems with malware that can't be detected.
It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"

  • Dupe (Score:5, Informative)

    by Anonymous Coward on Friday November 01, 2013 @12:39AM (#45297421)

    http://tech.slashdot.org/story/13/10/31/1955239/ars-cross-platform-malware-communicates-with-sound

    • Re:Dupe (Score:4, Insightful)

      by phantomfive (622387) on Friday November 01, 2013 @12:44AM (#45297443) Journal
      It even has the exact same link! What is the point of having the 'main link' put in the submission form if you're not going to check it?
    • by richlv (778496)

      wow. this is a new low. a dupe while the first one is still on the first page. maybe it's time to downscale to weed and alcohol.

    • Anyone who identifies a dupe can be moderated +6 awesome for 7 days.
      Anyone who submits a dupe is automatically modded -1 for 7 days.
      Karma bonus for both memory over a week, and reading comprehension. And fuck dice for ruining what once was mediocre.

      • by cdrudge (68377)

        Anyone who identifies a dupe can be moderated +6 awesome for 7 days.

        Great. So then we'll have a race to be more annoying than "Frist P0st!".

    • Re:Dupe (Score:5, Funny)

      by istartedi (132515) on Friday November 01, 2013 @02:02AM (#45297721) Journal

      Give them a break. Somebody made a funny noise in their office and now all their machines are infected with SlashDupeW32.exe.

    • by Hentes (2461350)

      It's so infectious, it's already reproducing on Slashdot.

    • It's not a dupe, it's a ghost. whooooo whoooo BOOO!

  • Dupe (Score:5, Insightful)

    by Anonymous Coward on Friday November 01, 2013 @12:43AM (#45297433)

    Is it really SO hard to get rid of dupes that are less than 24 hours old? You seriously call yourself editor if you don't even manage to get those basic things straight?

  • So? (Score:5, Insightful)

    by Anonymous Coward on Friday November 01, 2013 @12:47AM (#45297457)

    Bust out an oscilloscope and a logic analyzer and start looking at these signals. It shouldn't be hard to get a waveform capture of the audio running over the speaker and the handshake between a USB device and the host.

    • by scdeimos (632778)
      ^^ This. You beat me to it.
    • But be sure to use oxygen-free copper cables and - many people get this wrong - remember that top quality cables are directional.

  • by Bonker (243350) on Friday November 01, 2013 @12:50AM (#45297473)

    A certain alphabet agency that's been in trouble for tapping all kinds of folks lately? Or are they too clueless to put together a monster like this?

    1. You'd have to write a boot loader that a) loads your bare-metal-level sound and microphone driver, networking driver, sonic network protocol, and payload.

    2. You'd have to write the aforementioned a) bare-metal-level sound and mic drivers. Network drivers that might as well be bare-metal, implement a sonic network protocol, and then get them to successfully transmit your payload.

    3. You have to TEST this combo on many different machines.

    We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.

    • by jrumney (197329) on Friday November 01, 2013 @12:54AM (#45297487) Homepage

      We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.

      You've discounted the most obvious option - an attention whore who isn't averse to making shit up.

    • by retech (1228598)
      You can say NSA we're all adults (sic) here. Besides they have a hard time spelling so you're just as likely to not be flagged.
    • by dbIII (701233)

      Or are they too clueless to put together a monster like this?

      From the various leaks it appears that such a thing is technology far beyond what the NSA is capable of. After that Star Trek set thing it's starting to look like the Albanian State Washing Machine Company is far more capable in dealing with technology.

      • by Hartree (191324)

        What? You didn't know that the NSA was really a front for the Albanian State Washing Machine Company?

        They've been running the world all along.

    • "You have to TEST this combo on many different machines."

      I'm calling hoax as fuck on this whole thing, but for just your microphone and speakers, the majority of laptops are using RealTek. Bare metal for that shouldn't be too hard to handle, as the driverset remains the same across all AC97 models and HD models. Two compliant bare-metal drivers shouldn't be too hard to fit in. Now, transmitting over ultrasonic is a whole different beast, and to do this through a supposedly truly airgapped room via noise should be impossible, as real airgaps will easily kill those frequencies.

      • by tibit (1762298)

        An air gap merely means that no network or other data cables cross it. It doesn't mean keeping things physically away!

      • by jrumney (197329)

        the majority of laptops are using RealTek

        Did you sample your office full of identical models from the same manufacturer to come up with that statistic?

        Dell laptop here (so not an unusual brand), using an audio codec from IDT.

    • by tibit (1762298)

      For an engineer with embedded programming experience, this shouldn't be that big of a deal. The challenge isn't only in coding it up, it is also in looking up and comprehending possibly vast documentation needed to pull it off. The code, presumably, runs in system management mode [wikipedia.org] on x86 machines.

  • by thesupraman (179040) on Friday November 01, 2013 @01:02AM (#45297511)

    What is being 'proposed' is NOT anything infecting through the speaker/microphone, but a pre-existing infection (that was probably USB based) then communication through these methods - a VERY VERY different thing.

    The hype and BS layers need to be peeled off this.

    There is no possible infection vector via microphone/speaker, or via power cord as semi-implied (unless you had a powerline modem..), it is simply a way to get data out of the airgapped but INFECTED machine to others that may not be airgapped.

    The 'solution' here is simple, remove the infection! there is more to security than just network airgapping!

    Time to go back to security 101.

    • by rtb61 (674572) on Friday November 01, 2013 @03:35AM (#45297929) Homepage

      You can also add, a pre-existing infection in hardware into the mix. The extra electronic component fitting into the hardware at the manufacturers that doesn't do what you expect it to do but rather simply carries a payload that it uploads into the system. You can fit an awful lot of data into a pretty small easily concealable chip but you would want to maintain some pretty surreptitious communication methods to hide the presence of that chip. The best place by far to do this stuff is always going to be at the manufacturers.

      In that case, the best place for security is at the manufacturers, so essential infrastructure, local audited manufacture on all hardware otherwise you are just guessing whether it is secure or not. Hell, the chip could be embedded within a layer actually inside the motherboard completely invisible, picking up connections as they go through the mother board. Once you can insert and or substitute stuff inside the manufacturers with the use of secret do not tell warrants under threat of treason, anything at all is possible.

  • by Anonymous Coward

    April Fools Day is five months away. Come back and repost this then.

    • Nope. It's perfectly posted on Halloween. I read this just as Jamie Lee was stabbing Michael Myers with a hanger pokie, but this story had already raised about 80% of the hair on the back of my neck.

  • by Black Parrot (19622) on Friday November 01, 2013 @01:16AM (#45297557)

    Where, exactly, were these "packets" flowing when the networking cards were removed?

    Are they UDP or TCP?

    How long does it take you to download a movie over your speaker?

    • by Jeremi (14640)

      How long does it take you to download a movie over your speaker?

      Assuming a movie is 2GB and the data can be transferred at phone-modem speeds (say 57kb/sec), about 3 days.

      Of course, nobody was suggesting transmitting a movie via sound waves; malware (and/or the data it wants to exfiltrate) would be much smaller than that.

    • by AmiMoJo (196126) *

      The suggestion is that even air gapped machines that are infected can still leak information to network connected machines via audio. In future air gapped machines need to have their speakers disconnected or maybe just uninstall/disable the audio drivers.

    • by coofercat (719737)

      Surely you'd want to download a movie through your camera, not your speaker, wouldn't you? ;-)

  • by Animats (122034) on Friday November 01, 2013 @01:30AM (#45297597) Homepage

    I read the original article, but I don't see any part where someone recorded what was going out the speaker and looked at it. If someone is sending data over audio, it will show on a scope. Clearly that's not going to do much unless the receiving side has some kind of modem code listening for it.

    Then there are claims like "It seemed to send TLS encrypted commands in the HostOptions field of DHCP packets." Attacking via DHCP packets is plausible; DHCP clients get told a lot of things they're supposed to do, and some of the older vendor-specific extensions are very insecure. But TLS? TLS isn't used within the DHCP protocol itself. There's a way to store DHCP configuration info in an LDAP server and have a DHCP server access it via LDAP.

    If someone is seeing strange DHCP packets, and reloading the BIOS won't help, it's possible that what's going on involves an attack via the network controller. The fancier network controller parts now have CPUs and EEPROM [intel.com]. This may be an attack which puts code in the network controller which in turn patches the BIOS.

    The people studying this need to list exactly what network ICs the machines involved are using. Some network devices are too dumb to be used as an attack vector, but some have whole protocol stacks, WiFi support, remote administration support, etc. It would not be surprising if those were attackable.

    I've expected attacks via network controllers [slashdot.org] for years. That's been used to attack servers. [slashdot.org] There's a known attack on PCI controllers [oracle.com] which can survive rebooting and reloading the BIOS.

    If the machine has wireless networking hardware and the attack exploits the network controller, it may be able to do wireless networking even if the user thinks they have the hardware disabled. Time to open up the machine, clip onto the JTAG port on the network controller, and read out the device memory with a JTAG debugger. Compare the dumps with other machines.

    • by dbIII (701233)

      I read the original article, but I don't see any part where someone recorded what was going out the speaker and looked at it.

      Now that is somewhat embarrassing and puts this entire issue somewhere below the level of a high school project.

    • makes a fine covert channel to get data to or from a compromised router, and NSA has shown interest in mass-pwning routers.

  • .. even duped the /. post already!

  • It's just a ghost using your machines.

  • by dfsmith (960400)
    With most sound chips attached directly to the PCI(e) bus, it's not out of the question to initiate a DMA into memory before the bootloader can start. Gives you a very nice pre-BIOS vector.
  • by Anonymous Coward on Friday November 01, 2013 @02:21AM (#45297755)

    But people just beat their chest and ridiculed the people posting, locking and shuffling threads or in some cases on commercial antivirus forums, deleting threads and moving them to hidden sections or trashed them altogether.

    I believe this is a huge conspiracy which has been going on for years. People in malware forums have been shouting from the rooftops about this but no one wanted to listen.

    What you overlooked and should have read:

    1. Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
    http://anonymous.livelyblog.com/2012/10/05/nobody-seems-to-notice-and-nobody-seems-to-care-government-stealth-malware/ [livelyblog.com]

    2. Spy agency ASIO are hacking into personal computers
    http://anonymous.livelyblog.com/2013/01/13/spy-agency-asio-are-hacking-into-personal-computers/ [livelyblog.com]

    3. Will security firms detect police spyware?
    http://anonymous.livelyblog.com/2013/09/17/will-security-firms-detect-police-spyware/ [livelyblog.com]

    And several PDF files on blackhat pages, forums, and conferences.

    These attacks against non-networked computers run deep - some changes are so subtle and appear to blend into normal black box Windows activities that people overlook them. Read article #1 which includes the sad state of malware detection on *nix.

    When you Google enough for firmware, PCI, AGP, BIOS, sound card malware, SDR, FRS, and why some distros autoload the ax25, rose, and netrom modules by default (including TAILS, check it for yourself with lsmod), it is quite unusual. Why would a distribution like TAILS need hamradio modules? They're in there, too, in addition to the ax25, rose, netrom modules. Batman mesh networking is included in TAILS too.

    People repeat the same mantra: the only safe computer is a non-networked computer. This is a lie. The truth is, an entirely shielded TEMPEST room with no network connections and shielding down to every piece of the computer is the best test environment, but who is going to take such precautions? Is the shielded computer in the shielded room bound for other locations outside of this safe room?

    Wikileaks have released Spy Files, listing many companies developing malware to root your box beyond detection often aimed at Governments and Military sources. These secret communications are no secret, and some have been detected via FRS, but that's only one source out of many.

  • by CODiNE (27417) on Friday November 01, 2013 @02:33AM (#45297789) Homepage

    As the Ars article points out, the individual pieces needed to do all this have already been proven over the years.

    Here's why it makes even more sense to me.

    A military minded person cannot allow threats to exist anywhere. If anyone anywhere has a weapon that they don't, they must immediately take steps to duplicate it, and defend against it.

    Now take that mindset, combine it with a large team of military hackers. Now every single exploit ever publicly disclosed becomes a checkbox on a list somewhere. As a recent Snowden leak story showed, 0-day vulnerabilities have been purchased by the government. We can be sure they run the largest honeypot networks in existence and immediately dissect every new worm, rootkit and exploit that touches them.

    Every theoretical exploit must be tested for feasibility, turned into a proof-of-concept and then packaged as a tool.

    And all that $$ and hacker power is under the command of someone who wants turnkey solutions and "kill switches" for everything.

    So it's definitely possible that such tools exist. But why would he be a target? I dunno, maybe someone wants advance notice on what the presenters at upcoming security conferences might be talking about so they can Barnaby Jack them?

    Sometimes people will claim something they strongly believe already exists in order to motivate people to look for it and find their proof. Sometimes they get lucky and proof is found, other times they get exposed for it. I hope he's wrong, I really want him to be wrong, but part of me believes it's real because it's definitely possible. After all, if it's just a few years out, then "they" have had it for a decade or more.

  • by dutchwhizzman (817898) on Friday November 01, 2013 @02:40AM (#45297801)

    These machines do two things:

    1. They try to infect other machines. They seem to use several methods for this. One is infecting USB sticks and other media. They have been observed abusing an old windows exploit that uses true type fonts as the vector for that.

    2. They are trying to communicate with other infected machines. They use some rather inventive carriers for that it seems. One of these appears to be sound. How it works isn't published yet. Another seems to be to use out-of-band communication by putting data inside host-option packets in DHCP. It's obvious that the malware uses such side channels to avoid detection. The OOB communication is done purely to keep in touch with "the swarm" and is not used to infect other machines.

    The real nastiness appears to be that this malware is able to infect multiple operating systems that are usually passed by malware manufacturers and also happens to be able to nest itself on the eeprom of infected machines. Both are more or less "a first" and the combination hasn't been seen in the wild either.

    Right now, there's a lot of discovery being done and a lot of speculation taking place as to who made it, what it can do, how it gets itself in eeprom and prevents itself from being overwritten during reflashing of the bios. It's not known if the virus will attempt to infect virtual machines, or will only infect machines that will let it nest in its BIOS. Also, anything malicious apart from infecting and communicating hasn't been observed. For all we know, it may be a true worm that does nothing but replicate and is an out of control experiment.

    So far, no infections appear to have been seen on virtual machines, or machines that don't have an intel chipset. I haven't seen any linux infected machines mentioned, but don't hold your breath on that, if *BSD and OSX have been infected, Linux may very well be infected too. Windows is infected for certain, but what versions are exactly vulnerable isn't clear to me at this time.

    Thus far, the only thing that can be advised to prevent infection is the usual; don't trust content/media from sources that could be spreading infections, knowingly or not and keep your system up to date. If applicable, set your bios read-only with hardware switches or jumpers and if at all possible, put passwords on bioses and put software blocks on updates as well. To this date it's not known if and what software blocks will prevent the malware, but it's best to give it as few attack surfaces as possible.

    • by wvmarle (1070040)

      I don't believe the whole thing for that very reason. It infected both an OSX and FreeBSD machine, which in itself is quite impressive. Two pretty tough systems with low market share, versus a single much weaker target with large market share: Windows.

      Then it managed to infect two totally different BIOSes - hard to imagine the OSX and BSD machine were the exact same hardware. So it can handle various BIOSes, too.

      And then there must be a quite complex bit of software that can talk to the network stack (there

      • by geogob (569250)

        I don't believe market share is relevant. This seems to be a specially crafted attack for a very specific task. You're mistaken to think virus and rootkit writer always want to reach the biggest pool possible.

        • by wvmarle (1070040)

          You have a point there.

          However it's quite interesting that it can infect not only two different OSes, but also two different BIOSes. And that researcher happened to have the exact right version of both, for the malware to infect, and managed to get infected. Possible? Yes. Plausible? Not really.

  • by LaughingRadish (2694765) on Friday November 01, 2013 @03:03AM (#45297853) Journal

    I haven't yet seen mention of someone setting up microphones sensitive to ultrasonic frequencies to check to see what, if any, odd sounds are being made by the computers. A lot of extraordinary claims are being made and I just don't see the requisite extraordinary evidence.

    • I doubt you'd even need a special mic - obviously (allegedly) the receiving computer can record the sound.

    • by gweihir (88907)

      Quite frankly, I see basically no evidence at all. Also, measuring ultra-sonics is easy: Just get an ultrasonic microphone (basically a 5 USD/EUR microphone with a higher-than-normal frequency range) and hook it up to a cheap digital oscilloscope. You will even see spread-spectrum signals that way immediately. And you can do even better: Connect the oscilloscope directly to the speaker input lines. There are obvious other problems, for example that nobody going to so much trouble will be as careless as to m

  • by GrpA (691294) on Friday November 01, 2013 @03:37AM (#45297937)

    Why do you think network security engineers always have headphones on? They're not listening to music, they're packet-sniffing.

    GrpA

  • While ultra-sonic communication seems plausible at first, it fails to take into account that the audio-system is not up to it. For one thing, most microphones are of the ElCheapo variant, and cannot handle signals above the highest frequencies humans can hear in any meaningful way. For another, the typical, sane audio-design has cutoff-filters that prevent ultra-sonics from being processed. Then, the speakers are pretty unsuitable for generating ultra-sonics. All this leads to very, very bad signal transmis

    • Well, shows what you know with all your fancy book-learnin'.

      While you may be correct if you go by the dictionary definition of ultrasonics, the adult human ear - my adult human ear, certainly - is incapable of hearing anything over around 15kHz. Freakin' 8kHz in my case :(

      I generated an 18kHz tone in Audacity, played it through my 10-year-old Dell desktop's built-in speaker, and my phone's mic picked up the spike clearly from a few feet away in a mildly noisy office. None of the younger humans around me hea

      • by gweihir (88907)

        "Book learning"?? 18kHz is not ultrasound. Some people will hear it. I am over 40, and my hearing goes up to 13.5kHz (just measured). People seem to have incredible bad hearing these days...

        You also forget that in order to transmit anything useful, you have to put modulation on it and make sure people do not hear that.

        • If people can't hear it, they can't hear whether it is modulated or not. FFSK on a 22.5kHz carrier? I bet the local bats hate it, and maybe it will annoy your dog too, but I doubt you could hear it yourself, unless at 115dB. Your PC speaker probably can't put out even 60dB at this frequency. Anyway, if you have a SMPS in the room, the noise will be drowned out. (Ultrasonic means what the sales guy at PC world says it means) A lot of us remember 110 baud.
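Several commenters make the same point from different angles: the "So?" post asks for a waveform capture, gweihir says a cheap microphone plus a scope will show a near-ultrasonic carrier immediately, and this subthread argues about whether 18 kHz or a 22.5 kHz FFSK carrier is audible. The check they are describing is a band-power scan of a recording, and it is small enough to write out. The code below is an added example for this page, not from Ars, Ruiu or any commenter. It uses the Goertzel algorithm (a single-frequency DFT, so no numpy is needed) to measure the energy in 500 Hz steps across 17-24 kHz and flags a capture when any bin rises above a threshold. The 96 kHz sample rate, the 17-24 kHz band, the threshold (equivalent to a tone at about 2% of full scale) and the synthetic test signals are assumptions constructed for the demonstration.

```python
import math

SAMPLE_RATE = 96_000   # assumption: the capture device samples fast enough to see above 20 kHz
FRAME = 4096           # samples per analysis frame; 96 kHz / 4096 gives ~23 Hz bins


def goertzel_power(samples, target_hz, sample_rate):
    """Normalised power at one frequency. A unit-amplitude tone sitting on this bin scores 0.25."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)       # nearest DFT bin to the requested frequency
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:                                 # second-order IIR that accumulates one DFT term
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2
    return power / (n * n)


def scan_band(samples, sample_rate, lo_hz, hi_hz, step_hz=500):
    """Power at each step_hz point between lo_hz and hi_hz inclusive."""
    return {f: goertzel_power(samples, f, sample_rate) for f in range(lo_hz, hi_hz + 1, step_hz)}


def ultrasonic_carrier_present(samples, sample_rate, lo_hz=17_000, hi_hz=24_000, threshold=1e-4):
    """Return (flagged, peak_hz). Refuses captures whose Nyquist limit cannot reach the band at all."""
    nyquist = sample_rate // 2
    if nyquist <= lo_hz:
        raise ValueError("sample rate %d Hz cannot observe frequencies above %d Hz" % (sample_rate, nyquist))
    hi_hz = min(hi_hz, nyquist)                       # a 44.1 kHz capture only sees up to 22.05 kHz
    powers = scan_band(samples, sample_rate, lo_hz, hi_hz)
    peak_hz = max(powers, key=powers.get)
    return powers[peak_hz] > threshold, peak_hz


def make_signal(tones, n=FRAME, sample_rate=SAMPLE_RATE):
    """Constructed test audio: a sum of sine tones given as (frequency_hz, amplitude)."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones) for i in range(n)]


# Constructed fixtures: ordinary audible content, and the same content with a quiet 22.5 kHz carrier added.
CLEAN_AUDIO = make_signal([(750, 0.5), (1500, 0.3)])
COVERT_AUDIO = make_signal([(750, 0.5), (1500, 0.3), (22_500, 0.05)])

if __name__ == "__main__":
    print("clean :", ultrasonic_carrier_present(CLEAN_AUDIO, SAMPLE_RATE))    # (False, ...)
    print("covert:", ultrasonic_carrier_present(COVERT_AUDIO, SAMPLE_RATE))   # (True, 22500)
```

Two caveats the thread touches on are built in: the band scan is pointless on a capture whose Nyquist limit is below the band (a 44.1 kHz recording stops at 22.05 kHz, a 30 kHz one cannot see the band at all and is rejected), and the threshold has to sit above the room's own noise floor (switch-mode supplies and fans radiate in this range) before a peak means anything.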
  • I seem to recall some anecdote from at least 10 years ago in which an artificial life program, running/evolving on a desktop machine 'learned' to use the power hardware in the computer to signal externally using emf to an adjacent system (I think the neighboring system was a monitoring system that was empowered to 'dump' "food" into the primary when it hit certain breakpoints, and the AI was triggering that faster or something).

    That could be apocryphal, though, as I've never seen anything more about it and

  • What a stupid prank article. Oh yeah, my uninfected computer interpreted ultrasonic sounds and saved them as an executable file on the root drive on its own. Ah huh. I can't believe anyone is stupid enough to believe this. The BIOS chip can't even send data directly to the speakers. This is such complete sci-fi nonsense, how are any of you taking this seriously?
  • If it's using some sort of communications ("ultrasonic networking") it's **NOT** airgapped in any way, shape, or form.

    "Airgapped" means no remote automated communications of ANY kind would be possible. You can't interact with it by remote, period- you have to have a human being log into a local console to do things with it. This is a failure of the airgapping measures being exploited is all- or it was never really airgapped to begin with.
