Security researcher says new malware can affect your BIOS; be transmitted via the air

BadBIOS infects your machine's BIOS -- the small bit of firmware that prepares your machine before booting the operating system.

Rip out your computer's microphone and webcam, turn off your Bluetooth, and put on your tinfoil hats, it's "super amazing crazy security storytime."

A noted security researcher says he has found a new type of malware that can affect some of the lowest levels of your machine. Even more surprising, this bit of nasty code could be the first example of an airborne computer virus.

No, I'm not talking about Wi-Fi downloads, but input signals converted into code by your laptop's microphone. The new malware is dubbed badBIOS by Dragos Ruiu, the security researcher who says he uncovered it.

Ruiu recently told Ars Technica that he's been tracking down badBIOS for the past three years. Since badBIOS is reportedly a crafty piece of code, all he has right now is a working theory about how the malware works.

The thing is...

The one nagging detail about badBIOS is that Ruiu is the only person making these claims, and he has yet to produce enough evidence for other security researchers to independently examine.

But Ruiu, who organizes the CanSecWest and PacSec security conferences, is respected enough that many fellow researchers are hesitant to outright discredit his claims as pure fantasy. Still, without independent verification of Ruiu's claims, it's impossible to know for sure whether badBIOS is the real deal or not.


If you want a more detailed explanation of badBIOS, check out the Ars Technica article linked to above, but here are the basics.

As its name suggests, badBIOS infects your machine's BIOS--the small bit of firmware that prepares your machine before booting the operating system. If you've ever pressed a key like F2 shortly after your computer boots and then gone to a screen that looks like it was built on a Commodore VIC-20, that's the BIOS.

Once a machine is infected, badBIOS gets to work inserting malicious code inside the operating system itself.

Malware that starts by attacking the BIOS isn't unheard of, but most bits of bad code typically attack weaknesses in standard targets that live inside the operating system, such as Adobe Reader or a Java browser plugin.

BIOS malware could be more effective since it's harder to track down, and fixing it is beyond the capabilities of the majority of PC users.

But what really sets badBIOS apart is that it is supposedly capable of resisting erasure even if someone reinstalls (flashes) the BIOS firmware. BadBIOS is also platform-independent, which means it can infect and work across a wide array of PC operating systems, including Windows, OS X, Linux, and BSD, according to Ruiu.

BadBIOS can infect a machine in one of two ways, according to Ruiu's current theory. It can get onto a machine through an infected USB stick--a textbook infection method--or by sending high-frequency signals that get picked up by an uninfected PC's microphone.
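One way a defender could audit a microphone feed for the kind of near-ultrasonic signalling described above is to measure how much energy sits above the speech band. The following detector is an added example, not code from the article or from Ruiu's research; it assumes 16-bit mono PCM at 44.1 kHz, uses the Goertzel algorithm so it needs no numpy, and runs on a constructed sample (two frames of a 1 kHz tone followed by two frames of a 19 kHz tone).

```python
"""Flag audio frames whose 18-20 kHz energy dominates the 300-4000 Hz speech band.
Added example; sample rate, frame size and threshold are assumptions, and the
test signal is constructed inline rather than captured from a real microphone."""
import math
import struct

SAMPLE_RATE = 44100   # assumed capture rate
FRAME = 2048          # samples per analysis frame (~46 ms)

def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Power at one frequency bin via the Goertzel algorithm (single-bin DFT)."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)          # nearest DFT bin to the target frequency
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2

def band_power(samples, lo_hz, hi_hz, step_hz=250):
    """Sum of bin powers sampled every step_hz across [lo_hz, hi_hz]."""
    return sum(goertzel_power(samples, f) for f in range(lo_hz, hi_hz + 1, step_hz))

def ultrasonic_ratio(samples):
    """Near-ultrasonic (18-20 kHz) power divided by speech-band (300-4000 Hz) power."""
    high = band_power(samples, 18000, 20000)
    low = band_power(samples, 300, 4000)
    return high / (low + 1e-9)               # guard against an all-silent frame

def flag_frames(pcm_bytes, threshold=10.0):
    """Return indices of frames whose ultrasonic/speech ratio exceeds the threshold."""
    samples = struct.unpack('<%dh' % (len(pcm_bytes) // 2), pcm_bytes)
    flagged = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        if ultrasonic_ratio(samples[start:start + FRAME]) > threshold:
            flagged.append(start // FRAME)
    return flagged

def synth(freq_hz, n=FRAME, amp=8000):
    """Constructed pure tone as 16-bit sample values."""
    return [int(amp * math.sin(2 * math.pi * freq_hz * t / SAMPLE_RATE)) for t in range(n)]

def make_sample():
    """Constructed input: frames 0-1 are a 1 kHz tone, frames 2-3 a 19 kHz tone."""
    frames = synth(1000) * 2 + synth(19000) * 2
    return struct.pack('<%dh' % len(frames), *frames)

if __name__ == "__main__":
    print("frames with near-ultrasonic activity:", flag_frames(make_sample()))  # [2, 3]
```

The ratio, not absolute level, is what matters: an ordinary room has almost no energy above 18 kHz, so a frame whose high band outweighs the speech band by an order of magnitude is worth logging for a closer look.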

The reality of badBIOS

That certainly sounds like a virus created in the realms of pure fantasy, but if badBIOS is real, it has some serious implications. Ruiu believes badBIOS is just the first wave of further malware payloads. Similar to other bad code, badBIOS would jump onto a machine and then call home for further instructions. What those instructions might be, if they even exist, is unknown.

The verified existence of badBIOS would also throw into serious doubt the viability of air-gap security, where sensitive files are read or created on PCs that never connect to the Internet. Security expert Bruce Schneier, who recently assisted the Guardian in looking at documents from NSA leaker Edward Snowden, used an air-gapped computer for that work.

Without connecting to the Internet, it was believed, the only realistic way you could get a malware infection would be from an infected USB stick or other storage peripheral. Even then, without a live Internet connection, the impact of most malware infections would be mitigated. Spyware such as a keylogger, for example, would have a hard time delivering timely updates to its masters.

But even badBIOS' purported high-frequency infection method could be just the tip of a much larger digital iceberg. Anyone interested in some background information should check out a blog post by Errata Security's Robert David Graham.

"There are other ways to do air-gapped communications using covert channels," Graham says in the post. "You might exploit blinking LEDs...monitor the voltage on the power supply...The average laptop computer has a godawful number of inputs/outputs that we don't quite realize."

The malware-filled future that badBIOS portends may sound scary, but it's too early to press panic buttons just yet. We can also take heart in the fact that knowing about a piece of malware and how it works is half the battle to defeating it.

And for anyone who loves to admire all things tech, malware or not, you have to admit that badBIOS (if it's real) would be a pretty impressive hack.

Stories by Ian Paul