You could really hear the noise with these however. And there's the fact that the speaker was directly touching the microphone. It's cool that this works basically inaudibly across a room.
You could hear them because they were constrained to the voiceband. Frequencies outside 300-3400Hz were deliberately filtered out by the telephone system to maximize the number of calls that could be carried on a limited amount of copper.
"Across the room" isn't really interesting, either. I've decoded PSK31 across a room. Higher, near-inaudible frequencies would probably make the decode even cleaner.
Chirp.io uses sound to transmit & receive links between nearby Android/iOS devices. IMO, interesting tech[1], thats more useful & less secure than bluetooth, for such use cases.
Chirp is doing some really interesting work in this space, trying to improve the user experience of fast-forming short range communication.
My understanding is that Chirp uses audio to basically detect WHO you are standing near, but the actual data transfer happens over more typical links.
"An inherent limitation of the audio protocol is its highly limited transmission rate.
To send larger amounts of data, we have built a RESTful network infrastructure which allows arbitrary pieces of data to be associated with Chirp shortcodes. A sending device can thus upload a photo to the cloud, and obtain a shortcode representing it to be send over the air. A receiving device hears the shortcode over its microphone, and resolves it with a GET request."
Very unlikely. Laptops have crappy mics, they don't really have a response near 20 kHZ, as do crappy speakers. Also, this virus would have to analyze and deal with ambient noise. That's a pretty big level of sophistication for malware that can fit in flash memory.
So far, extraordinary claims, little data to back it.
I got that, but this part here didn't mention any USB drive...
"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."
Air-gapped and no mention of USB...
Magic or just inaccurate description?
One of those "keep reading" things to keep your interest, I suppose. A journalism thing?
"For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa."
I think they mean to say it was a computer that was previously infected and then airgapped, wiped and reinstalled. But because the executable load is in the bios, it persisted and reestablished communication with its peer via HF audio.
From what I understood, audio cannot serve as a first infection vector, but it could serve as a reinfection vector even when the BIOS was flashed, as the malware apparently also infects the RealTek audio chip software (according to what he reports on G+).
That would explain this scenario: the malware has been erased from the disk and the bios, but still lives in the audio chip, download a new payload through the high frequency connection, and boum, the computer is infected again.
This is quite cool actually. It reminds you that if your device has a sensor, it can communicate.
It should be possible to communicate through a webcam and a screen when the airgapped devices are on the same room. It could be possible to communicate by accelerometer(macs has these) and inducing vibrations using the HDD when the devices sit on the same table.
accelerometer: is very low bandwidth (think ~10-1000 measurements per second). The noise is ~100μg/√Hz - with 12 bits samples I'm not sure you'll pick up HDD vibrations (but rather easy to test).
Someone should lend the people researching this an oscilloscope.
No, not QR codes since it would require the webcam capturing the screen directly. The screen may be used as a light source for the transmission and the webcam can capture the light reflecting from the walls...
Certainly devices can "communicate" via sensory data, but that shouldn't cause your device to randomly execute code after receiving that data. Unless the programs that read from sensors are really poorly sandboxed...
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.
Yes, especially coupled with the "been going on for 3 years" and yet no actual analysis of the virus, no oscilloscopes, digital signal analyzers or spectrum analyzers put on the task, no third party researchers confirming this. Sounds very odd indeed.
The post announcing discovery of the HF audio was made October 15th, 2013. Remember you're reading a reporter's dumbed-down summary of what someone else has found.
So 14 days and still "pending analysis". I don't know where he lives, but it can't be that difficult to find someone with an oscilloscope and the knowledge of how to use it?
Again, sounds very fishy. I would expect a more methodical approach from a security researcher.
Interesting that such a seemingly well-designed piece of malware would have such an obvious tell (refusing to boot from any other hard disk). Although I suppose that it is a rare thing to do. (Now's the time to check…)
Also fascinating that his infection is at least three years old. Was Dragos targeted? Or perhaps someone within the pwn2own contest was?
Such persistent malware that targets air gapped machines reminds me of other malware created by nation-states.
Booting from a CD would [let you replace the infected BIOS](http://www.flashrom.org/Live_CD). Restricting the boot devices presumably helps preserve the BIOS infection.
Fair enough, presumably it's easier to simply prevent booting from CD than subvert every tool for flashing BIOSes.
In the end, it seems to me that blocking boot from CD is a net loss, since it alerts the user (who can undertake drastic measures including hooking up a different hard drive), whereas allowing boot from CD but reinstalling the BIOS malware from the (presumably thoroughly infected) hard disk would not.
If not impossible, at least very strange that he has not done more research to verify this (would be easy to do with an oscilloscope attached to the speaker output).
Using any random quad-SPI programmer and soldering it to the chip that contains your BIOS. If dragosr is suspecting a BIOS malware, I can't understand that he hasn't done that yet. From what I've read on his Twitter and Facebook account, he would have spent 3 years investigating this malware and is just now thinking of dumping the ROM of his "infected" USB devices.
Presumably that's atypical behavior for a BIOS, so an analysis of the dumped firmware should turn up where it's getting the location of and method to decode the data. That would give you enough to keep digging.
That sounds fairly unlikely (the BIOS does executes some code from PCI devices, but he says this happens on a machine without any weird PCI device, and PCI ROMs can be dumped too). We would not have to discuss whether this is the case if BIOS dumps turned out to be different. The issue is that 3 years after discovering the malware, he hasn't even tried to dump his BIOS.
Compression and encryption at this stage would be obfuscation more than anything else, and it's the job of malware researchers to break these kind of obfuscation layer. But again, we have no proof of this even being present.
The BIOS is not a black box that can't be analyzed.
With many (most?) desktop motherboards, the flash chip is desolderable and can usually be taken out and read on a dedicated flash reader if you have the equipment. There would be no way for the rootkit to bypass that.
Yet, even these programmers are not directly wired to the transistors holding the individual bits and bytes. I would not be surprised if there's a way to manipulate the internal logic of an EEPROM chip, too.
> Some of dragosr's claims/suspicions come off as next to impossible.
Which ones? The technical aspects are all known to be practical. The only thing odd is that a reasonably sophisticated and determined attacker is seemingly targeting him specifically and no one else.
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed
> Are you just assuming these are laptops with a battery?
Did you even read the article? It's a laptop. That would be the safe assumption, anyway. Laptops far out-stripped desktop sales years ago, they're what most work happens on now.
> And saying that computers are communicating by speakers and microphones over long distances (i.e. > a few inches) is patently ridiculous.
It's not. I've done it myself. Go grab a couple laptops and some PSK31 software and you can do it, too.
Or else he simply picked up the malware simply by borrowing a usb key from someone else who'd been infected. I bet the majority of security researchers are only a couple of hops on their network of acquaintances from people who are pretty much guaranteed to be targets of <pick your state security agency of choice> and they would certainly have the resources to develop something like this if they chose to.
We know that Stuxnet spread beyond it's intended target - that's how it was discovered by the wider security community in the first place. Malware this pernicious could spread fairly stealthily through a large number of people without being noticed I'd imagine.
(If it really is using high frequency audio to leak data then that would be strong evidence that it was originally designed to target some group using air gapped computer networks to protect their high grade information. If your top secret & merely secret grade computers are laptops in the same room & they can communicate over a back channel like this then suddenly your air gapped computer network isn't cut off from the internet any more!)
> The technical aspects are all known to be practical.
No, they aren't. Not by a long shot. They sound vaguely similar to some that are however, so people are overlooking the details that would take this from advanced malware to hollywood fantasy.
Unless you care to explain which parts are not practical, and which details are being overlooked, what you have here is literally the opposite of credibility. You have deliberately made yourself non-credible through your anonymous cowardice.
If the BIOS (or some commonly used FPGA) already have builtin some kind of backdoor could be used for this.
Now, if it was over a hardware backdoor in so many models it should be pretty widespread.
Couldn't one verify that this malware is present with some kind of listening device...or a dog ;-)? The article didn't mention that the sound theory was verified with some kind of external measurement, but I assume it must have been at some point? I'd like to see what that would look like.
What could easily explain all of this is he's installing OSes using pirated media (which commonly bundles trojans). Plugging in the USB drive could just be triggering the trojan that came in the OS.
The most telling thing about the article is he hasn't been able to capture any of the malware code in three years. Either it's all in firmware and not being delivered to the OS, or it's already in the OS.
...And it could also be a series of unfortunate coincidences that just look like malware activity. CDROM doesn't boot? Probably a bad CDROM drive. Registry editor disabled? Probably a bug in Windows. Strange networking where it shouldn't be? Apps transmit random networking crap all the time, and you don't need OS support to send arbitrary raw packets. 'Modifying settings and deleting data' could be anything, like a log rotater, I don't know.
But he doesn't need pirated media for, say MacOS on his MacBook Air, or Linux machines. Seeing as though he's a security researcher, I'm guessing he is capable of md5ing his FreeBSD ISOs...
I hope someone else analyzes that USB stick to see what it's doing or trying to do when plugged in. It sounds too fantastic to be true, but I guess it's somewhat plausible.
He also mentions that data was deleted and configuration changes made. If all of these things happened to you in a short amount of time, on multiple machines, what would your conclusions be? Would you just shrug it off as coincidence?
Personally I'm skeptical about the registry search functionality being disabled on a wiped machine -- that could easily be a Windows bug. But the other stuff would certainly get my gears turning.
Shouldn't the speaker/mic communication theory be easy to test? If computer microphones are being used by the malware a simple computer mic should be enough to detect if there is any communication going on...
According to the last few comments on his G+ post, he was able to isolate the communication to the mic/speaker and disable it. He also took some recordings.
As I read the article I thought, "Gee, my phone has a USB port and a radio or two."
By the end I'd added, "And a speaker and a microphone."
If I was [metaphorically] a state sponsored espionage agency, that's the way I would go. I wouldn't be fooling around with USB sticks. That 1990's vector has been publicly outed and people can easily live without them.
And by writing this, I've just now tinfoil-hatted my way to the belief that pretty much every electronic device, if it isn't p'wned, it's just by the blessings of laziness or disinterest. After having read about the scale upon which the US pursued cryptography during the Second World War in Battle of Wits: The Complete Story of Codebreaking in World War II by Stephen Budiansky, I'm not betting on either.
Considering the article goes so far as to claim that infected machines can still continue infecting others when they're unplugged from A/C, I'd argue that yes, you're absolutely right. This sounds like a "ghost story."
Edit: I should note that after about the first 2/3rds of the article, there is some effort made to explain this (and negates the entire first bit of the article), but there is much better information others have shared here regarding malware embedded in USB controllers. I still like jameshart's assertion that this is just an elaborate ghost story for Halloween.
Edit edit: The conveniently mention toward the latter part of the article that the machine unplugged from A/C was a laptop which was then running off battery. I'm growing more and more suspicious of the quality of this particular article.
So wait, it's a BIOS virus that covers the platforms he tested (multiple BIOSs to exploit/patch)...
that can communicate via Sound (Requires DSP)...
that can defend itself against the registry editor (Deep integration to the OS, for at least windows, linux/OSX noted as well)...
that can alter data...
that can infect network cards (implied in the article)...
that can possibly use the power system to communicate (Ok, on a laptop, that might be possible. Otherwise, PSUs aren't completely isolated from the computing system's logic?)...
that all still fits within a BIOS chip?
Either BIOSs are complex (read space-intensive) enough to stop being Basic, or they can fit this AND a functioning BIOS in to a payload that would be delivered by sound, USB, network cards...
Can it modulate the fans to transmit data too? Or change the screen brightness faster than the human eye can see, but can be detected with cameras? How about using the Wifi, HDD activity, sound mute, caps lock, numlock, scroll lock and power indicators to transmit?
How about opening and closing the HDD to transmit data?
I can't agree more with MacsHeadroom's assertion that this is a situation where the simplest explanation wins.
Not to mention I REALLY don't want this kind of thing to exist...
If these were all EFI/UEFI machines, there is a lot more code in these preboot EFI environments than one expects. Room enough to hide this kind of payload.
I could expect ONLY the DSP, ONLY the windows-individual portion, maybe 4 or 5 BIOS exploits and maybe 2 or 3 BIOS patches, about the same for Ethernet cards, maybe the CD controller, maybe 1 or two different USB firmware exploits and patches, maybe the entire PSU manipulation logic
but ALL of that? In the BIOS?
(I'd like to point out I am nowhere near the caliber of the man who's supposedly experiencing all of this. I do not know the true size of any of the aforementioned payload.)
With UEFI/EFI it's pretty plausible that you can load additional code at runtime from elsewhere even outside of the large space available for UEFI/EFI itself. Some versions even self contain quick booting minimal environments that contain web browsers and such.
I understand, but from my reading of the article, it looks like all of this is the inital badBIOS module
But on the topic of modular malware, what would the initial discovery of Flame look like, if it were still in-progress after 3 years? Would it or would it not seem like this? It's got odd transmission methods, and the possibility of more to come. But if deleting data, self protection, and propogation aren't the attacks, then what are?
Well, BIOSes these days are all the same anyway (Award/Phoenix), and no one gives a fk about BIOS code safety. Even the "anti-thievery" measure of permanent security codes (unlockable by manufacturer only) is moot, as you can reverse-engineer BIOS updates and get the code from them.
And I would not rely on BIOS code be security-audited in ANY way! Especially not the part of the code dealing with USB. Low-level as it may be, I bet there exist buffer overflow or other vulnerabilities in USB protocol stacks.
Would it be possible to infect device firmware? If this guy's airgapped computers keep getting infected, assuming he's smart enough to not plug a USB drive into the computer, perhaps a hard disk's or CD drive's firmware was infected.
>"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."
I read this as the computer being infected without a USB plugged into it. "Air-gapped" would mean no USB, right?
No, it means air-gapped. Traditionally this just meant no wires to other computers (and an autonomous power source if you're extra paranoid). Today of course it more broadly means no direct communication with another computer, including things like WiFi or Bluetooth.
External media has always been used to transfer data between air-gapped systems, and it's always been a weakness. USB drives are just smarter than older forms of external media, posing a greater potential threat.
Don't speakers/mics tend to have a built-in cutoff? I've played with generating higher and higher frequencies before, and I was able to hear it up to 18kHz. That's probably hitting the high range of my own hearing, but there was an audible pop when the speakers started playing that frequency. The sound card seemed to simply refuse to play that high.
I suppose the malware could be working at a low enough level to override a cutoff in the sound card's firmware. But then wouldn't it have to implement drivers for almost every kind of sound card in existence?
Interesting story. The use of audio is fascinating, even with 20khz carriers, using FSK[1] you're looking at maybe a 6666 baud which is 666 bytes per second. That is about 2 seconds per 1500 byte packet. So not exactly a "fast" way to communicate.
You might use QPSK (basically two FSK ranges using phase to indicate 00/01/10/11 states but that would still make for a pretty small pipe. Perhaps enough for a C&C channel be not really enough to exfiltrate data.
[1] Frequency Shift Keying - generally takes three complete cycles to of a 'tone' to reliably recognize the frequency. So 20,000 / 3 = 6666.666 bauds per second.
I once did some work for a team that did ELF communication from a small autonomous sub to a surface ship for mapping. They had a 1200 bps channel up to the ship for the map data...
(I didn't get to do anything with the sub - I was just brought in for two weeks to give them a way of feeding that data from a Sun workstation on the tracking ship to another station via GSM data (mainly for demo and testing purposes); trivial in comparison to the software controlling the sub, but it was fun getting to go out on the tracking ship when they did test runs)
Okay, so because he could not remove the audio interface, is MUST was the only logical infection vector remaining? That is a very strong claim, particularly since I do not see any claims that he is also HEARING the requisit very long and loud screeching sounds that would imply. Audio data transmissions on consumer grade devices unavoidably involve sound, right?
Well that is the thing, if it were pitched high enough then no, you probably wouldn't hear it. (that is also beneficial for higher speed transfers).
What the article said was that he was seeing packets from the airgapped host (that means nothing but air around it, no wifi) which stopped when he disabled the speaker and microphone. That suggested that this was the 'wire' between the two.
One of the side effects of using peizo electric speakers (which are nice and flat so adored by mobile device makers and laptop makers alike) is that they often have frequency response ranges above 20khz. Many people cannot hear frequencies over 15Khz, although 15Hkz (which was the scan rate of CRT monitors) can be heard by some folks and poorly wound flyback transformers would drive them nuts.
> poorly wound flyback transformers would drive them nuts
Those and marginal capacitors do drive us nuts. And that's one reason such communication wouldn't have to be completely out of human hearing range. Those of us who can hear it aren't going to be shocked by yet another high-pitched whine in a room full of electronics.
I considered this before posting. If it was near ultrasonic it would have near zero chance of useful transmission unless the attacker and victim were very particularly aligned. The higher the sound frequency, the less sound curves around obstacles.
Would it matter what frequency if the signal is a sequence of digital pulses, i.e., a digital secret knock encoded in compromised hardware or software, i.e. audio components and or drivers?
> Perhaps enough for a C&C channel be not really enough to exfiltrate data.
I really really really hate to say "APT," but if you had a gapped, infected PC sitting next to an internet PC; and both were powered up 24x7 for months with the infection undiscovered, you could grab a significant amount of data.
« Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. »
Hard for me to buy the sound transmission stuff. Keeping in mind the noise, sound diffusion etc. I suppose the packet correction takes an error limit before dropping out the entire packet.
The article is long and a bit rambling. It doesn't do a good job of explaining what steps Dragos took to eliminate different attack methods. It doesn't sound like a particularly clean fault finding / debugging session.
> For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.
I don't want to sound mean, but what? This paragraph just reads like Hurp-Durp to me. I'm an idiot, but even I know that there are some very nasty things to do to USB drives.
The audio channel doesn't make any sense to me; when I heard it from Dragos on Facebook the first time, I was actually a little worried about him. It's not that I think it's impossible to create a covert channel over audio; it obviously isn't. It's that for the malware story to play out, the covert receiver needs to already exist; if it does, you're already infected, so what does "air gapping" matter?
The way I read this article, two infected computers can communicate via these means, but the means of initial infection of airgapped computers are still partially unknown. You may have more context, but that's how I understood the article on its own.
Creating a network connection over audio allows an infected, but airgapped, computer to remain in contact with the malware controllers. This would enable the exfiltration of information, as well as the infiltration of updates to the malware.
Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.
I think it means that the infected airgapped computer can communicate with an infected non-airgapped computer over audio. The malicious code would already need to be there but once it's there it could (albeit slowly given the transmission rate) send data out from the air gapped machine.
I was going to add a line like "Who has a mic and speakers on their airgapped machine?!" but obviously every laptop does.
And next to every PC has at least a speaker for the BIOS beep. I'm not sure how good the DAC driver chip is (especially, how they perform at ultrasonic or subsonic frequencies).
I was thinking about this too. If it's possible to send out arbitrary frequencies with it you could have a one way channel even if the air gapped machine doesn't have a mic. Only the receiver would need one. The air gapped machine would just be transmitting 24/7 hoping another machine is in range.
The PC speaker does not have much of a DAC. Before the common use of ASIC chipsets, the PC speaker was connected to one of the channels of a clock divider chip. The other channel was used to drive the timer IRQ.
When a program wanted to produce a tone, the program took the input frequency of the clock divider divided by the desired frequency and programmed it into the clock divider. To control the duration of the tone, a DOS or BIOS call was available delay the program or the program could hook the timer interrupt vector. The program would then turn the speaker off or start the next tone.
Programs could also turn the output bit on and off manually. Some programs could turn the bit on and off rapidly to play arbitrary sounds. There was even a Windows driver to play sound through the PC speaker, but it disabled interrupts, causing the clock, keyboard, mouse, and network to stop while the sound was playing.
If the speaker is physically capable of that, the same technique can output ultrasound - with modern processor speeds, you probably could twiddle that output bit while still leaving room for normal system operation.
Schneier admitted his airgapped machine was laptop. But I supposed he has the good sense to physically damage the mic, speakers and wifi and Bluetooth.
Yeah this really reads like quite paranoid delusions. Connecting events but ignoring the incredible leaps that have to be made.
I don't understand why he hasn't posted 'infected' USB sticks to a bunch of high profile security folk with "POTENTIAL BIOS MODIFYING TROJAN ONBOARD" written on it? It would be a matter of a day or two before someone monitored all communications with it passively and proved or disproved his theory.
Presumably the infection includes a driver to turn the audio system into an acoustic coupler, which would appear as a network device on the target machine. At that point any packet sniffer should be able to attach to it.
I'm guessing of course, there's not much real details to go on, and that would mean this infection is more then just a malicious BIOS.
EDIT: Or he's full of shit. Honestly I said that several times reading it, the story was clearly written for sensationalism and made many seemingly impossible claims. I'm no where near an expert but it still set off the bullshit meter too many times.
Exactly. From the article: "Forensic tools showed the packets continued to flow over the airgapped machine." How do they know? Where do they hook in to log these packets?
Wireshark doesn't listen on audio devices though. You have to choose an interface. There is no obvious way to capture what he claims to be seeing, and if he used wireshark or tcpdump, he would have a log. Furthermore, if you had a covert audio channel, you wouldn't encapsulate it in TCP or IP. Under close examination, these claims don't make any sense.
Wireshark can also capture raw Ethernet and raw USB frames, but it still needs an interface from which to capture. Maybe it was the loopback interface?
Software infecting the running system could send packets received via audio to localhost. I'm not saying it's likely, but it's a remotely plausible explanation for the article's description of the attack and investigation.
Software infecting the running system could send packets received via audio to localhost.
Hm. I suppose this is theoretically possible, but I don't see why it would be done in a practical sense. If the malware needs to "phone home", it doesn't need to send packets via localhost; it just sends them out on whatever interface is connected to the Internet. (But how would you distinguish those packets from any others being sent out to the Internet?) If the malware is divided up into multiple processes that need to communicate with each other, why would they betray themselves by connecting via localhost? If they are on OS X or Linux, they can use Unix sockets, which don't need to go through any network interface. If they are on Windows, they can use any of several Windows IPC mechanisms that don't require a network interface.
Probably by monitoring the hardware when the machines were supposed to be doing nothing. If you get activity with certain timing you can be pretty sure that the machines are sending packets to each other.
Beyond capturing it locally, if the goal was to actually forward messages out to the internet a simple sniffer at the gateway would see attempts to phone home. This is definitely an area where more information would be needed but it's entirely plausible that someone would choose to have a way for targeted air-gapped systems to smuggle data out slowly if no better option is available.
The article is awkwardly formulated, but gets clear later on: the attack happens over a USB flash drive, but air gap doesn’t remove communications from the infected machine until you remove the mike/speakers.
This seems nonsensical to me. The microphone and speakers in a typical laptop(yes even a macbook air) are hardly quality enough to a) transmit any data at a high enough frequency to have any bandwidth and be "undetectable" and b) the microphone would be of even worse quality.
A typical laptop has a +- 3db audio frequency response of 200hz - 8khz if you are lucky, even if you wanted -10 or 20db I doubt you would get much above 12khz which is detectable by most people without significant hearing damage. I'm very skeptical about this article...
There are pressure sensitive pens that work with any Android/iOS cell phone via ultrasound. So I don't know about laptops, but all smartphones are capable of data transmission via ultrasound. I can't recall the last laptop I used that didn't work fine for Skype, so I don't think laptops are any worse, personally. Maybe 5 years ago one employer went cheap on a model without the built-in webcam on a laptop that usually had it, but even that had speakers and mic.
I just tested the built in speakers and mic on my 3 year old MacBook Pro using sine waves and a spectrum analyser.
It's perfectly capable of sending and picking up a 20kHz signal by itself. The frequency response starts dropping off drastically at around 14kHz. Around 21kHz seems to be the practical limit.
However, there seems to be a bit of distortion going on. I'm not sure it's possible to send a clean inaudible signal without introducing lower frequency components.
I've worked in computer music/audio for years. Most people and PCs can reach 20kHz. It's no coincidence, human hearing drops off around that point and thus the 44.1kHz sample rate was chosen to match that (you can transmit frequencies at max of 1/2 the sample rate, thus 22.05kHz). But modern sound cards can reach 96 or even 192kHz sample rate, able to transmit ~50-100kKHz tones (other factors aside). Further, modern sound cards can have amplitudes expressed as 24-bit numbers, providing very high fidelity/accuracy.
So, you may be able to hear higher than 20kHz. Even if you increase your sound card sample rate, best test would be to try something analog to eliminate other bottlenecks in the audio processing. But you can easily tweak your audio settings and generate sine waves with this program:
Quite a few people can hear 20kHz. I can still clearly hear 18.5kHz (or what my laptop's speakers emit when I feed a 18.5kHz sine) and 19-20kHz gives me headaches.
Ok so maybe it's possible to send audio and receive it via a MacBook Pro. However, how much data could that low bandwidth signal carry? I'm even more curious how randomly transmitting "evil bits" this way could spontaneously infect a PC at the lowest levels. Something just doesn't add up here.
Absolutely no one is suggesting that audio is being used to spontaneously infect previously uninfected systems. No one has ever suggested that except for people who have failed to carefully and completely read the article. The claim is infected machines are using it to communicate, not that uninfected machines are being infected by it.
Imagine a ton of laptops passing through Starbucks. The infection is being established via something on an unprotected (or compromised router) wifi network. That infection is dormant with only one function: listen on the microphone. You could create an army of laptops that receives its orders through proximity completely bypassing any firewall system you have. It's pretty insidious.
The audio system is not the attack vector. It is a means of staying in contact with command-and-control by communicating with other already-infected machines.
With a staged payload, the ability to communicate across an airgap could allow successive stages to be delivered in the presence of counter-measures. It could also facilitate minimization of the spore's footprint during initial infection and thereby reduce the likelihood that the spore will be detected.
The conclusion that for communications across the air-gap to work, the receiver must already be infected is the only alternative to "No, it isn't happening."
Now I'm not in a position to say, that it is happening. But I'm not in a position to say that the supply chain for electronic devices is hardened against an attack by a state sponsored agency seeking to inject spores into devices at the time of manufacture. If an agency is interested in maximizing backdoor accesses, having infected devices roll off the assembly line and straight to end users certainly seems like an ideal outcome. It's map reduce.
Don't get me wrong, I know I'm furiously folding Reynolds Wrap. But I also know that there is a cognitive gap between the furniture of everyday experience and large scale phenomena - e.g. collecting meta data on all phone calls simultaneously and then storing and searching it doesn't fit with the MOS 6510 mental model of computing I habitually use.
>>>> If an agency is interested in maximizing backdoor accesses, having infected devices roll off the assembly line and straight to end users certainly seems like an ideal outcome.
And we already have proof that manufacturers in China have been doing this:
"Microsoft researchers in China investigating the sale of counterfeit software found malware pre-installed on four of 20 brand new desktop and laptop PCs they bought for testing. They found forged versions of Windows on all the machines."
This would be the easiest way to do this, and since it's already been demonstrated, I would hasten to say your tinfoil folding is certainly is not being done in vein.
What's your current assessment of this story? Are you still on the "Dragos may need help" side of the spectrum, or has subsequent information pushed you to the "this might be a real thing" side?
@PaxNoxNomPox - @dragosr How can #badBIOS spread if rcvr doesn't know what to listen for? Something has to be listening and know what to listen for. Thnx.
@dragosr - @PaxNoxNomPox no evidence of "spreading" via audio. Just comms between infected machines.
All of the major OEMs embed code from these guys into their BIOS. Once activated, it can brick the box, delete files, re-install their Windows/Mac agent that allows for location tracking, etc.
Worse, Computrace ends up in the management engine firmware, which is more powerful and less auditable than the BIOS/UEFI (and works with powered off main CPU, too).
The lack of low-level analysis is incredibly suspicious. If you think its moving at the BIOS-level on USB sticks, then you find someone with a high-frequency recording oscilloscope and capture every single electrical signal you see on that bus because it's certainly not going to be moving an encrypted version of its own infection code. Same thing you'd do to the microphone and speaker.
I mean I get a few months of nothing you don't do this, but 3 years? A USB bus is not high bandwidth - there's off-the-shelf hardware that will do this.
This story is just too fantastical to be true. We're talking about a ridiculously sophisticated piece of malware, which has been found nowhere else, and is absurdly high visibility (people don't keep using computers which are obviously infected with something).
If you had something as resistant as this in your pocket, you didn't write it on your own, and the absolute last thing you would do is give it high-visibility infection symptoms and toss it out into the wild.
EDIT: It's worth noting this would very much hardly be the first time a researcher suddenly went off the reservation. Happens to even Nobel Laureates.
>>>> This story is just too fantastical to be true. We're talking about a ridiculously sophisticated piece of malware, which has been found nowhere else, and is absurdly high visibility (people don't keep using computers which are obviously infected with something).
Unless you're a state sponsored agency looking to test a zero day exploit. What better way to test it then to attack one of the top infosec researchers in the industry?
Think about it. You get one of the top researchers to figure out your malware, bring in all his friends to figure out how it works and then publish the results - giving you exactly what you need to refactor it so it's completely untraceable, and non-responsive to efforts to try and stop it from propagating.
What I'm posing is, if you had malware this successful at spreading itself, the very last thing you would do is attach a high-visibility payload to it (disabling system devices like the CDROM drive - allegedly).
Your hypothesis isn't much better - hostile organizations don't give you a chance to figure out a defense strategy, especially when there's no risk of deployment. You don't need a test for a virus - you use it, and then you make another one.
So the oldest mention I did find, is from the 21st of October [0] and then more at the 23rd. [2,3] So until I see an actual zombie, my money is on a ghost story for Halloween.
256 comments
[ 3.1 ms ] story [ 259 ms ] threadLooks like my laptop needs a tinfoil hat more so than myself!
"ARF ARF" -"What is it, doggy? Someone's trying to hack the IRS dbase? Good dog!"
Not so much mine.
http://en.wikipedia.org/wiki/Acoustic_coupler
"Across the room" isn't really interesting, either. I've decoded PSK31 across a room. Higher, near-inaudible frequencies would probably make the decode even cleaner.
[1] http://chirp.io/tech/
My understanding is that Chirp uses audio to basically detect WHO you are standing near, but the actual data transfer happens over more typical links.
"An inherent limitation of the audio protocol is its highly limited transmission rate.
To send larger amounts of data, we have built a RESTful network infrastructure which allows arbitrary pieces of data to be associated with Chirp shortcodes. A sending device can thus upload a photo to the cloud, and obtain a shortcode representing it to be send over the air. A receiving device hears the shortcode over its microphone, and resolves it with a GET request."
So far, extraordinary claims, little data to back it.
"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."
Air-gapped and no mention of USB... Magic or just inaccurate description?
"For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa."
That would explain this scenario: the malware has been erased from the disk and the bios, but still lives in the audio chip, download a new payload through the high frequency connection, and boum, the computer is infected again.
See https://plus.google.com/u/0/103470457057356043365/posts/3reW...
[0] https://plus.google.com/app/basic/stream/z13tzhpzvpqyuzv1n23...
It should be possible to communicate through a webcam and a screen when the airgapped devices are on the same room. It could be possible to communicate by accelerometer(macs has these) and inducing vibrations using the HDD when the devices sit on the same table.
Naturally.
http://en.wikipedia.org/wiki/Timex_Datalink#Wireless_data_tr...
accelerometer: is very low bandwidth (think ~10-1000 measurements per second). The noise is ~100μg/√Hz - with 12 bits samples I'm not sure you'll pick up HDD vibrations (but rather easy to test).
Someone should lend the people researching this an oscilloscope.
Anyone else having flashbacks of John Nash?
http://en.wikipedia.org/wiki/John_Forbes_Nash,_Jr.#Mental_il...
https://plus.google.com/103470457057356043365/posts/3reWRqDM...
Again, sounds very fishy. I would expect a more methodical approach from a security researcher.
Also fascinating that his infection is at least three years old. Was Dragos targeted? Or perhaps someone within the pwn2own contest was?
Such persistent malware that targets air gapped machines reminds me of other malware created by nation-states.
In the end, it seems to me that blocking boot from CD is a net loss, since it alerts the user (who can undertake drastic measures including hooking up a different hard drive), whereas allowing boot from CD but reinstalling the BIOS malware from the (presumably thoroughly infected) hard disk would not.
Never the less, this does sound like a nasty piece of malware.
Seems like trolling or some form of paranoia.
Smells fishy to me.
You then put the code on another machine and you are in the same situation, it seems to me like a vicious circle if you don't know where to cut.
Compression and encryption at this stage would be obfuscation more than anything else, and it's the job of malware researchers to break these kind of obfuscation layer. But again, we have no proof of this even being present.
The BIOS is not a black box that can't be analyzed.
Which ones? The technical aspects are all known to be practical. The only thing odd is that a reasonably sophisticated and determined attacker is seemingly targeting him specifically and no one else.
Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed
Did you even read the article? It's a laptop. That would be the safe assumption, anyway. Laptops far out-stripped desktop sales years ago, they're what most work happens on now.
> And saying that computers are communicating by speakers and microphones over long distances (i.e. > a few inches) is patently ridiculous.
It's not. I've done it myself. Go grab a couple laptops and some PSK31 software and you can do it, too.
As for communications via speakers and microphones, that makes as much sense as any other outrageously insane theory I've ever heard.
Keep in mind he's talking about laptops that have batteries.
We know that Stuxnet spread beyond it's intended target - that's how it was discovered by the wider security community in the first place. Malware this pernicious could spread fairly stealthily through a large number of people without being noticed I'd imagine.
(If it really is using high frequency audio to leak data then that would be strong evidence that it was originally designed to target some group using air gapped computer networks to protect their high grade information. If your top secret & merely secret grade computers are laptops in the same room & they can communicate over a back channel like this then suddenly your air gapped computer network isn't cut off from the internet any more!)
No, they aren't. Not by a long shot. They sound vaguely similar to some that are however, so people are overlooking the details that would take this from advanced malware to hollywood fantasy.
http://blog.erratasec.com/2012/05/bogus-story-no-chinese-bac... http://news.softpedia.com/news/Secret-3G-Radio-in-Every-Inte...
The most telling thing about the article is he hasn't been able to capture any of the malware code in three years. Either it's all in firmware and not being delivered to the OS, or it's already in the OS.
...And it could also be a series of unfortunate coincidences that just look like malware activity. CDROM doesn't boot? Probably a bad CDROM drive. Registry editor disabled? Probably a bug in Windows. Strange networking where it shouldn't be? Apps transmit random networking crap all the time, and you don't need OS support to send arbitrary raw packets. 'Modifying settings and deleting data' could be anything, like a log rotater, I don't know.
If it sounds impossible, it probably is.
It's much less likely that he's experiencing the most advanced malware in the world, and much more likely that he just overlooked something simple.
Personally I'm skeptical about the registry search functionality being disabled on a wiped machine -- that could easily be a Windows bug. But the other stuff would certainly get my gears turning.
https://plus.google.com/103470457057356043365/posts/3reWRqDM...
By the end I'd added, "And a speaker and a microphone."
If I was [metaphorically] a state sponsored espionage agency, that's the way I would go. I wouldn't be fooling around with USB sticks. That 1990's vector has been publicly outed and people can easily live without them.
And by writing this, I've just now tinfoil-hatted my way to the belief that pretty much every electronic device, if it isn't p'wned, it's just by the blessings of laziness or disinterest. After having read about the scale upon which the US pursued cryptography during the Second World War in Battle of Wits: The Complete Story of Codebreaking in World War II by Stephen Budiansky, I'm not betting on either.
Edit: I should note that after about the first 2/3rds of the article, there is some effort made to explain this (and negates the entire first bit of the article), but there is much better information others have shared here regarding malware embedded in USB controllers. I still like jameshart's assertion that this is just an elaborate ghost story for Halloween.
Edit edit: The conveniently mention toward the latter part of the article that the machine unplugged from A/C was a laptop which was then running off battery. I'm growing more and more suspicious of the quality of this particular article.
that can communicate via Sound (Requires DSP)...
that can defend itself against the registry editor (Deep integration to the OS, for at least windows, linux/OSX noted as well)...
that can alter data...
that can infect network cards (implied in the article)...
that can possibly use the power system to communicate (Ok, on a laptop, that might be possible. Otherwise, PSUs aren't completely isolated from the computing system's logic?)...
that all still fits within a BIOS chip? Either BIOSs are complex (read space-intensive) enough to stop being Basic, or they can fit this AND a functioning BIOS in to a payload that would be delivered by sound, USB, network cards...
Can it modulate the fans to transmit data too? Or change the screen brightness faster than the human eye can see, but can be detected with cameras? How about using the Wifi, HDD activity, sound mute, caps lock, numlock, scroll lock and power indicators to transmit?
How about opening and closing the HDD to transmit data?
I can't agree more with MacsHeadroom's assertion that this is a situation where the simplest explanation wins.
Not to mention I REALLY don't want this kind of thing to exist...
EDIT: Added fans paragraph
but ALL of that? In the BIOS?
(I'd like to point out I am nowhere near the caliber of the man who's supposedly experiencing all of this. I do not know the true size of any of the aforementioned payload.)
But on the topic of modular malware, what would the initial discovery of Flame look like, if it were still in-progress after 3 years? Would it or would it not seem like this? It's got odd transmission methods, and the possibility of more to come. But if deleting data, self protection, and propogation aren't the attacks, then what are?
And I would not rely on BIOS code be security-audited in ANY way! Especially not the part of the code dealing with USB. Low-level as it may be, I bet there exist buffer overflow or other vulnerabilities in USB protocol stacks.
I read this as the computer being infected without a USB plugged into it. "Air-gapped" would mean no USB, right?
No, it means air-gapped. Traditionally this just meant no wires to other computers (and an autonomous power source if you're extra paranoid). Today of course it more broadly means no direct communication with another computer, including things like WiFi or Bluetooth.
External media has always been used to transfer data between air-gapped systems, and it's always been a weakness. USB drives are just smarter than older forms of external media, posing a greater potential threat.
I suppose the malware could be working at a low enough level to override a cutoff in the sound card's firmware. But then wouldn't it have to implement drivers for almost every kind of sound card in existence?
You might use QPSK (basically two FSK ranges using phase to indicate 00/01/10/11 states but that would still make for a pretty small pipe. Perhaps enough for a C&C channel be not really enough to exfiltrate data.
[1] Frequency Shift Keying - generally takes three complete cycles to of a 'tone' to reliably recognize the frequency. So 20,000 / 3 = 6666.666 bauds per second.
Reminded of ELF communication with submerged submarines.
http://en.wikipedia.org/wiki/Extremely_low_frequency
(I didn't get to do anything with the sub - I was just brought in for two weeks to give them a way of feeding that data from a Sun workstation on the tracking ship to another station via GSM data (mainly for demo and testing purposes); trivial in comparison to the software controlling the sub, but it was fun getting to go out on the tracking ship when they did test runs)
What the article said was that he was seeing packets from the airgapped host (that means nothing but air around it, no wifi) which stopped when he disabled the speaker and microphone. That suggested that this was the 'wire' between the two.
One of the side effects of using peizo electric speakers (which are nice and flat so adored by mobile device makers and laptop makers alike) is that they often have frequency response ranges above 20khz. Many people cannot hear frequencies over 15Khz, although 15Hkz (which was the scan rate of CRT monitors) can be heard by some folks and poorly wound flyback transformers would drive them nuts.
Those and marginal capacitors do drive us nuts. And that's one reason such communication wouldn't have to be completely out of human hearing range. Those of us who can hear it aren't going to be shocked by yet another high-pitched whine in a room full of electronics.
I really really really hate to say "APT," but if you had a gapped, infected PC sitting next to an internet PC; and both were powered up 24x7 for months with the infection undiscovered, you could grab a significant amount of data.
How is that possible ?
http://smus.com/ultrasonic-networking/
> For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.
I don't want to sound mean, but what? This paragraph just reads like Hurp-Durp to me. I'm an idiot, but even I know that there are some very nasty things to do to USB drives.
EDIT: https://news.ycombinator.com/item?id=6534617 https://news.ycombinator.com/item?id=933210 https://news.ycombinator.com/item?id=1855936
Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.
I was going to add a line like "Who has a mic and speakers on their airgapped machine?!" but obviously every laptop does.
When a program wanted to produce a tone, the program took the input frequency of the clock divider divided by the desired frequency and programmed it into the clock divider. To control the duration of the tone, a DOS or BIOS call was available delay the program or the program could hook the timer interrupt vector. The program would then turn the speaker off or start the next tone.
Programs could also turn the output bit on and off manually. Some programs could turn the bit on and off rapidly to play arbitrary sounds. There was even a Windows driver to play sound through the PC speaker, but it disabled interrupts, causing the clock, keyboard, mouse, and network to stop while the sound was playing.
I don't understand why he hasn't posted 'infected' USB sticks to a bunch of high profile security folk with "POTENTIAL BIOS MODIFYING TROJAN ONBOARD" written on it? It would be a matter of a day or two before someone monitored all communications with it passively and proved or disproved his theory.
I'm guessing of course, there's not much real details to go on, and that would mean this infection is more then just a malicious BIOS.
EDIT: Or he's full of shit. Honestly I said that several times reading it, the story was clearly written for sensationalism and made many seemingly impossible claims. I'm no where near an expert but it still set off the bullshit meter too many times.
Hm. I suppose this is theoretically possible, but I don't see why it would be done in a practical sense. If the malware needs to "phone home", it doesn't need to send packets via localhost; it just sends them out on whatever interface is connected to the Internet. (But how would you distinguish those packets from any others being sent out to the Internet?) If the malware is divided up into multiple processes that need to communicate with each other, why would they betray themselves by connecting via localhost? If they are on OS X or Linux, they can use Unix sockets, which don't need to go through any network interface. If they are on Windows, they can use any of several Windows IPC mechanisms that don't require a network interface.
A typical laptop has a +- 3db audio frequency response of 200hz - 8khz if you are lucky, even if you wanted -10 or 20db I doubt you would get much above 12khz which is detectable by most people without significant hearing damage. I'm very skeptical about this article...
https://plus.google.com/u/0/103470457057356043365/posts/3reW...
It's perfectly capable of sending and picking up a 20kHz signal by itself. The frequency response starts dropping off drastically at around 14kHz. Around 21kHz seems to be the practical limit.
However, there seems to be a bit of distortion going on. I'm not sure it's possible to send a clean inaudible signal without introducing lower frequency components.
So, you may be able to hear higher than 20kHz. Even if you increase your sound card sample rate, best test would be to try something analog to eliminate other bottlenecks in the audio processing. But you can easily tweak your audio settings and generate sine waves with this program:
http://audacity.sourceforge.net/
The conclusion that for communications across the air-gap to work, the receiver must already be infected is the only alternative to "No, it isn't happening."
Now I'm not in a position to say, that it is happening. But I'm not in a position to say that the supply chain for electronic devices is hardened against an attack by a state sponsored agency seeking to inject spores into devices at the time of manufacture. If an agency is interested in maximizing backdoor accesses, having infected devices roll off the assembly line and straight to end users certainly seems like an ideal outcome. It's map reduce.
Don't get me wrong, I know I'm furiously folding Reynolds Wrap. But I also know that there is a cognitive gap between the furniture of everyday experience and large scale phenomena - e.g. collecting meta data on all phone calls simultaneously and then storing and searching it doesn't fit with the MOS 6510 mental model of computing I habitually use.
And we already have proof that manufacturers in China have been doing this:
http://www.theguardian.com/technology/2012/sep/14/malware-in...
"Microsoft researchers in China investigating the sale of counterfeit software found malware pre-installed on four of 20 brand new desktop and laptop PCs they bought for testing. They found forged versions of Windows on all the machines."
This would be the easiest way to do this, and since it's already been demonstrated, I would hasten to say your tinfoil folding is certainly is not being done in vein.
@dragosr - @PaxNoxNomPox no evidence of "spreading" via audio. Just comms between infected machines.
https://twitter.com/dragosr/status/395959517243928576
http://www.absolute.com/en/products/absolute-computrace/pers...
All of the major OEMs embed code from these guys into their BIOS. Once activated, it can brick the box, delete files, re-install their Windows/Mac agent that allows for location tracking, etc.
See https://events.ccc.de/congress/2013/wiki/Projects:MEre
I mean I get a few months of nothing you don't do this, but 3 years? A USB bus is not high bandwidth - there's off-the-shelf hardware that will do this.
This story is just too fantastical to be true. We're talking about a ridiculously sophisticated piece of malware, which has been found nowhere else, and is absurdly high visibility (people don't keep using computers which are obviously infected with something).
If you had something as resistant as this in your pocket, you didn't write it on your own, and the absolute last thing you would do is give it high-visibility infection symptoms and toss it out into the wild.
EDIT: It's worth noting this would very much hardly be the first time a researcher suddenly went off the reservation. Happens to even Nobel Laureates.
Unless you're a state sponsored agency looking to test a zero day exploit. What better way to test it then to attack one of the top infosec researchers in the industry?
Think about it. You get one of the top researchers to figure out your malware, bring in all his friends to figure out how it works and then publish the results - giving you exactly what you need to refactor it so it's completely untraceable, and non-responsive to efforts to try and stop it from propagating.
I'm not sayin, I'm just sayin. . .
What I'm posing is, if you had malware this successful at spreading itself, the very last thing you would do is attach a high-visibility payload to it (disabling system devices like the CDROM drive - allegedly).
Your hypothesis isn't much better - hostile organizations don't give you a chance to figure out a defense strategy, especially when there's no risk of deployment. You don't need a test for a virus - you use it, and then you make another one.
There's no point hampering removal once you're detected if you have a good mechanism for hiding or repairing the infection.
[0] https://twitter.com/dragosr/status/392348130101829632 [1] https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa... [2] https://plus.google.com/103470457057356043365/posts/9fyh5R9v...