Literally nothing. If something jumped an AirGap then a USBdrive, or CDrom/DVDrom, etc. was infected. In which case the system wasn't Air Gapped, it was part of a sneaker net.
Most commonly we refer to sneaker nets as Airgaps, when often their just as vulnerable as a normal network. Dirty USB sticks are an old as the hills hack at this point.
BadBIOS was supposed to communicate with C&C systems using sounds inaudible to the human ear that could be picked up by the microphone of a nearby (also infected) computer.
Hence 'airgapped" (not connected to the network) computers could still export private information to a botnet operator.
If I've got drivers running on two computers that only are in the same room, and they both have speakers and microphones, then yes, I may be able to pull this off. If one of them is connected to the outside world and the other isn't, I may be able to connect from the outside world to the unconnected computer using this acoustic method.
None of this helps me get the infection on the unconnected computer, though. For that, there has to be something else - sneakernet USBs, for example, as you mentioned.
Since we're being pedantic :-) what if the original infection occurred before the motherboard left the factory? Does that still fail to meet your definition of "airgapped"?
More seriously, the "virus that jumps airgaps" was a sensationalist headline from the get-go. I just was trying to explain where the claim originated.
Which lends no credence to Dragos' story at all. Ultrasonic networking isn't a new idea, and malware in firmware has been around as long as rewritable firmware.
The main issue always was Dragos' inability to isolate any suspicious artifacts besides "I can't burn CDs!".
Basically his story required there to not only be firmware malware that could infect a wide variety of devices, but for said malware to somehow exist in a part of the firmware/BIOS chip which couldn't be dumped for examination. Even if such a thing existed he still could have tapped a logic analyzer onto a USB cable, plugged in some fresh hardware, and captured what the malware did.
Oh don't get me wrong - I don't think he actually found anything either. But it is interesting that the core technologies he was talking about now have proofs-of-concept.
I do not know any vulnerability researchers (Dragos, who is someone I do like, is not one of those) who give this story any credence. The closest I've seen that to happening was Robert Graham writing a blog post about how RF side channels could be used by cooperating processes to communicate --- but that's just a small detail of the whole story Dragos told.
I do know some extremely reputable researchers, people with no connection at all to the supposed events, who have very forceful arguments for how the (scant) evidence Dragos produced didn't establish anything about the existence of anything like BadBIOS.
You're probably not going to get closure on this story.
11 comments
[ 3.2 ms ] story [ 39.8 ms ] threadLiterally nothing. If something jumped an AirGap then a USBdrive, or CDrom/DVDrom, etc. was infected. In which case the system wasn't Air Gapped, it was part of a sneaker net.
Most commonly we refer to sneaker nets as Airgaps, when often their just as vulnerable as a normal network. Dirty USB sticks are an old as the hills hack at this point.
Hence 'airgapped" (not connected to the network) computers could still export private information to a botnet operator.
'Airgapped' computers without infected BIOSes could not leak information. Sneakernet computers with bad BIOSes could.
Unless you can pull off a remote code execution via microphone input, or speaker feed back. Its unlikely an air-gapped computer will be infected.
If I've got drivers running on two computers that only are in the same room, and they both have speakers and microphones, then yes, I may be able to pull this off. If one of them is connected to the outside world and the other isn't, I may be able to connect from the outside world to the unconnected computer using this acoustic method.
None of this helps me get the infection on the unconnected computer, though. For that, there has to be something else - sneakernet USBs, for example, as you mentioned.
More seriously, the "virus that jumps airgaps" was a sensationalist headline from the get-go. I just was trying to explain where the claim originated.
The main issue always was Dragos' inability to isolate any suspicious artifacts besides "I can't burn CDs!".
Basically his story required there to not only be firmware malware that could infect a wide variety of devices, but for said malware to somehow exist in a part of the firmware/BIOS chip which couldn't be dumped for examination. Even if such a thing existed he still could have tapped a logic analyzer onto a USB cable, plugged in some fresh hardware, and captured what the malware did.
I do know some extremely reputable researchers, people with no connection at all to the supposed events, who have very forceful arguments for how the (scant) evidence Dragos produced didn't establish anything about the existence of anything like BadBIOS.
You're probably not going to get closure on this story.