
Airgap-Jumping Malware May Use Ultrasonic Networking To Communicate

samzenpus posted about 6 months ago | from the protect-ya-neck dept.

Security 265

Hugh Pickens DOT Com writes "Dan Goodin writes at Ars Technica about a rootkit that seems straight out of a science-fiction thriller. According to security consultant Dragos Ruiu, one day his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused, and he also found that the machine could delete data and undo configuration changes with no prompting. Next, a computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting, and further investigation showed that multiple variants of Windows and Linux were also affected. But the story gets stranger still. Ruiu began observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped. With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on. It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping-off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either. 'It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,' says Ruiu. 'The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers.'"


265 comments

Dupe (5, Informative)

Anonymous Coward | about 6 months ago | (#45297421)

http://tech.slashdot.org/story/13/10/31/1955239/ars-cross-platform-malware-communicates-with-sound

Re:Dupe (3, Insightful)

phantomfive (622387) | about 6 months ago | (#45297443)

It even has the exact same link! What is the point of having the 'main link' put in the submission form if you're not going to check it?

Re:Dupe (1)

fustakrakich (1673220) | about 6 months ago | (#45297455)

"Hugh Pickens DOT Com writes..."

Can it be any more obvious?

Re:Dupe (0)

Anonymous Coward | about 6 months ago | (#45297735)

This H*gh P*ckens fellow seems very ugly and retarded. Can we get rid of him? Is he going to die soon?

They used to check dupe link (0)

Anonymous Coward | about 6 months ago | (#45297573)

What is the point of having the 'main link' put in the submission form if you're not going to check it?

Slashdot used to check for duped link in the submission, at least, it did, several years ago.

It used to be that you had to put at least ONE original article link to accompany the article submission.

Somehow that requirement was gone - along with the dupe-link check.

Re:Dupe (1)

richlv (778496) | about 6 months ago | (#45297523)

Wow. This is a new low. A dupe while the first one is still on the first page. Maybe it's time to downscale to weed and alcohol.

Re:Dupe (0)

Anonymous Coward | about 6 months ago | (#45297641)

Wrong...this is not a new low. Slashdot has had front-page dupes every now and then for years. This sad state of affairs is business as usual, I'm afraid.

Re:solution (1)

Bite The Pillow (3087109) | about 6 months ago | (#45297565)

Anyone who identifies a dupe can be moderated +6 awesome for 7 days.
Anyone who submits a dupe is automatically modded -1 for 7 days.
Karma bonus for both memory over a week, and reading comprehension. And fuck dice for ruining what once was mediocre.

Re:Dupe (4, Funny)

istartedi (132515) | about 6 months ago | (#45297721)

Give them a break. Somebody made a funny noise in their office and now all their machines are infected with SlashDupeW32.exe.

Re:Dupe (0)

Anonymous Coward | about 6 months ago | (#45298075)

Give them a break. Somebody made a funny noise in their office and now all their machines are infected with SlashDupeW32.exe.

Oh Noes, we've been duped.

Dupe (5, Insightful)

Anonymous Coward | about 6 months ago | (#45297433)

Is it really SO hard to get rid of dupes that are less than 24 hours old? You seriously call yourself editor if you don't even manage to get those basic things straight?

Re:Dupe (1)

Anonymous Coward | about 6 months ago | (#45297441)

This one has a much better summary for people who don't RTFA, though.

Re:Dupe (0)

Anonymous Coward | about 6 months ago | (#45297997)

Maybe the last one didn't get enough response, so they posted the story behind the link. Most seemed not to care anyway, since no one can discover with any real proof if this is a high frequency attack!! But enough is there to show it "could be possible".

Part of the problem is no one bothers to read the linked articles, and when they do they seem to shit in one hand and pray for gold in the next!!! Until this happens to them, oh wait, I forgot, no one cares!!!

Re:Dupe (1)

Anonymous Coward | about 6 months ago | (#45298159)

Evidently this story jumped the airgap in samzenpus' head.

Dupe (-1)

Anonymous Coward | about 6 months ago | (#45297449)

Can't we at least wait for the original article to fall off the front page before reposting it?

So? (5, Insightful)

Anonymous Coward | about 6 months ago | (#45297457)

Bust out an oscilloscope and a logic analyzer and start looking at these signals. It shouldn't be hard to get a waveform capture of the audio running over the speaker and the handshake between a USB device and the host.

Re:So? (1)

Anonymous Coward | about 6 months ago | (#45297593)

As long as you have a microphone that can work at those frequencies.

Re:So? (4, Insightful)

Fjandr (66656) | about 6 months ago | (#45297663)

If the internal mic and speaker on a standard laptop can be used to maintain the ultrasonic connection, I don't think this requires an ultra-hifi mic in order to capture the frequencies being used.

Re: So? (5, Interesting)

Anonymous Coward | about 6 months ago | (#45297823)

I work for a company specializing in this tech on mobile devices. It's startlingly reliable but very low bandwidth.

Check out Yamaha Infosound, Sonic Notify, and LISNR for real world uses.

Complexity, Resources and Skill. Could it be...? (4, Interesting)

Bonker (243350) | about 6 months ago | (#45297473)

A certain alphabet agency that's been in trouble for tapping all kinds of folks lately? Or are they too clueless to put together a monster like this?

1. You'd have to write a boot loader that a) loads your bare-metal-level sound and microphone driver, networking driver, sonic network protocol, and payload.

2. You'd have to write the aforementioned a) bare-metal-level sound and mic drivers. Network drivers that might as well be bare-metal, implement a sonic network protocol, and then get them to successfully transmit your payload.

3. You have to TEST this combo on many different machines.

We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.

Re:Complexity, Resources and Skill. Could it be... (5, Insightful)

jrumney (197329) | about 6 months ago | (#45297487)

We're either looking at someone who has a LOT of free time and hardware on his hands, or a 1st or 2nd world military-level dev team with LOTS of cash to spend, IMO.

You've discounted the most obvious option - an attention whore who isn't averse to making shit up.

Re:Complexity, Resources and Skill. Could it be... (0)

Anonymous Coward | about 6 months ago | (#45297939)

Or an NSA asshole that is trying to discredit those 5% of US society that have any objections to fascists in the US gov. It seems to me that today all options are possible.

That comment USED to work, before Snowden proved i (0)

Anonymous Coward | about 6 months ago | (#45298033)

That comment USED to work, before Snowden proved it all.

The conspiracy theorists were right. All bets are now off.

Re:Complexity, Resources and Skill. Could it be... (1)

retech (1228598) | about 6 months ago | (#45297493)

You can say NSA we're all adults (sic) here. Besides they have a hard time spelling so you're just as likely to not be flagged.

Re:Complexity, Resources and Skill. Could it be... (0)

Anonymous Coward | about 6 months ago | (#45297601)

Um, why did you "sic" up there? Do you know what sic means and when to use it? I know what it means and I'm confused right now.

Re:Complexity, Resources and Skill. Could it be... (-1)

retech (1228598) | about 6 months ago | (#45297685)

Because you couldn't here my clear my through when I typed the word adult in reference to the /. community.

Sorry that one went over your head.

Re:Complexity, Resources and Skill. Could it be... (4, Funny)

narcc (412956) | about 6 months ago | (#45297723)

No, you're still wrong. [wikipedia.org]

Here's how it works:

Because you couldn't here my clear my through [sic] when I typed the word adult in reference to the /. community.

See how easy that is?

Re:Complexity, Resources and Skill. Could it be... (2, Informative)

Anonymous Coward | about 6 months ago | (#45297759)

"Because you couldn't here my clear my through when I typed the word adult in reference to the /. community. "

I had to read that about 15 times before it started to make sense. I think you were trying to be sarcastic. Is that possible? English doesn't seem to be your first, or even second language, but to indicate sarcasm one uses quotes.

The latin "sic" means THIS, you use it when you are copying something verbatim but you know it is wrong.

"Sorry that one went over your head"

You might want to check your arrogant attitude and tone it down a bit. You aren't as "adult" as you think you are and could benefit from LISTENING to others and maybe LEARN something instead of looking like a complete JACKASS.

Re:Complexity, Resources and Skill. Could it be... (1)

Anonymous Coward | about 6 months ago | (#45297645)

It would be easier and cheaper to pay the manufacturers (or, if you're the Chinese doing the manufacturing, order them) to hide the basic, hardware-specific components, i.e. the network protocol in the sound card, in the chips at the point of manufacture. The virus itself need only be a command/control module that activates private API's in the hardware and stores itself in a ready-made nest that was built into the machine in the factory. That way, the hardware-specific bits can be modularized and isolated from the C&C, reducing complexity and infection difficulty.

Captcha: horror

Re:Complexity, Resources and Skill. Could it be... (1)

tibit (1762298) | about 6 months ago | (#45297915)

It really isn't as hard as it sounds. A dedicated engineer (or perhaps two, depending on how many chipsets one wishes to support) could pull it off in a year. Presumably one could leech some driver code from open-source kernels like Linux or FreeBSD.

Re:Complexity, Resources and Skill. Could it be... (1)

dbIII (701233) | about 6 months ago | (#45297737)

Or are they too clueless to put together a monster like this?

From the various leaks it appears that such a thing is technology far beyond what the NSA is capable of. After that Star Trek set thing it's starting to look like the Albanian State Washing Machine Company is far more capable in dealing with technology.

Re:Complexity, Resources and Skill. Could it be... (5, Interesting)

Khyber (864651) | about 6 months ago | (#45297827)

"You have to TEST this combo on many different machines."

I'm calling hoax as fuck on this whole thing, but for just your microphone and speakers, the majority of laptops are using RealTek. Bare metal for that shouldn't be too hard to handle, as the driverset remains the same across all AC97 models and HD models. Two compliant bare-metal drivers shouldn't be too hard to fit in. Now, transmitting over ultrasonic is a whole different beast, and to do this through a supposedly truly airgapped room via noise should be impossible, as real airgaps will easily kill those frequencies.

Re:Complexity, Resources and Skill. Could it be... (2)

tibit (1762298) | about 6 months ago | (#45297919)

An air gap merely means that no network or other data cables cross it. It doesn't mean keeping things physically away!

Re:Complexity, Resources and Skill. Could it be... (2)

tibit (1762298) | about 6 months ago | (#45297909)

For an engineer with embedded programming experience, this shouldn't be that big of a deal. The challenge isn't only in coding it up, it is also in looking up and comprehending possibly vast documentation needed to pull it off. The code, presumably, runs in system management mode [wikipedia.org] on x86 machines.

Re:Complexity, Resources and Skill. Could it be... (0)

Anonymous Coward | about 6 months ago | (#45298089)

And being so bright, he allows easy detection that something is wrong by breaking booting from a CD. Could be, but... not so likely, no.

Also, you'd need to be infected before communication would be possible. For an actual attack I would suggest malware (not the BIOS) that uses the speaker when it is prodded (this is the malware that should learn about the way it is researched) and there is no other way to communicate, and other malware (perhaps on a phone even or on other lab equipment, which may be on an unsafe network) that listens in.

Infecting everything on a BIOS level and making visible machine changes just does not make much sense. Putting malware on a machine that spits out bits as sound does.

BUNCH OF CRAP !! (0)

Anonymous Coward | about 6 months ago | (#45297507)

First, no speaker in a Mac can generate "ultrasonic" !!

Second, no mic in a Mac can capture "ultrasonic" !!

Even assuming this were possible, there is no way anything could be conveyed without massive error, so bad nothing even close to 'digital' could be had !! And no, an old-style acoustic modem is not ultrasonic and it is very isolated. Ultrasonic BEAMS like light - any deviation from the norm and it is something else !!

What a fool can make himself believe, if he doesn't know how things work !!

Re:BUNCH OF CRAP !! (1)

jrumney (197329) | about 6 months ago | (#45297539)

First, no speaker in a Mac can generate "ultrasonic" !!

Second, no mic in a Mac can capture "ultrasonic" !!

Sure they can. Maybe not very efficiently, and not far above the range of human hearing, but they are analog devices, so there is no sharp cutoff at some limit. I agree on your conclusion about the fool nonetheless.

Re:BUNCH OF CRAP !! (2, Interesting)

Anonymous Coward | about 6 months ago | (#45297893)

> Sure they can. Maybe not very efficiently, and not far above the range of human hearing, but they are analog devices, so there is no sharp cutoff at some limit.

To explain a little more: The requirement for mic/speaker on a Mac is to generate/record audio in the audible frequency range in high quality. To have high quality on the high end of that spectrum, you'll have to use a mic/speaker that will still work at yet higher frequencies (read: ultrasonic), with decreasing quality the higher you go.

So in the ultrasonic range you do have a working mic/speaker with mediocre quality. Add:
- filters to compensate for different output volume at different frequencies (sorry -- missing the technical terms here)
- detection for frequencies that should better be avoided because the signal/noise ratio is too bad
- error detection/correction on the digital side
- retransmission of lost packets ... and you have a working network link.

Re:BUNCH OF CRAP !! (1)

tibit (1762298) | about 6 months ago | (#45297931)

LOL, what a bunch of uninformed bullshit. Quality, in audio, generally means distortion. When you've got narrowband signals, typical harmonic distortion is irrelevant in transmission because the harmonics are way outside of your bandwidth. It is somewhat important in reception, since you've got leakage between frequencies, but that doesn't need much mitigation, typically. Even intermodulation and other kinds of distortion won't matter all that much. It'd take a bit of testing to determine what kind of modulation would get the best S/N ratio, but I presume that BPSK would be easy to deal with as you've got decent ability to detect signal strength to determine if your demodulator output is worth anything.

Re:BUNCH OF CRAP !! (0)

Anonymous Coward | about 6 months ago | (#45297895)

The speakers and microphones are analog, but they're behind D/A and A/D converters - which are in turn behind lowpass filters. So, there is actually a cutoff.

Re:BUNCH OF CRAP !! (1)

Bazman (4849) | about 6 months ago | (#45297933)

A neighbourhood ecologist friend of mine has a bat detector. Shall we settle this once and for all?

Re:BUNCH OF CRAP !! (3, Interesting)

jrumney (197329) | about 6 months ago | (#45298145)

Pretty sure the Mac can be set to record and playback at 48k samples per second. That gives you at least 4kHz of bandwidth above the limits of human hearing right there. With modern encodings, that's probably good for around 20kbps.
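Several comments in this thread ask for the obvious check: capture what the speaker and microphone actually carry and look at it. The block below is an added example of that check on a digital capture rather than a scope; it is not code from the thread, from Ars Technica or from Ruiu. It scans a 48 kHz recording in 100 ms frames, measures power at a handful of probe frequencies between 19 kHz and 23 kHz with a Goertzel filter (the band the comment above points at, below the 24 kHz Nyquist limit that a 48k sample rate allows), and flags frames where one probe stands 20 dB above its neighbours, which is what a narrowband carrier looks like and what broadband noise does not. The recording is a constructed signal (an audible 1 kHz tone plus noise, with a weak 21 kHz carrier switched on during some frames); the probe frequencies, frame length and threshold are my assumptions, not values from the thread.

```python
"""Flag frames of a microphone capture that carry a narrowband carrier above the
range of hearing.  Pure Python (no numpy) so it runs anywhere.  Added example;
the capture it analyses is constructed, not recorded."""
import math
import random

SAMPLE_RATE = 48_000   # Hz; a 48 kHz capture resolves content up to the 24 kHz Nyquist limit
FRAME = 4_800          # 100 ms per analysis frame -> 10 Hz bin spacing (assumption)
PROBES = (19_000, 20_000, 21_000, 22_000, 23_000)  # assumed probe bins above ~18 kHz
THRESHOLD_DB = 20.0    # assumption: a probe 20 dB above its neighbours is a carrier, not noise


def goertzel_power(frame, freq, rate=SAMPLE_RATE):
    """Power at one frequency bin (Goertzel algorithm), normalised by frame length."""
    n = len(frame)
    k = round(n * freq / rate)                     # nearest DFT bin to `freq`
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / n


def carrier_margin_db(frame, probes=PROBES):
    """Return (strongest_probe_hz, margin_db).  The margin is how far the
    strongest probe bin stands above the median of the other probe bins:
    broadband noise gives a few dB, a narrowband carrier gives a large margin."""
    powers = {f: goertzel_power(frame, f) for f in probes}
    best = max(powers, key=powers.get)
    others = sorted(p for f, p in powers.items() if f != best)
    floor = others[len(others) // 2] + 1e-12       # median of the rest, guarded against zero
    return best, 10.0 * math.log10(powers[best] / floor + 1e-12)


def flag_frames(samples, frame=FRAME, threshold_db=THRESHOLD_DB):
    """Split a capture into frames; return [(frame_index, probe_hz, margin_db)]
    for every frame whose strongest ultrasonic probe exceeds the threshold."""
    hits = []
    for i in range(len(samples) // frame):
        chunk = samples[i * frame:(i + 1) * frame]
        probe, margin = carrier_margin_db(chunk)
        if margin >= threshold_db:
            hits.append((i, probe, round(margin, 1)))
    return hits


def constructed_capture(seed=1234, frames=20, bursts=(range(5, 10), range(14, 17))):
    """Constructed 2 s 'microphone capture' (not a real recording): a 1 kHz
    audible tone plus white noise, with a weak 21 kHz carrier present only in
    the frames listed in `bursts`, imitating an intermittent link."""
    rng = random.Random(seed)
    active = {i for r in bursts for i in r}
    out = []
    for n in range(frames * FRAME):
        t = n / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 1_000 * t) + rng.gauss(0.0, 0.01)
        if n // FRAME in active:
            x += 0.05 * math.sin(2 * math.pi * 21_000 * t)   # 20 dB below the audible tone
        out.append(x)
    return out


if __name__ == "__main__":
    for index, probe, margin in flag_frames(constructed_capture()):
        print("frame %2d: carrier near %d Hz, %.1f dB above neighbouring bins" % (index, probe, margin))
```

On a real capture, replace `constructed_capture()` with samples decoded from a WAV file recorded at 48 kHz (for example via the standard library's `wave` module). A flagged frame is a starting point for a scope or spectrum analyser and for correlating with the "packets" the forensic tools report; it is not, on its own, proof of a link.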

Re:BUNCH OF CRAP !! (0)

Anonymous Coward | about 6 months ago | (#45297781)

Why is this modded down? He (or she!) is right. It amazes me that a supposedly technical site like /. endorses some rather simplistic and ignorant pseudo-intellectual crap so easily. This is also seen in 3D printing stories and private space fantasies.

Re: BUNCH OF CRAP !! (2, Interesting)

Anonymous Coward | about 6 months ago | (#45297849)

Hey buddy, it's real. The bandwidth of this type of communication is low but the hardware will do it. The startup I work for is focused on transmitting data through high frequency audio and we're not the only ones.

Case studies include Yamaha Infosound, Sonic Notify, and LISNR.

The only reason I'd doubt this story is because the bandwidth is less than 300 bits per second in most implementations I've seen.

What a load of complete rubbish! (5, Insightful)

thesupraman (179040) | about 6 months ago | (#45297511)

What is being 'proposed' is NOT anything infecting through the speaker/microphone, but a pre-existing infection (that was probably USB based) then communication through these methods - a VERY VERY different thing.

The hype and BS layers need to be peeled off this.

There is no possible infection vector via microphone/speaker, or via power cord as semi-implied (unless you had a powerline modem..), it is simply a way to get data out of the airgapped but INFECTED machine to others that may not be airgapped.

The 'solution' here is simple, remove the infection! there is more to security than just network airgapping!

Time to go back to security 101.

Re:What a load of complete rubbish! (-1)

Anonymous Coward | about 6 months ago | (#45297577)

There is no possible infection vector via microphone/speaker, or via power cord as semi-implied.....

Here we go again.... Another idiot who refuses to pay attention to detail and thinks the OP is about ultrasonic vectors.

Re:What a load of complete rubbish! (3, Informative)

Impy the Impiuos Imp (442658) | about 6 months ago | (#45297727)

He's clarifying what the OP seems to suggest -- that infection might be happening through the speaker. A detailed read shows they think this is rootkits using USB for the initial infection, then burrowing into various hardware such that reflashing the BIOS, replacing the HD, and reloading Windows off a known CD isn't enough -- the stuff burrowed into PCI or other hardware re-infects the BIOS. The exact role of the speaker ultrasonic data is not yet known, but it also sounds like he's suggesting some communication aiding in the re-takeover of the airgapped machine.

Perhaps the little stub in the PCI controller or whatever doesn't have enough room to store infectors for everything else, so downloads it via audio from another machine.

Re:What a load of complete rubbish! (0)

Anonymous Coward | about 6 months ago | (#45297599)

There is a possible attack vector over sound: if there is a bug in the sound driver or the sound server above it (on input), find it, exploit it. Broadcast some sound that may trigger a reaction on the target machine, and you may trigger a zero-day-like attack. I don't believe it's likely to happen, but who knows? I just don't rule out the possibility.

Re:What a load of complete rubbish! (0)

Anonymous Coward | about 6 months ago | (#45297897)

I suppose it depends on what software has access to the mic. If the mic is enabled, then it's a certainty that something is listening - whether it be a driver or chat program, I guess it's a matter of overflowing the buffer on that software if possible. If you could overwrite script files or batch files etc. from the overflow, then you're in.

Disclaimer: Not a hacker/cracker. Please discredit.

Re:What a load of complete rubbish! (0)

Anonymous Coward | about 6 months ago | (#45297717)

Also, any mic and speaker system made for domestic use is tuned for human frequencies (20 Hz to 20 kHz)... you can't send or receive ultrasonic signals with them, that's total BS.

Re:What a load of complete rubbish! (0)

Anonymous Coward | about 6 months ago | (#45297825)

Actually, it's been shown over and over that you can. Mics and speakers aren't "tuned."

Re:What a load of complete rubbish! (2)

tibit (1762298) | about 6 months ago | (#45297943)

It doesn't work that way. Just because you get decent performance up to 20kHz doesn't mean that suddenly and abruptly the sensitivity drops off a cliff right above 20kHz. Remember: sharp filters are expensive, you won't get one by accident.

Re:What a load of complete rubbish! (0)

Anonymous Coward | about 6 months ago | (#45298025)

You don't get decent performance in a laptop speaker up to 20 kHz. It is more like decent up to 11k and rolls off gradually from there (taking into consideration variances between manufacturers). There is no way a crappy speaker is sending ultrasonic signals reliably enough to be used as a communication link.

Re:What a load of complete rubbish! (5, Interesting)

cnettel (836611) | about 6 months ago | (#45298059)

It all depends on what timespan you have. All you need to do is to emit sounds that are quite inaudible or at least indistinguishable from high frequency noise that we have been trained to accept (PWM noise from LCD brightness control etc). If you have plenty of time, you can reduce your bitrate heavily in the handshaking step, basically looking for just a few bits of signature in a very wide span of frequencies and encodings. When you have a basic channel, you can tell your counterpart what SNR you are getting and successively tune the channel.

You would never want this for regular networking with any kind of latency demands. If you are rather just trying to get a specific updated payload across at some point, with any number of retransmissions, then I find it quite believable.

Re: What a load of complete rubbish! (0)

Anonymous Coward | about 6 months ago | (#45297745)

> a preexisting infection

On a Mac Book Air?? Panicking, running, screaming back to the tinfoil bunker.

Re:What a load of complete rubbish! (4, Interesting)

rtb61 (674572) | about 6 months ago | (#45297929)

You can also add a pre-existing infection in hardware into the mix. The extra electronic component fitted into the hardware at the manufacturers that doesn't do what you expect it to do but rather simply carries a payload that it uploads into the system. You can fit an awful lot of data into a pretty small easily concealable chip but you would want to maintain some pretty surreptitious communication methods to hide the presence of that chip. The best place by far to do this stuff is always going to be at the manufacturers.

In that case, the best place for security is at the manufacturers, so essential infrastructure, local audited manufacture on all hardware otherwise you are just guessing whether it is secure or not. Hell, the chip could be embedded within a layer actually inside the motherboard completely invisible, picking up connections as they go through the mother board. Once you can insert and or substitute stuff inside the manufacturers with the use of secret do not tell warrants under threat of treason, anything at all is possible.

wtf (0)

Anonymous Coward | about 6 months ago | (#45297527)

Apparently /. really wants us to believe this bullshit story.

Re:wtf (0)

Anonymous Coward | about 6 months ago | (#45297951)

Hopefully someone with half a brain will volunteer to hook a microphone up to an oscilloscope to see if the claim being made is true.

I'd like to believe that would have happened before going public but making extraordinary claims on the internet is much more fun, isn't it?

You Are Five Months Early (2, Insightful)

Anonymous Coward | about 6 months ago | (#45297551)

April Fools Day is five months away. Come back and repost this then.

Re:You Are Five Months Early (2)

Impy the Impiuos Imp (442658) | about 6 months ago | (#45297741)

Nope. It's perfectly posted on Halloween. I read this just as Jamie Lee was stabbing Michael Meyers with a hanger pokie, but this story had already raised about 80% of the hair on the back of my neck.

Huh? (2)

Black Parrot (19622) | about 6 months ago | (#45297557)

Where, exactly, were these "packets" flowing when the networking cards were removed?

Are they UDP or TCP?

How long does it take you to download a movie over your speaker?

Re:Huh? (0)

AHuxley (892839) | about 6 months ago | (#45297655)

One computer is infected networked or was networked, the other is the infected ready target computer never on any network.
Sound becomes your update modem between two computers you control but one is no longer on any network.
This is a great way to get to the secure 'air gapped' computer that is used to usb drive a lot of data/software to a clean network computer.
You can infect and *update* the safe computer via the networked one. You can outpace any AV daily cleaning on both computers.
The burst of data would only need to be in the few megabytes. A very selective keylogger could send the few password strings back up from the non networked computer to the networked computer and a distant server.
What's a few packets more when surfing on a 'clean' computer already infected?
It's not about the amount of data, it's just enough passwords in plain text to make any encryption junk.
The hard part is getting both computers infected and set up. After that it would be just staying hidden and off and behaviour detecting AV products.
Not a great challenge on a few consumer OS brands. Some smart ethernet packet sniffing might show the control link or data upload if not carefully crafted.

Re:Huh? (0)

Anonymous Coward | about 6 months ago | (#45297659)

The operating system still has a network stack when there are no network cards. (loop-back etc.) Most likely a modified sound driver acted as a software modem, interfacing to the OS network stack like any other network card driver.

Re:Huh? (0)

Anonymous Coward | about 6 months ago | (#45297667)

Good question: how does the packet analyzer know that packets are flowing, if it doesn't know what interface they're flowing through (i.e. a hidden /dev/soundcardnet)? Would diabolical geniuses be able to hide an interface that completely, yet not somehow rig the packet in and out counts?

Re:Huh? (1)

Jeremi (14640) | about 6 months ago | (#45297793)

How long does it take you to download a movie over your speaker?

Assuming a movie is 2GB and the data can be transferred at phone-modem speeds (say 57kb/sec), about 3 days.

Of course, nobody was suggesting transmitting a movie via sound waves; malware (and/or the data it wants to exfiltrate) would be much smaller than that.

Alright (0)

Anonymous Coward | about 6 months ago | (#45297579)

Here's a question, if someone goes to such an extent to create cryptic malware, why give away its presence so trivially by disabling functionality in the OS? If your software runs at such an elevated level (above ring 0 that is), you can just spoof whatever the user gets to see.

Re:Alright (1)

AHuxley (892839) | about 6 months ago | (#45297715)

You need both computers infected. The air gap computer may never get on a network or infected usb again so you try and really keep your code in the computers safe.
The networked computer is easy. The non networked computer needs to be listening for new data/code and to send small amounts of data back out.
The amount of application data needed to sniff passwords, hide the passwords, get them ready to send, the sound sending software and hide from new AV detect might not leave much room for better spoof options.
Hope the user just blames a faulty consumer grade motherboard and reboots as normal vowing never to buy that brand again?
Also the skill set needed to spoof whatever the user sees might get too cute and give the creators origins away. You go from any very skilled global coder to *some* state sponsor. Better to keep the target guessing.

Doctor Diagoras (0)

Anonymous Coward | about 6 months ago | (#45297583)

He should have investigated if he wasn't himself used as a medium of transmission. See the short story Doctor Diagoras in Memoirs of a Space Traveler: Further Reminiscences of Ijon Tichy by Stanisław Lem.

Re:Doctor Diagoras (2)

Black Parrot (19622) | about 6 months ago | (#45297605)

I think it's transmitted by LSD. My computer stopped doing that kind of stuff as soon as I stopped taking it.

May be an attack via the network controller. (5, Informative)

Animats (122034) | about 6 months ago | (#45297597)

I read the original article, but I don't see any part where someone recorded what was going out the speaker and looked at it. If someone is sending data over audio, it will show on a scope. Clearly that's not going to do much unless the receiving side has some kind of modem code listening for it.

Then there are claims like "It seemed to send TLS encrypted commands in the HostOptions field of DHCP packets." Attacking via DHCP packets is plausible; DHCP clients get told a lot of things they're supposed to do, and some of the older vendor-specific extensions are very insecure. But TLS? TLS isn't used within the DHCP protocol itself. There's a way to store DHCP configuration info in an LDAP server and have a DHCP server access it via LDAP.

If someone is seeing strange DHCP packets, and reloading the BIOS won't help, it's possible that what's going on involves an attack via the network controller. The fancier network controller parts now have CPUs and EEPROM [intel.com]. This may be an attack which puts code in the network controller which in turn patches the BIOS.

The people studying this need to list exactly what network ICs the machines involved are using. Some network devices are too dumb to be used as an attack vector, but some have whole protocol stacks, WiFi support, remote administration support, etc. It would not be surprising if those were attackable.

I've expected attacks via network controllers [slashdot.org] for years. That's been used to attack servers. [slashdot.org] There's a known attack on PCI controllers [oracle.com] which can survive rebooting and reloading the BIOS.

If the machine has wireless networking hardware and the attack exploits the network controller, it may be able to do wireless networking even if the user thinks they have the hardware disabled. Time to open up the machine, clip onto the JTAG port on the network controller, and read out the device memory with a JTAG debugger. Compare the dumps with other machines.
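The DHCP carrier Animats discusses above (and the "HostOptions" claim he quotes from the original article) is unverified here; the practical question for a defender is simply what is actually sitting in the options field of the DHCP traffic on the segment. As an added example, not code from Ars, Ruiu or anyone in this thread, the Python below parses the RFC 2132 options of a DHCP message and reports payloads that are opaque (vendor-specific option 43 or the site-specific 224..254 range), non-printable where text is expected, or close to the maximum possible entropy for their length. The packet bytes are constructed for the example, and the option sets, entropy ratio and minimum length are my assumptions about what is worth reporting, not anything the thread establishes.

```python
import math
from collections import Counter

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie that precedes the options field
TEXT_OPTIONS = {12, 15, 17, 40, 66, 67}       # host name, domain name, root path, NIS domain, TFTP server, bootfile
OPAQUE_OPTIONS = {43} | set(range(224, 255))  # vendor-specific (43) and site-specific codes: assumed worth reporting
ENTROPY_RATIO = 0.9                           # assumed: flag payloads within 10% of the maximum possible entropy
MIN_LEN = 16                                  # assumed: ignore short payloads, whose entropy is not meaningful


def build_dhcp_packet(options):
    """Build a minimal BOOTREQUEST: 236-byte fixed header, cookie, TLV options, END (constructed sample)."""
    header = bytearray(236)
    header[0] = 1                                  # op = BOOTREQUEST
    header[1] = 1                                  # htype = Ethernet
    header[2] = 6                                  # hlen
    header[4:8] = b"\xde\xad\xbe\xef"              # xid (constructed)
    header[28:34] = bytes.fromhex("001122334455")  # chaddr (constructed)
    body = bytearray()
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body.append(255)                               # END option
    return bytes(header) + MAGIC_COOKIE + bytes(body)


def parse_dhcp_options(packet):
    """Return [(code, value), ...] from the options field; raise ValueError on a malformed message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    opts = []
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:          # PAD: single byte, no length
            i += 1
            continue
        if code == 255:        # END: stop parsing, ignore any trailing bytes
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        opts.append((code, bytes(value)))
        i += 2 + length
    return opts


def shannon_entropy(data):
    """Bits per byte of the payload; 0.0 for an empty payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_options(packet):
    """Heuristic triage of one DHCP message: which options look like a covert data carrier."""
    findings = []
    for code, value in parse_dhcp_options(packet):
        reasons = []
        if code in OPAQUE_OPTIONS:
            reasons.append("vendor- or site-specific option")
        if code in TEXT_OPTIONS and any(b < 0x20 or b > 0x7E for b in value):
            reasons.append("non-printable bytes in a text option")
        if len(value) >= MIN_LEN:
            h = shannon_entropy(value)
            ceiling = math.log2(min(256, len(value)))   # highest entropy a payload of this length can have
            if h >= ENTROPY_RATIO * ceiling:
                reasons.append(f"high entropy ({h:.2f} of {ceiling:.2f} bits/byte possible)")
        if reasons:
            findings.append({"option": code, "length": len(value), "reasons": reasons})
    return findings


# Constructed samples: an ordinary DHCPDISCOVER, and the same message carrying a 32-byte blob
# in a site-specific option. The blob is 32 distinct byte values, standing in for an encrypted payload.
BENIGN = build_dhcp_packet([
    (53, b"\x01"),            # DHCP message type: DISCOVER
    (12, b"laptop-01"),       # host name
    (55, b"\x01\x03\x06"),    # parameter request list: subnet mask, router, DNS
])
BLOB = bytes(range(0, 256, 8))
SUSPECT = build_dhcp_packet([
    (53, b"\x01"),
    (12, b"laptop-01"),
    (224, BLOB),
])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, suspicious_options(pkt))
```

Run against real captures by feeding `suspicious_options` the UDP payload of each packet to or from port 67/68; the entropy test alone will also trip on legitimately random fields (a client identifier built from a UUID, for instance), so treat the output as a triage list rather than a verdict.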

Re:May be an attack via the network controller. (2)

dbIII (701233) | about 6 months ago | (#45297769)

I read the original article, but I don't see any part where someone recorded what was going out the speaker and looked at it.

Now that is somewhat embarrassing and puts this entire issue somewhere below the level of a high school project.

DMA (1)

dfsmith (960400) | about 6 months ago | (#45297697)

With most sound chips attached directly to the PCI(e) bus, it's not out of the question to initiate a DMA into memory before the bootloader can start. Gives you a very nice pre-BIOS vector.

Re:DMA (1)

Anonymous Coward | about 6 months ago | (#45297857)

Wow, you really didn't read the article and have no idea what you are talking about.

You were all warned about this malware for years (4, Interesting)

Anonymous Coward | about 6 months ago | (#45297755)

But people just beat their chest and ridiculed the people posting, locking and shuffling threads or in some cases on commercial antivirus forums, deleting threads and moving them to hidden sections or trashed them altogether.

I believe this is a huge conspiracy which has been going on for years. People in malware forums have been shouting from the rooftops about this but no one wanted to listen.

What you overlooked and should have read:

1. Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
http://anonymous.livelyblog.com/2012/10/05/nobody-seems-to-notice-and-nobody-seems-to-care-government-stealth-malware/ [livelyblog.com]

2. Spy agency ASIO are hacking into personal computers
http://anonymous.livelyblog.com/2013/01/13/spy-agency-asio-are-hacking-into-personal-computers/ [livelyblog.com]

3. Will security firms detect police spyware?
http://anonymous.livelyblog.com/2013/09/17/will-security-firms-detect-police-spyware/ [livelyblog.com]

And several PDF files on blackhat pages, forums, and conferences.

These attacks against non-networked computers run deep - some changes are so subtle and appear to blend into normal black-box Windows activities that people overlook them. Read article #1, which includes the sad state of malware detection on *nix.

When you Google enough for firmware, PCI, AGP, BIOS, sound card malware, SDR, FRS, and why some distros autoload the ax25, rose, and netrom modules by default (including TAILS, check it for yourself with lsmod), it is quite unusual. Why would a distribution like TAILS need hamradio modules? They're in there, too, in addition to the ax25, rose, netrom modules. Batman mesh networking is included in TAILS too.

People repeat the same mantra: the only safe computer is a non-networked computer. This is a lie. The truth is, an entirely shielded TEMPEST room with no network connections and shielding down to every piece of the computer is the best test environment, but who is going to take such precautions? Is the shielded computer in the shielded room bound for other locations outside of this safe room?

Wikileaks have released Spy Files, listing many companies developing malware to root your box beyond detection often aimed at Governments and Military sources. These secret communications are no secret, and some have been detected via FRS, but that's only one source out of many.

It's definitely possible... (3, Interesting)

CODiNE (27417) | about 6 months ago | (#45297789)

As the Ars article points out, the individual pieces needed to do all this have already been proven over the years.

Here's why it makes even more sense to me.

A military minded person cannot allow threats to exist anywhere. If anyone anywhere has a weapon that they don't, they must immediately take steps to duplicate it, and defend against it.

Now take that mindset, combine it with a large team of military hackers. Now every single exploit ever publicly disclosed becomes a checkbox on a list somewhere. As a recent Snowden leak story showed, 0-day vulnerabilities have been purchased by the government. We can be sure they run the largest honeypot networks in existence and immediately dissect every new worm, root kit and exploit that touches them.

Every theoretical exploit must be tested for feasibility, turned into a proof-of-concept and then packaged as a tool.

And all that $$ and hacker power is under the command of someone who wants turnkey solutions and "kill switches" for everything.

So it's definitely possible that such tools exist. But why would he be a target? I dunno, maybe someone wants advance notice on what the presenters at upcoming security conferences might be talking about so they can Barnaby Jack them?

Sometimes people will claim something they strongly believe already exists in order to motivate people to look for it and find their proof. Sometimes they get lucky and proof is found, other times they get exposed for it. I hope he's wrong, I really want him to be wrong, but part of me believes it's real because it's definitely possible. After all, if it's just a few years out, then "they" have had it for a decade or more.

communication versus infection (5, Informative)

dutchwhizzman (817898) | about 6 months ago | (#45297801)

These machines do two things:

1. They try to infect other machines. They seem to use several methods for this. One is infecting USB sticks and other media. They have been observed abusing an old windows exploit that uses true type fonts as the vector for that.

2. They are trying to communicate with other infected machines. They use some rather inventive carriers for that it seems. One of these appears to be sound. How it works isn't published yet. Another seems to be to use out-of-band communication by putting data inside host-option packets in DHCP. It's obvious that the malware uses such side channels to avoid detection. The OOB communication is done purely to keep in touch with "the swarm" and is not used to infect other machines.

The real nastiness appears to be that this malware is able to infect multiple operating systems that are usually passed by malware manufacturers and also happens to be able to nest itself on the eeprom of infected machines. Both are more or less "a first" and the combination hasn't been seen in the wild either.

Right now, there's a lot of discovery being done and a lot of speculation taking place as to who made it, what it can do, how it gets itself in eeprom and prevents itself from being overwritten during reflashing of the BIOS. It's not known if the virus will attempt to infect virtual machines, or will only infect machines that will let it nest in its BIOS. Also, anything malicious apart from infecting and communicating hasn't been observed. For all we know, it may be a true worm that does nothing but replicate and is an out-of-control experiment.

So far, no infections appear to have been seen on virtual machines, or machines that don't have an intel chipset. I haven't seen any linux infected machines mentioned, but don't hold your breath on that, if *BSD and OSX have been infected, Linux may very well be infected too. Windows is infected for certain, but what versions are exactly vulnerable isn't clear to me at this time.

Thus far, the only thing that can be advised to prevent infection is the usual: don't trust content/media from sources that could be spreading infections, knowingly or not, and keep your system up to date. If applicable, set your BIOS read-only with hardware switches or jumpers and, if at all possible, put passwords on BIOSes and put software blocks on updates as well. To this date it's not known if and what software blocks will prevent the malware, but it's best to give it as few attack surfaces as possible.

Hmm (0)

Anonymous Coward | about 6 months ago | (#45297837)

Why go to such lengths to make the malware difficult to detect when you're going to disable features inside the OS making it obvious malware is present?

God damn it. (0)

RightSaidFred99 (874576) | about 6 months ago | (#45297851)

This is just fucking stupid. Why would anyone post this drivel? If you didn't realize this was just risible, abject fucking dipshittery after reading about 2 sentences of this god damn idiocy then you should not work anywhere in the field of computing.

This actually makes me angry. Unaccountable nerd rage.

Did he bother to check for actual sounds? (5, Insightful)

LaughingRadish (2694765) | about 6 months ago | (#45297853)

I haven't yet seen mention of someone setting up microphones sensitive to ultrasonic frequencies to check to see what, if any, odd sounds are being made by the computers. A lot of extraordinary claims are being made and I just don't see the requisite extraordinary evidence.

Re:Did he bother to check for actual sounds? (1)

wonkey_monkey (2592601) | about 6 months ago | (#45298103)

I doubt you'd even need a special mic - obviously (allegedly) the receiving computer can record the sound.

Re:Did he bother to check for actual sounds? (1)

gweihir (88907) | about 6 months ago | (#45298125)

Quite frankly, I see basically no evidence at all. Also, measuring ultra-sonics is easy: Just get an ultrasonic microphone (basically a 5 USD/EUR microphone with a higher-than-normal frequency range) and hook it up to a cheap digital oscilloscope. You will even see spread-spectrum signals that way immediately. And you can do even better: Connect the oscilloscope directly to the speaker input lines. There are obvious other problems, for example that nobody going to so much trouble will be as careless as to make an infection obvious (not booting, "packets seen sent" - whatever that may mean), exceedingly bad bandwidth, and a complete impossibility to attack a system through this channel.

This thing sounds completely bogus to me, but apparently has the right mix of technology, magic, conspiracy-theory to sound credible to a lot of semi-competent people. My guess would be some con-artist with a bit of technological background looking for press exposure.

Re:Did he bother to check for actual sounds? (1)

knsomething (3414495) | about 6 months ago | (#45298157)

It doesn't take special hardware. Several companies use this tech. See Yamaha Infosound, Sonic Notify, and LISNR.

This has always been known... (3, Funny)

GrpA (691294) | about 6 months ago | (#45297937)

Why do you think network security engineers always have headphones on? They're not listening to music, they're packet-sniffing.

GrpA

BadBios and Airgap (0)

Anonymous Coward | about 6 months ago | (#45298085)

Considering the formal aspects of the content above and below, this threat already has a speculative quality of almost e p i c proportion .......

Sounds like nonsense once you look at details (1)

gweihir (88907) | about 6 months ago | (#45298101)

While ultra-sonic communication seems plausible at first, it fails to take into account that the audio-system is not up to it. For one thing, most microphones are of the ElCheapo variant, and cannot handle signals above the highest frequencies humans can hear in any meaningful way. For another, the typical, sane audio-design has cutoff-filters that prevent ultra-sonics from being processed. Then, the speakers are pretty unsuitable for generating ultra-sonics. All this leads to very, very bad signal transmission capabilities with very, very low bandwidth.

On the other hand, no "packets" sent are visible anywhere when using a channel not known to the OS, and this one is certainly not known to the OS as a data-transmission channel. And ultra-sonics are easy to measure: Just get an ultra-sonics sensor (basically a microphone with a different than normal frequency range) and hook it up to a cheap digital oscilloscope. The signals will be very, very obvious. That this test has not been done indicates the possible/likely fraudulent nature of this story.

The article also seems to suggest that infections can come in that way, which is complete nonsense. Audio-input channels can take _any_ audio signal without buffer overflow or the like and turning an audio signal into code would require advanced demodulation software which is just not available on the target before infection.

I think somebody is looking for some cheap press-exposure and people are (as usual) too gullible to see the obvious large implausibilities and gaps in the explanation given.
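LaughingRadish, wonkey_monkey and gweihir (both posts above) all make the same point: before arguing about whether a laptop can carry data above 18 kHz, record the audio and look at the spectrum. As an added example, not code from anyone in this thread or from the original article, the Python below does that in pure standard library: it loads a 16-bit mono PCM capture (or, for the test, a constructed window of samples), applies a Hann window, runs a radix-2 FFT, and reports the peak frequency above an ultrasonic floor together with the fraction of non-DC spectral power that sits above it. The 18 kHz floor, the 0.1% flag threshold and the synthesised 1 kHz / 19.5 kHz test signals are my assumptions for the example, and the capture must actually be sampled at 44.1 kHz or more, since a lower rate cannot even represent the band in question.

```python
import cmath
import math
import wave

ULTRASONIC_FLOOR_HZ = 18000.0   # assumed: everything above this counts as "ultrasonic" for a laptop audio path
FLAG_FRACTION = 1e-3            # assumed: flag if more than 0.1% of non-DC spectral power lies above the floor


def _fft(x):
    """Recursive radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = _fft(x[0::2]), _fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def hann(n):
    """Hann window, used so leakage from loud audible tones does not smear into the ultrasonic band."""
    return [0.5 - 0.5 * math.cos(2 * math.pi * i / n) for i in range(n)]


def analyze_samples(samples, rate):
    """Spectral check of one window of float samples in [-1, 1] captured at `rate` Hz."""
    n = len(samples)
    if n < 2 or n & (n - 1):
        raise ValueError("sample count must be a power of two")
    w = hann(n)
    spectrum = _fft([s * w[i] for i, s in enumerate(samples)])
    power = [abs(c) ** 2 for c in spectrum[1:n // 2]]   # bins 1 .. n/2-1 (DC and Nyquist dropped)
    bin_hz = rate / n
    first_ultra = math.ceil(ULTRASONIC_FLOOR_HZ / bin_hz)
    result = {"bin_hz": bin_hz, "peak_hz": None, "ultrasonic_fraction": 0.0, "flag": False}
    if first_ultra >= n // 2:
        # Nyquist is below the floor: a 22 kHz or 32 kHz capture simply cannot show this band.
        return result
    total = sum(power)
    ultra = power[first_ultra - 1:]                     # power[j] is bin j+1
    if total > 0:
        peak = first_ultra + max(range(len(ultra)), key=ultra.__getitem__)
        result["peak_hz"] = peak * bin_hz
        result["ultrasonic_fraction"] = sum(ultra) / total
        result["flag"] = result["ultrasonic_fraction"] > FLAG_FRACTION
    return result


def load_wav(path, n=4096):
    """Read the first n frames of a 16-bit mono PCM WAV (assumed capture format) as floats."""
    with wave.open(path, "rb") as wf:
        if wf.getsampwidth() != 2 or wf.getnchannels() != 1:
            raise ValueError("expected 16-bit mono PCM")
        raw = wf.readframes(n)
        rate = wf.getframerate()
    samples = [int.from_bytes(raw[i:i + 2], "little", signed=True) / 32768.0
               for i in range(0, len(raw) - 1, 2)]
    return samples, rate


def synth(rate, n, tones):
    """Constructed test signal: a sum of sine tones given as (frequency_hz, amplitude)."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones) for i in range(n)]


RATE, N = 48000, 4096                                     # 48 kHz capture, 11.7 Hz bins
CONTROL = synth(RATE, N, [(1000.0, 0.8)])                 # constructed: audible tone only
BEACON = synth(RATE, N, [(1000.0, 0.8), (19500.0, 0.1)])  # constructed: same plus a quiet 19.5 kHz carrier

if __name__ == "__main__":
    for name, sig in (("control", CONTROL), ("beacon", BEACON)):
        print(name, analyze_samples(sig, RATE))
```

For a real check, record from the suspect machine's own line-in or mic (as wonkey_monkey notes, it is the alleged receiver, so its hardware must be able to hear the signal) at 48 kHz or 96 kHz, then call `analyze_samples(*load_wav("capture.wav"))` on successive windows. A clean room should give a fraction near zero; a genuine modulated carrier shows up as a persistent, narrow peak above the floor, and its absence across many windows is as informative as its presence.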
