USB Malware


In the world of cyber threats, evolution can be a fierce enemy, especially when threats make such a huge leap that the cyber security game ends up being changed forever. That's when evolution becomes a revolution, and every IT security professional hoping to remain standing is eventually going to be sucked in, like it or not. It's happened before (Stuxnet quickly comes to mind), and it will happen again. So when I see anything with even a glimmer of that kind of potential, I feel compelled to do whatever I can to help get it on the radar of as many security professionals as possible. And after looking into badBIOS, first brought to light by the known and respected cyber security researcher Dragos Ruiu, that glimmer of potential certainly caught my eye and bears watching.

Is badBIOS the new Bad Boy on the Block?

What makes badBIOS score so high on my potential danger scale is that it could directly undermine one of the most relied-upon methods used today for shielding critical systems and data from compromise: air gaps, the practice of physically separating systems so that there is no tangible connection which malware could use as a springboard to propagate. badBIOS is reported to circumvent that protection. Ruiu describes infected systems continuing to communicate with each other after every physical connection, including the power cord, had been unplugged and the Wi-Fi and Bluetooth hardware had been disabled or physically removed. Imagine the large-scale implications for critical infrastructure and SCADA systems that often rely on air gaps as a main line of defense. To me, it's a terrifying thought.

Fact or Fiction? Time Will Tell

For three years Ruiu has been trying to solve the mystery that has befuddled him since he first noticed that malware was being introduced to, and communicating with, systems that were not connected in any traditional way. He reported it and started his own quest to find the truth. But as often happens, most of the cyber security world just filed it away as more science fiction that's simply not possible. As the microwave oven in your kitchen and the 20th-century military supercomputer that now doubles as the phone in your pocket can attest, sometimes science fiction has a way of making the leap to science fact. And given what would be at stake in the real world we live in today, even the possibility that the claims are true should merit further scrutiny in data security circles.

That Sound You Don’t Hear Could be the Answer

So how does Ruiu think this mysterious connection is taking place? Right now all signs point to inaudible high-frequency sound: tones transmitted from the speakers of one system are picked up by the microphone of the other and decoded by the malware present on each. It's not hard to imagine digital information being moved this way. Think of the screeching howl of a dial-up modem years ago as it negotiated a connection; that howl was data encoded as tones, and the same idea works at frequencies above what most human ears can hear. The trade-off is bandwidth: ordinary speakers and microphones roll off sharply above roughly 20 kHz, so a link like this carries on the order of tens of bits per second over a few metres in published demonstrations, which is slow but still enough for commands, keys or small exfiltrated files. In a practical sense, if an attacker could get the malware onto the systems on both sides of the air gap, the two would simply talk to each other. The attacker would then only need to collect the conversation from the system connected to the outside, or inject their own messages into the connected system, which would relay them to the machine on the other side of the gap. It's so simple it's brilliant, not to mention powerful and dangerous on so many levels.
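To make the tone-based link concrete, here is an added example that is not code from the original post and not a reconstruction of badBIOS (the post describes no protocol and no sample is discussed): a minimal frequency-shift-keying modem in pure Python. The sample rate (48 kHz), the two tone frequencies (18 and 19 kHz, above most adults' hearing), the 10 ms symbol length and the Gaussian stand-in for room noise are all assumptions chosen for the illustration. The receiver uses the Goertzel algorithm to measure the energy at each tone and decides each bit by comparing the two, which is the same decision an acoustic covert channel or an old FSK modem makes.

```python
"""Near-ultrasonic FSK link: bytes carried on tones above ~17 kHz.

Added illustration, not badBIOS code. Sample rate, tone frequencies,
symbol length and the noise model are assumptions for the example.
"""
import math
import random

SAMPLE_RATE = 48000      # Hz, a common sound-card rate (assumption)
F_ZERO = 18000           # Hz tone for bit 0 (assumption)
F_ONE = 19000            # Hz tone for bit 1 (assumption)
SYMBOL_SAMPLES = 480     # 10 ms per bit => 100 bit/s raw (assumption)
PREAMBLE = b"\xAA"       # alternating 1010..., lets a receiver find symbol edges


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(data: bytes, amplitude: float = 0.5):
    """Return float samples in [-1, 1] carrying PREAMBLE + data as binary FSK."""
    samples = []
    phase = 0.0
    for bit in _bits(PREAMBLE + data):
        freq = F_ONE if bit else F_ZERO
        step = 2 * math.pi * freq / SAMPLE_RATE
        for _ in range(SYMBOL_SAMPLES):
            samples.append(amplitude * math.sin(phase))
            phase += step        # continuous phase: no clicks at symbol edges
    return samples


def goertzel_power(frame, freq):
    """Energy of one frequency bin in `frame` (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2


def demodulate(samples) -> bytes:
    """Slice the stream into symbols, pick the stronger tone per symbol,
    drop the preamble and pack the remaining bits into bytes."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        frame = samples[start:start + SYMBOL_SAMPLES]
        one = goertzel_power(frame, F_ONE)
        zero = goertzel_power(frame, F_ZERO)
        bits.append(1 if one > zero else 0)
    bits = bits[8:]                       # strip the one-byte preamble
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def add_noise(samples, sigma: float = 0.2, seed: int = 1):
    """Stand-in for room noise: zero-mean Gaussian added to every sample
    (deterministic seed so the example is repeatable)."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def roundtrip(message: bytes, sigma: float = 0.2) -> bytes:
    """Modulate, corrupt with noise, demodulate; returns the recovered bytes."""
    return demodulate(add_noise(modulate(message), sigma))


if __name__ == "__main__":
    print(roundtrip(b"air-gap?"))      # recovers b'air-gap?'
```

Because each symbol holds an integer number of cycles of both tones (180 and 190), the Goertzel bins are exact and the decision margin is large even with noise far stronger than a quiet room; a real acoustic channel has to add symbol synchronisation, a checksum and retransmission, but the modulation and detection are no more complicated than this.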

The Malware Still Needs to be Delivered

The one saving grace I see is that in some form or fashion the malware still needs to be delivered initially to the systems on both sides. For the connected system, that could come in a host of forms we are all too familiar with: emails with infected attachments, malicious sites, or what is most often the culprit when malware makes it past an air gap, USB storage devices. USB sticks have always been a favorite for this purpose. The tendency to rely on USB devices to update and/or synchronize systems on the other side of the gap is all too common, and something we have long focused on when we do network vulnerability assessments and penetration tests for clients. Thankfully, it looks like guarding against that practice may also target a main weakness of badBIOS, because the introduction of data from a USB device seems to be the one constant in the mystery. Ruiu also reports that the malware disables booting from external devices and can render USB sticks unreadable until they are reconnected to an infected system, after which they mysteriously work again; both behaviors suggest a concerted effort by the malware's designers to steer the user in the direction they want. I look forward to the next phase of his testing, where more advanced forensics will be performed on exactly what is happening at that level.
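Since USB media is the one constant in the story, the first control for an air-gapped host is to know every time removable storage is attached. The following added example (not from the original post, and unrelated to any badBIOS artifact) parses the kernel log lines that Linux's `usb` and `usb-storage` drivers emit when a device is enumerated, correlates them by USB port, and raises an alert for any mass-storage device not on an allowlist. The sample `dmesg` output is constructed for the example and the vendor/product IDs in it are illustrative; in use, the function would be fed the output of `dmesc` or `journalctl -k` on the air-gapped machine.

```python
"""Flag removable-storage attachments in Linux kernel log lines.

Added example, not part of the original post. Parses the message formats
the kernel's usb and usb-storage drivers log; SAMPLE_DMESG is constructed
and its vendor/product IDs are illustrative.
"""
import re
from dataclasses import dataclass

SAMPLE_DMESG = """\
[  512.101734] usb 1-3: new high-speed USB device number 4 using xhci_hcd
[  512.251902] usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  512.251910] usb 1-3: Product: Cruzer Blade
[  512.251913] usb 1-3: Manufacturer: SanDisk
[  512.253442] usb-storage 1-3:1.0: USB Mass Storage device detected
[  513.277120] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  640.004211] usb 1-4: new full-speed USB device number 5 using xhci_hcd
[  640.155018] usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=49.00
[  640.155024] usb 1-4: Product: USB Keyboard
[  640.201233] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:046D:C31C.0001/input/input12
"""

# One regex per kernel message we care about; `port` is the bus path (e.g. 1-3).
NEW_DEVICE = re.compile(
    r"\] usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"\] usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(
    r"\] usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
BLOCKDEV = re.compile(
    r"\] sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    mass_storage: bool = False
    block_device: str = ""


def parse_usb_events(text: str):
    """Return UsbDevice records, in order of enumeration, built from log lines."""
    by_port = {}
    order = []
    for line in text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"], m["pid"])
            by_port[m["port"]] = dev
            order.append(dev)
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].product = m["name"].strip()
            continue
        m = STORAGE.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].mass_storage = True
            continue
        m = BLOCKDEV.search(line)
        if m:
            # The sd line carries no USB port, so attribute it to the newest
            # mass-storage device that has not yet received a block device.
            for dev in reversed(order):
                if dev.mass_storage and not dev.block_device:
                    dev.block_device = m["dev"]
                    break
    return order


def removable_storage_alerts(text: str, allowlist=frozenset()):
    """Alert strings for mass-storage devices whose (vid, pid) is not allowlisted."""
    alerts = []
    for dev in parse_usb_events(text):
        if dev.mass_storage and (dev.vid, dev.pid) not in allowlist:
            alerts.append(
                f"removable storage on port {dev.port}: "
                f"{dev.product or 'unknown'} ({dev.vid}:{dev.pid}) "
                f"as /dev/{dev.block_device or '?'}")
    return alerts


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for alert in removable_storage_alerts(text):
        print(alert)
```

The keyboard in the sample enumerates as a USB device but never triggers `usb-storage`, so it produces no alert; the flash drive does. A device that presents itself as a keyboard yet types commands (a BadUSB-style attack) would pass this check, which is why an allowlist keyed on vendor and product IDs is a detection aid, not a substitute for physically controlling which media may cross the gap.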

Standing Still Only Gets You Left Behind

It will take more study and industry scrutiny before the final verdict is in on badBIOS, but if there is one point I hope to get across, it's this: malware will always continue to evolve. If you are tasked with the security of data and digital assets, one eye always has to be looking ahead. Read and consume all the information about the latest trends and developments that you can. While many new "revelations" will turn out to be nothing but smoke, they can still make you see things in a different light, and sometimes that is enough to make a connection to dangers you've never even considered before. Because, like Sherlock Holmes or Mr. Spock, depending on your generation, if you eliminate all other possibilities, whatever remains can lead you to the truth.

*Joe Caruso is the founder and CEO/CTO of Global Digital Forensics, a premier provider of cyber security solutions since the infancy of the Internet.