TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

"BadBIOS" features explained

90 points, by q_no, over 11 years ago

15 comments

fiatmoney, over 11 years ago
There are polite and impolite ways to express skepticism, and I'd encourage anyone to give Ruiu the benefit of the doubt as far as his motivations are concerned, even if you can think of an uncharitable explanation. "Here's some odd behavior I've seen and a possible explanation" is far from a hostile or irresponsible thing to say, especially when there are long histories of state-level and non-state-level bad actors engaging in behavior to warp the target's perception, relative to observers', of what's going on. [1][2]

[1] http://en.wikipedia.org/wiki/Stasi#Zersetzung

[2] http://en.wikipedia.org/wiki/Gaslighting
bitwize, over 11 years ago
> But at the same time, this is Dragos Ruiu, a well-respected researcher for 15 years. If he says he's got an infected BIOS, I'm going to believe him.

My first impression was that badBIOS was an elaborate troll on the part of Ruiu, to make the point that just taking what even a "well-respected researcher" says at face value is NOT good security practice.
sillysaurus2, over 11 years ago
Would someone please explain how the firmware dumps of the infected computer are being made?

Is it true that if you control the firmware, then you control what the dumps of that firmware will look like? The only way I can imagine getting a clean dump of that machine is by desoldering the chips and imaging them via some specialized tool. If the machine's firmware is rooted, how can you trust any signal the machine sends, especially firmware dumps? The virus could trivially hide itself by detecting that a firmware dump is in progress and sending a decoy (clean) image.
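A defender's check for the dump-trust problem raised in the comment above, added here as an example that is not part of the thread: compare a dump taken from inside the running machine with one read directly off the flash chip by an external programmer, and report the regions where they disagree. The images below are constructed stand-ins, not real firmware; the block size and all names are assumptions.

```python
import hashlib
import random

BLOCK = 4096  # compare in flash-page sized chunks (a constructed choice, not a standard)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_images(in_band: bytes, chip_off: bytes, block: int = BLOCK) -> list:
    """Return block-aligned (offset, length) ranges where the two dumps differ.
    An empty list means the in-band dump agrees byte-for-byte with the chip-off
    read; a length mismatch shows up as a range at the tail of the longer image."""
    ranges = []
    total = max(len(in_band), len(chip_off))
    start = None
    for off in range(0, total, block):
        if in_band[off:off + block] != chip_off[off:off + block]:
            if start is None:
                start = off
        elif start is not None:
            ranges.append((start, off - start))
            start = None
    if start is not None:
        ranges.append((start, total - start))
    return ranges


def analyze(in_band: bytes, chip_off: bytes) -> dict:
    """Summarise both dumps. Only the chip-off read is independent of the firmware
    under test, so a disagreement is reason to distrust the in-band dump."""
    ranges = diff_images(in_band, chip_off)
    return {
        "in_band_sha256": sha256_hex(in_band),
        "chip_off_sha256": sha256_hex(chip_off),
        "differing_ranges": ranges,
        "agree": not ranges,
    }


# Constructed sample images: a 64 KiB pseudo-random "pristine" image, and a copy
# with one flash page altered to stand in for a modification the in-band path hides.
_rng = random.Random(1234)
PRISTINE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
_tampered = bytearray(PRISTINE)
_tampered[0x8000:0x8010] = b"\xCC" * 16
TAMPERED = bytes(_tampered)
```

Run `analyze(PRISTINE, TAMPERED)` to see the scenario from the comment: the in-band dump returns the clean decoy, the chip-off read reveals the altered page at 0x8000, and the hashes no longer match.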
aryastark, over 11 years ago
The Ars Technica article is nothing short of offensive. It's an article that does not need to exist. We need to sit down and have a nice long talk about the ethics of fear mongering in the security industry, as well as the idea that a "well-respected researcher" would not only hype up his findings, but not even *reveal* his findings until a conference that *he* organizes. Talk about a conflict of interest.

I'm willing to give Dragos the benefit of the doubt here and just assume that Dan Goodin has his head so far up his ass he can't see clearly and that Dragos has no intention of misleading people.

But having these issues for 3 years? Let's just say that extraordinary evidence needs to come out fairly quickly now. Or at least a massive correction of the hype here. Surely, in 3 years, *someone else* would have discovered this thing.
websitescenes, over 11 years ago
I can't believe how presumptuous everyone is here. Let's just wait and see. The idea is completely plausible. I like to operate off of facts, and right now we just don't have them.
bashcoder, over 11 years ago
I'm just thankful that China doesn't make computer hardware.
ieatdots, over 11 years ago
> With a slightly more expensive dongle that can transmit as well as receive, your laptop can pretend to be a wifi access point or a cell phone tower...

I understand the point being explained here, but is this really accurate? I don't know of any SDR platform, let alone a "dongle", with anywhere near the capacity necessary to operate as a wifi AP.
e12e, over 11 years ago
For a summary of quite a few of the techniques mentioned in the Ars article, have a look at:

Hardware backdooring is possible - by Jonathan Brossard http://www.youtube.com/watch?v=yRpilXPv8pU

(This one is the more recent version from nullcon; it made a splash at DefCon 20 earlier.)

It's not really much of a stretch that an agency (commercial, criminal or government) that dedicated a few man-years of work could come up with something along these lines.

There's really only one-and-a-half "out there" claims: the "half" being networking via audio, the "one" being cross-platform.

It'll be interesting to see if they manage to grab a dump of the malware and we can get more eyes looking at it...
mateuszb, over 11 years ago
I encourage people to learn about the ITP port and JTAG debuggers for processors. It is easy to verify all of this with an ITP debugger in no time. I am surprised nobody did it. It is amateurish, at least for 15 years of experience. I'd expect a researcher like that to know about the hardware ITP port. How do you think BIOS or UEFI firmware are developed and debugged? The cost of the debugger is 20k USD, and you hook directly into the CPU bus and see everything from SMM mode transitions to cache events. Complete transparency, without the sci-fi claims anymore and crap publicity.

EDIT: http://en.wikipedia.org/wiki/In-target_probe
greglindahl, over 11 years ago
A mild omission in the blog posting: the BIOS continues to run after the OS boots. See: http://en.wikipedia.org/wiki/System_Management_Mode
stephengillie, over 11 years ago
How would you write an OS that would be encrypted or otherwise inaccessible to the hardware on which it's running? It would be a kind of hypervisor OS, but you might run only 1 VM so you could connect via console and maximize resources, as though it were a standard PC. Or maybe have a small server VM to help your network manage resources.

Are we looking at a future where a standard OS install is a multi-VM situation?
haberman, over 11 years ago
How could malware jump across an air gap to a clean machine, even theoretically? No uninfected machine would reflash its firmware from what it was hearing on its speaker.
Lagged2Death, over 11 years ago
I am reminded of N rays.

http://en.wikipedia.org/wiki/N-rays
AsymetricCom, over 11 years ago
#1 feature: being able to sway large portions of IT-sector opinion, with unsubstantiated fear and security threats, to be pro-internet regulation.
fantnn, over 11 years ago
Guess I'll be adding a frequency emitter in this range near my air-gapped machine.