Science, technology, and all things awesome with Ian Steadman

RSS

Researchers prove PC viruses can spread via microphones

When the so-called "badBIOS" virus was found in October, transmitting itself by audio broadcasts at inaudible frequencies, it seemed incredible - and now we have proof-of-concept.

A sound proofed room used by Bell Labs, 1947. (Photo: Getty)

Researchers have proven that it’s possible to transmit computer viruses via sound, confirming a controversial suspicion reported earlier this year that malware was mutating into strange, unexpected new forms.

Three years ago Dragos Ruiu, a computer security expert, discovered that several of his computers were infected with some kind of virus - and, even weirder, they were managing to talk to each other even when their Wi-Fi and Bluetooth connections were turned off. Disconnecting the ethernet and power cables didn’t work either. He physically removed the wireless cards from the machine and it didn’t have any effect on stopping the virus.

This was baffling. I’ll let Dan Goodin at ars technica explain why:

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

In October, Ruiu settled upon a hypothesis – this malware would first get onto a computer on an infected USB stick, where it would burrow into the machine’s BIOS (that’s the fundamental program that runs directly off its hardware). It would then take over the computer’s microphone and speakers and communicate with other computers by high-frequency sounds that humans can’t hear.

That’s right – computers that, literally, speak to each other.

It was such an unbelievable idea that, at first, many other experts has assumed Ruiu had made some fundamental mistake. Ruiu himself made it clear that his research needed to be peer-reviewed, it was such an extraordinary idea. The possibility that such a virus – which he dubbed “badBIOS” – is out in the wild is a worrying one for those who rely on air gaps to keep their machines clean.

Researchers from the Fraunhofer Institute for Communication, Information Processing, and Ergonomics in Germany have now provided some proof-of-concept that the mechanism Ruiu describes is possible. Using a program originally developed for transmitting information acoustically underwater, they managed to get computers exchanging inaudible broadcasts over distances of up to 65 feet, according to their paper in the Journal of Communications.

Importantly, it wasn’t just two computers talking, but also a demonstration of “how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks”. That mesh network, where each computer talks to several others, would explain how Ruiu was unable to completely clear his lab of infected machines – each time he would wipe a machine then turn it back one, it would be infected by at least one of the remaining machines that had yet to be wiped.

The bandwidth of this method is incredibly small, only a few bits per second, which makes this a pretty useless tool for extracting large files from target machines. It would work well as a keylogger, though, noting down usernames and passwords. These could be used to give access for more traditional viruses.

It’s a fascinating find, although it still doesn't explain where on earth badBIOS came from – if it does exist – nor how it first infected Ruiu's computers. But, these days it isn’t unusual for the paranoid to stick tape across their webcam to stop hackers taking surreptitious pictures. Perhaps it may be wise to begin eyeing that uncovered microphone with equal suspicion.