For those of you unfamiliar with this infamous rootkit, it’s worth taking a minute and reading up on it. Now, before I immediately get discredited for suggesting BadBIOS is real, I would like to clear the air and say that no, I am not actually advocating its existence.
However, I did just find an interesting, empirical, evidence-based research paper posted in the Journal of Communications on covert acoustical mesh networks in the air. The researchers, Michael Hanspach and Michael Goetz, set out with the goal to exploit systems and networks that have been deemed security hardened by most professionals in the industry.
They did this by creating their own covert channel of communication that allowed them to circumvent system/network security polices by exploiting a means of communication previously unused by malware. They were able to prove this when they achieved mesh node communication among multiple Lenovo T400 laptops by solely using the built-in microphones and speakers.
What is really interesting about their experiment is that they wrote their own network stack based on an adaption of existing underwater acoustical communication, developed by the research department for Underwater Acoustics and Marine Geophysics. Because the existing TCP/IP stack is known for having a large amount of overhead, it was necessary to create their own communication protocol that leverages a simpler, lightweight network stack.
Once the stack was in place they used embedded digital filters to create a bandpass filter that has pass frequencies at 17Khz and 20Khz. These frequencies are just bordering the ultrasonic range, with the vast majority of us incapable of hearing them. Something that is particularly fascinating is that the researchers were even able to demonstrate a working acoustical multi-hop key logger capable of transmitting about 20bits/s at a range of almost 20 meters!
Now, I know 20bits/s isn’t exactly blazing speeds, but the fact that they are able to create an experiment capable of exfiltrating data via laptop speakers and microphones is pretty impressive. Not to mention that this proof of concept experiment renders traditional security concepts useless. Just thinking about it, how many network devices have you heard of that try to block inaudible frequency ranges? I can’t think of any, but in the same breath do I think this is cause for alarm? Absolutely not.
This malware is strictly proof of concept and the infection methods are the same as any other malware out there. The application itself still needs to be executed by a user and not to mention the laptop compatibly of this malware, which is limited to the audio drivers written by the Conexant Audio Software company and restricted even further by driver version 126.96.36.199. This confines the amount of laptops that would even be capable of being infected to just 10 specific models and one tablet. The complete list of models can be found here.
Figure: Hanspach & Goetz system architecture for covert acoustical mesh networks