badBIOS: airgap-jumping malware that may use ultrasonic networking to communicate

Wouldn’t a mineshaft gap be sufficient?

Are font files executed when Windows views the font file? Maybe there’s a buffer overflow that a font file can exploit. I thought font files are just data tables.

Now that I think about it…
early 1980s, a Commodore C64, a Radio Shack DIY acoustic coupled modem (using an old pair of headphones as mic/speaker) and my parents’ telephone (rotary dial, too) was all it took to log on to bulletin boards etc.
Worked pretty well as long as the ambient noise levels were low, i.e. unless Mum was hoovering the carpet…

“Getting old is not for sissies” - Bette Davis

That’s the system the new Furbies use to talk to each other, between 16-18 kHz.

Wow. Terminator got it all wrong; it won’t be Cyberdyne Systems that triggers the apocalypse - it’ll be Hasbro.


Actually, no, at least not with normal/traditional phone hardware. The “infinity microphone” required installing a circuit into the phone itself.


They should get a bat detector - it transposes ultrasound down into the audio range, so you can hear bat calls. I’ve heard forest recordings where the normal spectrum is quiet and peaceful, just wind in the trees, but with a bat detector it’s a mass of crazy chirps and screeches. I’m pretty sure that would make audible any frequencies a computer speaker could create (and a microphone pick up…)

“Mr. President, we must not allow a Mine Shaft Gap!”

The real problem with Roombas and Scoobas (other than the fact that you have to empty them and clean the brushes so often) isn’t the noise. It’s getting hypnotized and watching them travel for endless minutes whether you want to or not. I finally got so I wouldn’t run mine unless I was on my way out the door, lol.


heheheehhe my previous computer speakers were so bad at the high end , so much roll-off , that i actually had my hearing checked !! i am fine !! ( and running slightly better speakers ) most computer speakers roll off real bad !! ah , ehehheehehh !! and , my cheapo computer microphone , which is almost never plugged in , but is around here somewhere ~ tangled up with my old c-64 serial disk drive cables most likely , also had a verrry narrow bandpass , like old telephones , only worse !! hheheeheheeheh !! but , do be careful out here !!

Seriously, as soon as I saw this on Slashdot, I thought “Sounds like Gibson”

The funny thing about stories like this is that even if they ARE fabricated, it will likely be true not long after.

Exactly. To do a “network jump” by “ultrasonic networking” you need a protocol stack that can recognize the mike and speakers as network devices, AND similar already installed and working on the recipient box...

Uh, a spectrograph would do much better to that end.

Right. Based on his observations, Dragos believes that stack is installed directly into the motherboard flash (BIOS/UEFI) via a virus that originally comes in on a USB stick.

I can think of other explanations easily enough, and like @edthehippie I’m very skeptical of the ability of PC speakers to usefully transmit ultrasonics.

WANT! Thank you, that’s going on the solstice list.

@AliceWeir, you almost made me snort decaf.

Depends. If it’s an old school standalone phone that still has an actual mechanical switch in the cradle/hook that disconnects the line you’d have to do a black bag job and do some rewiring or plant a bug. Think ‘electric / electromechanical’ in terms of technology here, not ‘electronic’.
If the line is disconnected the only thing that would work is a radio transmitter.

Quite a lot on how this was done in Peter Wright’s autobiography:

However, with the advent of ISDN a telephone became basically something pretty much like a computer terminal in a mainframe network. Especially the multiline phone systems you find at any large office.
It is possible to reprogram the telephone unit on your desk and the central ‘switchboard’ they are connected to.
You can reprogram the system yourself - that’s what you do when you use options like blocking certain calls or re-routing them to another extension or whatever options the system offers.
All these systems have ports for (remote) maintenance. Obviously, this is meant for service operations like upgrading firmware and fixing problems.
Obviously, this can be used to hack into the system and change a few settings.
When you push a button on your phone, you don’t really use a switch that opens or closes something hardwired. You toggle parameters in the software that runs in the little computer that is your phone. The software operates the switch. It also operates whatever display your phone uses and what the display shows you.

The long and the short of all this is, yes it is possible for example to switch your phone into speakerphone mode (microphone only) without you knowing it, i.e. monitoring the room it’s in.

BTW: way back when in the Eastern Bloc countries it was standard procedure to unplug the phone from the wall socket before having a heart-to-heart.

No disparagement of Dragos Ruiu at all since he has not published yet and thus can’t really be faulted but that ARS article was definitely problematic.

RootWyrm has a thing or two to say on this. It may or may not be 100% since it’s commenting more on ARS than on Dragos. Aside from what RootWyrm has to say about the BIOS/EFI issues, the concept of using “ultrasonic networking” to do much meaningful data transfer is just laughable if you know much about either of those words.

“Ultrasonic” is defined as of or involving sound waves with a frequency above the upper limit of human hearing. Generally this would be sound above 20 kHz. Considering that “most” laptop speakers don’t go anywhere near reproducing the upper end of the audible sound spectrum, is it at all realistic to expect them to produce sound in the ultrasonic range? Built-in microphones are going to be optimized for an even smaller response range since the expectation is they will be used for the auditory range of human speech. How exactly are they going to pick up ultrasound even if a nearby laptop were able to reproduce in that range?

Data transfer by audio is not sci-fi or Three Letter Agency stuff. As others here have pointed out, that was the basis for modems in days of yore. Also as others have pointed out, acoustic coupler modems were very sensitive to noise. DSP in software now takes care of that for many things but you still run into the Shannon limit on how much data transfer you can do given your available bandwidth.

Something just isn’t kosher here.
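The speaker roll-off and Shannon-limit points above can be checked with a toy simulation. The following is an added example, not code from this thread: a binary-FSK “ultrasonic modem” using two constructed tones (18 and 19 kHz) at an assumed 48 kHz sample rate, where the speaker’s roll-off is modelled as a flat attenuation of the tones and room noise as Gaussian noise. It shows the link working at full amplitude and failing once the tones are 40 dB down, alongside the Shannon-Hartley capacity of a narrow near-ultrasonic band.

```python
import math
import random

SAMPLE_RATE = 48_000          # assumed sound-card sample rate
BAUD = 100                    # 100 symbols/s -> 480 samples per symbol
SPS = SAMPLE_RATE // BAUD
F0, F1 = 18_000, 19_000       # assumed tones; both fall on exact DFT bins

def shannon_capacity_bps(bandwidth_hz, snr_db):
    """Shannon-Hartley bound C = B * log2(1 + S/N), with S/N a power ratio."""
    return bandwidth_hz * math.log2(1 + 10 ** (snr_db / 10))

def goertzel_power(samples, freq):
    """Power in one frequency bin (Goertzel), cheaper than a full DFT."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def modulate(bits, attenuation_db):
    """One tone burst per bit; attenuation stands in for the speaker's roll-off."""
    amp = 10 ** (-attenuation_db / 20)
    out = []
    for b in bits:
        f = F1 if b else F0
        out.extend(amp * math.sin(2 * math.pi * f * n / SAMPLE_RATE)
                   for n in range(SPS))
    return out

def demodulate(samples):
    """Decide each symbol by comparing the energy at the two tone frequencies."""
    bits = []
    for i in range(0, len(samples) - SPS + 1, SPS):
        sym = samples[i:i + SPS]
        bits.append(1 if goertzel_power(sym, F1) > goertzel_power(sym, F0) else 0)
    return bits

def bit_error_rate(n_bits, attenuation_db, noise_rms, seed=1):
    """Simulate TX -> attenuating speaker -> constructed room noise -> RX; return the BER."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    rx = [x + rng.gauss(0.0, noise_rms) for x in modulate(bits, attenuation_db)]
    errors = sum(a != b for a, b in zip(bits, demodulate(rx)))
    return errors / n_bits

if __name__ == "__main__":
    print("Shannon capacity, 2 kHz band at 10 dB SNR:", round(shannon_capacity_bps(2000, 10)), "bit/s")
    print("BER with a flat speaker   :", bit_error_rate(200, 0, 0.5))
    print("BER with 40 dB of roll-off:", bit_error_rate(200, 40, 0.5))
```

Even in the clean case the bound is a few kbit/s at best; a microphone tuned for speech would cut the usable band further still.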

Uhm. No.

An office phone which is using digital signalling (either dedicated or via Ethernet) MAY have vulnerabilities, but that’s something of a special case.

Outside of that sort of system – meaning in almost any home situation except POSSIBLY a particularly fancy apartment building – a phone remains a phone.

Also: Ultrasonic communications could work only if the other machine was already compromised and running appropriate software to handle that signal. If it’s already compromised, you wouldn’t need ultrasonic. If it isn’t, ultrasonic wouldn’t do you any more good than shouting at the machine does.

It’s a cute idea, but even without questioning whether communication via audio is possible I don’t see any use for it as an infection vector.

As you say. AFAICT no one is saying an audio communication is the infection vector but rather USB memory sticks. It seems the issue of audio comms is claimed as a method of jumping the air gap.

The USB part is believable but there are ways to test this such as a USB connection testing/monitoring kit to dump the comms; until we see that we’re still in the realm of speculation.


TL;DR: Nope. If the phone network is digital, it doesn’t matter where you are.

Telephone networks are largely digital by now - hey, ISDN is 1990s technology.

They are much, much cheaper to build and maintain than analog systems. You just don’t need those big rooms stuffed with rows and rows of racks stuffed with relays anymore. A telephone used to be a microphone and a loudspeaker connected by wire to a switchboard - that is one specific board at a specific physical location. That used to be the same place where the electromagnetic counter was installed that racked up your phone bill. If all the extensions on that specific switchboard were dedicated - bad luck, no more new phone numbers. That’s why your phone number changed when you moved. BTW, ever seen ‘Pillow Talk’? The whole premise is built on the limitations of an analog phone network. All telephone conversations were analog signals transmitted over wires via electromagnetic relays, amplifiers etc. That’s why the sound on trunk calls was usually worse than on local calls.

Modern telephones are digital. They send data packages. The switchboard is a network router. The A/D / D/A conversion is done by your phone.
Your phone is constantly connected to the network. It signals to the network that the receiver is on the hook = standing by to receive calls. You lift up the receiver, it signals to the network heads up, incoming data. Which will be the number you’re dialling plus the data packages containing your voice.
Most telephones have a speakerphone option. That wouldn’t work if ‘hanging up’ would disconnect anything. Other options might be ‘Handsfree Answer Back’ i.e. you don’t pick up yourself, the phone does and goes into speakerphone mode. Or surveillance options - you phone yourself from somewhere else, enter a 4-digit PIN and the microphone activates. A lot of phones have features like that.
Easy to implement as ISDN protocols allow for that sort of thing:

(scroll to ‘ISDN Information Elements’)

The tools you need to run a telephone network - whatever the techies use to keep it up and running - are by their very nature also basic tools for surveillance. You just have to tweak them a little.

True. But most landline telephone INSTRUMENTS aren’t. To open the mike, you need to deal with the instrument; you can’t reprogram analog hardware remotely.

I stand by my statement. This IS one of my areas of expertise.