Friday, November 1, 2013

BIOS rootkit that communicates via ultrasonic sound

This is scary, worthy of Halloween:
Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

...

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.
A good rule of thumb: be suspicious if you see IPv6 traffic leaving a computer that is supposed to have IPv6 disabled, and doubly so if the payload is encrypted. If you're remotely interested in security, you should read this. It's quite a good writeup, and shows just how bad things have become.
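
As an added example (not part of this post or of the Ars Technica article it quotes), here is a small Python check that applies that rule of thumb to tcpdump-style frames: it flags native IPv6 frames, IPv4 frames that carry an encapsulated IPv6 packet (6in4/6to4, IP protocol 41) and Teredo (UDP 3544) coming from any host that an asset inventory says should have IPv6 disabled. The capture lines, MAC addresses, hostnames and inventory are all constructed for the illustration; the line layout follows `tcpdump -e -nn` but nothing here was captured from a real network.

```python
import re

# Constructed sample capture, laid out like `tcpdump -e -nn` output.
# Hosts, MACs and addresses are made up for this example.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:11:22:33:44:01 > 00:11:22:33:44:02, ethertype IPv4 (0x0800), length 74: 10.0.0.1.51000 > 10.0.0.2.443: Flags [S]
10:00:01.000500 00:11:22:33:44:02 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::211:22ff:fe33:4402 > ff02::1: ICMP6, router advertisement
10:00:02.000000 00:11:22:33:44:03 > 00:11:22:33:44:ff, ethertype IPv4 (0x0800), length 120: 10.0.0.3 > 192.88.99.1: IP6 2002:a00:3::1 > 2001:db8::10: UDP, length 40
10:00:03.000000 00:11:22:33:44:01 > 33:33:ff:33:44:01, ethertype IPv6 (0x86dd), length 86: :: > ff02::1:ff33:4401: ICMP6, neighbor solicitation
10:00:04.000000 00:11:22:33:44:04 > 00:11:22:33:44:02, ethertype IPv6 (0x86dd), length 94: 2001:db8::4 > 2001:db8::2: Flags [P.]
"""

# Constructed asset inventory: source MAC -> (hostname, IPv6 expected from this host?)
INVENTORY = {
    "00:11:22:33:44:01": ("lab-macbook", False),
    "00:11:22:33:44:02": ("router", True),
    "00:11:22:33:44:03": ("openbsd-box", False),
    "00:11:22:33:44:04": ("dev-server", True),
}

# One Ethernet frame summary line as printed by tcpdump -e -nn
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype (?P<ethertype>IPv4|IPv6) \(0x[0-9a-f]{4}\), length \d+: (?P<payload>.*)$"
)


def classify(line):
    """Return (kind, src_mac, payload) if the frame carries IPv6 in any form, else None."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    payload = m["payload"]
    if m["ethertype"] == "IPv6":
        return ("native IPv6", m["src_mac"], payload)
    # IPv4 frame whose payload is an IPv6 packet: tcpdump prints the inner
    # header as "IP6 ..." after the outer v4 addresses (6in4 / 6to4).
    if " IP6 " in payload:
        return ("IPv6-in-IPv4 tunnel", m["src_mac"], payload)
    # Teredo tunnels IPv6 over UDP; 3544 is its default port.
    if re.search(r"\.3544[: ]", payload):
        return ("Teredo", m["src_mac"], payload)
    return None


def unexpected_ipv6(capture, inventory):
    """List (hostname, kind, payload) for IPv6 traffic from hosts that should not send any.

    Unknown MACs are treated as IPv6-disabled so they are flagged rather than ignored."""
    alerts = []
    for line in capture.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, mac, payload = hit
        host, v6_expected = inventory.get(mac, ("unknown " + mac, False))
        if not v6_expected:
            alerts.append((host, kind, payload))
    return alerts


if __name__ == "__main__":
    for host, kind, payload in unexpected_ipv6(SAMPLE_CAPTURE, INVENTORY):
        print(f"{host}: {kind}: {payload}")
```

Run against the constructed capture, this reports the 6in4 packet from `openbsd-box` and the neighbor solicitation from `lab-macbook`, and stays quiet about the router and the dev server, whose IPv6 is expected. On a real network the inventory would come from your asset database and the lines from `tcpdump -e -nn -l` on a span port.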

The Bad Guys are very good indeed.

5 comments:

Brad said...

I am an old IT hand, plus I've read a lot of opinions about this. My best take so far:

- If you read what this guy has published, the one point he may have is the possibility of infecting - not the BIOS of the motherboard - but the firmware of peripherals like USB controllers. That is moderately scary.

- Lots of his claims, however, do not hold water. First, most speakers/amplifiers will not produce much (if anything) ultrasonic. There's no reason for them to be able to do so, so they have not been designed for it. Maybe high frequencies in the 10kHz to 15kHz range would be reliable, but anyone under the age of 40 or so would hear that.

- Despite the three years he has been playing with this problem, there seems to be a remarkable lack of verification by people other than the author. Let's see one of the major IT sites do an independent investigation.

As far as I can see, this is Rossi and "cold fusion" all over again. After three years, there's just no reason to believe this is anything but this guy's attempt to grab some limelight.

Dave H said...

PC mics and speakers can probably handle frequencies above 20 kHz, although inefficiently. I could see two infected computers being able to talk to each other that way if they were right next to each other, but I'm highly skeptical that a clean machine could be infected that way.

Why do they make it sound like picking up an infection from a USB drive is hard to believe? An air gap is worthless if you're carrying storage devices across it.
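
Added illustration, not from the post, the comments or the article it quotes: a toy binary-FSK modem in Python that puts bytes onto two tones at 18 kHz and 19.5 kHz (the near-ultrasonic band Dave H is talking about, just below the 22.05 kHz Nyquist limit of 44.1 kHz audio) and recovers them with Goertzel tone detectors. It shows how little signal processing such a channel needs in software. It does not model speaker or microphone frequency response, which is exactly where Brad's objection lives, and it says nothing about what the article's malware actually did. Sample rate, tone frequencies, symbol rate and noise level are assumptions chosen for the demo.

```python
import math
import random

# Demo channel parameters (assumptions for this example, not from the article).
SAMPLE_RATE = 44100      # common sound-card rate; Nyquist limit is 22.05 kHz
FREQ_0 = 18000           # tone for a 0 bit (near-ultrasonic for most adults)
FREQ_1 = 19500           # tone for a 1 bit
SYMBOL_SAMPLES = 441     # 10 ms per bit at 44.1 kHz, i.e. 100 bit/s
# With a 441-sample window the DFT bins are 100 Hz apart, so both tones sit
# exactly on a bin and the Goertzel detectors below see full power, no leakage.


def encode(data: bytes) -> list:
    """Binary-FSK modulate bytes (MSB first) into a list of float PCM samples."""
    samples = []
    for byte in data:
        for bit_index in range(7, -1, -1):
            freq = FREQ_1 if (byte >> bit_index) & 1 else FREQ_0
            samples.extend(
                math.sin(2 * math.pi * freq * n / SAMPLE_RATE)
                for n in range(SYMBOL_SAMPLES)
            )
    return samples


def goertzel_power(samples: list, freq: float) -> float:
    """Power of a single frequency in a block of samples (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)      # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def decode(samples: list) -> bytes:
    """Demodulate by comparing the two tone powers per symbol window.

    A trailing partial byte (fewer than 8 recovered bits) is dropped."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        window = samples[start:start + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(window, FREQ_1) > goertzel_power(window, FREQ_0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def add_noise(samples: list, sigma: float, seed: int = 0) -> list:
    """Additive Gaussian noise with a fixed seed so runs are reproducible."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def roundtrip(message: bytes, noise_sigma: float = 0.0, seed: int = 0) -> bytes:
    """Modulate, corrupt with noise, demodulate; returns the recovered bytes."""
    return decode(add_noise(encode(message), noise_sigma, seed))


if __name__ == "__main__":
    msg = b"badBIOS?"
    print("clean :", roundtrip(msg))
    print("noisy :", roundtrip(msg, noise_sigma=0.5, seed=7))
```

The detector works because a full-amplitude tone that lands on a DFT bin carries a power of about (N/2)^2, while white noise of standard deviation sigma contributes only about N*sigma^2 per bin, so at N = 441 the margin is large even with noise heavier than the signal. Getting the same thing through a laptop's speaker and microphone is a separate question: the passband of that hardware, not the modem, decides whether 18 kHz and above survive the trip.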

kx59 said...

The only way to be completely secure is to go totally analog...
never mind. that doesn't even work. even snail mail can be steamed open and read.
You always post such "cheery" news.

Old NFO said...

Yep, and a 'probability' as to how some fairly 'secure' networks have been infected by people bringing in personal computers to their workspaces...

R.K. Brumbelow said...

Another problem is the profound lack of data. At no point, it seems, has anyone actually hooked up a microphone and recorded any of these 'transmissions'. I used to be able to whistle some modem handshakes but this is pretty outlandish.

Occam's may show me wrong at some point, but for now it requires a minimum of 2 machines with infected systems running sophisticated rootkits, separately infected in the same airspace using a fairly crowded, dirty, and narrow band of transmission. It is much more likely that a chip onboard has a backdoor and is deploying a morphing payload to other memory systems.