When you spend most of your time digging into cyber security, testing systems for weak points, chasing down identity theft, charting increasingly sophisticated attacks and understanding at a deep level just how vulnerable people are to online threats, it’s almost inevitable that a little paranoia creeps in.
However, whether Dragos Ruiu, a respected computer security researcher, has actually stumbled upon the mother of all malware, or is simply becoming just a tad paranoid is open to debate.
Ruiu claims he has discovered audio-based malware that affects the operation of computers via ultrasonic sound. This is a big claim. A very big claim. It implies that malware exists which can jump from one computer to another without requiring a connection of some sorts.
Sound system infections
It suggests viruses that can infect other computers via a pair of speakers or a microphone. It posits a future in which computer systems can be controlled simply by beaming ultrasonic sound waves at them.
But is it possible? Ruiu certainly thinks so. Just over a month ago he posted on his Google+ page that a high-pitched sound in his home was being caused by an ultrasonic sound between loud speakers and the microphones of nearby computers.
Over time he noted that his computers have been doing strange things even when unplugged and with Wi-Fi and Bluetooth switched off. He first became suspicious when installing a new version of Apple’s OS X onto a MacBook. Apparently, without any intervention on his part, the laptop updated its BIOS, which boots up the operating system and manages disc drives and memory.
Malware that lays dormant
His conclusion is that somehow malware has been installed in the chips on his computers and they have lain dormant until awakened by an audio signal. He recorded high-frequency audio signals between computers and has seen the computers mysteriously change their configuration even when they don't have network connections, Wi-Fi cards or Bluetooth cards. The computers were running off batteries so they couldn’t receive anything though the power lines.
The security community is divided on the topic. There is a general consensus that this type of malware is theoretically possible, it’s known as badBIOS. However, badBIOS code has never been discovered. There’s also the difficulty of creating audio malware that is reliable. Because the sound specifications in computers vary widely, it would be difficult to ensure the audio signals are received by all types of computer.
In short, creating badBIOS malware requires high levels of sophistication and technical expertise. And these levels are well beyond the means of most people.
Of course, we could speculate endlessly or we could dismiss it as the computing equivalent of hearing voices coming from the television. However, given the enormous strides in computer science, most experts lean towards the view that it’s certainly possible, but the jury is out on whether Ruiu’s discovery is genuine. For one thing though, he is absolutely convinced.
Posted by Steve Bell