It’s a little late, but humor me. I have one hell of a scary story.
Your computer is infected with a virus. But there’s no way to prove it’s infected. You just notice little things. It won’t boot off a CD anymore. Certain web sites won’t load on your computer. Yet those same web sites, those same CDs, work on other computers just fine.
But soon the rest of your computers start to experience these same symptoms. You isolate them. Pull them off the internet. Physically remove the wired and wireless network cards. Then you run some diagnostics and see, somehow, it’s still talking over some phantom network that it can’t possibly connect to. What else is there? The speakers? The microphone? And when you physically remove them … that network activity stops?!
You figure out how they’re getting infected. It’s the USB sticks you use to transfer files. Stop using the USB sticks. Flash the BIOS. Reformat the hard drives. Reinstall the OS. All OK, right? WRONG! It’s still there.
And here’s the kicker: one is a Linux box. The other is a Mac OS box. Another is a Windows box. Different operating systems. All infected. HOW?!
This horror tale is one told by a security expert. One who has the credentials and the reputation to believe he’s not making this up. This is the story of BadBIOS.
Is this all really possible? And why waste what would be the most sophisticated virus ever seen on a single individual and not sell it, or use it on extremely high-value targets like banks or governments?
The community is skeptic. So am I. But not because the story is impossible. It is absolutely possible. Many bits that sit inside your computer have their own mini-CPUs. They run out instructions local to their hardware, outside the operating system. Your USB sticks, every one, have such a mini-CPU. And of the dozens of different brands of USB sticks out there, there are only about 5 different manufacturers of the hardware controllers behind them. Find an exploit in all of them, or at least the most popular 2 or 3 of them and you’ve got it. From the USB stick to the USB controller in the computer to whatever other hardware there is on the system. Your Windows machine probably uses an Intel or AMD processor. Your Mac probably uses an Intel processor. Your Linux box probably uses an Intel or AMD processor. And the micro-controllers, those “mini-CPUs”, that come with those processors.
And computer speakers? Microphones? Those of decent quality can absolutely pickup and send out sounds at frequencies outside the range of human hearing. It’s actually quite a common hack. Modern Furbies interact with your iPhone using this very trick.
So if such a virus is feasible, why the skepticism?
Because we don’t have enough direct evidence, not yet. Just one man’s (credible) word. And soon we may very well have direct evidence. Dumps of computer hardware firmware, hardware debugging tools, things that up until now haven’t been brought to bare may soon be. But until then I have to be skeptic.
Concerned. But skeptic.