Recent revelations of the NSA’s advanced firmware hacking have sent the InterWebs aflutter. The NSA’s firmware hack is a software module capable of reflashing writeable firmware chips. It can also persist during system rebuilds and hide itself in such a way that makes regular antimalware detection very difficult.
A handful of readers wrote me to say that the NSA’s firmware hack is proof positive that Dragos Ruiu's BadBIOS tale is real.
For those of you who missed the BadBIOS hysteria back in 2013, a well-liked, trusted, and knowledgeable antimalware expert, Dragos Ruiu, wrote about a superadvanced and mysterious malware program that had infected his computers.
This malware program’s abilities were unbelievable. It could not only flash and live in firmware (like the NSA’s tool), but it worked on multiple platforms (OS X, Windows, BSD, and so on), could hide itself so that no one could analyze it, and could communicate with other infected computers using ultrahigh speaker frequencies.
Ruiu’s claims sounded like magic. If he hadn't been regarded as a reputable security expert, I would have blown off his accusations as yet another paranoid schizophrenic rant. Nearly everything Ruiu claimed was possible. But experts who examined those claims ended up contending they were either highly unlikely or relied on a dubious assumption (for example: PC speakers are capable of transmitting and receiving at frequencies they weren't designed to produce).
To believe in the existence of BadBIOS, you had to believe all of these incredibly unlikely technological feats were possible and had been rolled into one malware program. Lots of people bought it. Many said they had experienced the same symptoms (or others that were as advanced or stealthy). There were big debates and flame wars, with each side calling the other naïve.
I started -- and ended up -- being skeptical that BadBIOS existed and essentially accused Ruiu and his supporters of seeing the picture they wanted to see. That's a common fault among accomplished scientists and researchers, much less laypeople. That’s why independent, skeptical confirmation is so critical in real research. BadBIOS and all the other related claims had none.
Then the NSA firmware hacking revelations started to become public in early 2014, revealing malware signs and symptoms that were eerily similar to BadBIOS. Again, I remained a BadBIOS skeptic.
I still am. The biggest flaw in Ruiu’s claims is that not only did he lack hard evidence of his malware program, but no one involved in the forensic investigation found evidence either. Examination by experts in the field found nothing unusual. What Ruiu had claimed showed signs of maliciousness were found to be normal and expected data. Reaching the point of absolute incredulity, Ruiu claimed the malware was erasing itself whenever he tried to make copies of it for forensic investigation.
The NSA's recently revealed firmware hack is another matter. Although the revelations may be startling to some, there are two big reasons why it is demonstrably real, unlike BadBIOS.
First and most important: It’s detectable. No one could detect BadBIOS code, whereas the leading antivirus firms are easily detecting the NSA’s firmware hack. It may be advanced, but it doesn’t have magical abilities to hide from prying eyes. We can detect it. We can examine it. We can remove it.
Equally as important, everything the NSA firmware hack does is possible without making incredible assumptions. It uses existing specifications and APIs to pull off feats that, although unusual, are easily understood without stretching the imagination. No experts in the field argue that what it does can’t be done.
I still like Ruiu, and I believe he genuinely thought he had discovered advanced, undetectable malware on his system. But he didn't. We all make mistakes -- and one mistake in the cyber security world shouldn’t define the career of a single individual. We’re in this fight together, and sometimes we end up chasing false leads. It’s to be expected. We learn from our mistakes and it makes us better.
I'd feel better, though, if readers didn’t use every new firmware hack as an excuse to declare that BadBIOS was real, without first examining the reasons why BadBIOS wasn’t to be believed.