Credit: Reuters/Jason Reed
Recent revelations about NSA hardware and firmware backdoors gives all the evidence that those who believe BadBIOS Trojans exist need to see. The spying technology has arrived. The only question is if the BadBIOS incident truly happened.
To summarize, BadBIOS is the name for a purported superadvanced Trojan that has been battling against disclosure by respected security researcher Dragos Ruiu. Ruiu has reported that the cross-platform Trojan can survive reformattings, communicate using sound waves, and remove itself on the fly during forensics investigations. All those claims are technologically possible but, in my opinion, are unlikely to be come together in one Trojan and are unlikely to be used against Ruiu. Though some people concluded Ruiu was just seeking publicity, I felt Ruiu was misdiagnosing innocuous symptoms as evidence of maliciousness.
[ RIP, information security, done in by backdoors and secret deals | InfoWorld's expert contributors show you how to protect your Web browsers in the "Web Browser Security Deep Dive" PDF guide. Download it today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
A two-week-old LeakSource report makes the case for BadBIOS more plausible. It appears the NSA has many software and firmware/hardware-based modules that can be placed either on devices after those devices are made or can be actually embedded onto the motherboard/circuitboard as a chip or other component. These devices can enable continued, hard-to-discover, unauthorized remote access for NSA monitors. And the behaviors described in the article seem to parallel many of those attributed to BadBIOS.
Here are some examples: The NSA's Ironchef product "provides access persistence" using "a hardware implant that provides two-way RF communication" "by exploiting the motherboard BIOS." Gourmettrough "is a user configurable persistence implant" for Juniper firewalls. "It persists [another NSA product] across reboots and OS upgrades." Halluxwater is a "persistence Back Door implant" installed as a boot ROM upgrade on Huawei firewalls. Jetplow is the same thing for Cisco PIX and ASA devices. Loudauto is a small device that picks up room audio, which can then be collected using radar. Nightstand is a "802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space." Ginsu is a PCI card that ensures the reinstall of other implants after physical removal of the other implant. Somberknave "is a software implant that surreptitiously routes TCP traffic from a designated process to a secondary network."
Each "implant" is so devious that it was hard for me to decide what to include or not include as an example in the paragraph above. Many of these devices are intended to be used in combination with each other. Most have apparently been available for many years.
You can't go through the full list without wondering if Ruiu was completely right all along. Have I and other skeptics been too disbelieving? Given just the few dozen devices revealed in the article, you would have to conclude that everything Ruiu has been claiming is possible. Maybe I was wrong!