badBIOS high-frequency malware communication test

There is a lot of talk going on about a new, very advanced malware called “badBIOS”, discovered by the well known security consultant Dragos Ruiu. The perhaps most interesting feature of this piece of malware is that two near by infected systems can still communicate with each even when they are not connected to a network, using high-frequency audio signals that are inaudible for humans (but your dog may be able hear something!).

So, the basic idea is that infected system will send and receive audio signals beyond 16kHz that are inaudible for humans. Sounds scary, but Fascinating. So can this really work? I gave it a try, using only everyday hardware that i had at home.

Using Audacity, i created a sinus signal starting at 4kHz, slowling climbing up to 20kHz. If you want to give it a shot yourself, you can download the .wav file here (5mb). I did not use any compression because it might mess up the higher frequencies

I played this file on my desktop computer that has some rather cheap pair of $40 Logitech speakers connected. In roughly 4 meters distance, i positioned a Sony notebook (4year old model), recording the audio via the integrated mic located at the top of the screen using Audacity.

I then analyzed this recording using Reaper and the gfxspectrograph plugin. Here is the spectrogram for the recording:

20kHz-recording

Recording the singal with an average laptop mic

As you can see, we are receiving a good signal up to about 15kHz, but the singal starts to fade after passing 17kHz and beyond 19kHz there is hardly anything.

This first recording was done in a quiet room with nobody talking, nobody on the phone, no television, radio or music in the background. In a real-world scenario, there wouldmost likely be some noise. So i played the signal along with a mp3 from my music collection and made another recording using the same setup as mentioned above:

Recording with extra noise added

Recording with extra noise added

Even with a song playing in the background over the same speaker, you are still able to locate the high-frequency signal.

Keep in mind this is a very cheap notebook with a low-end crappy mic and rather average speakers. Some higher end notebooks, for example the Macbook Pro series, most likely have higher quality mics and speakers where one might be able to improve the signal.

The average adult hardly hears anything that is beyond 15-16kHz. So in theory audio singals transmitted between ~16k-19kHz could be used by infected sytem to exchange some bits and bytes. This has already been done 30 years ago in dial-up acoustic coupler modems.

However, this is all theory. I have no idea how reliable this type of “connection” would be and what kind of bandwith you can actually expect out of this.

Leave a Reply