[Nottingham] badBIOS - hoax? Mistake? Or time to panic and flap about?

Martin martin at ml1.co.uk
Mon Nov 4 13:51:07 UTC 2013

For this "Halloween" story, I think this debunks most of the BIOS angle
and the poltergeist-like leaps:

The badBIOS Analysis Is Wrong

The fact is that everything I have read about #badBIOS is completely and
utterly wrong; from the supposed “escaping air gap” to well...
everything. And I should know. I’ve dealt with malicious BIOS and
firmware loads in the past...

That leaves USB insecurity, UEFI exploit funkiness, and a whole load of
paranoia and conspiracy and a fun Halloween fairytale...

And an awful lot of "viral" publicity ;-)

All good fun and a good reminder of a few exploits.

Enjoy the fireworks! :-)


On 31/10/13 18:43, Martin wrote:
> On 31/10/13 18:11, Jason Irwin wrote:
>> I am nowhere near qualified to ascertain the veracity of this, but it's
>> a good read in cloak-n-dagger kind of way.
>> http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
>> It almost seems too perfect and too complex to be true. Surely anything
>> with that level of sophistication is going to be, well, large. Isn't it?
> Indeed so... As was the case with Stuxnet and the other cloak'n'dagger
> targeted sabotage malware agents.
> I don't believe the journalistic Halloween story funkiness...
> However...
> On PC hardware, ALL USB devices are considered *completely trusted*
> hardware. There is no security whatsoever. Crazy!
> Hence, you can plug in a USB device and part of the startup protocol can
> have *code downloaded* and executed to do anything... That can be either
> instigated by the BIOS code, or by the OS code.
> So... Add a programmable device to your innocent looking mouse and
> take over the host machine. "Simple".
> For example, there is 'boot' code included in some USB memory sticks
> that automatically runs code downloaded from the memory stick to do
> 'clever' things such as encryption or to fake additional partitions...
> And whatever else...
> Note:
> http://www.usb.org/developers/defined_class
> USB defines class code information that is used to identify a device’s
> functionality and to nominally load a device driver based on that
> functionality...
> And quite a few BIOSes now even include automatic, no-user-intervention
> reflashing of the firmware upon detecting a USB memory stick with a
> certain filename on there...
> And you thought you were just plugging in an innocent USB mouse...?
> Hence, for my areas and for years now, the use of memory sticks is
> completely banned. They should not be needed and they are too much of a
> security risk. Even just for an office, given the disruption
> potential.
> Quite a sloppy mess...
> Cheers,
> Martin

- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
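As an added defender-side illustration of the class-code point quoted in the thread (this is not code from the list or its posters): a small Python inventory check that reads each device's advertised USB interface classes and flags the combinations the posts warn about, such as a "mouse" that also exposes storage, or any mass-storage interface where site policy bans memory sticks. The device names, VIDs and PIDs are constructed sample data.

```python
"""Flag USB devices whose advertised interface classes do not match what
the user thinks they plugged in (e.g. a "mouse" that also exposes storage)."""
from dataclasses import dataclass

# USB-IF base class codes (subset), see http://www.usb.org/developers/defined_class
CLASS_NAMES = {0x02: "CDC (network/serial)", 0x03: "HID", 0x08: "Mass Storage",
               0x09: "Hub", 0x0E: "Video", 0xE0: "Wireless", 0xFF: "Vendor-specific"}

# Classes that can inject input, and classes that can move data or code.
# One physical device combining both deserves a second look.
INPUT_CLASSES = {0x03}
DATA_CLASSES = {0x02, 0x08, 0xE0, 0xFF}

@dataclass
class UsbDevice:
    vid: int
    pid: int
    product: str
    interface_classes: list  # bInterfaceClass of each interface, as enumerated

def assess(dev, allow_storage=False):
    """Return a list of policy findings; an empty list means nothing to review."""
    classes = set(dev.interface_classes)
    findings = []
    if 0x08 in classes and not allow_storage:
        findings.append("mass storage interface present (banned by site policy)")
    if classes & INPUT_CLASSES and classes & DATA_CLASSES:
        extra = ", ".join(CLASS_NAMES.get(c, hex(c)) for c in sorted(classes & DATA_CLASSES))
        findings.append(f"input device also exposes: {extra}")
    if "mouse" in dev.product.lower() and len(dev.interface_classes) > 1:
        findings.append(f"mouse with {len(dev.interface_classes)} interfaces")
    return findings

# Constructed sample inventory (VIDs, PIDs and product strings are made up).
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x0001, "Optical Mouse", [0x03]),
    UsbDevice(0x1234, 0x0002, "Optical Mouse", [0x03, 0x08]),  # mouse plus a disk
    UsbDevice(0x1234, 0x0003, "Flash Drive", [0x08]),
    UsbDevice(0x1234, 0x0004, "USB Keyboard", [0x03, 0x03]),   # keyboard + media keys, normal
]

def audit(devices, allow_storage=False):
    """Map 'vid:pid' to its findings for every device in the inventory."""
    return {f"{d.vid:04x}:{d.pid:04x}": assess(d, allow_storage) for d in devices}

if __name__ == "__main__":
    for dev_id, findings in audit(SAMPLE_DEVICES).items():
        print("REVIEW" if findings else "OK    ", dev_id, "; ".join(findings) or "-")
```

On a real host the interface classes would come from the enumerated descriptors (e.g. `lsusb -v` or sysfs on Linux) rather than the constructed list, and the `allow_storage` switch expresses the per-site policy.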
