Ars technica meet bad bios chip

Friday Shortbread - The Tech Report


Thanks to forum readers on Ars Technica for figuring this one out. Lenovo published an updated BIOS that removed this capability late last month, but that

Too bad! In February, Lenovo promised that by the time Windows 10 arrived, it would

Clearly the company has a long way to go to meet that goal.

The BIOS is reading the drive itself, and they're reprogramming the flash. Ruiu may be on to something, but it is probably not quite as bad as it seems. Do you know what chips or hardware BIOS it runs?

Original Story: http://

Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw.

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps | Ars Technica

A compilation of Ruiu's observations is here. Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers.

But he's no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that have afflicted Ruiu's computers and networks. In contrast to the skepticism that's common in the security and hacking cultures, Ruiu's peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS. Jeff Moss, the founder of the Defcon and Black Hat security conferences who began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security, retweeted the statement and added:

Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network.

His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in the expansion ROM of a device on a computer's peripheral component interconnect (PCI) bus, the Intel-developed connection that attaches hardware devices to a CPU.


It's also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT. Of course, it's one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra-high-frequency networking techniques.

But as Triulzi suggested, it's another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What's more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran's nuclear program.


And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet. To communicate over ultrahigh frequency sound waves between computers is really, really easy.
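The acoustic link described here and in the ultrasonic-networking paragraph above is easy to reproduce. What follows is an added example, not code from the Ars Technica article or from Ruiu's or Triulzi's work: a binary-FSK modem in pure Python that encodes bytes as 10 ms tone bursts at 17 and 18 kHz, just above the range most adults can hear, and recovers them with a Goertzel detector. The sample rate, tone frequencies, symbol length, the absence of a preamble and the noise level in the demo are all my assumptions, not values reported for badBIOS.

```python
"""Binary FSK over near-ultrasonic audio: bytes -> PCM samples -> bytes (pure Python, no numpy)."""
import math
import random
import struct
import wave

SAMPLE_RATE = 48_000   # Hz; supported by any ordinary sound card (assumption for this demo)
SYMBOL_LEN = 480       # samples per bit = 10 ms; both tones complete a whole number of cycles in it
FREQ_ONE = 18_000      # Hz carrying a 1 bit: inaudible to most adults, below the 24 kHz Nyquist limit
FREQ_ZERO = 17_000     # Hz carrying a 0 bit


def modulate(payload: bytes) -> list:
    """Return float samples in [-1, 1]: one tone burst per bit, most significant bit first."""
    samples = []
    for byte in payload:
        for i in range(7, -1, -1):
            freq = FREQ_ONE if (byte >> i) & 1 else FREQ_ZERO
            samples.extend(math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n in range(SYMBOL_LEN))
    return samples


def goertzel_power(block: list, freq: int) -> float:
    """Energy of `block` at `freq` via the Goertzel algorithm (a single DFT bin, O(N))."""
    k = round(len(block) * freq / SAMPLE_RATE)   # bin index; exact for the tone/length choice above
    coeff = 2 * math.cos(2 * math.pi * k / len(block))
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples: list) -> bytes:
    """Decide each symbol by comparing energy at the two tones; input must be symbol-aligned."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_LEN + 1, SYMBOL_LEN):
        block = samples[start:start + SYMBOL_LEN]
        bits.append(1 if goertzel_power(block, FREQ_ONE) > goertzel_power(block, FREQ_ZERO) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def add_noise(samples: list, amplitude: float, seed: int = 1) -> list:
    """Mix in uniform noise to stand in for a room; seeded so the demo is repeatable."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in samples]


def write_wav(path: str, samples: list) -> None:
    """Save 16-bit mono PCM so the signal can be played through a real speaker."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(b"".join(struct.pack("<h", int(max(-1.0, min(1.0, x)) * 32767)) for x in samples))


if __name__ == "__main__":
    message = b"airgap"                      # constructed test payload
    clean = modulate(message)
    noisy = add_noise(clean, amplitude=1.0)  # noise peak equal to the tone amplitude
    print("clean :", demodulate(clean))
    print("noisy :", demodulate(noisy))
    write_wav("fsk_demo.wav", clean)
```

A real link needs a preamble for symbol synchronisation and some error correction; both are left out so the modulation itself stays visible. Each tone sits exactly on a Goertzel bin for the chosen symbol length, which is why the detector survives noise with the same peak amplitude as the signal: the tone's energy concentrates in one bin while the noise spreads across all of them. The WAV file can be played from one laptop's speaker and recorded on another's microphone to try the path the article describes.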

Eureka

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.


He soon theorized that infected computers have the ability to contaminate USB devices and vice versa. He still doesn't know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into.


At next month's PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism. "It's going out over the network to get something or it's going out to the USB key that it was infected from," he theorized. "It's trying to keep its claws, as it were, on the machine. It doesn't want you to boot another OS it might not have code for."

The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed.

Lenovo laptops can reinstall bundled crapware, even if you load a retail copy of Windows

Lenovo's now under fire this week for reinstalling the company's bloatware on Lenovo laptops, even if customers have completed a fresh install of Windows. First noticed by an Ars Technica forum regular and confirmed by readers at Hacker News as well as users over at Reddit, Lenovo appears to be hiding its crapware install in the laptop BIOS, so it gets installed even after fresh Windows installs:

I couldn't understand how a Lenovo service was installed and running!

Delete the file and it reappears on reboot. I've never seen anything like this before. Something to think about before buying Lenovo.


I searched and found almost nothing about this, so it may be something they started doing in the last few months.

Apparently, Lenovo's using a Windows function called the Microsoft Windows Platform Binary Table (WPBT), an ACPI table through which the firmware hands Windows an executable that the boot process runs before the user ever logs in. It was originally designed to help simplify the installation of proprietary drivers and anti-theft software (obviously, since any smart thief would do a clean install relatively quickly after theft).

Except in this case, Lenovo's using it as a method to force the laptop to phone home to Lenovo servers so adware can be installed. Lenovo's version then ensures that LenovoUpdate.
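Because the WPBT is an ordinary ACPI table, its presence and contents can be checked from outside Windows before anything in it has run. The parser below is an added example, not code from The Tech Report, Ars Technica or Lenovo: it decodes the 36-byte ACPI header and the WPBT body (physical address and size of the embedded PE image, content layout and type, and the optional command line) and verifies the ACPI checksum. It reads the live table from /sys/firmware/acpi/tables/WPBT on Linux or through GetSystemFirmwareTable on Windows, and otherwise decodes a constructed sample table; the OEM strings, address, size and command line in that sample are made up for the demo and are not values from any Lenovo firmware.

```python
"""Locate and decode a Windows Platform Binary Table (WPBT) from raw ACPI bytes."""
import os
import struct
import sys

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36-byte System Description Table header
WPBT_BODY = struct.Struct("<IQBBH")            # handoff size, handoff address, layout, type, cmdline bytes
CHECKSUM_OFFSET = 9                            # checksum byte position inside the ACPI header

CONTENT_LAYOUT = {1: "single PE image in physical memory"}
CONTENT_TYPE = {1: "native user-mode application (run by smss.exe during boot)"}


def parse_wpbt(data: bytes) -> dict:
    """Decode header and body; raise ValueError if the bytes are not a well-formed WPBT."""
    if len(data) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("too short to be a WPBT")
    sig, length, rev, _chk, oem_id, oem_tid, _oem_rev, _creator, _crev = ACPI_HEADER.unpack_from(data)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if length > len(data) or length < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("header length %d inconsistent with %d bytes supplied" % (length, len(data)))
    table = data[:length]
    checksum_ok = sum(table) % 256 == 0  # ACPI rule: every byte of the table sums to zero mod 256
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmd_start = ACPI_HEADER.size + WPBT_BODY.size
    if cmd_start + cmd_len > length:
        raise ValueError("command line runs past the end of the table")
    cmd = table[cmd_start:cmd_start + cmd_len].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\x00 ").decode("ascii", "replace"),
        "revision": rev,
        "checksum_ok": checksum_ok,
        "handoff_address": addr,
        "handoff_size": size,
        "content_layout": CONTENT_LAYOUT.get(layout, "unknown (%d)" % layout),
        "content_type": CONTENT_TYPE.get(ctype, "unknown (%d)" % ctype),
        "command_line": cmd,
    }


def build_wpbt(oem_id: bytes, oem_table_id: bytes, addr: int, size: int, cmdline: str = "") -> bytes:
    """Assemble a syntactically valid WPBT with a correct checksum (used for the offline sample)."""
    cmd = (cmdline + "\x00").encode("utf-16-le") if cmdline else b""
    body = WPBT_BODY.pack(size, addr, 1, 1, len(cmd)) + cmd
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id.ljust(6), oem_table_id.ljust(8), 1, b"DEMO", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) % 256
    return bytes(table)


def read_system_wpbt():
    """Return the firmware's WPBT bytes if one is exposed, else None."""
    if sys.platform.startswith("linux"):
        path = "/sys/firmware/acpi/tables/WPBT"
        if os.path.exists(path):
            with open(path, "rb") as f:
                return f.read()
        return None
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        provider = int.from_bytes(b"ACPI", "big")      # 'ACPI' provider signature (0x41435049)
        table_id = int.from_bytes(b"WPBT", "little")   # ACPI table IDs are passed little-endian
        needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
        if needed == 0:
            return None
        buf = ctypes.create_string_buffer(needed)
        k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
        return buf.raw
    return None


if __name__ == "__main__":
    raw = read_system_wpbt()
    if raw is None:
        print("no WPBT exposed by this firmware; decoding a constructed sample instead")
        # Constructed sample: OEM strings, address, size and command line are made up for the demo.
        raw = build_wpbt(b"EXAMPL", b"SAMPLE", 0x8F2B0000, 0x1A000, "/silent")
    for key, val in parse_wpbt(raw).items():
        print("%-17s %s" % (key, hex(val) if key.startswith("handoff") else val))
```

A table that decodes cleanly tells you a binary will be dropped into the Windows installation at every boot, regardless of what is on the disk; the handoff address and size let you pull the PE image out of physical memory (via /dev/mem on Linux or a memory-acquisition tool) for hashing and analysis. A failed checksum or an out-of-range command line is worth flagging on its own, since Windows will not trust the table either.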