The BIOS (Basic Input / Output System) is the firmware that runs while a computer boots up. A BIOS attack infects the BIOS with malicious code and is persistent through reboots and attempts to reflash the firmware.
There is no consensus in the security community on whether BadBIOS actually exists. Security expert Dragos Ruiu reported BadBIOS in 2010. According to Ruiu, the malware can make changes to the installed operating system and is reactive, deleting data and configuration changes made in an effort to combat it. Ruiu found that BadBIOS could infect via external storage, affecting flash drive firmware as well. Even connecting the drive without mounting still transmitted the infection. The researcher also reported that the infection can create covert IPv6 networks and acoustic mesh networks and is able to breach and exploit air gapped systems.
Ruiu’s suspicions were aroused when a Macbook Air with a newly reinstalled OS X spontaneously flashed its firmware. Subsequently, the
system would not boot from CD. Ruiu subsequently observed that his configuration changes and user
data were deleted.
The researcher noted that this was not the only affected machine and that the infection was not limited to OS X. An air gapped BSD machine that had its drives replaced and its BIOS re-flashed was also compromised, and displayed the same kind of reactive changes seen on the OS X machine. Ruiu saw IPv6 packets leaving his network, despite the fact that he had disabled IPv6 altogether. Affected Linux and Windows machines were also discovered.
Ruiu observed that the air gapped machine could covertly send data to other computers using an ultrasonic signal from the speakers, which was picked up by other infected listening computers -- a concept known as acoustical infection that has been demonstrated in a proof of concept exploit.
Among security experts who believe BadBIOS exists, there is speculation that the Trojan is among the National Security Agency’s (NSA) hacking tools, which have been demonstrated to include hardware and firmware backdoors.