Browse Definitions:
Definition

BadBIOS

Contributor(s): Matthew Haughn

BadBIOS is a BIOS-level Trojan that can affect Windows, Macintosh, Linux and BSD systems.

The BIOS (Basic Input / Output System) is the firmware that runs while a computer boots up. A BIOS attack infects the BIOS with malicious code and is persistent through reboots and attempts to reflash the firmware.

There is no consensus in the security community on whether BadBIOS actually exists. Security expert Dragos Ruiu reported BadBIOS in 2010. According to Ruiu, the malware can make changes to the installed operating system and is reactive, deleting data and configuration changes made in an effort to combat it. Ruiu found that BadBIOS could infect via external storage, affecting flash drive firmware as well. Even connecting the drive without mounting still transmitted the infection. The researcher also reported that the infection can create covert IPv6 networks and acoustic mesh networks and is able to breach and exploit air gapped systems.

Ruiu’s suspicions were aroused when a Macbook Air with a newly reinstalled OS X spontaneously flashed its firmware.  Subsequently, the system would not boot from CD. Ruiu subsequently observed that his configuration changes and user data were deleted.

The researcher noted that this was not the only affected machine and that the infection was not limited to OS X.  An air gapped BSD machine that had its drives replaced and its BIOS re-flashed was also compromised, and displayed the same kind of reactive changes seen on the OS X machine. Ruiu saw IPv6 packets leaving his network, despite the fact that he had disabled IPv6 altogether. Affected Linux and Windows machines were also discovered. 

Ruiu observed that the air gapped machine could covertly send data to other computers using an ultrasonic signal from the speakers, which was picked up by other infected listening computers -- a concept known as acoustical infection that has been demonstrated in a proof of concept exploit.

Among security experts who believe BadBIOS exists, there is speculation that the Trojan is among the National Security Agency’s (NSA) hacking tools, which have been demonstrated to include hardware and firmware backdoors.

While there remain many skeptics on the existence of BadBIOS, just about every concept described by Ruiu has been proven as a concept or used in the real world. The combination of the concept's use in a covertly installed package is what is doubted. No code for the exploit has been located. While Dragos extracted the UEFI code nothing was found. He suggested that BadBIOS may have the ability to erase itself. Many others assumed that the infection was elsewhere, perhaps on controller chips, or that it didn't exist. As of yet there is no definitive proof  that the malware exists. However, further NSA firmware hacking leaks have since demonstrated that more claims associated with it are possible.

This was last updated in January 2017

Continue Reading About BadBIOS

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What do you think of the NSA's data-gathering and surveillance activities?
Cancel

-ADS BY GOOGLE

Dateiendungen und Dateiformate

Gesponsert von:

SearchCompliance

  • internal audit (IA)

    An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine ...

  • pure risk (absolute risk)

    Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if ...

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

SearchSecurity

  • phishing

    Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication ...

  • vulnerability disclosure

    Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that ...

  • incident response

    Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also ...

SearchHealthIT

SearchDisasterRecovery

  • business continuity and disaster recovery (BCDR)

    Business continuity and disaster recovery (BCDR) are closely related practices that describe an organization's preparation for ...

  • business continuity plan (BCP)

    A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue ...

  • call tree

    A call tree -- sometimes referred to as a phone tree -- is a telecommunications chain for notifying specific individuals of an ...

SearchStorage

  • flash memory

    Flash memory, also known as flash storage, is a type of nonvolatile memory that erases data in units called blocks.

  • NAND flash memory

    NAND flash memory is a type of nonvolatile storage technology that does not require power to retain data.

  • NOR flash memory

    NOR flash memory is one of two types of nonvolatile storage technologies.

SearchSolidStateStorage

  • hybrid hard disk drive (HDD)

    A hybrid hard disk drive is an electromechanical spinning hard disk that contains some amount of NAND Flash memory.

Close