Browse Definitions:
Definition

BadBIOS

Contributor(s): Matthew Haughn

BadBIOS is a BIOS-level Trojan that can affect Windows, Macintosh, Linux and BSD systems.

The BIOS (Basic Input / Output System) is the firmware that runs while a computer boots up. A BIOS attack infects the BIOS with malicious code and is persistent through reboots and attempts to reflash the firmware.

There is no consensus in the security community on whether BadBIOS actually exists. Security expert Dragos Ruiu reported BadBIOS in 2010. According to Ruiu, the malware can make changes to the installed operating system and is reactive, deleting data and configuration changes made in an effort to combat it. Ruiu found that BadBIOS could infect via external storage, affecting flash drive firmware as well. Even connecting the drive without mounting still transmitted the infection. The researcher also reported that the infection can create covert IPv6 networks and acoustic mesh networks and is able to breach and exploit air gapped systems.

Ruiu’s suspicions were aroused when a Macbook Air with a newly reinstalled OS X spontaneously flashed its firmware.  Subsequently, the system would not boot from CD. Ruiu subsequently observed that his configuration changes and user data were deleted.

The researcher noted that this was not the only affected machine and that the infection was not limited to OS X.  An air gapped BSD machine that had its drives replaced and its BIOS re-flashed was also compromised, and displayed the same kind of reactive changes seen on the OS X machine. Ruiu saw IPv6 packets leaving his network, despite the fact that he had disabled IPv6 altogether. Affected Linux and Windows machines were also discovered. 

Ruiu observed that the air gapped machine could covertly send data to other computers using an ultrasonic signal from the speakers, which was picked up by other infected listening computers -- a concept known as acoustical infection that has been demonstrated in a proof of concept exploit.

Among security experts who believe BadBIOS exists, there is speculation that the Trojan is among the National Security Agency’s (NSA) hacking tools, which have been demonstrated to include hardware and firmware backdoors.

While there remain many skeptics on the existence of BadBIOS, just about every concept described by Ruiu has been proven as a concept or used in the real world. The combination of the concept's use in a covertly installed package is what is doubted. No code for the exploit has been located. While Dragos extracted the UEFI code nothing was found. He suggested that BadBIOS may have the ability to erase itself. Many others assumed that the infection was elsewhere, perhaps on controller chips, or that it didn't exist. As of yet there is no definitive proof  that the malware exists. However, further NSA firmware hacking leaks have since demonstrated that more claims associated with it are possible.

This was last updated in January 2017

Continue Reading About BadBIOS

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What do you think of the NSA's data-gathering and surveillance activities?
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

SearchCompliance

  • PCAOB (Public Company Accounting Oversight Board)

    The Public Company Accounting Oversight Board (PCAOB) is a Congressionally-established nonprofit that assesses audits of public ...

  • cyborg anthropologist

    A cyborg anthropologist is an individual who studies the interaction between humans and technology, observing how technology can ...

  • RegTech

    RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of ...

SearchSecurity

  • email spam

    Email spam, or junk email, is unsolicited bulk messages sent through email with commercial, fraudulent or malicious intent.

  • distributed denial of service (DDoS) attack

    A distributed denial-of-service attack occurs when an attack originates from multiple computers or devices, usually from multiple...

  • application whitelisting

    Application whitelisting is the practice of identifying applications that have been deemed safe for execution and restricting all...

SearchHealthIT

  • athenahealth Inc.

    Based in Watertown, Mass., athenahealth Inc. is a leading vendor of cloud-based EHRs for small to medium-sized physician ...

  • Affordable Care Act (ACA or Obamacare)

    The Affordable Care Act (ACA) is legislation passed in 2010 that changed how uninsured Americans enroll in and receive healthcare...

  • HIPAA Privacy Rule

    The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes ...

SearchDisasterRecovery

  • disaster recovery as a service (DRaaS)

    One approach to a strong disaster recovery plan is DRaaS, where companies offload data replication and restoration ...

  • data recovery

    Data recovery restores data that has been lost, accidentally deleted, corrupted or made inaccessible. Learn how data recovery ...

  • disaster recovery plan (DRP)

    A company's disaster recovery policy is enhanced with a documented DR plan that formulates strategies, and outlines preparation ...

SearchStorage

  • yottabyte (YB)

    A yottabyte is a measure of theoretical storage capacity and is 2 to the 80th power bytes, or, in decimal, approximately 1,000 ...

  • Kilo, mega, giga, tera, peta, exa, zetta and all that

    Kilo, mega, giga, tera, peta, exa, zetta are among the list of prefixes used to denote the quantity of something, such as a byte ...

  • brontobyte

    A brontobyte is a measure of memory or data storage that is equal to 10 to the 27th power of bytes.

SearchSolidStateStorage

  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

  • SSD caching

    SSD caching, also known as flash caching, is the temporary storage of data on NAND flash memory chips in a solid-state drive so ...

  • NVDIMM (Non-Volatile Dual In-line Memory Module)

    An NVDIMM (non-volatile dual in-line memory module) is hybrid computer memory that retains data during a service outage.

SearchCloudStorage

  • RESTful API

    A RESTful application program interface breaks down a transaction to create a series of small modules, each of which addresses an...

  • cloud storage infrastructure

    Cloud storage infrastructure is the hardware and software framework that supports the computing requirements of a private or ...

  • Zadara VPSA and ZIOS

    Zadara Storage provides block, file or object storage with varying levels of compute and capacity through its ZIOS and VPSA ...

Close