Air-Gap-Breaching BIOS Rootkits with SDRs Inside (and smartphones, Snowden, NSA, Wikileaks)

A little while back I covered a paper on FPGAs that could turn themselves into SDRs. I suspected this would be one way to breach an air gap.

It seems I was right on the money. If a little behind the times.

Researchers have found an incredibly persistent BIOS rootkit in the wild that includes SDR functionality… literally turning your computer into a radio transmitter to exfiltrate data even if you’re not connected to the Internet.

(When the computer is connected to the Internet, the rootkit receives commands via NetBIOS DNS lookups and IPv6 DNS lookups, even if IPv6 is disabled.)

The researchers were using a new tool, Copernicus, which sadly seems to be Windows-only. Nevertheless a number of you might be interested in checking it out.

There is one enduring mystery of this rootkit… how does it survive BIOS reflashes?

Nobody has yet figured out where it’s hiding. Though the rootkit seems to cause the computer to prefer booting from the internal drive no matter what (funny, one of my laptops does this, I wonder… nahh…*) they’ve since ruled out a hard drive firmware backdoor like I covered some time ago.

* On a completely unrelated note, anyone want to buy a beat-up old laptop? Just add hard drive and it’s ready to go!

Smartphone users don’t spot guy waving gun. I’m not a big fan of violence so I wouldn’t recommend trying to replicate this, but given that this is San Francisco — someone ought to try making a porno. (Thanks for the tip, you know who you are)

Best worst Snowden headline: “Traitors’ convention.” I totally dare someone to actually do this. “That’s a good conference – I still use the swag backpack I got from TraitCon ’09.”

The NSA capabilities in yesterday’s link could be replicated for $30k on Russian blackhat forums, quoth The Grugq… a long time ago I noted that hackers, SIGINT types, and underground crooks were less different than you’d expect — they all want your data* — and this illustrates it nicely.

* Since the analogy only includes spies and crooks, to represent the hacker side of the trilogy I’ll use Sarah Harrison’s** request for the complete “Wikileaks Forum” membership list:

(But then again Harrison may not be representative — I get a bit of an off vibe from her picture, something about the eyes.)

Oddly enough, to continue the tangent, this happened on the same day*** that someone (Assange? Harrison?) started responding via back-channels to a really bizarre conspiracy theory about Wikileaks, which makes me wonder if there wasn’t something about this theory someone wanted to hide… indeed, my own investigations have shown the craziest rumors sometimes have an element of truth:


The CIA spotted Snowden’s mental shift towards leaking and pushed him out… just a heads-up, human intelligence people are professionally good at people-reading, and when you can read expressions and “vibe” well enough you might as well be reading minds. This is why they invented split-personality spies:

Got a UK IP address (or proxy)? Watch Wikileaks’ own documentary of their “Operation CABLERUN” — available free to UK IP addresses this weekend only, starting an hour or so ago:
IMHO Copernicus is the most important security tool in recent history. Already found persistent BIOS malware (survives reflashing) here.
…and that’s not even interesting part. Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed.
Copernicus BIOS verification. Also if tool is mysteriously failing or weird output full of FFs you may have problem.
This particular BIOS persistent malware sample seems use TLS encrypted DHCP HostOptions as a command and control.
this sample was on a Dell Alienware, but we have verified infected Thinkpads and Sonys too. Potentially MacBooks, unverified.
Infected BIOS really dislikes to boot from external devices, almost always goes to internal disk, regardless of settings.
Infected BIOS: back channel is via odd fixed length NetBIOS DNS lookups & blocks of IPv6 DNS lookups, even on machines with V6 sw disabled.
nfected BIOS: can rule out disk drive firmware, using new drives fresh from foilpack, @ioerror – expensive tests to run, ouch.

Copernicus dumps the BIOS so inspection (such as comparing against a clean copy) is possible, and also checks the status of the configuration to determine if the BIOS can be modified.

How does it work? The tool is implemented as a kernel driver that creates a file containing the BIOS dump and a file containing the raw configuration information. When deployed in enterprise environments, scripts can send the raw BIOS dump and configuration information to a server for post-processing. This processing can indicate whether a given BIOS differs from an expected baseline, and it can also indicate whether the BIOS or the computer’s System Management RAM (where some code loaded by BIOS continues running after boot).

%d bloggers like this: