Talk:BadBIOS

What are the answers?
I created this page because to be honest, coverage died down end of 2013 and I never saw the researcher back-track on the matter. This Stack exchange post for example suggests the only discussion going on about this any more in on a sub reddit. It appears no main stream media said categorically this was over.

A facebook post by Ruiu says he's running out of test machines to reproduce this on way back in October 2013 when this first broke, but I would really like this issue put to bed. Deku-shrub (talk) 16:54, 30 December 2014 (UTC)
 * BadBIOS does not exist and is generally accepted to be a hoax. No further research has been released nor will ever materialize. 98.23.201.201 (talk) 01:41, 16 February 2015 (UTC)
 * "and is generally accepted to be a hoax" Deku-shrub (talk) 12:33, 16 February 2015 (UTC)
 * Generally accepted by the Stack Exchange Q&A community, at least . Need a better source? Here. 75.90.67.208 (talk) 03:16, 20 April 2015 (UTC)

Bios exploit info
I don't think this article is the place for generic bios rootkits, it was the alleged air-gap jumping ability that was exceptional. As a result I'm removing this new content. Deku-shrub (talk) 21:58, 8 September 2015 (UTC)


 * Has been labeled a "hoax" but is feasible and used in-the-wild. So maybe something such as this edit which demonstrates these facts? There are other attacks which also use audio, lights or electromagnetic emissions as carrier / command and control channel for exploits (will have to dig around for these). -- dsprc   [talk]  22:18, 8 September 2015 (UTC)
 * I didn't think BadBios's bios-infection was why it was notable, I thought it was the air-gap jumping? Wouldn't Bios infection info belong on BIOS? Deku-shrub (talk) 00:14, 9 September 2015 (UTC)
 * I'm pretty sure it never actually jumped airgaps. It just communicated over them. It's just it's virulent ability to infect removable devices and internal hard drives as well as the BIOS that makes it so persistent, if I understand things right. 74.211.60.182 (talk) 20:28, 12 October 2016 (UTC)
 * Yeah, what was notable was it's sheer persistence and difficulty in eradicating. It would infect the bios, and the hard drive firmware, and the flash controllers on usb flash drives, and possibly even NICs.  An infected bios would infect any boot device that was writable, and refuse to boot from anything it couldn't infect.  That was the telltale sign.  You can't boot from optical media anymore, period.  Inserting an infected usb flash drive or hard drive would own your bios and boot drive.  BadUSB is already proven to exist. The Equation Group has made malware that does most of these tricks.  — Preceding unsigned comment added by 2600:6C40:700:1B0:A9FF:C3E7:F534:ECA7 (talk) 15:48, 22 February 2022 (UTC)
 * BadBIOS is possibly real. It infects BIOS/UEFI and keeps some of the malware code in NVRAM. It is connected to the IME exploits. It jumps airgaps exploiting NFC, bluetooth, firewire and radio. Possibly HD audio networks as well, see a interesting publication on that one it was a POF. It alters sense codes of DVD's burning itself even on pressed storage media which are infecting a machine possibly even through drive seek. In addition it infects USB firmware, SATA interface and HD firmware. The SMART interface might be part of the exploit as well. BadBIOS is possibly not consisting of one piece of code but has the functionality to puzzle itself together step by step from different sources. The initial payload might possibly reside in any of the mentionend interfaces. From there the malware grows and starts jumping. And yes. It jumps. It also uses serial and parallel ports for communication possibly through field modulation on single pins imitating e.g. a modem. The initial payload can reach a machine as executable code contained e.g. in graphics files. Altered .wav files may play a role in communication. Check if your linux kernel accepts boot flags, e.g. nodrm but loads it anyways. A hoax? BadBIOS can be considered to be a military grade malware similar to STUXNET. Origin is unknown. Human intelligence might be behind steering an infected computer system. BadBIOS adapts to user behaviour, learning and even predicting user action. Analysis is extremely difficult as BadBIOS (or human int) detects analysis methods. Byte output of typical analysis tools (simple e.g. hdparm) is often swapped. As it detects anaylsis or desinfection methods it shuts down, so simply measuring radio waves is not as easy as you think. Check if your HD accepts --dco-queries. Check if you see no time difference between enhanced erase and normal security erase of the HD functionality (usually Seagate). Check using testdisk (6.13, US NAVY software) for deleted files, testdisk detects some, more than any other tool. Sincerely, BadBIOS destroyed my life. It is no hoax. On multicore systems badBIOS possibly boots up virtual computer systems unrecognized by the user (knoppix can sometimes detect unusual CPU activity). BadBIOS does not like gpt partition tables, prefers mbr and uses a hidden backup hybrid setup to restore malicious code. It uses grub and UUID e.g. to access video memory and locate and restore code on boot up. Check if your USB media are displaying less storage than you usually have (e.g. 15GB instead of 16, 58 instead of 64, 115 instead of 128 and no this is no calculation error of GB and GiB) usually pointing to malware code (whole linux distro?) which was dumped onto the device (possibly out of NVRAM or BIOS). E.g. After zeroing a harddisk using a cat dev/zero or simialar (dd) check for actual zeroing (hexdump)-BadBIOS dumps itself back on mbr and pbr's shortly after that. It stores code usually at the PHYSICAL end of the harddisk and is fooling partitioning and zeroing by switching the virtual order. If you can, erase front and end of HD at the same time it possibly moves code while drive access. It might store code in the hardware cache. BadBIOS pretends to the user e.g. a gpt partition table where in fact is creating logical drives in an extended partition on a mbr mimicking gpt table (more than 4 primary...). It is hard to get rid of it (if not impossible) as you need to renew and exchange so many different firmare parts of a system (you usually forget one). If you encounter some or all of the above mentionend hints to it - burn the computer. BadBIOS infects mobiles. as well, possibly through bluetooth. If you burn your computer and you had a mobile near to it - burn that as well. If you use a new and fresh computer system do not bring any mobile near to it, exchange your router or any broadcasting device with it, do not insert any burned medium you created on an infected machine, do not plug in any USB device that was connected to an infected machine, change your monitor. Destroy any IoT devices, or devices using bluetooth or radio that were near an infected machine. This is no joke. Good luck. May the force be with you. This is the most sophisticated shit I've ever seen.

Bad caps?
Hi, I found experimentally that a lot of "old" laptops and desktops get progressively more flaky over time because the capacitors on the motherboard degrade due to heat then causing in some cases the MOSFETs to fail while charging the battery which also degrades with time.

In a way this is very similar to the problems encountered on camcorders, and relatively easy to fix with the right tools. I have just such a machine here and a primary symptom is that it won't work correctly with external devices and randomly BSODs: RAM isn't the problem but noticed issues with even an SSD. Measured a huge ripple on the 5V line and SDR also shows anomalies so waiting on parts to fix it.

Another good test: build an active load and see when the port cuts out or voltage starts to drop. With a "good" laptop this should be about 500-600mA but bad ones can go down to less than 130mA! This can cause complete havoc with external drives even with shared power as the fault is caused by noise as well resulting in incomplete/corrupted files.

This is a good reason to use external powered hubs and a reliable non-SMPS medical grade power supply to avoid problems with earth loops. I have had issues with corrupted BIOS "black screen of death" related to this problem. — Preceding unsigned comment added by 185.3.100.0 (talk) 03:25, 5 March 2019 (UTC)

Update: also noticed that even powered external drives seem to be susceptible. A good test is to see what they do when optimized: if the port is even slightly glitchy the process will either stall or otherwise get interrupted and in severe cases the drive may become unresponsive. — Preceding unsigned comment added by 88.81.129.132 (talk) 21:19, 20 October 2020 (UTC)

Subsonic acoustic communication vs. infection are two different questions
It may be worth noting that the Hanspach-Goetz paper demonstrated subsonic communication through computers prepared to use it. In contrast, Ruiu's claim was that an air gapped machine was infected spontaneously via this channel.

As I recall, Ruiu simply hypothesized this explanation based on the fact that the machines were airgapped, thus, the only mechanism he could think of that could traverse the airgap was acoustics. It was never explained how a clean device could be infected via a communication channel that the device was not configured to receive information on -- much less convert to binary instruction to enact infection without any other indication.

It always seemed like investigator error or another vector was much more likely, such as, the other device wasn't actually clean, and perhaps had received the malware from the same source as the infected machine, or "dirty" handling of the machines, perhaps by an unwitting technician, or perhaps even just a coincidental infection of the same malware. Ruiu was simply assuming those things couldn't have happened.

In point of fact, the Hanspach-Goetz paper specifically says:


 * All participants must have installed a compatible acoustic communication system, either by infection of a malware or actively installed (on the attacker).

This specifically rules out the mechanism as an infection vector.

Keith D. Tyler &para; 22:53, 18 April 2022 (UTC)