The research comes from Michael Hanspach and Michael Goetz of the Fraunhofer Institute FKIE in Germany. It demonstrates how audio signals, hardly if at all discernible to the human ear, can be used to transmit data between computers that do not have a direct network connection.
We demonstrate, say the researchers, "how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications."
It is, they say "a considerable threat to computer security and might even break the security goals of high assurance computing systems based on formally verified micro kernels that did not consider acoustical networking in their security concept."
This in turn means that BadBIOS could be genuine; but the research needs to be taken in context. It demonstrates that a theoretical possibility can be made an actual reality – but not easily. The research does not demonstrate a new vulnerability or malware, nor does it describe a new method for compromising computers; it shows a method of exfiltrating data across an air gap from a machine that is already infected. This fits in with Ruiu's account of his 'infection:' the audio signals only became apparent after a system update, which is the suspected point and method of infection.
Craig Young, security researcher at Tripwire, says that the research reinforces "the plausibility of claims made by Dragos about phantom malware (BadBIOS) capable of communicating between infected systems without using traditional networking. It should serve as a reminder that air-gapped machines should be limited to only the hardware necessary to perform their intended functionality.”
Ken Westin, another Tripwire security researcher, points out that the system is "able to transmit data 20 meters but only at 20 bits per second so this approach is not exactly a key way to exfiltrate data." Acoustic exfiltration simply is not traditional malware: it requires extensive resources and effort for very little data return.
Jacob Appelbaum's tweet on BadBIOS takes on new impetus: "I think I know when and why @dragosr was owned. I also think I know who likely did it and many of the details. A hint: #NSA #CSE #GCHQ." Acoustic exfiltration is not suitable for traditional criminal activity; but is entirely suited to highly targeted, patient espionage.
It is also worth considering one other possibility in this era of nation-state cyberwarfare. Stuxnet showed years ago that agencies can infect computers across air gaps. But infecting an air-gapped computer with a trojan is one thing; maintaining control over that trojan going forward is altogether more difficult. Acoustic transmission may not be suitable for large scale exfiltration; but it could, says Westin, "easily be used to transmit commands.” This process may be better suited to control an air-gapped computer than to steal from it.