NSA’s backdoors are real — but prove nothing about BadBIOS

Jan 14, 2014 | 5 min read
Data and Information Security | Security

NSA hacks are consistent with security researcher Dragos Ruiu's claims about BadBIOS, but too many questions persist

Recent revelations about NSA hardware and firmware backdoors give those who believe BadBIOS Trojans exist all the evidence they need. The spying technology has arrived. The only question is whether the BadBIOS incident truly happened.

To summarize, BadBIOS is the name given to a purported super-advanced Trojan that respected security researcher Dragos Ruiu says has been fighting his efforts to analyze and disclose it. Ruiu has reported that the cross-platform Trojan can survive disk reformatting, communicate using sound waves, and remove itself on the fly during forensic investigations. All of those claims are technologically possible but, in my opinion, are unlikely to come together in one Trojan and unlikely to be used against Ruiu. Though some people concluded Ruiu was just seeking publicity, I felt he was misdiagnosing innocuous symptoms as evidence of malice.


A two-week-old LeakSource report makes the case for BadBIOS more plausible. It appears the NSA has many software, firmware, and hardware modules that can be installed on devices after they are manufactured or embedded directly onto the motherboard or circuit board as a chip or other component. These implants provide persistent, hard-to-discover, unauthorized remote access for NSA operators, and the behaviors described in the report parallel many of those attributed to BadBIOS.

Here are some examples. The NSA’s Ironchef “provides access persistence” by “exploiting the motherboard BIOS” and communicating with “a hardware implant that provides two-way RF communication.” Gourmettrough “is a user configurable persistence implant” for Juniper firewalls that “persists [another NSA implant] across reboots and OS upgrades.” Halluxwater is a “persistence Back Door implant” installed as a boot ROM upgrade on Huawei firewalls; Jetplow is the equivalent for Cisco PIX and ASA devices. Loudauto is a small device that picks up room audio, which can then be collected remotely using radar. Nightstand is an “802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space.” Ginsu, working together with a PCI bus hardware implant, reinstalls another software implant whenever that implant is removed. Somberknave “is a software implant that surreptitiously routes TCP traffic from a designated process to a secondary network.”

Each “implant” is so devious that it was hard for me to decide what to include or not include as an example in the paragraph above. Many of these devices are intended to be used in combination with each other. Most have apparently been available for many years.

You can’t go through the full list without wondering if Ruiu was completely right all along. Have I and other skeptics been too disbelieving? Given just the few dozen devices revealed in the article, you would have to conclude that everything Ruiu has been claiming is possible. Maybe I was wrong!

I could be, but I doubt it. First, from the beginning I have stated that nearly everything Ruiu was claiming was possible. But I simply don’t believe Ruiu is a target of the NSA. Why should he be? Ruiu has yet to reveal any reason for why he would be targeted.

Now, many readers might argue, correctly, that our intelligence agencies have always spied for obscure reasons (such as the FBI’s surveillance of John Lennon). But if Ruiu thought there was a plausible motive, wouldn’t he offer it up? Maybe some intelligence agency is interested in what he or his partners have learned? Perhaps Ruiu has some insight into one of the NSA’s secret devices? If that seems possible, why not state the hypothesis?

The second reason I don’t think BadBIOS is composed of NSA implants is that certainly by now Ruiu would have located any malicious software or hardware implants. Ruiu has openly posted memory dumps and involved many forensic experts in his battle to detect his malicious foe. None of them have found anything out of the ordinary. The NSA may have lots of secret spy devices, but none would be able to hide from thorough examination. You cannot perfectly hide yourself.

Lastly, some of Ruiu’s claims, like disappearing evidence, are possible but highly unlikely in light of all the other (non-)evidence. I end with the same conclusion I reached the last time I covered this topic. Everything Ruiu claims could be true, but the sheer number of implants that would have to be hidden on all of his computing devices, plus the fact that no forensic expert has found any evidence of them, leads me to believe that BadBIOS doesn’t exist.

Hang on, let me update that. From the NSA reveal, we’ve learned that many “BadBIOS” implants do exist. I just don’t think Ruiu has one.

This story, “NSA’s backdoors are real — but prove nothing about BadBIOS,” was originally published at InfoWorld as part of Roger Grimes’ Security Adviser blog.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
