We've heard a lot about badBIOS and how low level rootkits can be used to exploit/bypass traditional security but can this story be true?
Also, if true, how would this change the way we do security?
The best analysis I've seen of badBIOS so far is from Robert Graham of Errata Security.
His conclusion:
Everything Dragos [Dragos Ruiu - the person who claims to have badBIOS in his lab] describes is plausible. It's not the mainstream of "hacking", but neither is it "nation state" level hacking. That it's all so plausible leads credence to the idea that Dragos isn't imagining it. Of course, since Dragos is an expert, his imagination is likely be full of factually correct details anyway, so maybe the plausibility of these hacks isn't such guarantee of truth.
Dragos has only been analyzing this for a few weeks. Presumably, he won't give us the full details for us to check out until the next CanSecWest conference. Until then, I guess we are all just blowing smoke about whether this is "real" or not.
While badBIOS is clearly in the realm of the possible, until somebody else get access to a sample of this malware, the question is really: Is Dragos Ruiu making this up or not? To be sure, we need to have his claims confirmed or falsified by independent researchers with access to a sample of this malware.
All of the elements suggested can be done. There's nothing far-fetched about any aspect of it. Whether or not it's all true in the one specific instance is not a question that can be answered by a forum of people who have no access to any evidence on the subject.
