Dragos Ruiu first became suspicious when he was
installing a new version of Apple's OS X onto his MacBook. Unasked, his laptop
also started to update its BIOS – which boots up the OS and choreographs use of
disc drives and memory. In the three years since, Ruiu's computers have
continued to do strange things – even when unplugged and with the Wi-Fi and
Bluetooth switched off. He now believes that hidden viruses on his machines are
being controlled via ultrasound signals broadcast from one infected computer to
another.
The incredible claims made by Ruiu, a respected
computer security researcher from Vancouver, Canada, have sparked a row
in the world of cyber security. Some doubt this sonic "backdoor"
can be genuine – no one has yet tracked down computer code that can generate
the audio. Although Ruiu's claim remains unproven, others say that audio-based
malware is a very real possibility.
The row started on 15 October when Ruiu
posted on his Google+ page that a high-pitched whine in his home
sound system was not, as he'd suspected, being caused by electrical noise from
his home wiring. Instead, his tests showed it was probably being caused by
interference from ultrasonic audio being transmitted between the loudspeakers
and microphones of nearby computers. He also found that the ultrasound
broadcasts ceased when the receiving computer's microphone was disabled.
"We have recorded high-frequency audio
signals between our computers and have seen the computers mysteriously change
their configuration even when they don't have network connections, Wi-Fi cards
or Bluetooth cards," Ruiu told New Scientist.
"And we ran them on batteries so they were not receiving anything through
the power lines."
Mind the gap
If Ruiu is right, it means that malware, which he
has called "badBIOS", has somehow been installed in one of his
computer's chips, only to lie dormant until an audio signal wakes it up. No
malicious code has so far been found on Ruiu's "infected" machines.
"This is all conjecture until forensic analysis finds something," he
admits. Whether or not a virus is found this time, it raises the disturbing
prospect of malware being controlled by audio between "air-gapped" computers
– those with no electronic or wireless connections. Until now, most people
thought this was an ultra-secure way to operate.
"Malware, as well as legitimate software,
can use any kind of signals and inputs to activate and modify its operation, so
that would certainly extend to audio inputs," says Ralph Langner, who is
based in Hamburg, Germany, and discovered how the Stuxnet worm attacked
Iran's nuclear fuel enrichment facilities.
But making audio malware would be far from simple
because of its "unreliable" transmissions through the air and walls,
says Boldi Bencsáth of the CrySys security lab in Budapest, Hungary. He says
the widely varying specifications of sound cards would make it hard to ensure
malicious instructions were received by all types of computer. "Maybe it
could work for slowly sending a few bits per minute, but it won't work for
downloading terabytes," he says. But that might be all it needs to send
control information.
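The defender's counterpart to the covert channel described above is simply listening for it: a near-ultrasonic carrier is easy to spot in a microphone capture, whatever it encodes. The following added example (not code from the article or from any of the researchers quoted) scans a frame of 44.1 kHz PCM audio for tones in the 18–22 kHz band with the Goertzel algorithm, using constructed test audio and an assumed amplitude threshold of 0.02 full scale.

```python
import math

RATE = 44100   # assumed sample rate of the captured audio, Hz
FRAME = 4410   # 100 ms analysis window, giving 10 Hz bin spacing

def goertzel_power(samples, rate, freq):
    """Normalised power in the single DFT bin nearest freq (Goertzel).
    For a pure tone of amplitude A that sits exactly on the bin this is A^2/4."""
    n = len(samples)
    k = round(n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def ultrasonic_peak(samples, rate=RATE, lo=18000, hi=22000, step=100):
    """Scan the near-ultrasonic band; return (freq, amplitude) of the strongest bin."""
    best = (None, 0.0)
    for f in range(lo, hi + 1, step):
        if f >= rate / 2:          # nothing above Nyquist is representable
            break
        amp = 2.0 * math.sqrt(goertzel_power(samples, rate, f))
        if amp > best[1]:
            best = (f, amp)
    return best

def flag_ultrasonic(samples, rate=RATE, min_amplitude=0.02):
    """True if a near-ultrasonic tone at or above min_amplitude (full scale 1.0) is present.
    The threshold is an assumption; tune it against the capture hardware's noise floor."""
    _, amp = ultrasonic_peak(samples, rate)
    return amp >= min_amplitude

def make_frame(tones, n=FRAME, rate=RATE):
    """Constructed test audio: a sum of (freq, amplitude) sine tones."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)
            for i in range(n)]

# Constructed inputs: ordinary audible content, and the same plus a quiet 19 kHz carrier
CLEAN = make_frame([(1000, 0.5)])
CARRIER = make_frame([(1000, 0.5), (19000, 0.1)])

if __name__ == "__main__":
    print("clean  :", flag_ultrasonic(CLEAN), ultrasonic_peak(CLEAN))
    print("carrier:", flag_ultrasonic(CARRIER), ultrasonic_peak(CARRIER))
```

Because the tones are chosen to sit exactly on DFT bins, the audible 1 kHz content contributes nothing to the ultrasonic bins, so the clean frame is not flagged while the carrier frame is flagged at 19 kHz with its 0.1 amplitude recovered.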
Orla Cox, security operations manager with
antivirus firm Symantec's lab in Dublin, Ireland, agrees that audio
control of malware between computers is theoretically possible. "You'd
only use this for sophisticated attacks to get into somewhere that was highly
secured. It would probably need a sophisticated, well resourced attack. It
would also require a lot of skill – and most people out there are not that
skilled."
Stuxnet, Cox says, is thought to have jumped the
secure air gap at Iran's Natanz nuclear plant by using a mix of social
engineering and Windows vulnerabilities: infected USB sticks distributed
locally were picked up and used by off-duty staff – and a Windows autorun
function ran Stuxnet when the sticks were later plugged into PCs inside the
nuclear plant.
It would be a "big deal", Cox says, if
Ruiu is right. "If badBIOS can jump air gaps with audio it would be the
most sophisticated piece of malware we have seen. Stuxnet is the only other
piece of malware that has jumped air gaps before."