[Cryptography] Previously unknown (I think) Malware

Ray Dillinger bear at sonic.net
Wed Sep 19 22:32:49 EDT 2018



I have recently become aware of some previously unknown malware, and
need to move it toward analysis/publication/eventual CERT advisory.

It is tentatively named "Gaslight" because for a while the discoverer
thought he was going crazy.

It infects Bluetooth devices and definitely does jump between paired
devices.  It was first observed on an Android/Pixel smartphone. I do not
know enough about Bluetooth hardware to attempt to extract and analyze it.

I do not know the full extent of what it does.  I know some of what it
does and it's damned scary (turns almost any Bluetooth device into an
audio bug - even devices without speakers or microphones).

I know some of the other things it does and there's no comprehensible
motive for a crook to make malware that does that. So there are some
serious unsolved puzzles.  I consider it very likely that it also does
other things.

I am looking for someone to whom I can forward infected hardware, who is
willing and able to extract and analyze, or at least fact check and
verify and publish about, this malware.

If this is you, and you want the credit for figuring it out, or if you
know who I ought to talk to in this vein, please send me email.

All the *known* affected devices have been contained and the environment
where they were installed seems clear of it now.

But it's never just the one place....  this thing is out there.

The situation is complicated by the fact that the parties whose hardware
was infected wish to keep their identities private and the infected
devices may contain identifying, confidential, and/or proprietary data
belonging to them.

Some of the affected devices cause other devices to make characteristic
noises.  You can detect it by hearing if you are in a very quiet
environment, paying close attention, and have sharp ears.  We have
recordings of some of the noises, but they are poor quality; it's just
at the lower edge of audible.  We are working to get higher quality
recordings to check for sound modulation as a possible inter-device or
data-exfiltration channel.


				Bear
