
Interesting story. The use of audio is fascinating, even with 20 kHz carriers, using FSK[1] you're looking at maybe 6666 baud, which is 666 bytes per second. That is about 2 seconds per 1500-byte packet. So not exactly a "fast" way to communicate.

You might use QPSK (basically two FSK ranges using phase to indicate 00/01/10/11 states), but that would still make for a pretty small pipe. Perhaps enough for a C&C channel but not really enough to exfiltrate data.

[1] Frequency Shift Keying - generally takes three complete cycles of a 'tone' to reliably recognize the frequency. So 20,000 / 3 = 6666.666 baud.
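The arithmetic in the comment above, carried through as a toy two-tone FSK modem. This is an added example, not code from the thread or from the article it discusses. It assumes a 48 kHz sound card, tones at 16 kHz and 20 kHz (chosen so that the two seven-sample symbol templates are orthogonal), seven samples per symbol (about three cycles of the 20 kHz tone) and 8N1 framing, which is the unstated 10 symbols per byte behind "6666 baud is 666 bytes per second". Detection is coherent and sample-aligned; a real acoustic modem would need timing recovery and would usually detect tone energy instead.

```python
"""Toy FSK modem plus the back-of-envelope throughput estimate.

Constructed example. Assumptions: 48 kHz sample rate, 16 kHz "space"
and 20 kHz "mark" tones, seven samples per symbol, 8N1 framing.
"""
import math

SAMPLE_RATE = 48_000       # assumption: common consumer sound-card rate
F_SPACE = 16_000           # tone for a 0 bit (assumption)
F_MARK = 20_000            # tone for a 1 bit (assumption)
SAMPLES_PER_SYMBOL = 7     # 7/48000 s = 2.9 cycles of the 20 kHz tone


def _tone(freq_hz):
    """One symbol's worth of a sine at freq_hz, starting at phase zero."""
    return [math.sin(2 * math.pi * freq_hz * n / SAMPLE_RATE)
            for n in range(SAMPLES_PER_SYMBOL)]


# Symbol templates; the receiver correlates against the same templates,
# so detection is coherent and assumes the stream is sample-aligned.
TEMPLATE = {0: _tone(F_SPACE), 1: _tone(F_MARK)}


def frame_bits(data):
    """8N1 framing: start bit 0, eight data bits LSB first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def modulate(data):
    """Return a list of float samples, one symbol per framed bit."""
    samples = []
    for bit in frame_bits(data):
        samples.extend(TEMPLATE[bit])
    return samples


def _decide(symbol):
    """Correlate one symbol against both templates; pick the larger."""
    corr = {b: sum(s * t for s, t in zip(symbol, TEMPLATE[b])) for b in (0, 1)}
    return 1 if corr[1] > corr[0] else 0


def demodulate(samples):
    """Undo modulate(); raises ValueError on a bad start or stop bit."""
    n = SAMPLES_PER_SYMBOL
    bits = [_decide(samples[i:i + n]) for i in range(0, len(samples) - n + 1, n)]
    out = bytearray()
    for i in range(0, len(bits) - 9, 10):
        start, payload, stop = bits[i], bits[i + 1:i + 9], bits[i + 9]
        if start != 0 or stop != 1:
            raise ValueError("framing error at bit %d" % i)
        out.append(sum(b << k for k, b in enumerate(payload)))
    return bytes(out)


def throughput(carrier_hz=F_MARK, cycles_per_symbol=3, symbols_per_byte=10,
               packet_bytes=1500):
    """The comment's estimate: (baud, bytes per second, seconds per packet).

    symbols_per_byte=10 is 8N1 framing with one bit per symbol; a QPSK
    scheme carrying two bits per symbol would pass 5.
    """
    baud = carrier_hz / cycles_per_symbol
    bytes_per_s = baud / symbols_per_byte
    return baud, bytes_per_s, packet_bytes / bytes_per_s


def modem_bytes_per_second():
    """What this particular modem actually manages at its sample rate."""
    return SAMPLE_RATE / SAMPLES_PER_SYMBOL / 10


if __name__ == "__main__":
    msg = b"covert channel test"
    assert demodulate(modulate(msg)) == msg
    baud, bps, secs = throughput()
    print("estimate: %.0f baud, %.0f B/s, %.2f s per 1500-byte packet"
          % (baud, bps, secs))
    print("this toy modem: %.0f B/s" % modem_bytes_per_second())
```

Running it shows the 2.25 s per packet the comment rounds to "about 2 seconds"; the toy modem itself comes out slightly faster (about 686 bytes per second) because seven samples at 48 kHz is a little under three full cycles.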



Okay, so because he could not remove the audio interface, it MUST have been the only logical infection vector remaining? That is a very strong claim, particularly since I do not see any claims that he is also HEARING the requisite very long and loud screeching sounds that this would imply. Audio data transmissions on consumer-grade devices unavoidably involve sound, right?


Well, that is the thing: if it were pitched high enough then no, you probably wouldn't hear it. (That is also beneficial for higher-speed transfers.)

What the article said was that he was seeing packets from the air-gapped host (that means nothing but air around it, no wifi), which stopped when he disabled the speaker and microphone. That suggested that this was the 'wire' between the two.

One of the side effects of using piezoelectric speakers (which are nice and flat, so adored by mobile device makers and laptop makers alike) is that they often have frequency response ranges above 20 kHz. Many people cannot hear frequencies over 15 kHz, although 15 kHz (which was the scan rate of CRT monitors) can be heard by some folks, and poorly wound flyback transformers would drive them nuts.


> poorly wound flyback transformers would drive them nuts

Those and marginal capacitors do drive us nuts. And that's one reason such communication wouldn't have to be completely out of human hearing range. Those of us who can hear it aren't going to be shocked by yet another high-pitched whine in a room full of electronics.


I considered this before posting. If it were near ultrasonic it would have near zero chance of useful transmission unless the attacker and victim were very particularly aligned. The higher the sound frequency, the less sound curves around obstacles.


Sure, but how much data needs to be sent to deliver the first stage, and how long does the attacker have to deliver it?

Reminded of ELF communication with submerged submarines.

http://en.wikipedia.org/wiki/Extremely_low_frequency


I once did some work for a team that did ELF communication from a small autonomous sub to a surface ship for mapping. They had a 1200 bps channel up to the ship for the map data...

(I didn't get to do anything with the sub - I was just brought in for two weeks to give them a way of feeding that data from a Sun workstation on the tracking ship to another station via GSM data (mainly for demo and testing purposes); trivial in comparison to the software controlling the sub, but it was fun getting to go out on the tracking ship when they did test runs)


> Perhaps enough for a C&C channel but not really enough to exfiltrate data.

I really really really hate to say "APT," but if you had a gapped, infected PC sitting next to an internet PC; and both were powered up 24x7 for months with the infection undiscovered, you could grab a significant amount of data.


Would it matter what frequency if the signal is a sequence of digital pulses, i.e., a digital secret knock encoded in compromised hardware or software, i.e. audio components and/or drivers?


666 bytes per second--this really is evil!



