For a different perspective, and Arduino (Uno) has 32kb of available RAM (minus a tiny bot used by the bootloader).
There's a tremendous amount of projects demonstrating amazing things that can be done with much less computing resources available than a BIOS. I have _very_ little doubt that bit-twiddled 12-20kHz audio communication could easily be implemented in under 10% of the 383kB that seems to be available. (Assuming the speaker and microphone are available as GPIO-like interfaces to the BIOS/CPU.)
To me it depends; a simple exploit, sure. The air-gapped ip over bare audio seems like it would take a fair amount of processing on its own, unless the system libraries provide signal analysis functions. Also, unless it can just decode raw bits and somehow shuffle them to the network layer of one of the existing adapters you're going to need quite a bit of code to handle that part of it as well.
Look at the 4KB demo scene from the early PC era to see just what is possible with sound and video in a tiny amount of space. Audio processing algorithms can be extremely simple and tiny.
This is way out of my league and maybe not relevant at all, but the Demoscene has forever changed how much I think about what can be accomplished with tiny amount of code.
unless it can just decode raw bits and somehow shuffle them to the network layer of one of the existing adapters you're going to need quite a bit of code to handle that part of it as well.
I think he claimed that packet counts increased with the network hardware pulled from the system - maybe it knows how to stuff them into the loopback interface's queues.
The other option is that you don't have to do full tcp/ip over the "audio link" since it would only be used for specific types of traffic. If you control how the sender transmits you can ditch a ton of the tcp/ip logic and just hardcode to a minimalist subset of functionality.
> I think he claimed that packet counts increased with the network hardware pulled from the system - maybe it knows how to stuff them into the loopback interface's queues.
Ignoring that this doesn't make any sense as a symptom for communication over an audio channel - the whole reason he believes that it is communicating is because a packet counter increased. Not because he has any logs, or because he observed it being controlled, or because he saw any code doing this.
Why are we even discussing the feasibility of the covert channel if the only reason that this topic was even introduced was because he saw packet counts increasing?
I can think of a million benign reasons why packet counts would increase on an unplugged system. That in no way means that the system is compromised or communicating externally. It's not even a reason to be suspicious.
if the only reason that this topic was even introduced was because he saw packet counts increasing?
He saw packet counts increasing and it stopped when he disabled the audio hardware. Then there is all the other circumstantial evidence regarding booting from a CD, "self-healing" and systemic blocking of his debug attempts.
I think it is absolutely fair to critique the individual symptoms but the one critique that doesn't fly is that an individual symptom is the only symptom.
Ignoring that this doesn't make any sense as a symptom for communication over an audio channel
"After doing a software update, my Mac Pro got stuck on the gray screen after restart (seems like a very common problem recently). I am able to boot into safe mode by holding shift (only works like 10% of the time) and verified permissions. It says I need to repair my disk, but i can only do this by booting from my install disk.
However, I can not boot from my install disk. It gets stuck at the gray screen every single time."
> "self-healing"
Didn't happen. Because there was nothing to self-heal.
> and systemic blocking of his debug attempts.
It didn't block any debug attempts. He says it disappears on him when he goes to look at it. That's because it isn't there. That's like saying the ghost beside me is evading my photography attempts, and citing this evasion as proof that something is up.
> In what way does that not make sense?
Beeps on the speakers or listening on the mic doesn't involve packets to begin with! Even if that was true, it wouldn't make packet counts go up. You would have to go out of your way to implement this in the stupidest possible way for your audio channel to have anything to do with a network interface. Compared to the obvious way, it would take way more code, completely ruin your stealth, be far less reliable, and add a ton of packet header overhead over what is already extremely low bandwidth. You cannot be smart enough to implement this malware and also be stupid enough to put your covert channel through network interfaces. Yet we are supposed to believe it's so stealthy that no debugging tools can see it ever, and it's disappearing from low level memory accesses and disk reads wherever he looks for it. But it's spewing packets out on an interface that it doesn't actually need to communicate. I mean...really?
But it's spewing packets out on an interface that it doesn't actually need to communicate. I mean...really?
Because bridging an air-gap firewall is the holy grail of network penetration. You can't discover the guy on the other side of the air-gap without "spewing" announcement packets.
Yes you can. By spewing them on the audio interface, which wireshark doesn't monitor and decode into packets, instead of onto a network interface, which is easily monitored. Especially when there is no reason to involve the network interface at all.
Beeps on the speakers or listening on the mic doesn't involve packets to begin with!
All communication is analog at the lowest level, all common forms of network transmission are serial at the lowest level -- your analysis is all argument from ignorance.
Then there is the Blurt project - an 802.11 physical layer interface that runs over speakers and microphones. Its early stage but its just one guy hacking at it, not some billion dollar spy agency.
> All communication is analog at the lowest level, all common forms of network transmission are serial at the lowest level -- your analysis is all argument from ignorance.
No, but evidently yours is. Sorry, this is quite straightforward to anyone who has ever used a packet sniffer. The fact that it's analog has nothing whatsoever to do with how packet sniffers work, and he wasn't monitoring a serial bus.
Blurt doesn't do what is being described here. It wouldn't show up in packet logs. Which proves my point.
Your conflating "serial bus" with serial transmission suggests that you don't even have the vocabulary necessary to participate in an informed discussion on the topic. Because of that I am kind of at a loss for where exactly to begin.
Here's a simplified start: all common network interfaces transmit serially at the physical layer - one bit at a time, wired ethernet, wifi, 3G/4G/LTE, WiMAX, fibre channel, dsl. None of them are inherently packetized at the very lowest level, they are all just a series of bits. Packetization is done through either synchronous clocking (fixed transmission periods) or, more commonly today, asynchronously via a special sequence of bits that indicate start/stop of a packet.
This is layer 1 of the OSI 7 layer model, we are not even talking packetization like a typical packet sniffer would see, that comes after the physical interface has decoded the transmission like OFDM and undone the 8b/10b then stripped off the bits that make up stuff like the preamble and frame delimiter in the case of ethernet.
Packet sniffers typically work at layer 2, where you can see things like MAC addresses or layer 3 where you see full-fledged IP packets. You run wireshark and you won't see things frame-start bits or the 8b/10b encoding because all that stuff is going on at a level that packet sniffers aren't intended for.
Any audio-based network system like Blurt and the suspected BadBios mechanism would be a full layer 1 implementation. They might do higher layers too or they might encapsulate IP packets and hand them off to the OS's network stack to handle, but the idea that "beeps" don't involve packets is pure ignorance of how modern datacomm systems work. It is ALL analog "beeps" at the lowest level, be it EM "beeps" or audio "beeps." Packetization occurs further up the stack.
Are you actually thinking before you say this? None of this is relevant to the claim being made and you're attacking a straw man. Let me make it really simple:
1. Play audio on one endpoint and record it from another
2. Open wireshark
YOU WON'T SEE THE AUDIO.
This is how he claimed to see it was communicating. Over IPv6 no less. IF it was happening, it wouldn't show up in a packet sniffer.
I am confused, do you mean that in the general case? That I should do that experiment right now and because wireshark won't show anything on my systems, that means whatever is going on with his systems is made up?
Yes. Whether your mic is picking up background noise, your own voice, or a legitimate modulated covert channel, wireshark is incapable of even attempting to pretend it's a network interface. At no point could this ever show up in wireshark.
I strongly suggest you try using a packet sniffer before you stubbornly engage in arguments about what they can and can't see.
I will send you $100 if you can configure wireshark to do what you describe. Using any of the tools in this thread, or any of your own, go ahead and try capturing even 1 packet from an audio interface in wireshark and post the pcap file.
It's not over anyone's head - we have interns who understand why this doesn't work. I have no idea why you might think it would.
Why do you need IP over airgap? A basic carrier sense scheme with maybe a 44khz fft can ensure atleast a slow speed networking even an arduino with 16kb(or probably even 8kb) flash can do this. This isnt like wifi where you would need complex signal analysis.
