This article, recently published in the Journal of Communications, adds another log to the BadBIOS fire. It has been stated that devices in the BadBIOS case are communicating across an air-gap with commodity PC audio hardware. This paper clearly spells out one workable way to communicate in this way. Even if this doesn’t end up being related to BadBIOS, it has solid potential as a data exfiltration methodology.
First, I want to clearly state that this is only a communication channel and NOT an infection vector as some articles may lead you to think. At this moment, there is no published technique for infecting a system across an air-gap with audio alone (though you should probably treat Siri with a little more respect from now on).
This method works by adapting an old system for underwater communication to frequencies approaching the upper limit of human hearing. Human hearing is generally defined as covering the frequency range from 20Hz to 20KHz. For comparison, dogs can hear up into the 60KHz range. Our ability to hear the higher frequencies deteriorates as we age. In this case, that natural degradation creates a gap between the design specifications of common computer hardware (i.e., 20Hz to 20KHz) and what most users can hear (let’s say, up to around 17KHz for this discussion).
After some initial testing, we found that in our 20 person sample, about 2 might have heard tones at 17.5KHz. So far our testing at 18.5KHz has gone un-detected. Any application with access to the sound hardware on a subject system can communicate this way, noting that Mac and Linux systems may require different approaches in software. All hardware used was off the shelf and unmodified. It is also useful to note that the 18.5KHz tones were not transmitted over the telephone or the videoconferencing links that we tested.
Hack-a-day has a good demo of this approach working with GNU Radio, though it might be hard to miss GNU Radio running on a system where it doesn’t belong. For our next test, we wanted to look for range, reliability, and the possibility of using commodity software. We were able to use a simple Perl script to convert a text message into Morse code audio at a frequency of 18.5KHz. In a non-prepared environment (e.g., fan noise, machine noise, music, etc. ), we were easily able to decode tones using some simple spectrum analyzer software at over 6 meters or 20 feet.
Figure 1. The message is “This is a test”, with music playing at the same time from the same system
I don’t think it’s time for a rack-mountable “cone of silence” just yet. However, I do believe that it’s time we consider ultrasonic (or at least, high frequency) data transmission with stock computer hardware as both possible and practical. At the moment, the best recommendation would be to physically remove audio hardware from any systems that are currently defended by an air-gap and have no need for audio capability.