Interesting article. Although I guess that any person experiencing that bit would tend to start believing in ghosts before they found something that they could attribute it to. It would be quite eerie to have systems behaving that way.
With regards to speakers, high audio frequencies might not be feasible on small computer systems, but once you get into higher end speakers, it's easy to go beyond audible range since most speakers generally want to go as high as possible to avoid having a too low breakup frequency on the tweeter. Chipsets are certainly capable - Here, any better chipset should be able to get a fair bit past 20K -
http://techreport.com/review/23358/asus ... reviewed/9
Amps shouldn't be that much of a problem either, the thing is the speakers, although higher end ones easily do it. Now I have nice speakers in my home theater, they are actually capable of going up to almost 30 kHz within the normal specifications of being "flat" as in the decently non-flat +-3 dB thing.
Also, if you have access to the audio chipset, you can probably monitor the mic for input and only transmit when it's at its lowest points over a certain amount of time, that would give you better SNR and lower the chance of detection a fair bit I would think. And there are certainly other side-channel attacks that you can use on various levels. Sound can be detected by laser and minute vibrations on physical objects. If you have a bug in a QR reader, you could probably spread malware at fairs with false blank mysterious business cards or making something ARG-like. You have the old TEMPEST and van Eck.
The really scary thing with this is that it is on such a basic level of the hardware it supposedly acts on. Then you have the range and that it might actually be feasible to get a relatively reliable connection on. Most of the hardware, especially portable hardware, has decently fair capabilities nowadays. Add newfangled things like Kinect, webcams. Look at an iPhone or similar smartphone for instance, powerful small speakers, a sensitive mic that can actually be calibrated fairly enough to measure things, and you will carry it with you and have the ability to infect others. Talk about a wildfire spreading. As for information flow, you could probably even use 3D TVs with variable updating speed and a photodetector to transfer information, LightBoost/G-Sync anyone?
Now, I wonder how long it will take until we get into Snow Crash territory.
Basically, epilepsy is already a crude brain nuke for some...
Monoculture
While cost and convenience may be a thing over security, monoculture might also have pretty benefits, so it's not really clear-cut. If you assume a hardware vulnerability, then sure, if you have it on one piece, you have it on all, but you also only have one kind of equipment to audit and test for faults and mitigate. And you might just miss a few hardware software incompatibilities that might introduce new faults by themselves. And while deployment has certainly gotten easier thanks to a softer policy, with the ability to request and schedule updates on individual needs making multiculture way more feasible, in large companies I still think scale would win economically for monoculture.
JBL - of course the above doesn't take into account the skill of the ones putting together the platform, because there is really no reason today that anything should slow down that much if done properly, and while having defense in depth and a multitude of protection programs, loading all of them on a client is actually counterintuitive in many ways. You can bet they still won't cant some vulnerabilities that let an attacker shut them all off anyway so...
Not to mention that while clients are nice, they are often used as a stepping stone for many other things, not a target by themselves. A former colleague of mine that works on Outpost24 together with a guy from Kaspersky did a practical test on social engineering and also looked at vulnerabilities. Let's just say that good patch management has some ways to go before people start to use 0-day things to be effective, more like... 2-month vulnerabilities in reality in many places.
http://usa.kaspersky.com/about-us/press ... d-overlook /
http://www.securelist.com/en/blog/8132/ ... o_overlook
Full paper is here -
http://www.securelist.com/en/downloads/ ... erlook.pdf
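
A defender-side check for the near-ultrasonic signalling discussed in this post, as an added example that is not part of the original post: it flags 20 ms frames of a microphone capture in which a narrowband tone between 18 and 22 kHz stands at least 20 dB above that band's own noise floor. The 48 kHz capture rate, the band edges, the 20 dB threshold, the function names and the constructed test signal are all assumptions made for illustration.

```python
import math
import random
import statistics

RATE = 48_000   # assumed capture rate (Hz); Nyquist of 24 kHz covers the band
FRAME = 960     # 20 ms frames, so DFT bins sit 50 Hz apart

def goertzel_power(frame, k):
    """Squared DFT magnitude of bin k, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def tonal_frames(samples, lo_hz=18_000, hi_hz=22_000, min_ratio=100.0):
    """Indices of frames whose strongest bin in [lo_hz, hi_hz] exceeds the
    band's median bin power by min_ratio (100 = 20 dB)."""
    bin_hz = RATE / FRAME
    bins = range(round(lo_hz / bin_hz), round(hi_hz / bin_hz) + 1)
    flagged = []
    for n, start in enumerate(range(0, len(samples) - FRAME + 1, FRAME)):
        frame = samples[start:start + FRAME]
        powers = [goertzel_power(frame, k) for k in bins]
        floor = statistics.median(powers) or 1e-12  # guard digital silence
        if max(powers) / floor >= min_ratio:
            flagged.append(n)
    return flagged

def constructed_capture(carrier_hz=None, frames=10, seed=1):
    """Constructed sample: loud 440 Hz tone plus faint noise; an optional
    quiet carrier (10x weaker than the tone) is added to the second half."""
    rng = random.Random(seed)
    out = []
    for i in range(frames * FRAME):
        t = i / RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0.0, 0.01)
        if carrier_hz and i >= (frames // 2) * FRAME:
            x += 0.05 * math.sin(2 * math.pi * carrier_hz * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print("benign :", tonal_frames(constructed_capture()))
    print("carrier:", tonal_frames(constructed_capture(19_500)))
```

Comparing the peak against the band's own median, rather than against total frame energy, keeps a quiet carrier visible even when audible content is much louder.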