High frequency sonic data transfer with commodity hardware

So, I saw this thing called “badBIOS” on the news, and its supposed ability to transfer data over the air. Intrigued by this, I tested a few scenarios which involved the playback and recording of high-frequency sound signals with some fairly affordable gear. Here are the spectrograms and details of these scenarios.

For the most part, the signals were inaudible to me, apart from the examples near 17kHz. Frequencies a couple of thousand Hertz higher were of course somewhat audible but could've been mistaken for background noise in an uncontrolled environment.

The spectrograms were created with the following command using SoX:

sox -d -n remix - spectrogram

2kHz – 20kHz triangle wave

This was played through my Siberia V2 headset and recorded with its microphone very close to the element.

play -n synth 2.5 tri 2000:20000 spectrogram

As you can see, the signal was pretty clear.

20kHz – 24kHz - 20kHz sine wave

Again played with the headset. This time around the microphone was dangling out as I wore the headset, and this essentially leaked through.

play -n synth 2 sin 20000-24000 sin 24000-20000 delay 0 2 remix - splice 2 spectrogram

Not bad, don't you think?

17kHz – 24kHz - 17kHz sine wave

This time around I played back the audio with my Dell laptop and recorded it, again, with my trusty headset microphone with the laptop stationed about two meters away.

play -n synth 2 sin 17000-24000 sin 24000-17000 delay 0 2 remix - splice 2 spectrogram

The significantly lower frequency ceiling could most likely be attributed to the laptop's internal speakers.

Here's another instance of the same sound being played, this time played through my headphones and recorded with the laptop's integrated microphone. The headset was held on top of the laptop keyboard during the test.


Again we see the laptop perform somewhat worse than the headset connected to my desktop. The anomalies at very low frequencies might be caused by the laptop fans.

This, however, does not mean it performed poorly – quite the contrary. I was expecting significantly worse performance both input- and output-wise.


“Yes, we can do that.” As demonstrated by the above, it is pretty easy to send and receive high-frequency signals on commodity hardware, and thus test the output or conduct a signal search on inaudible frequencies.

So, let's take a fairly simple Morse code example, the S-O-S. (··· ––– ···)

Based on our findings, 20kHz is a fairly safe channel for our data. Now, let's form a command and record it!

play -n synth 1.5 synth sin 20000 \ pad 0.1@0.1 0.1@0.2 0.3@0.3 0.1@0.6 0.1@0.9 0.3@1.2 0.1@1.3 0.1@1.4 \ splice 0.1 0.2 0.3 0.4 0.5 0.8 1.1 1.2 1.5 1.6 1.9 2.2 2.3 2.4 2.5 2.6

That sure is a mouthful. But hey, it works.


The image output looks nice as well.


We could even use more than one frequency for our communication, so we could even do binary! I've chosen 19kHz to represent zeroes and 20kHz to represent ones.

So, let's do the ASCII character 'a'. The lowercase ASCII 'a' is represented by the decimal byte value 97. This translates to binary as 01100001. play -n synth 0.1 sin 19500 sin 20000 sin 20000 sin 19500 sin 19500 sin 19500 sin 19500 sin 20000 \ delay 0 0.2 0.4 0.6 0.8 1 1.2 1.4 \ splice 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 1.1 1.2 1.3 1.4 channels 1 spectrogram

That's a pretty clear signal. This could even be extended to have another band configuration, such as the following:
{ 0 = 19kHz, 1 = 19.5kHz }, { 0 = 20kHz, 1 = 20.5kHz }

That's it. Thanks for skimming through!