Very interesting, and this is pretty damn scary if it's real. I'm pretty skeptical on this being real though. It sounds like a horror story for Halloween. If an infected machine is disconnected from the network, and the speakers removed... how is this going to even possibly transmit? This is some sci-fi stuff right here. Viral transmission via audio is crazy, and I'd LOVE to see anything transmit strictly through audio wave signal alone. The implications behind figuring out how to do that could greatly surpass any of the negative implications behind badBIOS itself. Essentially if this is at all real, the implications would indicate I could construct and then transmit a specific frequency from my smartphone to any machine with a built in microphone on a network and pentest the hell out of that given network. If anything, it's potentially being surface disguised as audio transmission and in reality being transmitted via a wifi signal. A desktop with wired ethernet only, and no speakers should have absolutely no way to transmit anything so long as it has been disconnected from a network. Either way, if you're not already following @dragosr you probably should if you're in the IT world.
I wouldn't be too suspicious. The guy's career is built on reputation. He wouldn't risk it for a silly joke. Besides, if you ask most anyone in cybersec, they will tell you that this is very, very possible. Multiple governments have used similar things before, albeit perhaps not all at once (or perhaps they have, but it hasn't been released publicly). The only suspicious thing is why HE was the target.
Wait, why are you promoting the guy's Twitter if you're suspicious? I got more suspicious because of the audio transmission portion, but that was after the article mentioned OpenBSD getting a problem. If this guy is such an expert, then he should have no problem testing a desktop system without audio connections. Instead he "noticed" a high-pitched whine but hasn't analyzed it in the two weeks since mentioning it on his Google Plus feed. Note also that said feed has not been updated since October 26th or so (it just says "six days ago" on Hallowe'en). There are lots of missing parts in his own writing. When I tear down weird installs or set up new boxes, I write a lot of notes. I'm in tech support and technical writing, so I know the format that conveys boring facts effectively. This rambles too much. Something is unfocused, and that doesn't speak well. I guess what's most suspicious is that he has this uber-malware that can spread almost psychically to any OS on a Wintel box. However he's the only person reporting it.
This is the perfect story to read on halloween. I'm really curious about that high frequency speaker data transfer theory. That sounds fun to play with. Anyone seen anything about this? All I found (via very, very casual googling) was this Chirp thingy a year ago.
Here's a Javascript library that provides ultrasonic audio networking in the browser. It's more hobbyist or proof of concept at the moment. Ultrasonic communications has already made its way into kids' toys ( Furby for example ) Those two are unidirectional but show it's possible. It is a leap from the possibility to using it as a command and control system, but not much of a leap.
You're not wrong: I have an airgapped computer, nothing critical or sus, mainly just for writing and work, on a computer that is less privy to pinging, attacks, malware etc, and while the badBIOS seems to be something utilised towards high-value persons, you can imagine the damage that could happen if it spreads in the wild, and begins attacking indiscriminately.
I'm choosing to assume that this guy is a moron rather than that some incredible genius has created a virus that defies all logical explanation.