The Premise
A covert channel is a communication path that was never intended to transfer information. Classic examples exploit CPU cache timing, network packet timing, or shared memory. This work explores a less-studied surface: the Linux desktop audio subsystem.
The core question: can audio hardware and software infrastructure — PipeWire, ALSA, the kernel audio stack — be used to exfiltrate data from a host without triggering conventional detection mechanisms?
Why Audio
Audio is interesting as a covert channel carrier for several reasons:
- Microphone and speaker access is broadly granted on desktop Linux with minimal ACL enforcement
- Audio streams are not inspected by standard endpoint detection tools
- The channel is bidirectional — both injection and exfiltration are theoretically possible
- Timing and amplitude modulation are both available as encoding dimensions
Design
The Invisible Wire channel encodes data using amplitude-shift keying (ASK) over ultrasonic frequencies (18kHz–22kHz), operating above the typical human hearing threshold but within the capture range of most laptop microphones.
Sender Receiver
| |
|-- encode data as ASK --------> |
| over 20kHz carrier |
| via PipeWire loopback |
| |-- decode ASK
| |-- reconstruct data
Note
This channel requires both sender and receiver to have audio hardware access on the same physical machine or within acoustic range. It is not a remote exploit primitive — it is an exfiltration channel for post-compromise scenarios.
Detection Gap
Standard Linux security tooling — auditd, eBPF-based monitors — captures process-level audio device access but does not inspect audio content or frequency characteristics. A process with legitimate audio access (music player, communication app) can operate this channel invisibly within normal behavioral baselines.
Status
Implementation and measurement complete. Paper in preparation.
Detection countermeasures and access control recommendations will be included in the full publication.