It's called covert channels. It could be done by flipping some unused/ignored bits in ip4/tcp headers in a stream of traffic that goes past a collection point.
How would Wireshark reveal this kind of attack? If the management chip has direct hardware access, it can hide data in innocuous-looking packets that the host machine never sees. You would have to monitor both the packets that the OS thinks it's sending, and the packets actually received by the switch, and constantly compare them for mismatches. Given the performance cost, I find it hard to believe that anyone except the most paranoid organizations would actually do this.
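Added example, not code from any commenter: a small checker for the two points above. It parses the IPv4/TCP header fields an attacker could repurpose (the IP reserved flag, the three TCP reserved bits, an urgent pointer with URG clear) and compares the host's view of a stream against the switch-side view of the same stream, reporting any field that changed in transit. The packets are constructed inline (checksums left at zero) so it runs offline; `HOST_SIDE`/`WIRE_SIDE` and the field names are this example's own.

```python
import struct

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the header fields that should never change between host and switch."""
    ver_ihl, tos, _tlen, ident, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    _sp, _dp, _seq, _ack, off_res_flags, _win, _tcsum, urg = \
        struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    return {
        "ip_reserved_flag": (flags_frag >> 15) & 1,  # RFC 791: must be zero
        "ip_id": ident,
        "ip_tos": tos,
        "tcp_reserved": (off_res_flags >> 9) & 0x7,  # 3 reserved bits after data offset
        "tcp_urg_ptr": urg,
        "tcp_urg_flag": (off_res_flags >> 5) & 1,
    }

def header_anomalies(pkt: bytes) -> list:
    """Flag fields that carry a value no normal stack would put there."""
    f = parse_ipv4_tcp(pkt)
    found = []
    if f["ip_reserved_flag"]:
        found.append("ip reserved flag set")
    if f["tcp_reserved"]:
        found.append("tcp reserved bits set")
    if f["tcp_urg_ptr"] and not f["tcp_urg_flag"]:
        found.append("urgent pointer without URG")
    return found

def compare_captures(host_pkts: list, wire_pkts: list) -> list:
    """Pair the host-side and switch-side copies of a stream; list every field that
    differs as (packet_index, field, host_value, wire_value). TTL and checksums are
    deliberately not compared because they change legitimately per hop."""
    diffs = []
    for i, (h, w) in enumerate(zip(host_pkts, wire_pkts)):
        hf, wf = parse_ipv4_tcp(h), parse_ipv4_tcp(w)
        diffs += [(i, k, hf[k], wf[k]) for k in hf if hf[k] != wf[k]]
    return diffs

def build_packet(ident=1, flags_frag=0x4000, off_res_flags=0x5010, urg=0) -> bytes:
    """Constructed IPv4+TCP header pair (DF set, ACK set, no payload) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, flags_frag, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 2000, off_res_flags, 65535, 0, urg)
    return ip + tcp

HOST_SIDE = [build_packet(ident=i) for i in range(1, 5)]   # what the OS thinks it sent
WIRE_SIDE = list(HOST_SIDE)                                # constructed switch-side copy
WIRE_SIDE[1] = build_packet(ident=2, flags_frag=0xC000)            # IP reserved flag flipped
WIRE_SIDE[3] = build_packet(ident=4, off_res_flags=0x5010 | (0x5 << 9))  # TCP reserved bits
```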
There are ways of doing it invisibly. Change timestamps in very subtle ways, embed data in lossy media formats, etc.
jMyles|10 years ago
teraflop|10 years ago
And of course, if you block the obvious exfiltration methods, all you do is force the attacker to do something more creative. Like modulating inter-packet timings, or even sending data to a nearby radio receiver by using the system bus as an antenna.
erikpukinskis|10 years ago
If the code says "phone home if anywhere on the screen you see one of the following email addresses" then it won't show up in a normal security audit, unless you email one of those people during the audit. All the NSA has to do is make the phoning home rare enough that it's probabilistically unlikely to be observed.
chithanh|10 years ago
https://events.ccc.de/congress/2013/Fahrplan/events/5380.htm...