> How would Wireshark reveal this kind of attack? If the management chip has direct hardware access, it can hide data in innocuous-looking packets that the host machine never sees.
Lots of organizations use various forms of intrusion detection. A network intrusion detection system (NIDS) would be an off-device system which monitors network traffic for suspicious or obviously malicious packets.
It's certainly no guarantee, but somewhere along the line someone probably would have noticed something if these systems were exfiltrating data via the network using something like IPv4 headers. Specifically, a quick look makes it look like Snort (an open source NIDS) may actually be distributed with rules to alert on IPv4 reserved bits being set.
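As an added illustration of the kind of check such a rule performs (this is example code, not anything posted in the thread and not Snort's own rule): the IPv4 header carries three flag bits, the first of which is reserved and must be zero, so a detector only has to parse the header and raise a finding when that bit is set. The two packets below are constructed inline; the hypothetical `header_anomalies` function stands in for the NIDS rule.

```python
import socket
import struct

# Fixed 20-byte IPv4 header, network byte order (RFC 791 layout).
_IPV4_FMT = "!BBHHHBBH4s4s"
_RESERVED_BIT = 0x8000  # top bit of the flags/fragment-offset field
_DF_BIT = 0x4000
_MF_BIT = 0x2000


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed part of an IPv4 header into named fields."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(_IPV4_FMT, pkt[:20])
    version = ver_ihl >> 4
    if version != 4:
        raise ValueError(f"not IPv4 (version field = {version})")
    return {
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "ident": ident,
        "reserved": bool(flags_frag & _RESERVED_BIT),
        "df": bool(flags_frag & _DF_BIT),
        "mf": bool(flags_frag & _MF_BIT),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def header_anomalies(pkt: bytes) -> list:
    """Return human-readable findings for header fields that should never
    be set on legitimate traffic. The reserved-bit check is the one the
    thread discusses; an empty list means the header looked normal."""
    hdr = parse_ipv4_header(pkt)
    findings = []
    if hdr["reserved"]:
        findings.append(
            f"IPv4 reserved flag bit set ({hdr['src']} -> {hdr['dst']})")
    return findings


def build_ipv4_header(src: str, dst: str, flags_frag: int) -> bytes:
    """Constructed sample header (TCP payload implied, checksum left zero)."""
    return struct.pack(_IPV4_FMT, 0x45, 0, 40, 0x1234, flags_frag,
                       64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample packets: a normal DF-only header and one with the
# reserved bit also set, as a hidden signalling bit would appear on the wire.
NORMAL_PKT = build_ipv4_header("10.0.0.5", "10.0.0.9", _DF_BIT)
COVERT_PKT = build_ipv4_header("10.0.0.5", "10.0.0.9", _RESERVED_BIT | _DF_BIT)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PKT), ("covert", COVERT_PKT)):
        print(name, header_anomalies(pkt) or "no findings")
```

Running the block over a capture would mean feeding each packet's IP layer to `header_anomalies`; on the constructed input the normal header yields no findings and the second one is flagged for the reserved bit.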
You keep saying that "someone should have noticed something", but as the old adage goes, absence of evidence is not evidence of absence.
What you seem to keep missing is that we know from the Snowden leaks that the capability already exists, and NSA has successfully used implants to do data exfil in the past.