Forem: Clark Fieseln

Endpoint Security: A Low-Cost Data Diode

Clark Fieseln — Thu, 01 May 2025 12:38:34 +0000

You’ve installed all security patches and updates on your system.

You’ve run a complete system scan with updated antivirus software.

You’ve tightened your firewall rules and started a VPN connection.

On top of all that, you use a secure messenger with end-to-end encryption (E2EE).

Now you can safely chat with your friends and family, right?

Well... no.

All these measures may still not effectively address threats and operational challenges.

For example, end-to-end encryption does not directly mitigate risks at the communication endpoints themselves.

Each user's computer can still be hacked to steal their cryptographic keys (enabling a MITM attack) or to simply read the recipient’s decrypted messages, both in real time and from log files.

Weaknesses of Endpoint Security Measures

The following table summarizes some of the weaknesses of the most common endpoint security measures:

Measure	Weaknesses
VPN	- Vulnerable to weak or outdated encryption protocols (e.g., PPTP) - Susceptible to implementation flaws, misconfigurations, and unpatched software - DNS and IP leaks
E2EE	- Does not protect data on compromised endpoints; decrypted data is vulnerable on receiving devices - Key management is complex; compromised keys mean compromised data
Sandbox	- Evasion techniques: malware can detect sandbox environments and alter behavior or remain dormant, evading detection - Time-limited analysis may miss delayed or time-triggered malware
Firewall	- Cannot detect lateral movement within the network - Limited visibility into encrypted traffic - May block legitimate traffic (false positives) or allow malicious traffic if rules are too permissive - Limited protection against malware
Antivirus	- Limited protection against emerging threats: antivirus software often relies on predefined signatures to detect malware.
IDS	- Passive: detects but does not prevent threats; requires manual response - High volume of alerts and false positives can overwhelm security teams (alert fatigue) - Limited visibility into encrypted traffic; cannot inspect encrypted packets
IDP	- Complexity in deployment and configuration; requires specialized expertise - False positives may disrupt legitimate activities, eroding trust in the system

Data Diode as a Complementary Endpoint Security Measure

What if you didn’t have to deal with such problems and time-consuming, ineffective measures in the first place?

Endpoint hardening alone is not the appropriate paradigm to fully address endpoint security.

Instead, a completely different and complementary approach is required.

This is what the tool tea2adt addresses for several use cases, by providing an extremely low-cost solution based on audio data diodes and "enhanced" end-to-end encryption.

Integrating a data diode with a secure offline device addresses critical gaps in endpoint-centric security by enforcing physically unidirectional data flow.

This approach fundamentally redefines the communication architecture.

How Data Diodes Enhance Security Beyond Endpoint Hardening

1. Hardware-Enforced Unidirectional Flow

Physically prevents reverse data transmission using fiber optics or audio connections, creating an air gap in one direction while allowing controlled data export or import.
Unlike firewalls or VPNs, it cannot be bypassed via software exploits or protocol manipulation.

2. Key Use Cases for Offline/Secure Devices

Secure Backups: Transfer backups to offline storage without exposing primary systems to ransomware (e.g., nuclear plant control systems).
Sensor Networks: Export IoT/OT sensor data from air-gapped industrial systems to monitoring platforms while blocking malware ingress.
Classified Data Transfer: Government agencies use diodes to move intelligence between Top Secret and unclassified networks.
Secure Chat!

3. Operational Benefits

Zero Trust at the Hardware Level: Eliminates the return path for attackers, even if endpoints are compromised.
Compliance: Meets NIST AC-4(7) for one-way flow control and SC-7 for boundary protection.
Ubiquity: tea2adt can be used in almost any existing audio infrastructure!

Data diodes provide physical verification of data flow constraints that software-based solutions cannot match, making them essential for protecting air-gapped systems and critical infrastructure.

tea2adt

tea2adt is a free and open source Linux command-line utility for Chat, Remote Shell, Remote AI Prompt and File Transfer, that reads and writes encrypted data across peer-to-peer or broadcast audio connections, using minimodem and gpg.

It supports a flexible and low-cost implementation which addresses many use cases.

Give it a try and improve security and privacy!

Links

Article on dev.to

https://dev.to/clarkfieseln/tea2adt-b6j

PyPi Project

https://pypi.org/project/tea2adt

GitHub Project

https://github.com/ClarkFieseln/tea2adt

Documentation

https://github.com/ClarkFieseln/tea2adt/blob/main/doc/documentation.md

Screenshots

https://github.com/ClarkFieseln/tea2adt/tree/main/screenshots

Videos

https://www.youtube.com/playlist?list=PLX24fhcibpHXllvUgFUw6Ly9cwQcTcKac

"Enhanced"-end-to-end encryption (E-E2EE) to increase security and privacy

Clark Fieseln — Thu, 17 Apr 2025 07:56:37 +0000

It is a powerful tool that can be combined with any audio infrastructure (like PSTN, cellular network, internet, radio, walkie-talkies) to provide a secure communication channel through an audio tunnel.

The audio interfaces behave like data-diodes, each allowing unidirectional data transmission only, thus preventing data-leaks and malware-injection.

This enables an "enhanced"-end-to-end encryption (E-E2EE) which notably increases security and privacy, especially when the end devices are completely offline (air-gapped-system), thus providing an effective barrier against "legal or illegal" client-side-scanning!

Installation

  pip install tea2adt

or with git:

  git clone https://github.com/ClarkFieseln/tea2adt.git

  cd tea2adt_source

  chmod +x tea2adt

  chmod +x *.sh

during first execution you will be asked to install dependencies: minimodem, gpg, bc, tmux, ...

but you can also install them yourself with:

  sudo apt install minimodem
  sudo apt install gpg
  sudo apt install bc
  sudo apt install tmux
  ...

How to use (pip installation)

Chat/Messenger

  tea2adt -c

enter and confirm password

On the other device a chat, a remote shell or a remote AI prompt can be started.

Remote Shell

  tea2adt -s

then enter and confirm password

On the other device a chat shall be started to command the remote shell.

Note that this is technically a "reverse shell" which gives access to your system!

Remote AI Prompt

  tea2adt -l

then enter and confirm password

On the other device a chat shall be started to interact with the remote AI prompt.

With this option you may remotely access your local, secure, and self-hosted AI (like ollama) in a secure way!

File Transfer

  tea2adt -f

enter and confirm password

On the other device a file transfer shall be started.

Probe

To check connectivity and adjust volumes if required.

  tea2adt -p

In addition, a separate terminal will be opened to read unencrypted probe messages being sent by the other side.

Configuration

Adapt the configuration as required using the 'terminal GUI' with:

  tea2adt -g

Alternatively, you may change the configuration by editing the files in the cfg folder directly. The 'Location' can be found with:

  tea2adt -d

The most important settings are:

baud
keepalive_time_sec
retransmission_timeout_sec
split_tx_lines
volume_microphone
volume_speaker_left
volume_speaker_right
llm_cmd
text_to_speech

How to use (git installation)

When installed with git, tea2adt may be called with:

  python3 tea2adt.py -c
  # or
  ./tea2adt -c

This is an example to start a chat, but this is the same for any other option.

For more information check the documentation.

Features

on top of the audio modem provided by minimodem and encryption provided by GPG, tea2adt offers a reliable transport layer and many other features:

modes: chat, remote-shell, remote-AI-prompt, file transfer (future: sniffer)
text-to-speech (TTS): synthesize speech from the text received in the chat
full-duplex communication
retransmit messages automatically after communication errors
split big messages into smaller data chunks in order to increase the probability of reception, thus reducing retransmissions
[keepalive] messages
redundant transmission of "data-messages"
composition of piped commands hidden to the user
tmp folder located in a configurable path beneath $HOME, independent of the current path.
probe, to check volume on receiver and adjust manually if needed (very high and very low volumes may produce signal distortions)
"braodcast" transmissions also possible, e.g. when ACKs are deactivated use-case: walkie-talkie, Radio station, ...
several configuration options: preamble, trailer, delays, cipher algorithm, confidence, log to file, verbose, etc.

Possible Abuses

please don't do the following if you are not allowed (it might be illegal!):

exfiltrate data over the air or cable to a nearby or remote computer
remote control over the air or cable from a nearby or remote computer
exfiltrate data from a computer evading classical auditing (be aware that if you do this on your employer's computer you might be infringing the law!)
use the tool as a "side-channel" for covert communication e.g. to spread or inject malware, even worse when combined with steganography (e.g. low volumes, data hidden in noise)

Typical Configuration

A: tea2adt in offline PC (Alice)

D: tea2adt in offline PC (Bob)

B, C: smartphone with call session (mobile, messenger app, etc.)

diodes: audio connections (sink/speaker -> source/microphone)

Communication in Linux over Linphone

A: tea2adt in offline PC (Alice)

D: tea2adt in offline PC (Bob)

B, C: smartphone with Linphone call session

Communication in Termux over qTox

A: tea2adt in offline smartphone with Termux (Alice)

D: tea2adt in offline smartphone with Termux (Bob)

B, C: PC with qTox call session

Communication in Linux over Walkie Talkies

Split Configuration

A: tea2adt in offline PC (Alice)

D: tea2adt in offline PC (Bob)

B1, B2, C1, C2: waklie-talkie

Text-to-speech (TTS)

The text received in the chat is synthesized to speech and output to a separate audio interface.

Text-to-speech demo video: https://www.youtube.com/watch?v=-ikTdBzhCSw&list=PLX24fhcibpHUx7ej_Tp4neobJUqOkqliN&index=10

Remote AI Prompt

With this option you may remotely access your local, secure, and self-hosted AI (like ollama) in a secure way!

Remote AI prompt, demo video: https://www.youtube.com/watch?v=6jYEBNAay64&list=PLX24fhcibpHXllvUgFUw6Ly9cwQcTcKac&index=1&pp=gAQBiAQB

Limitations

The data transfer is usually done at low rates, typical of audio systems. Therefore, this tool is not adequate to transmit big files which may take a long time to complete.

Hints

Avoid using tools like PulseEffects, they may produce glitches!

In PuseEffects you may check the 'Add to Block List' option for minimodem and qtox.

PyPi Project

https://pypi.org/project/tea2adt

GitHub Project

https://github.com/ClarkFieseln/tea2adt

Documentation

https://github.com/ClarkFieseln/tea2adt/blob/main/doc/documentation.md

Screenshots

https://github.com/ClarkFieseln/tea2adt/tree/main/screenshots

Videos

https://www.youtube.com/playlist?list=PLX24fhcibpHXllvUgFUw6Ly9cwQcTcKac

License

tea2adt is licensed under the MIT license. See LICENSE for details.