[geofft]

Yes, you could use it to jump air gaps. (In fact, that technology is already deployed in production in Chromecast pairing, when your phone is not on the same network as your Chromecast.)

But don't you need something on the other side to receive and decode the data being sent? What's the BadBIOS story for how the infection initially happened?

(Is the assertion that something along the lines of Intel ME is already listening for control instructions over ultrasound?)

[zdkl]

The CIA has been known to tamper with electronics, so between that and pre-backdoored hardware (IME) it's fairly likely that a determined opponent has one or more means to passively wait for a payload in a hard to detect manner.

From there, it's turtles all the way down; you "only" need to deliver an ulterior, possibly tailored, payload from any of the several methods described in this thread.