And the talk post lunch is a little heavy to drag with, but just bear with me for half an hour, or maybe less than that. So the talk that I would be delivering here is on covert channels in wireless, basically. It's about how one can actually ship certain data not in the payload field, but in some other field. Let's begin.

So we are actually me, Rishikesh, and my co-author Amrita; somehow she couldn't travel because of a visa issue. So we've been trying to understand wireless communications in detail for almost four years. We have been trying to understand many of the questions in wireless communications in a different way, with different approaches. So it was actually at nullcon 2014, where we delivered a talk on rogue access point detection from the client's perspective, that we came to reach another question, where we've been trying to answer: okay, there are rogue access points, there are different attacks happening in the IEEE 802.11 standard and things like that, but then is it only detection and prevention that is the way to actually solve all these questions? Or is there something else that we can come up with in order to address certain security issues in IEEE 802.11?

Well, before we begin: this whole discussion would be going around IEEE 802.11 specific to open wireless networks. We won't be dealing with any encryption or something like that here. So these are open wireless networks; max to max, a captive portal may come in the picture. So while answering that particular question, is there any way around to come up with some new preventive measure apart from wireless sensors, or maybe wireless IDS, or something like that? What else can be done? So we came to know: what if we try to ship certain data into frames where usually data is not sitting? So this is where this whole concept started taking place, or rather started shifting, I would say.

So yes, Amrita: she is a test analyst having more than 10 years of experience.
I am a security analyst and part-time researcher. So that is much on to the introduction part.

So yes, by the time we started solving this question, this was our state of mind: cluttered. There were a plethora of things, the more of layers, different timing paradigms and whatnot. But there are many presumptions as well, like something that's kept from disclosing. Yes, indeed, there are always otherwise usages of things that purposely were not mentioned in the standard documentation, and so is the wireless, the holy dot 11, or maybe IEEE 802.11.

So some characters, very basics, if somebody is not aware: an access point is the device which will actually avail network connectivity to hosts, and hosts are nothing but the stations which would be actually consuming such network connectivity and will be doing some productive or unproductive use of that connectivity.

So back to the basics. Introduction, I think we have done a little bit. So here it is: we all sitting here at least have some understanding about IEEE 802.11 and then the misuse that's always been done around IEEE 802.11. So what do we really need to prove, again and again? Since like 1998 we've been attacking IEEE 802.11, and still this is the state of this whole wireless network scenario. Okay, fine. So what can be a bullet point lying behind this particular blame? For that matter, we can say: a hole in the network perimeter, open wireless networks, WEP, bad configs, default usernames and passwords, and whatnot. A loose link in the client security, yes. Offensive rogue access points, eavesdropping in socially dense areas, connectivity mess-ups, yes. When we say connectivity mess-ups, it would only be known to the attacker; otherwise it's a seamless experience for the rest of the victims.

So who are the victims? I know, a couple of boring slides. These are, courtesy of omnipresence and ease of access: wireless mobile phones, cameras, printers, gaming consoles, laptops, desktops, the majority of gadgets nowadays.
We are using, and thanks to IoT, many more things in an extended surface to attack. All in all: many victims, attacking, exploitation.

So any or the majority of IEEE 802.11 compliant devices have certain modes of operation. Out of that, the first is managed mode; that is more of what our wireless network interface card usually operates in. Ad hoc mode, which is kind of maybe a patched driver or maybe some edited stack presenting to the IEEE 802.11 protocol stack, and we are using it for some ad hoc purpose, for that matter. Master mode, an access point. And monitor mode, one of the very favorite modes of an attacker, for that matter, allows monitoring and injecting traffic on various channels; synonymous to promiscuous mode in the case of a wired network.

So, covert communications. By the book, in computer security a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
I know, a pretty heavy definition. There have always been ways to basically smuggle your data using various layers in the ISO OSI model. Well, to mention here, actually one of my papers got declined at Positive Hack Days, but their review was really fantastic. This particular line has actually struck me after that review: why does it have to be only a specific layer? Why cannot there be more than one layer on which we can ship covert data, or rather on which we can initiate a covert channel? So yes, thanks to PHD for that.

So we've been focusing on some of the aspects in the data link layer. This is where we have actually zeroed down on the data link layer, and we started focusing on, yes, this could be the prospective region we can actually explore in order to initiate our covert channel, and that too specifically on beacons and probes. Why, we would come to know in some time.

So some basics. 802.11 frame types: management frames, control frames, data frames. Forget about control frames and data frames, because we would be dealing here in this talk only with management frames, and that too about only these three frames which are highlighted in red: that is probe request, probe response and beacon frame.

So while doing all this we have taken the help of a particular tool called Scapy. Scapy is a packet manipulation tool, a program that allows forging and crafting packets and frames, and supports various protocols. For Scapy, wireless frames are just a set of layers and sub-layers. How, we will come to know soon. So, layers in Scapy. This is how Scapy actually understands our wireless frame. The first layer in the wireless frame for Scapy is RadioTap; then the other layer is Dot11; then the third layer is Dot11Beacon, or Dot11ProbeReq or Dot11ProbeResp; and then succeeding with Dot11Elt. Elt stands for information elements. So yeah, this was like some convinced thought of mine after like six months. So, beacon frame.
Oh, this is fine; we can actually inject these things in more of an OOP way, or things like that. So basically it's a RadioTap layer, as we have spoken already. Then there is Dot11: address one, which is like a broadcast address here; address two is nothing but your BSSID; address three is again the BSSID. And then Dot11Beacon, that actually starts with cap, cap equal to 0x2104. cap is nothing but a field which is usually the capability information; it deals with a lot of hardware and network related information for that particular network interface card, and the same about the wireless access point as well. Apologies for the typo.

And yes, the other thing is Dot11Elt with ID equal to zero. Here ID is nothing but a field which will be telling you which kind of information element you are trying to address here. So in case ID is zero, then that particular information element is SSID. So the info field will actually populate that particular information about that ID. So here it is: demo, demo, demo. So that is the SSID that I have forced here, or rather shown here.

So theoretically this is how a beacon frame looks like: a lot of header and bytes, like that information, timestamp, frame control and many things. In a functional context, this is what a beacon frame does: assume that particular rolling circle, or rather the growing circle, is a beacon frame. As soon as it reaches a particular station, it gives that particular station the intelligence that yes, there is a particular access point present in the local radio periphery.

So yes, there's a lot of information stuffed inside the wireless frames, in our context beacon and probe. Edit: the fields which have better length, in order to ship data.
Yes, that is what we'd be doing, and soon we'll be seeing what exactly is the significance of that particular statement. Interesting elements: SSID, DS set, TIM, rates, extended rates, TPC rates, sorry, TPC requests and responses, Country, etc. There are a plethora of such elements available. So to sift through certain elements, I have referred to the IEEE 802.11 standard document where these elements are written. So basically, in our Scapy context, if we see here, the ID field here represents the same ID here as well. So the element ID is nothing but the ID field in the case of Scapy's Dot11Elt context. Fine. And the length, if you see: like here we have SSID, it's got like 34 octets; supported rates, 10 octets; TIM, 256 octets. TIM stands for traffic indication map. So like that, there are many such elements available, so a couple of them we have picked up and tried to understand whether they really work the way we want them to.

Can we use these particular frames? Because they do not require any authentication, neither do they require any association with an access point to broadcast themselves, to air themselves. Being broadcast, there's no need to zero down on a whole selection, so this would be kind of a broadcast attack. We need not zero down on a specific user: okay, this is a particular user I'm trying to attack. No, not needed; we can actually target many people at a time. So yes, that, you can say, is super neat.

Presence of these frames in multitude in the local wireless periphery is a common phenomenon. Yes, so by design these frames are meant to be available in abundance in the local radio periphery. So that actually gives us, or rather an attacker, an edge to actually stay low on suspicion. Yes, so again the multitude will always facilitate a larger chunk of data to ship. Yes, this particular thing, the multitude of a larger chunk of data.
We still are working on this. But yes, we are able to ship data, but we are still not being able to sequence it in the proper way because of some lossy channels, for that matter. So using this, an outbreak of malware is pretty much a possibility; some fields allow pushing more than 250 bytes of data in a single frame. Edit to this particular statement: now it could be more than like 500, or maybe like 750, bytes of data in a single frame. We will show you how. Fine. So 250 bytes are quite enough for a malicious payload. Yes, those who are exploit writers here, they understand the importance of 250 bytes.

So from a representation perspective, we have picked up a particular information element, and that is TIM, that is traffic indication map. So why specifically TIM? It is because this was the first information element which allowed us to ship 250 bytes of data in some non-payload field. And yes, it was pretty easy to fabricate the frame in Scapy using this particular information element. Those were like days when I was not much aware of a way to actually land our shellcode and make it executable directly onto the remote box, for that matter.

So yes, demo. A four-liner of Python scripts; I'll show you the scripts as well. They are pretty easy to understand. So here, a hundred bytes of data, or like 750 bytes of data, in one particular frame. Like, we are yet to study the rest of the elements, or other information elements for that matter, which will actually allow us to ship a little larger chunk of data into the same single frame. So you can see the volume of the string has been increased.

So, some issues about this approach.
There are certain issues that we are still trying to rectify, we can say. So deep packet inspection firewalls will still raise an alarm if they see that there are certain different information elements which are being populated with some suspicious data. Yes, reordering the data at the receiver end could be an issue should sequencing not be taken care of before shipping the data. Now the second part of this particular fact is: though we take care of sequencing in the transmitter, we still are facing problems by the time we receive the data. There is still a problem with reordering that data, because there are certain frames which are getting dropped because of some noisy channel and all. So that is giving us no clue how to again reorder this whole chunk of information in a single line, for that matter.

But yes, this particular timing parameter: in Scapy there is a particular command, sendp, which actually allows you to send data with a specific timing interval. So we can use this particular timing interval in order to ship the data in sequence. But the same problem arises: how to acknowledge and how to retransmit that data. So there is another way that we have been able to actually come up with, which is to retransmit that whole chunk of data after like 0.2 milliseconds or something like that. But that will only result in a lot of garbage at the receiver end. But yes, honestly, we are yet to find an exhaustive solution to this particular question as of now. So no retrieval of lost frames so far. Yes.

So, work in progress. As I have just told you, there are things we are trying to understand: how a lost frame can be retrieved. So yes, apart from that, there are many information elements.
We are yet to test. Fields pertaining to timing parameters may be of help, but are yet to be tested, though. Now, why would timing parameters come in the picture? Specifically like PS-Poll frames, or frames which are more concerned about timing, which are like timing-sensitive frames. So they can actually be used in order to write in a lot of data in a different way: like, instead of that particular ID, again in the timing field we can use some string to be shipped in there, or maybe a hexadecimal representation of that string, and can ship the data. We are still trying to understand that thing in detail. Yes, synchronized file transfer. This is something we are halfway into; as I have told, like, yes, using that particular 0.2 milliseconds delay in the frame burst we can actually reorder the data, but as I've told, it's only the lost frames that we are yet to work upon.

So, conclusion: we have used broadcast frames as a means of running covert channels. The approach we have proposed is still in development. Getting a visa and flying was like a real dream kind of thing for me, but it's just because of him that that happened. We thank Vivek Ramachandran for his fantastic literature on wireless basic security, scripting, everything. And yes, DEF CON 24 Wireless Village for giving me an opportunity to share what I've learned with everybody around here. Thank you so very much. If you have any question, I'll try to answer that.

Legitimate? There was no effect on anybody. It smoothly escapes the host kernel, as well as it gets properly interpreted by the victim kernel as well. Any other question? Yes. Honestly, I'm yet to excel in all those mathematical algorithms, so that is the reason I haven't touched encryption. Yes, any question anymore?

Thank you everybody for being such a nice audience, and thank you for giving me the opportunity to deliver my talk. Thank you.
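Added example, not code from the talk or the speaker's scripts: the kind of check a deep packet inspection device would apply to the beacons described above, written as a stdlib-only Python parser over constructed beacon bodies that flags an SSID past the 32-octet limit and a TIM element whose partial virtual bitmap is actually printable text. The 12-octet fixed-field offset, the element IDs and the length limits are assumed from the 802.11 beacon layout, not taken from the talk.

```python
"""Added defender-side check: flag 802.11 beacon information elements that carry
data where the standard does not expect it. Sample bodies are constructed here;
offsets and element IDs are assumed from the 802.11 beacon layout."""
import string

SSID_ID, TIM_ID, VENDOR_ID = 0, 5, 221
MAX_SSID_LEN = 32   # SSID element is 0..32 octets
MAX_TIM_LEN = 254   # TIM: DTIM count, DTIM period, bitmap control + 1..251 bitmap octets
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def parse_ies(body):
    """Split a beacon body into (element id, value) pairs; the first 12 octets
    are the fixed fields (timestamp 8, beacon interval 2, capability 2)."""
    ies, i = [], 12
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies

def looks_like_text(value, min_len=16, ratio=0.9):
    """True when a supposedly binary field is mostly printable ASCII."""
    return len(value) >= min_len and sum(b in PRINTABLE for b in value) / len(value) >= ratio

def suspicious_ies(body):
    """Return human-readable findings for one beacon body (empty list = clean)."""
    findings = []
    for eid, val in parse_ies(body):
        if eid == SSID_ID:
            if len(val) > MAX_SSID_LEN:
                findings.append(f"SSID length {len(val)} exceeds {MAX_SSID_LEN}")
            continue
        if eid == TIM_ID:
            if not 4 <= len(val) <= MAX_TIM_LEN:
                findings.append(f"TIM length {len(val)} outside 4..{MAX_TIM_LEN}")
                continue
            val = val[3:]   # partial virtual bitmap: bit flags, never readable text
        if eid != VENDOR_ID and looks_like_text(val):
            findings.append(f"element {eid}: {len(val)} octets look like printable text")
    return findings

def ie(eid, value):
    return bytes([eid, len(value)]) + value

# Constructed sample bodies; capability field 0x2104 as shown in the talk.
FIXED = bytes(8) + (100).to_bytes(2, "little") + (0x2104).to_bytes(2, "little")
COMMON = ie(0, b"demo") + ie(1, bytes([0x82, 0x84, 0x8B, 0x96])) + ie(3, b"\x06")
NORMAL_BEACON = FIXED + COMMON + ie(5, b"\x00\x01\x00\x00")
STUFFED_BEACON = FIXED + COMMON + ie(5, b"\x00\x01\x00" + b"constructed covert text " * 8)
LONG_SSID_BEACON = FIXED + ie(0, b"A" * 40) + ie(1, bytes([0x82, 0x84])) + ie(3, b"\x06")
```

Calling `suspicious_ies()` on each sample body returns no findings for the normal beacon and one finding each for the stuffed TIM and the overlong SSID; a large partial virtual bitmap on a busy access point is legitimate, which is why the text-likeness test, not length alone, drives the TIM finding.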