So this is a lecture on the packet-in-packet attack technique. We're familiar with attacks of the standard sorts, right? I mean, we understand how to do a stack buffer overflow in order to get execution of machine code in a vulnerable binary, and in that case we're exploiting the CPU itself. So, like, a string buffer runs long, something is overwritten, and that's a software bug. We understand it as a class of software bugs, and there's been so much research into extending it, into doing it in more difficult situations. We also understand attacks for SQL query injection, and these are similar in that we're injecting code in both locations where we should only control data. But they're both software bugs, as different as SQL injection and stack buffer overflows are.

This lecture is about packet-in-packet injection attacks, which are not attacking a software bug. This is a way to remotely inject a layer one packet by abusing a sort of chance happening at the physical layer, in a perfectly standard-compliant way. So in this lecture, and in all of the examples that I show you in this lecture, everything that I am doing in my attack techniques will exploit a perfectly standard-compliant implementation of the relevant protocol: first for 802.15.4 and 2-FSK, and then later for 802.11b in the second half of this lecture.

Sergey Bratus is my co-author on the original paper, and I would like you to read the fucking paper. Sergey has 30 copies of this printed; you can mob him afterward, not me, and he'll be happy to pass them out. Thank you, Travis. It's very kind of you, neighbor. So I'm gonna let him introduce the technique and then I'll continue on for the remainder of the lecture. So this is why we're standing here.
This is how it happened. In 2005, something really interesting was happening. Johnny Cache, who's pictured, as you see, in this sort of pseudo-chat illustration, came up with a trick that allowed him to do virtual WLANs by switching the BSSID in the association response, and then also, as he noticed, in the authentication response. One of those things was standard-compliant; the other was not, yet. The key observation was that for various implementations of 802.11 the response of clients was different, and for some of those the response was that the client required power-cycling before it could connect. So when you have differences like that on that level, you know, you can exploit them. And so in 2006 that was the seed for "Hijacking the MacBook in 60 Seconds," again by Johnny Cache and David Maynor, and then the Month of Kernel Bugs. So that's, hopefully, you know, the Month of Kernel Bugs, and I was there at Toorcon when he gave that lecture, and I was thinking, well, this has got to be fingerprintable, and it turned out to be fingerprintable. And if you're wondering why a cat: the cat is sort of what you really want to see when you don't want to see me; my picture really would not come out well. So, fingerprint. But then of course that was layer 2. But there is layer 1, and layer 1 for 802.11 is quite complex. So you've got all of these fields before you see anything that Wireshark would show you, and I was thinking, well, if we could manipulate that, maybe we could do interesting things with the actual chip that is responsible for processing all of these fields. Beyond these fields you've got the actual layer 2 and the MAC and all the flags and the nice exploitable complex frames, but what if the exploitation starts well before, in layer 1? Well, the next thing to come up was Travis Goodspeed and Michael Ossmann playing with the other kind of digital radio chips.
This is the Chipcon CC2420, and this is the IM-Me that's been turned into a spectrum analyzer. And wow, you know, this is a chip that's a lot more malleable and a lot easier to control than your 802.11 chip, which is kind of locked down. And so ZigBee is what these chips were produced to implement, or rather 802.15.4 and various other proprietary things besides ZigBee. And so, why can't we fingerprint that, based on how chips respond to various irregularities in these layer 1 logical fields? And indeed, you know, I met up with Travis. I think it was at Recon. Yes. Yes. Yeah, and I said, well, fingerprint, and he said, hell yeah, and I said, well, so let's get some really expensive hardware. This is your USRP2; it sells for something like $3,500. And Travis said, hell no, we are going to use the commodity chips. And so we started a fingerprinting effort, which has produced interesting results yet to be published, but in the process, while playing with these layer 1 fields, something else which was a lot more interesting came up, and that was...

So this was a remote physical-layer frame injection exploit. While we were working on packets in packets, I mean unpacking some packets... while we were working on fingerprinting, we got a little bit bored, because fingerprinting is largely defensive and it's largely nitpicking. You have to find, you know, which parameters vary between all sorts of different chipsets. There are lots of experiments that have to be run, lots of data that has to be collected, and at the end of the day the only difference is that you can, you know, distinguish two different brands. So, to make it more interesting... That's what we thought, though.
Yeah. But as you're doing fingerprinting, as you're studying it, you sort of have to learn what's going on under the hood. And in the same way that, you know, someone with a layer 7 understanding of how a network works won't be able to write a lower-level exploit or anything that takes advantage of, say, layer 2, you can't exploit layer 1 until you understand it, and the only way to understand it is to go through the rather painful process of reading a standard and seeing how it works.

So what we came up with was a remote physical-layer injection. We had a theory of how the vulnerability should work. This theory was completely wrong, but the exploit worked anyways. This almost never happens, but in this case it did, and the resulting attacks turned out not to just be specific to that radio, but actually portable to the entire class.

So we're dealing with a situation in which Mallory wants to attack Bob, but Mallory does not have a radio, and Mallory's exploit only works over the radio. For example, you might want to attack someone over the internet through a Wi-Fi beacon frame exploit, such as those published in Uninformed volume 6. Well, there's no way, prior to packet-in-packet, to wrap a beacon frame exploit into a regular TCP packet. You are not supposed to be able to send Wi-Fi beacons or probes or probe responses over the internet; these exist outside of TCP/IP, they exist outside of all of that, and when you want to remotely inject them, you're kind of out of luck. The same goes if you want to change fields that are properly locked down by a firewall. So suppose that a firewall does not allow me to send any broadcast packets remotely, but I want to send one anyways. Before packet-in-packet I would be out of luck, supposing that the firewall were properly configured and fragmentation tricks weren't working and that sort of stuff.

So a packet-in-packet injection works by specially crafting a string so that when this string is sent at any higher layer, sometimes it gets lucky and drops out and becomes a
layer one packet. So you can then take any sort of wireless frame that you would want and wrap it up with a bit of padding, send that over the internet as an email attachment, as an HTTP download, as a UDP frame, as the body of an ICMP ping, in anything, so long as it is unencrypted and so long as the wireless network that you're trying to inject through supports a variable frame length. And we'll get to why these are important later, but these aren't very hard criteria to meet. This hits everything in industrial control systems. This hits a lot of the digital radio standards for handheld radios. You can do all sorts of nastiness with this, and it's portable among them. And when I actually show you the exploit, you're gonna think there's no way that can work, and then I'll go back and show you how it works. Helps when this thing is turned on, Sergey.

Yeah, so I have a confession to make. These are the things that I would not have challenged when presented with them, you know, prior to February 2011. I used to believe that you only get frames over the radio that are sent by a compatible device, or an expensive software-defined radio which sends a compatible signal, basically impersonating a compatible device. But only a frame that got sent and did not get damaged could be received, I used to believe, and that turned out to be a lie. And I mean, how many of you believed these things before the start of this lecture? I mean, these are not unreasonable assumptions: everything that you get is either perfect or has a bad checksum, right? So you drop it, and you don't see those things as being a problem. And as computer scientists and as computer programmers we're taught that noise is something that has been taken care of by the abstraction layers and is not our responsibility to deal with. And most importantly,
you're not getting something that somebody did not transmit as such, correctly. And this is a lie. Okay.

So I'm gonna take it from here for the remainder of the lecture. Sergey and I will be giving a different packet-in-packet lecture at BerlinSides, and he's the one that you should hunt down for a copy of these. Thank you kindly.

So the source of these misunderstandings is that we treat layer one as a black box. We don't think that it's our responsibility to learn how it works, and the OSI model discourages us from attempting to learn how it works, and this wreaks all sorts of havoc. We're taught that the black box will only deliver valid or slightly noise-damaged frames, and that this noise can always be identified and taken care of. That's not true.

This is the exploit as it's framed for ZigBee. This is a complete layer one frame. This is more than your packet sniffer would show you, and the difference is just in these first few bytes. Does anyone have an illegally powerful laser pointer? Mine was taken in Scandinavia. But excellent; if I could borrow that for the duration of this lecture, I'd be ever so grateful. So these first four bytes are the preamble, and they're all zeros in ZigBee, and this only exists to present the timing. This final byte in the beginning, this A7, that's the start-of-frame delimiter, and inside of the radio chip
there is a physical machine. Okay, it's a shift register, and all this shift register does is cycle packets through until it sees this final zero byte and the A7. You can even reconfigure it to different values, which is used in my attacks on the Microsoft wireless keyboard, which I would love them to issue an advisory for, by the way. So these zeros and the A7, this gets latched in. The receiver is sitting there spinning, processing background noise as bytes. It's pulling bytes out of the air until it finds 00 A7, and then it snaps in, and that's where the packet begins. It doesn't matter that no packet existed before then, because the radio chip doesn't understand the concept of there not being data on the line. You can actually tell the radio to give you data when there is none, and it will give you bytes, because that's what a radio does. This is then followed by the familiar fields: the 19 hex is the length; 01 08 82, those are flags; CAFE is the source address and BABE is the destination address, or the other way around. And then if inside of the packet, anywhere inside of the packet, you put that same beginning, these zeros, the A7, and then you have a shorter frame (that's the one in italics here) that ends with a valid checksum... We actually found a typo in this: the 0A should be a 09, but in any case, if you send this string across, then most of the time you'll get the full packet. Or if you're at the edge of the range, or if you have Wi-Fi around (because none of us ever have Wi-Fi around), the packet might be damaged in different areas. So if you start sniffing with checksumming disabled, which you should always do just so that you have a more complete record, you'll start seeing some of these bits flip or some of these words flip. In ZigBee the nibble size is... sorry, in ZigBee the symbol size is one nibble.
So you'll usually see damage of an entire nibble instead of an individual bit. Like, F and D are no closer to each other than F and 0 are, or F and A are. But when this happens, your driver will see that the checksum is wrong and it will throw it out, and that's why we're told that this isn't something that needs to be worried about. In communications theory textbooks, they'll go over the probabilities of these individual bytes being damaged, but the thing that they miss out on is that some bytes are more fragile than others. In particular, it's more likely for you to have a large expanse of your packet blotted out by interference than for individual bits to flip by accident. And if the top gets blotted out, then as the receiver is spinning around and it's looking for that 00 A7 pattern, it never finds it until it gets into the body, which the attacker controls.

So if you transmit this packet a few thousand times, a few hundred times if you're lucky, most of the time your packet sniffer will see the entire packet. But about one time in a thousand, the tail end of a Wi-Fi frame will stomp on the beginning of the ZigBee frame, and that A7 or that 00 will change to a different number, and then the start-of-frame latcher never latches on; it never realizes that the packet has begun. So when it's receiving the remaining bytes of the packet, it thinks it's listening to background noise and that no packet has begun yet. And then it will latch on to the A7 that the attacker controls, see the length that the attacker controls, count off that many bytes of data that the attacker controls, look at the checksum that the attacker controls, see the inner packet as being valid, and then it forwards it on. The operating system can't know that it's fake, because the operating system doesn't see anything before it. And this is perfectly standard-compliant, because the standard has no way of dealing with noise other than checksumming. And this is true of ZigBee. This is true of 802.11.
This is true of several other protocols. This is a photograph of the first time that we got it working. We transmitted the longer packet, which I've highlighted here, and that highlighted region became the shorter packet in the second recording. The second recording differs in that we're only sniffing the broadcast address, so the difference in addresses of the two packets is enough to grab the right one.

This is the packet format as it's drawn in crayon. It begins with a preamble; that's the bytes of zeros. In frequency-shift-keyed radios, such as the APCO Project 25 radios that I hacked recently, it's just the high frequency and then the low frequency alternating. For direct-sequence spread spectrum, they have more choice in which symbol they use. This is followed by the synchronization field, which is intended to mark where the bits begin, and this is where we're looking for damage. It's perfectly okay if more than the sync gets damaged. And the interference and the damage is not attacker-controlled; the attacker just waits until he gets lucky, and it doesn't take that long. Packets are damaged in the air all the time. They collide all the time. Things like clear channel assessment only work as a performance hack; they don't actually prevent collisions from happening. So this packet-in-packet injection attack, in which a preamble, the synchronization, and a complete body are just placed inside of another packet, is sufficient to remotely inject a layer one frame, and it works.

So this style of having a beginning to the packet, then a middle and then the end, and counting on the receiver missing the beginning in order to hear something else, or to misinterpret the entire message, was done before. I have a running competition with Meredith Patterson to see who can cite older papers.
I win with 1938. She's of course threatened to follow this up with an attack on the Babbage differential engine. So in the War of the Worlds broadcast, which wreaked havoc in many of the countries in which it was played and many of the languages into which it was translated, the play begins with a two-minute-and-twenty-second-long introduction that says you are listening to the Mercury Theatre on the Air with H.G. Wells' War of the Worlds as performed by Orson Welles. And it tells you what you're listening to, but that's only two minutes and 20 seconds long, and as people are channel surfing they might move past the station and come back and not know that it's the same thing, or they might not hear it at all. And this started at exactly eight o'clock on a Friday night. It's then followed with a 38-minute-long first act, and in this first act there is not one word out of character. There is not one message from a sponsor, there is not one commercial break, and there is not one station announcement. Most communications government agencies now have laws against this, because when people were listening to this, you know, they're told that they're listening to a musical show, to Ramón Raquello's orchestra on the air, which we interrupt for an emergency broadcast from the National Weather Service. And this continued with repeated interruptions, you know, first the weather service, then the New Jersey militia; the militia actually nationalizes the Central Broadcasting Service because of a state of emergency during the broadcast. When they translated this to Spanish and played it in Peru, the audience was listening to it and, you know, they heard that the army was going up the road to attack the aliens. They thought, bullshit, if this were true then we could look out the window and see the army. But the army had heard the same broadcast and thought it couldn't hurt to send a couple of tanks. I mean, we laugh, but in the ensuing riots
they burnt down the radio station, killed six people, and the director had to flee to another country. And then we laugh some more.

So these packets work the same way, whether it's a 30-minute-long broadcast or a very short broadcast. The only difference is that in a short broadcast you have more preambles and synchronization frames to catch. That's why in a modern radio broadcast you'll hear the station identified several times throughout the show, so that you won't be confused for very long. You could imagine a packet-in-packet defense in which every packet was fragmented and then the individual fragments were checked to make sure that they all matched up with one another. This would then require the attacker to have multiple synchronization frames damaged, which would reduce his odds. But in the end, this radio signal is a lot like an audio signal. When you're using software-defined radio, you might even record both as a WAV file before demodulating, and you can put one message inside of another. If you control 30 minutes of my audio broadcast, you can wreak havoc. You could pretend to be another station, you could have a fake government announcement, you could announce some sort of news event or terrorist attack which hasn't happened and get people to freak out. And in the same way, you can trick a computer by putting what it expects to see in the beginning of the packet into the middle.

This is a picture from a textbook on the OSI model. Raise your hand if you thought it was useful to read about the OSI model. Usually when I ask that, I barely see one hand, and that guy's, like, embarrassed and he's pulling it down afterward. So the OSI model is sort of force-fed to us, you know; if you take any sort of networking course, if you read any textbook on networking, even in casual conversation, you're told that you need to learn the OSI model, even though the seven-layer count might be antiquated. What the OSI model does is it encourages us to
build layers of abstraction around each layer of the packet, so that we can build them up and make very complicated machines using, like, base components that we don't really understand. It's possible to write a web server without learning how TCP sequence numbers work, because from the layer seven view you just have text coming in and text going out, and it's not until you need high performance, or you need to understand specific attacks against sequence numbers, that you ever care that they're not in order, or you ever come across the notion that they might not be in order. And we're taught that, you know, just like these little Russian dolls, these things just sort of nest inside of each other and they don't break out, and we're told that this is because of checksumming. But checksumming only goes so low.

So this is how it's supposed to work in theory, and this is how it works in practice, and this is how I make it work in practice. Because if you control the middle and you have encapsulation with errors, then you can make one thing burst out of the other. And at the bottom of the seven-layer model you've got this little black box physical layer that you're taught is voodoo magic that only people working on software-defined radio should ever care about. And by coincidence, the people working on software-defined radios are usually just trying to get packets in and out, and when they're finished with that they're done, or they can move their exploit to a higher layer. But what packet-in-packet shows is that you can also do these exploits at layer one, and you can trigger them from a much higher layer. You don't need a software-defined radio to mess with the radio remotely. You don't need any radio at all.
You can let your victim take care of the radio. And when these things are plugged together, you wind up with horrifically fragile contraptions that happen to work because the lower layers fake reliability. If any of you have seen this one: if this had worked, it would have shipped. Last Russian construction forum slide, I promise. When you plug these things together... how embarrassing would it be to have died while taking this photo?

So don't trust this black box. Specifically, I've attacked the synchronization, or start-of-frame delimiter, matcher. There are other machines inside of every computer that are less than Turing machines, but there are exploits that can be written for things that are less than Turing machines. This synchronization field matcher is a lot simpler than even a regular expression engine. A regular expression engine cannot properly filter HTML; you have similar computational limits here, and you have a machine that cannot distinguish between malicious and non-malicious traffic, and you can exploit that machine. This is what the machine looks like. You know, it's hardwired. There is no patch for it. This is the Chipcon CC1110. It's what I used in the GirlTech IM-Me. You can even zoom in on the logo and such, but the physical chip itself contains, as hardware, the implementation of the language, and like any other language you can come up with an exploit for it. The difference is that it's not a driver, it's not an application, it's not something that can be patched. These vulnerabilities, for defenses to be made, they have to be figured out and patched before the products ship, or before the standards ship. If I keep this up,
they're gonna draft me into a standards body. God help me.

So these length fields are terrible, because they can't tell the difference between data and metadata, and they make a context-sensitive language. This is both bad for parsers and bad for input handlers, and it's really bad for hardware, because it can't be fixed. Len Sassaman and Meredith Patterson made a video that you can find called "Towards a Formal Theory of Computer Insecurity: A Language-Theoretic Approach" that explains this at the theoretical level, and it works on the practical level. Yes, go to Meredith's talk tomorrow. What time? Four o'clock tomorrow.

So there are complications, though. In ZigBee I had the advantage that ZigBee's layer one is quite simple. If anyone from Chipcon were in the audience, I'd have something thrown at me by now. But it's simple in that the packet only exists at one data rate. Every ZigBee packet is 256 kilobits per second and no other rate, and every ZigBee packet is in the same set of symbols. So you never have to worry about one piece of a ZigBee packet being slower or faster than another. The symbol alignment is easy: so long as my ZigBee attack is aligned properly to a nibble boundary, then the inner side will go through and the injection will work. If I make it off by some number of bits that's not evenly divisible by four, then it will stop working. But that's not complicated to find out, and in the end you can just stick the bytes in and transmit it and it works. Wi-Fi is a lot more complicated. Other complications include differential signaling, which isn't so hard to match but allows you to create obfuscations of your packet-in-packet injections. So you can create packets that do not look anything in hexadecimal like the packet you intend to inject, but wind up producing the same sounds on the air and allowing for the injection. So don't think that in any case, or that in every case, these will be as easy to inject as the example I've shown you, or that they will be as easy to
recognize as the example that I've shown you. We saw the same thing with SQL injection, in that when SQL injection attacks first came about and they started happening, people said, oh, you just have to double the number of single quotes. And yeah, that keeps little Timmy from doing it, but, you know, later on you realize that you have character set differences, that you can use a backslash to escape one of the things, all of these different complications that don't necessarily make it impossible but do make it harder. And Wi-Fi accidentally implements some of them.

Bluetooth has a particularly interesting one, in that it reuses the address as the synchronization field. The Microsoft wireless keyboards do the same thing. So in Bluetooth, one device can't actually know that another device's packet has already begun. So I don't have to gamble on any damage to do injections into those sorts of devices. If you're trying to inject from a Microsoft keyboard into a similar device and, you know, its whitening state, you can do so reliably, like a hole in one; every time you send the packet out it gets misinterpreted. You can even do it across data rates. The Nordic chips used in the Microsoft keyboards run at either one or two megabits per second. At two megabits per second you can just double every bit and it falls through and it works.
I wish Wi-Fi were that easy, but... And so Wi-Fi varies the data rate inside of each packet. A Wi-Fi packet will begin at one megabit per second, always. So you have to be able to produce one-megabit-per-second Wi-Fi sounds and symbols in order to inject a Wi-Fi frame. This might not be true for 11n, but I'm only dealing with B for the subject of this lecture. Wi-Fi also varies the encoding. So if you have a Wi-Fi packet that begins at one megabit per second for the header, halfway through the header it'll decide that it would rather be at two megabits per second, because that takes less time on the air and that improves performance, and two megabits per second is the fastest that the header is allowed to run. Then at the end of the header it will actually switch to an even higher rate; it is 5.5 or 11 megabits. And in the shift between two megabits and 5.5, it actually changes its encoding mechanism entirely. I've not yet figured out how to inject Wi-Fi packets from 5.5 or 11 megabits, but I can do it from one megabit per second rather easily, and I can do it from two megabits with some effort. The effort is manageable, and we'll get to that in a minute. GSM uses time slots, and 3G has its symbol codings, and these things are also difficult to work around, and in some cases it might be that there is no workaround. But there's a lot of new work to be done in porting this attack to new sorts of radios, and a lot of them are going to be vulnerable.

So this is the end of part one, in which I've covered PIP injection for 802.15.4, and we're now going to move on to 802.11. To quickly review, in 15.4
we just put 4 or 5 bytes of zeros and a single byte of A7 before our packet. If you take that, you put it before the length field of the packet that your packet sniffer gives you, have a valid checksum at the end, send that as a string over ZigBee a thousand times, it will fall through and you will have an injection. I think a Scapy plugin has already been committed; one for Wi-Fi should be coming soon enough. And there's a general pattern: you're trying to put in those bytes that, when sent over the air, will produce the sounds that could be mistaken for a packet by a receiver that doesn't know it's inside of a message.

So for part two, I'm going to show you how to do this for 802.11b. The complication of this is that half an hour is not enough time to explain the entire 11b standard. I'm going to be leaving some parts out, and I'm going to be coming out with a very long, very detailed paper on how to do this later on. If you've ever read the Wi-Fi standard, we should start a support group.

So as I already mentioned, the 802.11b header always begins at one megabit per second, but it can jump up to two megabits per second. The first half has to always be one; the second half will probably be two. But for simplicity, if you're injecting and you leave it at one, that's not a problem. The body is then one, two, five-point-five, or eleven megabits. Sometimes radios will not support transmitting at one megabit per second. Especially in Linux, a lot of the drivers were just pushed far enough to get WPA connections and no further. So in many radios you won't be able to sniff packets with damaged checksums; you won't be able to force a data rate of anything awkward. We've had good luck with the Atheros chipsets. The other problem is that because one megabit doesn't offer many performance advantages over two megabit as far as reliability goes, a lot of radios won't drop that low. So for practical injections you want to be able to inject at both one and two megabits per second. You'll also want to
be able to port this to 11g and n and a and the rest. So you have three data rates, you have three different Wi-Fi standards, and you can only inject from the fastest one. This sucks, because it means that if my payload is going over your radio at 11 megabits per second, I have to inject from one very different style of radio to another, and I haven't yet figured out the translations for that. Now, the final data rate varies with signal strength and with packet loss, and this I like, because this means that when the radio is getting interfered with, it will drop its data rate to a spot at which I can attack it. And it's when it's being interfered with that it's easiest for me to do my injection. So this works out in my favor. And the final rate, because it varies with signal strength and with packet loss, it sometimes helps to cause extra traffic. All of these techniques for causing extra bandwidth usage on the local network, like, you could easily write JavaScript that just wastes the time of the browser and wastes the bandwidth of it; that can help in packet-in-packet injection, although it's not necessary. So how slow is the fastest?
At one megabit per second, everything becomes as easy as ZigBee. If you put the bytes in the air in the right order, everything works out. But many networks can't or won't drop that low. At two megabits you can recreate one-megabit symbols, in the same way that on the Nordic radio you could just double every bit to go from two megabits to one. That almost works here, although for a different reason, and there's also a scrambler. In radio protocols, it's bad form to send a lot of low bits or a lot of high bits in a row, because this fails arbitrary communications tests for, like, the FCC. So if my radio sends lots of zero bits and lots of one bits, I'm likely to be disqualified, and I won't be able to ship my product. The solution to this is a scrambler. But the scrambler is not intended for security reasons; it's only intended to pass an arbitrary test. You know, you have to keep the signal strength beneath such-and-such a bar when sending anything, or else you get in trouble, but it's averaged over time, so if they have two peaks instead of one, then they pass the test. So the state of the scrambler is only seven bits, which I like, because it's only a hundred and twenty-eight possible values, so I can guess one of them.
It's not even required that these be random, although in practice, if there's a single byte before your packet that you don't know, then you likely won't know the scrambler state.

For 5.5 megabits, 11 megabits, and 802.11g you have very different body rates, and occasionally you're allowed different header rates. The header in Wi-Fi is very sparse. All it says is that the following body is at such and such data rate, and it specifies how long that body will be in microseconds, because it doesn't even demand that the receiver support that style of packet. If you have a Palm Pilot that only does one megabit per second, that Palm Pilot will still recognize that an 802.11g packet is going to be on the air for so long, and that it shouldn't try to broadcast over it, even though it has no ability to receive 802.11g.

This is what the preamble looks like after going through the scrambler. This is just the beginning of it; it's much longer. The preamble in the unscrambled form is just 128 ones. This runs through a scrambler to produce the waveform that you see below, and the scrambled form never includes regions of lots of ones or lots of zeros. This is what the machine looks like on paper.
I have Verilog code for this on GitHub. A nifty thing about this is that you have these different tap points, and if you run data through the upper device, then you get the scrambled bits out. When you run those same bits through the descrambler, the function itself synchronizes and automatically fixes everything. It will even do this if you choose any other set of bits to run through the function. So if you mess this up, or if you have an off-by-one error while reading it, not that I would ever confess to such a thing, the bytes will come out in a way that looks like you got it right.

If they had made this 128 bits long, then you might have to guess a 128-bit number. Or even if they made it 32 or 64 bits long, it would drastically reduce the ability to do a rate-to-rate transition. The reason why we don't need to mess with this scrambler at 1 megabit per second is because at 1 megabit per second we don't have to do any symbol corrections. So if you remember, in the FSK radios, where zero zero at two megabits would become a single zero at one megabit, here you have to double those bits in the unscrambled state, and you can't do that if you don't control what they are, if you don't control which rate your symbols will appear in the air at. And it's legal for this to be initialized to anything but all ones. So if you are a hardware engineer and I tell you to initialize something to anything but all ones, you will obviously initialize it to all zeros, which is perfectly legal by the standard, because again, there's no requirement that it's random.
This was not intended as a security feature. You can either predict this or you can guess it. There are 127 different start positions, but by the time it gets to you there's probably one byte before your packet that you don't control, like a sequence counter or something like that, so it might as well be 128. And it self-synchronizes, but the attacker can't observe the bits, so the attacker can't follow the self-synchronization, because remember, in our attack the attacker does not have a radio, not even for listening.

So for one megabit to make it to one megabit, there's the same symbol set, same data rate. It's just like ZigBee. These are the exact bytes that you put in if you want to inject a one megabit per second packet. You do 128 bits of ones, or Fs, or whatever you want to call them. Then you have F3A0. This is the Wi-Fi equivalent of the A7. You then have your flags, your data rate, your checksum, but this is a checksum for the header, not for the body. So you can take this magic string and you can put any body with a proper checksum after it, and that body will go in at one megabit per second.

To inject from two megabits per second, your symbol set changes. So in one megabit per second you have zero degrees difference and pi degrees difference, so the phase is changing by up to half of a waveform. At two megabits you have four symbols: you have zero, pi over two, that's a quarter circle, then a half circle, then three-quarters circle, right?
But you notice that the two symbols that you need for one megabit exist in the two megabit version, and you can correct for them. So, because all of the one megabit per second symbols exist at two megabits. This is not true of the five point five megabit per second rate. This is the table. Again, zero zero represents zero and one one represents one, but these have to be after scrambling, and we don't know how our data will be scrambled. At one megabit the scrambler fixes itself, and we don't have anything to worry about. But at two megabits per second we can't count on the scrambler. So because this scrambler no longer self-corrects, we have to guess it, and then we have to produce a string that, when scrambled with our guess, produces the two megabit symbols that we actually want to be on the air, to match the one megabit per second symbols that we need for our injection. Very long code for doing this is at that URL, just github.com/travisgoodspeed.

So the present state of packet-in-packet in Wi-Fi is that 11b is definitely vulnerable at one megabit and at two, but only when the network transmission is in clear text. A lot of you are thinking, "I use WPA, so I don't have a problem here." But in Uninformed 6.2 there's this nifty little exploit that HD Moore and skape and Johnny Cache wrote, and they attack Wi-Fi beacon frames. Your laptop will receive and interpret a Wi-Fi beacon frame even if you're not associated to the network. Better still, the attacker does not need to know your MAC address or anything unique to your connection. So in that paper they present a number of Wi-Fi exploits. Some of them require a probe response, but others do not. For the ones that do not, the ones that work on a straight beacon frame, you can take that beacon frame and you can embed that into a packet-in-packet injection, throw that into a large file download like an ISO image, put it up on a web server and say, hey, download this. And then if you're sitting in your office on the WPA-protected network with
cryptography that my packet-in-packet techniques can't touch, and your neighbor is using a Wi-Fi hotspot in a cafe in clear text and is downloading that ISO image, then the beacon can fall through and hit you, even though you did nothing stupid, even though you downloaded no untrustworthy files, just by the very fact that you're sitting there, through packet-in-packet injection.

Another lovely attack of the sort: you can inject into satellite communications this way. So when you have a satellite network, let's say a geosynchronous satellite, you know, you've got your victim somewhere. You can watch all of the downstream traffic just by pointing a dish at the right bird, okay, but injecting something that the bird won't carry over is rather hard, because in order to aim the antenna properly you would have to launch a spaceship, get a bit higher in orbit, and get the same pattern. It becomes unmanageable. With packet-in-packet you can just send a message that gets ferried over to any other user of the same transponder on the same frequency that contains a malicious packet, and whenever the message comes to the victim's radio, it either works or it doesn't. This is a probabilistic attack. You have to try it lots of times. Whenever it doesn't work, the victim's radio says, "oh, this isn't addressed to me, I'm going to ignore it, because gentlemen did not read each other's emails." So from that user's perspective, the injection becomes a hole in one.

And we have all sorts of these different pieces of technology based upon layer one protocols that we don't understand, or that are so complicated that you can't easily understand them. The key piece of this is that when you have these layers of abstraction in the OSI model, they become boundaries of competence. They become pieces that you're not allowed to look beneath, and you begin to respect these boundaries even as you're smashing ones a few layers up. Even as you're jumping down to layer two to do layer two attacks,
you're still using a layer one infrastructure that you haven't had time to learn yet, and you shouldn't assume that just because it's so low level that it can't be implemented in software, that it doesn't have vulnerabilities or that it doesn't have exploits.

So I intended to demo this for Wi-Fi, and then the demo gods struck. Instead I have it running for ZigBee, and for the duration of the conference, if you packet sniff me anywhere within the conference hall, you will be able to catch both the outer form and the inner form. The Wi-Fi preamble and PLCP header are included in these slides. You can also find the Verilog code for the scrambler up on GitHub, and a Scapy plug-in should be ready soon enough. Are there any questions?

So the question was, why don't I want to have a radio? And I don't want to have a radio because having a radio puts a greater requirement on the attack. Packet-in-packet certainly works when I do have a radio, and that's how I test it in the lab, and that's how I write the exploits. But when you start using them in the field, quite often you don't have physical access to the victim's environment. I don't have a spaceship, so I can't fly up to attack geosynchronous satellite receivers. Packet-in-packet is specifically targeted at those sorts of situations in which you don't have the ability to bring in a radio, or in which you don't know where the physical environment is, or in which you want your radio attack to spread further than you can individually send packets. Any other questions?
Yes, I was wondering if you have any lessons learned from that, especially as right now there are more and more industrial protocols being developed based on 15.4 especially, I know. And I know that, especially because of European legislation, there is within ETSI a new harmonization going on between all those networks based in the ISM bands. So, if you have any lessons learned to prevent these problems?

So cryptography prevents this attack even when the cryptography is bad. WEP is really crappy cryptography. It can be broken by scripts that you can download anywhere, but it's still effective at preventing packet-in-packet injection, because packet-in-packet injection only works if the attacker knows what the symbols will look like on the air. So using cryptography, and using good or at least mediocre cryptography, is an effective defense to packet-in-packet.

Yes, okay, I think you left out a fairly important detail. Given a reasonably good connection with low noise, how much data do you actually have to send until you get a reasonably good probability that you will hit one of these possible exploits?

I haven't measured in a very low noise environment, but in the average university building, we tested it in a laboratory room at Dartmouth College in New Hampshire. We began broadcasting packets repeatedly over 802.15.4, and it was less than two minutes before the packets began to arrive. They also tended to arrive in clusters when the nearby Wi-Fi networks became busier. So you have to be patient, but not terribly patient. In the two megabit to one megabit injection, this might become an hour or two.

Okay, but it still falls through. If you want to make your evaluation stronger, I would like to see something like a 3D graph with the probability of the injection, the data rate that you need, and things like that.

Thank you kindly.
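The 7-bit 802.11b scrambler the talk describes, written out as an added Python example that is not the speaker's Verilog: it shows that the descrambler locks on within seven bits from any seed, that the all-ones seed is the one state that leaves 128 ones on the air, and that a payload has only 128 possible on-air forms, which is why the answer to the last question is cryptography rather than the scrambler. The seed-to-register bit mapping and the sample payload are assumptions made here.

```python
# 802.11b self-synchronizing scrambler, G(z) = z^-7 + z^-4 + 1 (IEEE 802.11 Clause 18).
# Added example, not the speaker's code. Assumption: bit i of the 7-bit seed loads
# delay element Z(i+1), so seed 0x7F is the "all ones" state the talk mentions.

SYNC_BITS = [1] * 128  # unscrambled long-preamble sync field: 128 ones

def _regs(seed):
    """Load delay elements Z1..Z7 from a 7-bit seed (mapping is an assumption)."""
    return [(seed >> i) & 1 for i in range(7)]

def scramble(bits, seed):
    """Transmit side: out = in ^ Z4 ^ Z7, and the scrambled bit is fed back into Z1."""
    z, out = _regs(seed), []
    for b in bits:
        s = b ^ z[3] ^ z[6]
        out.append(s)
        z = [s] + z[:-1]
    return out

def descramble(bits, seed):
    """Receive side: out = in ^ Z4 ^ Z7, but the received bit is shifted into Z1,
    so after seven air bits the registers match the transmitter whatever the seed."""
    z, out = _regs(seed), []
    for b in bits:
        out.append(b ^ z[3] ^ z[6])
        z = [b] + z[:-1]
    return out

def max_run(bits):
    """Longest run of identical bits; bounding this is the scrambler's only job."""
    best = run = 0
    for i, b in enumerate(bits):
        run = run + 1 if i and bits[i - 1] == b else 1
        best = max(best, run)
    return best

def resync_delay(bits, tx_seed, rx_seed):
    """Leading bits a mis-seeded descrambler can corrupt before it locks on."""
    got = descramble(scramble(bits, tx_seed), rx_seed)
    wrong = [i for i, (a, b) in enumerate(zip(bits, got)) if a != b]
    return wrong[-1] + 1 if wrong else 0

def distinct_scramblings(bits):
    """How many different air patterns one payload can have: one per 7-bit seed."""
    return len({tuple(scramble(bits, seed)) for seed in range(128)})

if __name__ == "__main__":
    air = scramble(SYNC_BITS, 0x6C)  # 0x6C is the spec's long-preamble seed
    print("longest run in the scrambled sync field:", max_run(air))
    print("all-ones seed leaves 128 ones on the air:", scramble(SYNC_BITS, 0x7F) == SYNC_BITS)
    print("bits until a wrong-seed descrambler resyncs:", resync_delay(SYNC_BITS, 0x6C, 0x00))
    print("possible scramblings of any payload:", distinct_scramblings(SYNC_BITS))
```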