Packet-in-packet: the Orson Welles attacks on digital radio

Travis Goodspeed, Sergey Bratus, Ryan Speers, Ricky Melgares, Rebecca Shapiro

Upload: positive-hack-days

Post on 27-Jun-2015


Page 1: Packet-in-packet: the Orson Welles attacks on digital radio

Travis Goodspeed, Sergey Bratus, Ryan Speers, Ricky Melgares, Rebecca Shapiro

Page 2

How it happened

Toor 2005, BH 2006: 802.11 drivers/fw suck


Page 3: (diagram only; no text on the slide)

Page 4

What I believed about Digital Radio

• You only get frames sent as such by a compatible device (or an SDR)

• For you to get a frame, someone has to send this exact frame somehow

• Sometimes a frame gets corrupted by noise (FCS doesn’t check out), then you get nothing in normal mode

• Barring SDRs, you get in PHY only what comes from someone’s compatible radio’s Link layer

Page 5

“A Black Box of PHY”

Page 6

“A Black Box of PHY”

• “The black box will deliver only valid or almost- valid (slightly noise-damaged) link layer frames”

Page 7

Encapsulation FTW?

Page 8

“A Black Box PHY”

• “The black box will deliver only valid or almost- valid (slightly noise-damaged) frames”

Page 9

802.15.4 Really? Really.

Page 10

802.15.4 Really? Really.

Page 11

Where is your encapsulation now?

• 802.15.4 PHY is not a validity/integrity filter

• It does not somehow “enforce” encapsulation

• Receiver is getting the “internal” packet contained in the “data” area of a frame

• WTF?

Page 12

Prior Art: Orson Welles, 1938

• “The War of the Worlds” broadcast

• 2 min 20 sec long intro (during a popular show on another station)

• 38 min of 1st Act, starting with a fake weather report and a music concert, interrupted by fake news, interviews, eyewitness reports, and so on

• Listeners who missed the intro believed they were listening to real news of a Martian invasion

Page 13

A packet is a packet is a packet

“intro”

Page 14

How did this work?

Page 15

Encapsulation: textbook view

Page 16

Encapsulation in practice (with noise)

Page 17

Encapsulation in practice (with noise)

PIP

Page 18

“Packet-in-packet”

Page 19

A packet IN a packet IN a packet

Page 20

+++ATH

• Hayes patented sequence “pause, +++, pause” for switching to command mode, charged $1/modem

• Other modem vendors drop pauses, avoid fee

• Hayes press release is labeled +++ATH

• “What escapes the escape symbols?”

• this is a formal languages theory question

Page 21

“Don’t trust the black box”

• It’s just a bit-shift register FSM that matches SYNC

• That FSM + CRC logic cannot provide any sort of “encapsulation validation” in the presence of noise.

• “Packet is wherever/whenever a SYNC is”

Page 22

“Length fields considered harmful”

• Parser can’t tell data from metadata without context

• Makes packets a “context-sensitive language” -- this is BAD for parsers and input handlers

• Watch “Towards a Formal Theory of Computer Insecurity: a Language-theoretic Approach”, by Len Sassaman & Meredith L. Patterson
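A simulation of the receiver described on the last two slides (a shift-register FSM that hunts for SYNC, then a length byte the parser cannot validate from context). This is an added example, not the authors' code; it assumes a simplified 802.15.4 framing (4-byte zero preamble, 0xA7 SFD, one length byte, bits sent LSB first, no FCS) and shows both the mechanism and a receiver-side check that flags a payload carrying its own SYNC.

```python
# Simplified 802.15.4-style PHY receiver, constructed to illustrate the
# "packet is wherever a SYNC is" point; not the authors' code. Assumptions:
# 4-byte zero preamble + 0xA7 SFD, one length byte, bits sent LSB first,
# no FCS (a real embedded frame simply carries its own valid FCS).

PREAMBLE = bytes(4)      # 32 zero bits
SFD = b"\xa7"            # start-of-frame delimiter
SYNC = PREAMBLE + SFD

def to_bits(data: bytes) -> list:
    """Serialise bytes to the bit list that goes over the air, LSB first."""
    return [(b >> i) & 1 for b in data for i in range(8)]

def from_bits(bits) -> bytes:
    """Inverse of to_bits; a trailing partial byte is dropped."""
    return bytes(sum(b << k for k, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - 7, 8))

def find_sync(bits, start=0) -> int:
    """The shift-register FSM: first bit offset >= start where SYNC lines up, or -1."""
    pat = to_bits(SYNC)
    for pos in range(start, len(bits) - len(pat) + 1):
        if bits[pos:pos + len(pat)] == pat:
            return pos
    return -1

def build_frame(payload: bytes) -> bytes:
    return SYNC + bytes([len(payload)]) + payload

def receive(bits):
    """What the 'black box' delivers: whatever follows the first SYNC it sees."""
    pos = find_sync(bits)
    if pos < 0 or len(bits) < pos + 8 * len(SYNC) + 8:
        return None
    hdr = pos + 8 * len(SYNC)
    length = from_bits(bits[hdr:hdr + 8])[0]
    body = bits[hdr + 8:hdr + 8 + 8 * length]
    return from_bits(body) if len(body) == 8 * length else None

def flip_bit(bits, i):
    """Model a single noise hit on the channel."""
    return bits[:i] + [bits[i] ^ 1] + bits[i + 1:]

def payload_carries_sync(payload: bytes) -> bool:
    """Receiver-side check: would this payload be delivered as a frame of its
    own if noise took out the outer SYNC? True if SYNC occurs at any bit offset."""
    return find_sync(to_bits(payload)) >= 0

INNER = build_frame(b"INNER")                # a complete frame, sent as mere data
OUTER = build_frame(b"outer-data " + INNER)  # the frame actually transmitted
```

With one bit of the outer SFD flipped, `receive(flip_bit(to_bits(OUTER), 32))` returns `b'INNER'` instead of the outer payload, while `payload_carries_sync(OUTER[6:])` flags the outer payload before any noise is involved.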

Page 23

What caused it?

• Cross-layer misunderstanding (Link vs Physical)

• Layer abstractions are a convenient fiction, nothing more

• Layers of abstraction become boundaries of competence

Page 24

“Composition Kills”

• Let there always be PEEK and POKE to break abstractions & look across layers

• Lest we cheat ourselves (again)

Page 25

What breaks PIP?

• This only works if the attacker can predict the bits over the air

• Different encoding/modulation for signaling will break it (802.11g is hard)

• Any kind of encryption will break it. “WEP is not dead!”

Page 26

802.11g serendipity

Page 27

What’s next?

• Satellite

• Plenty of noise, huge footprint

• 802.3!

• if a good source of noise can be found

Page 28

Thank you!

• http://travisgoodspeed.blogspot.com/

• http://packet-in-packet.com/

• http://langsec.org/ (up in a week) “There are bytes in the air...”