Packet-in-packet: the Orson Welles attacks on digital radio

  1. Packet-in-packet: the Orson Welles attacks on digital radio
     Travis Goodspeed, Sergey Bratus, Ryan Speers, Ricky Melgares, Rebecca Shapiro
  2. How it happened
     • Toor 2005, BH 2006: 802.11 drivers/fw suck
     + ? !
  3. ?!$$$$$ ? !
  4. What I believed about Digital Radio
     • You only get frames sent as such by a compatible device (or an SDR)
     • For you to get a frame, someone has to send this exact frame somehow
     • Sometimes a frame gets corrupted by noise (FCS doesn’t check out), then you get nothing in normal mode
     • Barring SDRs, you get in PHY only what comes from someone’s compatible radio’s Link layer
  5. “A Black Box of PHY”
  6. “A Black Box of PHY”
     • “The black box will deliver only valid or almost-valid (slightly noise-damaged) link layer frames”
  7. Encapsulation FTW?
  8. “A Black Box PHY”
     • “The black box will deliver only valid or almost-valid (slightly noise-damaged) frames”
  9. 802.15.4 Really? Really.
  10. 802.15.4 Really? Really.
  11. Where is your encapsulation now?
     • 802.15.4 PHY is not a validity/integrity filter
     • It does not somehow “enforce” encapsulation
     • Receiver is getting the “internal” packet contained in the “data” area of a frame
     • WTF?
  12. Prior Art: Orson Welles, 1938
     • “The War of the Worlds” broadcast
     • 2 min 20 sec long intro (during a popular show on another station)
     • 38 min of 1st Act, starting with a fake weather report and a music concert, interrupted by fake news, interviews, eyewitness reports, and so on
     • Listeners who missed the intro believed they were listening to real news of a Martian invasion
  13. A packet is a packet is a packet “intro”
  14. How did this work?
  15. Encapsulation: textbook view
  16. Encapsulation in practice (with noise)
  17. Encapsulation in practice (with noise): PIP
  18. “Packet-in-packet”
  19. A packet IN a packet IN a packet
  20. +++ATH
     • Hayes patented sequence “pause, +++, pause” for switching to command mode, charged $1/modem
     • Other modem vendors drop pauses, avoid fee
     • Hayes press release is labeled +++ATH
     • “What escapes the escape symbols?”
       • this is a formal languages theory question
  21. “Don’t trust the black box”
     • It’s just a bit-shift register FSM that matches SYNC
     • That FSM + CRC logic cannot provide any sort of “encapsulation validation” in the presence of noise.
     • “Packet is wherever/whenever a SYNC is”
  22. “Length fields considered harmful”
     • Parser can’t tell data from metadata without context
     • Makes packets a “context-sensitive language” -- this is BAD for parsers and input handlers
     • Watch “Towards a Formal Theory of Computer Insecurity: a Language-theoretic Approach”, by Len Sassaman & Meredith L. Patterson
  23. What caused it?
     • Cross-layer misunderstanding (Link vs Physical)
     • Layer abstractions are a convenient fiction, nothing more
     • Layers of abstraction become boundaries of competence
  24. “Composition Kills”
     • Let there always be PEEK and POKE to break abstractions & look across layers
     • Lest we cheat ourselves (again)
  25. What breaks PIP?
     • This only works if the attacker can predict the bits over the air
     • Different encoding/modulation for signaling will break it (802.11g is hard)
     • Any kind of encryption will break it. “WEP is not dead!”
  26. 802.11g serendipity
  27. What’s next?
     • Satellite
       • Plenty of noise, huge footprint
     • 802.3!
       • if a good source of noise can be found
  28. Thank you!
     • http://travisgoodspeed.blogspot.com/
     • http://packet-in-packet.com/
     • http://langsec.org/ (up in a week)
     “There are bytes in the air...”