Packet-in-packet: the Orson Welles attacks on digital radio
TRANSCRIPT
![Page 1: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/1.jpg)
Packet-in-packet: the Orson Welles
attacks on digital radio
Travis Goodspeed, Sergey Bratus, Ryan Speers,
Ricky Melgares, Rebecca Shapiro
![Page 2: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/2.jpg)
How it happened
Toor 2005, BH 2006: 802.11 drivers/fw suck
![Page 3: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/3.jpg)
![Page 4: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/4.jpg)
What I believed about Digital Radio
• You only get frames sent as such by a compatible device (or an SDR)
• For you to get a frame, someone has to send this exact frame somehow
• Sometimes a frame gets corrupted by noise (the FCS doesn’t check out), and then you get nothing in normal mode
• Barring SDRs, you get in PHY only what comes from someone’s compatible radio’s Link layer
![Page 5: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/5.jpg)
“A Black Box of PHY”
![Page 6: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/6.jpg)
“A Black Box of PHY”
• “The black box will deliver only valid or almost-valid (slightly noise-damaged) link layer frames”
![Page 7: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/7.jpg)
Encapsulation FTW?
![Page 8: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/8.jpg)
“A Black Box PHY”
• “The black box will deliver only valid or almost-valid (slightly noise-damaged) frames”
![Page 9: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/9.jpg)
802.15.4 Really? Really.
![Page 10: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/10.jpg)
802.15.4 Really? Really.
![Page 11: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/11.jpg)
Where is your encapsulation now?
• 802.15.4 PHY is not a validity/integrity filter
• It does not somehow “enforce” encapsulation
• Receiver is getting the “internal” packet contained in the “data” area of a frame
• WTF?
![Page 12: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/12.jpg)
Prior Art: Orson Welles, 1938
• “The War of the Worlds” broadcast
• 2 min 20 sec long intro (during a popular show on another station)
• 38 min of 1st Act, starting with a fake weather report and a music concert, interrupted by fake news, interviews, eyewitness reports, and so on
• Listeners who missed the intro believed they were listening to real news of a Martian invasion
![Page 13: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/13.jpg)
A packet is a packet is a packet
“intro”
![Page 14: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/14.jpg)
How did this work?
![Page 15: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/15.jpg)
Encapsulation: textbook view
![Page 16: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/16.jpg)
Encapsulation in practice (with noise)
![Page 17: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/17.jpg)
Encapsulation in practice (with noise)
PIP
![Page 18: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/18.jpg)
“Packet-in-packet”
![Page 19: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/19.jpg)
A packet IN a packet IN a packet
![Page 20: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/20.jpg)
+++ATH
• Hayes patented sequence “pause, +++, pause” for switching to command mode, charged $1/modem
• Other modem vendors drop pauses, avoid fee
• Hayes press release is labeled +++ATH
• “What escapes the escape symbols?”
• this is a formal languages theory question
![Page 21: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/21.jpg)
“Don’t trust the black box”
• It’s just a bit-shift register FSM that matches SYNC
• That FSM + CRC logic cannot provide any sort of “encapsulation validation” in the presence of noise.
• “Packet is wherever/whenever a SYNC is”
![Page 22: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/22.jpg)
“Length fields considered harmful”
• Parser can’t tell data from metadata without context
• Makes packets a “context-sensitive language” -- this is BAD for parsers and input handlers
• Watch “Towards a Formal Theory of Computer Insecurity: a Language-theoretic Approach”, by Len Sassaman & Meredith L. Patterson
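As an added illustration of the two slides above (the SYNC-hunting shift-register FSM plus CRC, and the length field that a parser can only interpret in context), here is a toy bit-level receiver written for this transcript. It is not code from the talk or from its authors; its preamble, SYNC word, framing and CRC-8 are constructed stand-ins and do not match 802.15.4 or 802.11. It shows that the receiver hands up the inner packet the moment noise damages the outer SYNC, while a single damaged payload bit yields nothing, which is the only kind of failure the “black box” model expects. The `payload_contains_frame_start` check is an assumed defender-side addition, not something the slides describe.

```python
# Added example (not from the slides): a toy receiver that behaves like the
# "bit-shift register FSM that matches SYNC" plus a CRC check, used to show
# why such a PHY cannot enforce link-layer encapsulation under noise.
# PREAMBLE, SYNC, the framing and the CRC-8 are constructed for this demo.
from typing import List

PREAMBLE = "01010101"  # constructed toy preamble (assumption)
SYNC = "10110010"      # constructed toy SYNC word, not a real SFD (assumption)


def crc8(data: bytes, poly: int = 0x07) -> int:
    """Plain CRC-8 (poly 0x07, init 0); stands in for the link-layer FCS."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def to_bytes(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def build_frame(payload: bytes) -> str:
    """Air bits for one frame: PREAMBLE | SYNC | LEN | payload | CRC."""
    body = bytes([len(payload)]) + payload
    return PREAMBLE + SYNC + to_bits(body + bytes([crc8(body)]))


def receive(air: str) -> List[bytes]:
    """Receiver FSM: hunt for SYNC one bit at a time, then trust LEN to
    delimit the frame and deliver the payload only if the CRC checks out.
    A packet is wherever a SYNC is; the FSM has no notion of 'inside'."""
    delivered: List[bytes] = []
    i = 0
    while i + len(SYNC) + 8 <= len(air):
        if air[i:i + len(SYNC)] != SYNC:
            i += 1                        # keep shifting until SYNC matches
            continue
        i += len(SYNC)
        length = int(air[i:i + 8], 2)     # LEN is just data to the FSM
        total = 8 * (1 + length + 1)      # LEN byte + payload + CRC byte
        if i + total > len(air):
            break                         # truncated frame: nothing delivered
        raw = to_bytes(air[i:i + total])
        if crc8(raw[:-1]) == raw[-1]:
            delivered.append(raw[1:-1])   # valid frame: payload goes up
        i += total                        # good or bad, the frame is consumed
    return delivered


def flip_bit(air: str, pos: int) -> str:
    """Constructed 'noise': invert a single bit of the air stream."""
    return air[:pos] + ("1" if air[pos] == "0" else "0") + air[pos + 1:]


def payload_contains_frame_start(payload: bytes) -> bool:
    """Defender-side check (an assumption, not from the slides): flag a
    payload whose bits contain PREAMBLE+SYNC at any bit alignment."""
    return (PREAMBLE + SYNC) in to_bits(payload)


def demo():
    inner_air = build_frame(b"inner")              # a complete frame ...
    inner_bytes = to_bytes(inner_air)              # ... carried as plain data
    outer_air = build_frame(inner_bytes)           # legitimate outer frame
    clean = receive(outer_air)                     # outer SYNC intact
    noisy = receive(flip_bit(outer_air, len(PREAMBLE)))  # outer SYNC damaged
    return clean, noisy


if __name__ == "__main__":
    clean, noisy = demo()
    print("intact outer SYNC  ->", clean)   # the inner bytes as opaque data
    print("damaged outer SYNC ->", noisy)   # [b'inner']: the inner packet
```

With the outer SYNC intact the receiver consumes the whole outer frame and the inner bytes are just data; with one bit of the outer SYNC flipped the FSM keeps shifting, locks onto the SYNC inside the payload and delivers the inner packet with a clean CRC, so the CRC cannot be used as evidence of where a frame began. The same receiver drops a frame whose payload took the bit flip instead, which is the only failure mode the “black box” model accounts for. This only works because the sender’s payload bits appear on the air unchanged; as the “What breaks PIP?” slide notes, scrambling or encrypting the payload with material the attacker cannot predict removes the embedded PREAMBLE+SYNC from the air bits.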
![Page 23: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/23.jpg)
What caused it?
• Cross-layer misunderstanding (Link vs Physical)
• Layer abstractions are a convenient fiction, nothing more
• Layers of abstraction become boundaries of competence
![Page 24: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/24.jpg)
“Composition Kills”
• Let there always be PEEK and POKE to break abstractions & look across layers
• Lest we cheat ourselves (again)
![Page 25: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/25.jpg)
What breaks PIP?
• This only works if the attacker can predict the bits over the air
• Different encoding/modulation for signaling will break it (802.11g is hard)
• Any kind of encryption will break it. “WEP is not dead!”
![Page 26: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/26.jpg)
802.11g serendipity
![Page 27: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/27.jpg)
What’s next?
• Satellite
• Plenty of noise, huge footprint
• 802.3!
• if a good source of noise can be found
![Page 28: Packet-in-packet: the Orson Welles attacks on digital radio](https://reader033.vdocuments.net/reader033/viewer/2022052323/558e152d1a28abf95a8b4644/html5/thumbnails/28.jpg)
Thank you!
• http://travisgoodspeed.blogspot.com/
• http://packet-in-packet.com/
• http://langsec.org/ (up in a week) “There are bytes in the air...”