Packet-in-packet: the Orson Welles attacks on digital radio
•
0 gostou•903 visualizações
Recomendados
Recomendados
Mais conteúdo relacionado
Mais de Positive Hack Days
Mais de Positive Hack Days (20)
Último
Último (20)
Packet-in-packet: the Orson Welles attacks on digital radio
- 1. Packet-in-packet: the Orson Welles attacks on digital radio Travis Goodspeed Sergey Bratus Ryan Speers Ricky Melgares Rebecca Shapiro
- 2. How it happened Toor 2005, BH 2006: 802.11 drivers/fw suck + ? !
- 3. ? ! $$$$$ ? !
- 4. What I believed about Digital Radio • You only get frames sent as such by a compatible device (or an SDR) • For you to get a frame, someone has to send this exact frame somehow • Sometimes a frame gets corrupted by noise (FCS doesn’t checks out), then you get nothing in normal mode • Barring SDRs, you get in PHY only what comes from someone’s compatible radio’s Link layer
- 5. “A Black Box of PHY”
- 6. “A Black Box of PHY” • “The black box will deliver only valid or almost- valid (slightly noise-damaged) link layer frames”
- 8. “A Black Box PHY” • “The black box will deliver only valid or almost- valid (slightly noise-damaged) frames”
- 9. 802.15.4 Really? Really.
- 10. 802.15.4 Really? Really.
- 11. Where is your encapsulation now? • 802.15.4 PHY is not a validity/integrity filter • It does not somehow “enforce” encapsulation • Receiver is getting the “internal” packet contained in the “data” area of a frame • WTF?
- 12. Prior Art: Orson Welles, 1938 • “The War of the Worlds” broadcast • 2 min 20 sec long intro (during a popular show on another station) • 38 min of 1st Act, starting with a fake weather report and a music concert, interrupted by fake news, interviews, eyewitness reports, and so on • Listeners who missed the intro believed they were listening to real news of a Martian invasion
- 13. A packet is a packet is a packet “intro”
- 14. How did this work?
- 16. Encapsulation in practice (with noise)
- 17. Encapsulation in practice (with noise) PIP
- 19. A packet IN a packet IN a packet
- 20. +++ATH • Hayes patented sequence “pause, +++, pause” for switching to command mode, charged $1/modem • Other modem vendors drop pauses, avoid fee • Hayes press release is labeled +++ATH • “What escapes the escape symbols?” • this is a formal languages theory question
- 21. “Don’t trust the black box” • It’s just a bit-shift register FSM that matches SYNC • That FSM + CRC logic cannot provide any sort of “encapsulation validation” in the presence of noise. • “Packet is wherever/whenever a SYNC is”
- 22. “Length fields considered harmful” • Parser can’t tell data from metadata without context • Makes packets a “context-sensitive language” -- this is BAD for parsers and input handlers • Watch “Towards a Formal Theory of Computer Insecurity: a Language-theoretic Approach”, by Len Sassaman & Meredith L. Patterson
- 23. What caused it? • Cross-layer misunderstanding (Link vs Physical) • Layer abstractions are a convenient fiction, nothing more • Layers of abstraction become boundaries of competence
- 24. “Composition Kills” • Let there always be PEEK and POKE to break abstractions & look across layers • Lest we cheat ourselves (again)
- 25. What breaks PIP? • This only works if the attacker can predict the bits over the air • Different encoding/modulation for signaling will break it (802.11g is hard) • Any kind of encryption will break it. “WEP is not dead!”
- 27. What’s next? • Satellite • Plenty of noise, huge footprint • 802.3! • if a good source of noise can be found
- 28. Thank you! • http://travisgoodspeed.blogspot.com/ • http://packet-in-packet.com/ • http://langsec.org/ (up in a week) “There are bytes in the air...”