Packets in Packets: OrsonWelles’ In-Band Signaling Attacks for Modern Radios

[Nytro]

Packets in Packets:

OrsonWelles’ In-Band Signaling Attacks for Modern Radios

Travis Goodspeed

University of Pennsylvania

Sergey Bratus

Dartmouth College

Ricky Melgares

Dartmouth College

Rebecca Shapiro

Dartmouth College

Ryan Speers

Dartmouth College

Abstract

Here we present methods for injecting raw frames at

Layer 1 from within upper-layer protocols by abuse of

in-band signaling mechanisms common to most digital

radio protocols. This packet piggy-backing technique allows

attackers to hide malicious packets inside packets

that are permitted on the network. When these carefully

crafted Packets-in-Packets (PIPs) traverse a wireless network,

a bit error in the outer frame will cause the inner

frame to be interpreted instead. This allows an attacker

to evade firewalls, intrusion detection/prevention systems,

user-land networking restrictions, and other such

defenses. As packets are constructed using interior fields

of higher networking layers, the attacker only needs the

authority to send cleartext data over the air, even if it is

wrapped within several networking layers.

This paper includes tested examples of raw frame injection

for IEEE 802.15.4 and 2-FSK radios. Additionally,

implementation complications are described for

802.11 and a variety of other modern radios. Finally,

we present suggestions for how this technique might be

extended from wireless radio protocols to Ethernet and

other wired links.

Download:

http://static.usenix.org/events/woot11/tech/final_files/Goodspeed.pdf