Packets in Packets: Remotely Exploiting Layer 1 presented at HITBMalaysia 2011

by Travis Goodspeed

Summary: In digital radios, a Layer 1 frame consists of a Preamble, a Start of Frame Delimiter (SFD), and a Layer 2 packet. When a receiver misses the SFD, it remains in a receiving state but does not know that a packet has begun. In that state, a complete Layer 1 frame placed /inside/ of the L2 frame will be mistaken for a freestanding packet, allowing an attacker to remotely inject frames into any unencrypted wireless hop of a network.
This presentation will show working, tested examples of remote Packet-in-Packet frame injection exploits for a variety of radios.
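
A defender-side check that follows from the summary, as an added example that is not from the talk: scan Layer 2 payloads (for instance at a gateway or in a capture) for a run of preamble bytes followed by an SFD and a length byte. The sync values are assumptions modeled on IEEE 802.15.4, the page names no specific radio, and the scan assumes the inner frame is byte-aligned within the payload.

```python
"""Added example: flag Layer 2 payloads that carry an inner Layer 1 frame."""
from typing import List, NamedTuple

# Assumed sync pattern (modeled on IEEE 802.15.4: four zero bytes, then 0xA7).
# The page names no specific radio; substitute your PHY's values.
PREAMBLE = b"\x00" * 4
SFD = b"\xa7"


class Embedded(NamedTuple):
    offset: int      # index of the SFD inside the payload
    length: int      # value of the length byte following the SFD
    complete: bool   # True if the whole inner frame fits inside the payload


def find_embedded_frames(payload: bytes, min_preamble: int = 2) -> List[Embedded]:
    """Return every place where preamble bytes + SFD + length byte appear.

    min_preamble: how many preamble bytes must precede the SFD. Receivers
    often sync on less than the full preamble, so the default is lenient.
    """
    hits = []
    pos = payload.find(SFD)
    while pos != -1:
        lead = payload[max(0, pos - len(PREAMBLE)):pos]
        # Count the preamble bytes immediately before the SFD.
        run = len(lead) - len(lead.rstrip(PREAMBLE[:1]))
        if run >= min_preamble and pos + 1 < len(payload):
            length = payload[pos + 1]
            complete = pos + 2 + length <= len(payload)
            hits.append(Embedded(pos, length, complete))
        pos = payload.find(SFD, pos + 1)
    return hits


# Constructed sample payloads (not captured traffic).
BENIGN = b"GET /index.html\x00\xa7"   # only one zero byte before 0xA7
INNER = PREAMBLE + SFD + bytes([5]) + b"hello"
SUSPECT = b"padding-" + INNER + b"-tail"

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_embedded_frames(data))
```

A hit with `complete=True` means the payload holds everything a receiver that missed the outer SFD would need to treat the inner bytes as a freestanding frame; such payloads can be logged or dropped before they reach an unencrypted wireless hop.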