DemystiPHYing 802.15.4 Digital Radio; or, How to Weaponize Fingerprinting for Packet-in-Packet Mitigation Bypasses presented at InfoSecSouthWest 2014

by Sergey Bratus, Travis Goodspeed,

Summary : The PHY layer of digital radio is commonly viewed as a black box that takes logical frames on one side of a radio connection and magically pops them out on the other (or doesn't, if control sums don't match). The internals of the black box are shrouded in mystery and magic. Antennas, modulation, and error correction are somehow involved, but they seem to exist in a different dimension that cannot be manipulated digitally at byte-level like call stacks, binaries, or parser bugs. For those of us who can't design radio circuits, it seems to be at best a minecraft game of GnuRadio blocks.
But in reality this just ain't so. The PHY in fact contains several digital layers and mechanisms, which can be manipulated without software-defined radio. We will demystify these mechanisms for the 802.15.4 PHY and will show them in action for sending arbitrary bytes and frames through the air without a software radio, sending frames that aren't heard by WIDS but heard by targets if they use different radio chips, "borrowing" error-correction logic to bypass defenses, and fingerprinting chipset families. Orson Welles may have beat us to the Packet-in-packet technique, but he has nothing on our one-eighth-of-a-nybble mitigation bypass and make-your-own-packet cut-out paper games!

Sergey Bratus: Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics to understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. In Mathematics from Northeastern University.