Presentation Title Packets in Packets: Remotely Exploiting Layer 1
In digital radios, a Layer 1 frame consists of a Preamble, a Start of Frame Delimiter (SFD), and a Layer 2 packet. When a receiver misses the SFD, it remains in a receiving state but does not know that a packet has begun. In that state, a complete Layer 1 frame placed /inside/ of the L2 frame will be mistaken for a freestanding packet, allowing an attacker to remotely inject frames into any unencrypted wireless hop of a network.
This presentation will show working, tested examples of remote Packet-in-Packet frame injection exploits for a variety of radios.
About Travis Goodspeed
Travis Goodspeed is a neighborly reverse engineer of embedded systems from Knoxville in Southern Appalachia. Lately he has been exploring the lowest layers of radio, looking for vulnerabilities in places previously–and incorrectly–assumed because of their simplicity to be of no security relevance.