Security Theater Seminar, Sun 15/Jan/2012 at 14:00 - I heard you like packets

Yossef Oren

Jan 12, 2012, 5:46:57 PM
to iritn, Galit Herzberg, security-theater-announcements

Electrical Engineering Labs Building (חשמל מעבדות), Room 146. Join us virtually!

Sunday, January 15, 2:00pm

802.11 Packets in Packets

Abstract: New to 2011, packet-in-packet exploits allow for injection of raw radio frames into remote wireless networks. In these exploits, an attacker crafts a string that when transmitted over the air creates the symbols of a complete and valid radio packet. When radio interference damages the beginning of the outer packet, the receiver is tricked into seeing only the inner packet, allowing a frame to be remotely injected. The attacker requires no radio, and injection occurs without a software or hardware bug. This lecture presents the first implementation of Packet-in-Packet injection for 802.11B, allowing malicious PHY-Layer frames to be remotely injected. The attack is standards-compliant and compatible with all vendors and drivers.

Unlike the simpler implementations for 802.15.4 and 2FSK, 802.11B presents a number of unique challenges to the PIP implementer. A single packet can use up to three symbol sets and three data-rates, switching rates once within the header and a second time for the beginning of the body. Additionally, a 7-bit scrambler randomizes the encoding of each packet, so the same string of text can be represented 128 different ways at the exact same rate and encoding.

As a demo, we intend to present a malicious string which can be embedded in any file with lots of slack space, such as an ISO image. When this image is downloaded over HTTP on 802.11B, beacon frames will be injected. For the demo, we will be injecting the SSID stack buffer overflow frames from Uninformed Volume 6.

Speaker Bio: Travis Goodspeed is a neighborly reverse engineer from Knoxville, Tennessee.

For more information about the Security Theater, please visit: http://www.eng.tau.ac.il/~consel/SecurityTheater

The Security Theater is generously sponsored by the Check Point Institute for Information Security.

To join the Security Theater Announcement mailing list, please mail the words "subscribe theater" to Yossi Oren at y...@eng.tau.ac.il
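
The abstract's remark that a 7-bit scrambler gives the same text 128 different encodings can be checked with a short model of that scrambler. This is an added example, not part of the announcement or the speaker's code. The polynomial z^-7 + z^-4 + 1 and the LSB-first bit order are taken from the IEEE 802.11 DSSS PHY specification rather than from this page, and the sample payload and function names are constructed for illustration.

```python
# Model of the 802.11 DSSS self-synchronizing scrambler (assumed from the
# IEEE 802.11 standard: G(z) = z^-7 + z^-4 + 1, bits sent LSB first).
# state bit k holds the scrambled bit sent k+1 bit-times ago.

def to_bits(data):
    """Expand bytes into a list of bits, least significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def scramble(bits, seed):
    """Transmit side: s[n] = d[n] ^ s[n-4] ^ s[n-7], register fed with output."""
    state, out = seed & 0x7F, []
    for d in bits:
        s = d ^ ((state >> 3) & 1) ^ ((state >> 6) & 1)
        out.append(s)
        state = ((state << 1) | s) & 0x7F
    return out

def descramble(bits, seed):
    """Receive side: d[n] = s[n] ^ s[n-4] ^ s[n-7], register fed with input."""
    state, out = seed & 0x7F, []
    for s in bits:
        out.append(s ^ ((state >> 3) & 1) ^ ((state >> 6) & 1))
        state = ((state << 1) | s) & 0x7F
    return out

SAMPLE = b"constructed sample payload"  # constructed input, not captured traffic

def distinct_encodings(data):
    """Count the different on-air bit streams one payload can turn into."""
    bits = to_bits(data)
    return len({tuple(scramble(bits, seed)) for seed in range(128)})

def resync_offset(data, tx_seed, rx_seed):
    """Index of the first bit from which the receiver's output is all correct."""
    bits = to_bits(data)
    rx = descramble(scramble(bits, tx_seed), rx_seed)
    bad = [i for i, (a, b) in enumerate(zip(bits, rx)) if a != b]
    return bad[-1] + 1 if bad else 0

if __name__ == "__main__":
    print("distinct encodings:", distinct_encodings(SAMPLE))
    worst = max(resync_offset(SAMPLE, t, r) for t in range(128) for r in range(128))
    print("worst-case bits before receiver is in sync:", worst)
```

The second figure shows the self-synchronizing property: a receiver that starts from the wrong register state still recovers every bit after the first seven.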
