Thursday, September 1, 2011

Remotely Exploiting the PHY Layer

or, Bobby Tables from 1938 to 2011

by Travis Goodspeed <travis at>
concerning research performed in collaboration with
Sergey Bratus, Ricky Melgares, Rebecca Shapiro, and Ryan Speers.


The following technique is a trick that some very good neighbors and I present in Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios (pdf) at Usenix WOOT 2011. As the title suggests, Orson Welles authored and implemented the attack in 1938 as a form of social engineering, but our version acts to remotely inject raw frames into wireless networks by abuse of the PHY layer. As that paper is limited to a formal, academic style, I'd like to take the opportunity to describe the technique here in my people's native language, which has none of that formal mumbo-jumbo and high-faluttin' wordsmithin'. This being just a teaser, please read the paper for full technical details.

The idea is this: Layer 1 radio protocols are vulnerable to injections similar to those that plague naively implemented SQL websites. You can place one packet inside of another packet and have the inner packet drop out to become a frame of its own. We call the technique Packet-in-Packet, or PIP for short.

As I've mentioned in my article on promiscuously sniffing nRF24L01+ traffic, every modern digital radio has a Layer 1 form that consists of a Preamble, followed by a Sync, followed by a Body. The Body here is Layer 2, and that is the lowest that a normal packet sniffer will give you. (Keykeriki, Ubertooth, and GoodFET/NRF give a bit more.)

In the specific case of IEEE 802.15.4, which underlies ZigBee, the Preamble consists of the 0 symbol repeated eight times, or 00000000. The Sync is A7. After that comes the Body, which begins with a byte for the length, a few bytes for flags, the addresses, and some sort of data. Suppose that an attacker, Mallory, controls some of that data, in the same way that she might control an HTTP GET parameter. To cause a PIP injection of a Layer 2 packet, she need only prepend that packet with 00000000A7 then retransmit a large--but not unmanageably large--number of times. I'm not joking, and I'm not exaggerating. It actually works like that.

Below is a photograph of the first packet capture in which we had this technique working. The upper packet capture shows those packets addressed to any address, while the lower capture only sniffs broadcast (0xFFFF) messages. The highlighted region is a PIP injection, a broadcast packet that the transmitter intended to only be data within the payload of an outer packet.

How it works.

When Alice transmits a packet containing Mallory's PIP to Bob, Bob's interpretation can go one of three ways, two of which are depicted in the diagram below. In the first case, as shown in the left column, Bob receives every symbol correctly and interprets the packet as Alice would like him to, with Mallory's payload sitting harmlessly in the Body. In the second case, which is not depicted, a symbol error within the Body causes the packet's checksum to fail, and Mallory's packet is dropped along with the rest of Alice's.

(Diagram: 802.15.4 PIP. Left column: the packet received correctly; right column: the PIP interpretation.)

The third interpretation, shown above in the right column, is the interesting one. If a symbol error occurs before the Body, within the Preamble or the Sync, then there's no checksum to cause the packet to be dropped. Instead, the receiver does not know that it is within a packet, and Mallory's PIP is mistaken as a frame of its own. Mallory's Preamble and Sync will mark the start of the frame, and Mallory's Body will be returned to the receiver.

In this way, Mallory can remotely inject radio frames from anywhere on the network to which she can send her payload. That is, this is a PHY-Layer radio vulnerability that requires no physical access to the radio environment. Read the WOOT paper for complications that arise when applying this to IEEE 802.11, as well as the conditions under which a PIP injection can succeed on every attempt.
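To make the three interpretations above concrete, here is an added example of a toy 802.15.4 receiver walking a symbol stream. This is my own illustration, not code from the post or the WOOT paper. It models exactly what the text describes: the receiver hunts for the 00000000 preamble followed by the A7 sync, reads the length byte, consumes the body, checks the FCS, and only then resumes hunting. The frames, addresses and the "hello " payload are constructed for the example; the checksum is the CRC-16 used for the 802.15.4 FCS; and symbols are written as hex digits in the order the post writes them, which ignores on-air nibble ordering.

```python
"""Toy symbol-level model of an IEEE 802.15.4 receiver, used to show the three
interpretations of a frame that carries a Packet-in-Packet (PIP) string.
Constructed example for this post; not code from the post or the WOOT paper.
Symbols are written as hex digits in the same order the post writes them
(preamble 00000000, sync A7), which ignores on-air nibble ordering."""

PREAMBLE = "00000000"          # eight 0 symbols
SYNC = "A7"                    # start-of-frame delimiter as written in the post
SOF = PREAMBLE + SYNC


def crc16_kermit(data: bytes) -> int:
    """CRC-16 with poly x^16+x^12+x^5+1, LSB-first, init 0: the 802.15.4 FCS."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def frame_symbols(mpdu: bytes) -> str:
    """Wrap an MPDU (without FCS) into a PHY frame: SOF, length byte, body, FCS."""
    fcs = crc16_kermit(mpdu)
    psdu = mpdu + bytes([fcs & 0xFF, fcs >> 8])
    assert len(psdu) <= 127, "802.15.4 length field is 7 bits"
    return SOF + f"{len(psdu):02X}" + psdu.hex().upper()


def receive(stream: str) -> list:
    """Walk the symbol stream as a receiver does: hunt for SOF, read the length,
    consume the body, check the FCS, then resume hunting after the frame.
    Returns (status, psdu) pairs; only 'ok' frames would be delivered upward."""
    frames, pos = [], 0
    while True:
        start = stream.find(SOF, pos)
        if start < 0:
            return frames
        p = start + len(SOF)
        if p + 2 > len(stream):
            return frames
        length = int(stream[p:p + 2], 16)
        p += 2
        if length < 2 or p + 2 * length > len(stream):
            pos = p                      # nonsense length or truncated: keep hunting
            continue
        psdu = bytes.fromhex(stream[p:p + 2 * length])
        fcs = psdu[-2] | (psdu[-1] << 8)
        status = "ok" if crc16_kermit(psdu[:-2]) == fcs else "fcs_error"
        frames.append((status, psdu))
        pos = p + 2 * length             # good or bad, the whole frame was consumed


# Constructed frames. Mallory's inner frame is a broadcast data frame
# (FCF 0x8841, seq 0x42, PAN 0xFFFF, dst 0xFFFF, src 0x0001, payload "PIP").
INNER_MPDU = bytes.fromhex("4188" "42" "FFFF" "FFFF" "0100") + b"PIP"
MALLORY_STRING = bytes.fromhex(frame_symbols(INNER_MPDU))   # 00000000A7 + len + body + FCS
# Alice's outer frame carries Mallory's string as ordinary payload data.
OUTER_MPDU = bytes.fromhex("4188" "01" "3412" "0200" "0100") + b"hello " + MALLORY_STRING
OUTER = frame_symbols(OUTER_MPDU)


def with_symbol_error(stream: str, index: int, symbol: str) -> str:
    """Model a single symbol error at the receiver."""
    return stream[:index] + symbol + stream[index + 1:]


def case_clean():
    """Every symbol received: one good outer frame, Mallory's bytes inert inside it."""
    return receive(OUTER)


def case_body_error():
    """Symbol error inside the outer body ("hello"): outer FCS fails, both are dropped."""
    return receive(with_symbol_error(OUTER, 30, "E"))


def case_sync_error():
    """Symbol error in the outer sync (A7 -> A3): the inner frame is received as its own."""
    return receive(with_symbol_error(OUTER, 9, "3"))


if __name__ == "__main__":
    for name, fn in [("clean", case_clean), ("body error", case_body_error),
                     ("sync error", case_sync_error)]:
        print(name, [(status, psdu.hex()) for status, psdu in fn()])
```

The instructive part is the last line of `receive`: after a frame is consumed, hunting resumes past its end, which is why a body error drops Mallory's packet along with Alice's while a sync error lets the inner sync be the first one the receiver ever sees.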

War of the Worlds

In 1938, Orson Welles implemented a similar exploit as a form of social engineering in order to cause panic with his War of the Worlds (mp3, transcript) performance.

Recall that PIP injection works by having the victim miss the real start of frame marker, then fraudulently including another start of frame marker inside of the broadcast. As per the FCC requirements of his time, Orson begins with a real start of broadcast marker:

ANNOUNCER: The Columbia Broadcasting System and its affiliated stations present Orson Welles and the Mercury Theatre on the Air in The War of the Worlds by H. G. Wells.


ANNOUNCER: Ladies and gentlemen: the director of the Mercury Theatre and star of these broadcasts, Orson Welles . . .

ORSON WELLES: We know now that in the early years of the twentieth century this world was being watched closely by intelligences greater than man's and yet as mortal as his own. We know now that as human beings busied themselves about their various concerns they were scrutinized and studied, perhaps almost as narrowly as a man with a microscope might scrutinize the transient creatures that swarm and multiply in a drop of water. With infinite complacence people went to and fro over the earth about their little affairs, serene in the assurance of their dominion over this small spinning fragment of solar driftwood which by chance or design man has inherited out of the dark mystery of Time and Space. Yet across an immense ethereal gulf, minds that to our minds as ours are to the beasts in the jungle, intellects vast, cool and unsympathetic, regarded this earth with envious eyes and slowly and surely drew their plans against us. In the thirty-ninth year of the twentieth century came the great disillusionment.
It was near the end of October. Business was better. The war scare was over. More men were back at work. Sales were picking up. On this particular evening, October 30, the Crosley service estimated that thirty-two million people were listening in on radios.

That introduction is two minutes and twenty seconds long, and it was scheduled to begin while a popular show on another station was still in progress. Many of the listeners tuned in late, causing them to miss the Sync and not know which show they were listening to, just as in a PIP injection! What follows is thirty-eight minutes of a first act, without a single word out of character or a single commercial message from a sponsor. The play begins in the middle of a weather report, followed by repeated false station and show announcements, a few of which follow.

We now take you to the Meridian Room in the Hotel Park Plaza in downtown New York, where you will be entertained by the music of Ramón Raquello and his orchestra.
From the Meridian Room in the Park Plaza in New York City, we bring you the music of Ramón Raquello and his orchestra.
Ladies and gentlemen, we interrupt our program of dance music to bring you a special bulletin from the Intercontinental Radio News.
We are now ready to take you to the Princeton Observatory at Princeton where Carl Phillips, our commentator, will interview Professor Richard Pierson, famous astronomer.
Good evening, ladies and gentlemen. This is Carl Phillips, speaking to you from the observatory at Princeton.
Just a moment, ladies and gentlemen, someone has just handed Professor Pierson a message. While he reads it, let me remind you that we are speaking to you from the observatory in Princeton, New Jersey, where we are interviewing the world-famous astronomer, Professor Pierson.

By repeatedly lying to the listeners about the station and the program, Welles was able to convince them that they were listening to legitimate news broadcasts of an alien invasion. Ensuring that the listener missed the starting broadcast announcement breaks the encapsulation that was intended to prevent such confusion, just as a PIP injection relies upon the start of frame to be missed in order to break OSI model encapsulation.

How the hell did this happen?

This class of vulnerability is a really, really big deal. An attacker can use it to inject raw frames into any wireless network that lacks cryptography, such as a satellite link or an open wifi hotspot. Not only that, but because the injection is remote, the attacker needs no radio to perform the injection! Not only that, but this vulnerability has sat unexploited in nearly every unencrypted digital radio protocol that allows for variable frame length since digital radio began! So why did no one notice before 2011?

Packet in Packet injection works because when Bob forwards a wrapped string to Alice over the air, he is trusting Mallory to control the radio symbols that are broadcast for that amount of time. The potential for abusing that trust wasn't considered, despite communications experts knowing full well that sometimes a false Sync was detected or a true Sync missed. This is because a symbol error in the Sync field causes the packet to be implicitly dropped, with the same behavioral effect that would be had if the error were later in the packet and it were explicitly dropped. Except when faced with a weaponized PIP injection, nothing seems strange or amiss. Sync errors were just a nuisance to communications engineers, as we security guys were staying a few layers higher, allowing those layers of abstraction to become boundaries of competence.

That same trust is given in wired networks and buses, with the lesser probability of missing a Sync being the only defense against PIP injection. Just as PIP has shown that unencrypted wireless networks are vulnerable even when the attacker is not physically present, I expect wired networks to be found vulnerable as soon as an appropriate source of packet errors is identified. Packet collisions provide this in unswitched Ethernet networks, and noisy or especially long links might provide it for more modern wired networks.

If I've not yet convinced you that this attack is worth studying, I probably won't be able to. For the rest of you, please print and read the paper and extend this research yourself. There's a hell of a lot left to be done at the PHY layer, and it might as well be you who does it.

Thank you kindly,
--Travis Goodspeed


sgstair said...

Very nice work! This illuminates the path to a lot of interesting possibilities

Joachim said...

Excellent work and as always a great presentation, you really do amazing HW things. One small, small nitpick: in the third para it reads "The idea is this: Layer 1 radio protocols are vulnerable injections". I guess the word "to" is missing.

Joachim said...


One thing the paper does not address/suggest is how to solve the situation.

How should we add injection filtering, authentication and integrity protection on L1? Especially without seriously complicating the protocols and opening up for other attacks.

Upper level layers somehow assume that they can trust the lower levels, and security mechanisms are placed at the higher levels (IPsec, WPA, HTTPS or even 802.15.4 CCM* on L2).

Unknown said...

Fascinating. Would data-whitening affect this attack?

Zuk said...

Great post!

Forrest said...

Interesting post, and a really clever name for it! ZigBee is clearly vulnerable to this attack, but I'd be shocked if the problem is widespread--I worked on this sort of system many years ago, and it was common practice to include a "scrambler" in the design--the final step before handing the bit stream off to the transmitter was to "scramble" it by looking at the bit stream and adjusting it, both so it had enough 0-1 and 1-0 transitions to ensure timing recovery on the far end... and to make sure you never transmitted anything that looked like a framing signal. The scrambler wasn't cryptographic--it was simple, deterministic, and easily reversible. Using your SQL injection analogy, it was the equivalent of "escaping" troublesome sequences in the bit stream.

ZigBee clearly doesn't incorporate a scrambler in its design, but I'd hope that this common design practice of 20-30 years ago wasn't completely forgotten...

Travis Goodspeed said...

Howdy Forrest,

You are right that scramblers can be troublesome, but at least in 802.11B, they weren't too much trouble.

When injecting at the same data rate, the scrambler is self-synchronizing and self-correcting. 802.11B specifies a preamble and Sync in the pre-scrambled state, and *any* scrambled version of them is acceptable, so the attacker doesn't need to know the scrambler state and no scrambler state will hurt the odds of injection.

When injecting a 1Mbps packet from within the body of a 2Mbps packet, which is more common, the scrambler does become a pain in the neck. Luckily, its state is only 7 bits, so at worst it only reduces the odds of injection 128 times. I've posted scrambler source code at for Verilog.
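As an added illustration of the self-synchronizing property described in the reply above, here is the 802.11 DSSS data scrambler, G(z) = z^-7 + z^-4 + 1, alongside its descrambler. This is my own code, not the post's and not the Verilog the reply links to. The message bits and the `resync_point` helper are constructed for the example; the 0x6C and 0x1B seeds are the ones the standard specifies for the long and short preambles. The point it demonstrates is that the descrambler shifts in the *received* bit rather than its own output, so whatever 7-bit state it starts from, it is producing correct bits after seven symbols.

```python
"""The IEEE 802.11 DSSS (802.11b) data scrambler, G(z) = z^-7 + z^-4 + 1, and its
self-synchronizing descrambler. Added illustration for the discussion above; it is
not the post's code nor the linked Verilog. MESSAGE and resync_point are constructed
for this example."""

TAPS = (3, 6)      # register indices holding the bits delayed by 4 and 7 symbols


def _register(state: int) -> list:
    """7-bit state as a list: reg[k] is the bit delayed by k+1 symbols."""
    return [(state >> k) & 1 for k in range(7)]


def scramble(bits, state: int) -> list:
    """Feed-through scrambler: each output bit is shifted back into the register."""
    reg, out = _register(state), []
    for b in bits:
        s = b ^ reg[TAPS[0]] ^ reg[TAPS[1]]
        out.append(s)
        reg = [s] + reg[:-1]
    return out


def descramble(bits, state: int) -> list:
    """Self-synchronizing descrambler: the received bit, not the output, is shifted in,
    so after 7 received bits the register holds exactly the scrambler's history,
    whatever state it started from."""
    reg, out = _register(state), []
    for b in bits:
        out.append(b ^ reg[TAPS[0]] ^ reg[TAPS[1]])
        reg = [b] + reg[:-1]
    return out


def resync_point(bits, tx_state: int, rx_state: int) -> int:
    """Index after which the descrambler output is correct when it starts in rx_state
    while the scrambler used tx_state. Never more than 7 (the register length)."""
    recovered = descramble(scramble(bits, tx_state), rx_state)
    bad = [i for i, (a, b) in enumerate(zip(bits, recovered)) if a != b]
    return (max(bad) + 1) if bad else 0


LONG_PREAMBLE_SEED = 0x6C    # scrambler seeds the standard specifies
SHORT_PREAMBLE_SEED = 0x1B
MESSAGE = [int(c) for c in "1011001110001111010110100011"]   # constructed bit string

if __name__ == "__main__":
    print("matched state :", resync_point(MESSAGE, LONG_PREAMBLE_SEED, LONG_PREAMBLE_SEED))
    print("wrong state   :", resync_point(MESSAGE, LONG_PREAMBLE_SEED, SHORT_PREAMBLE_SEED))
    print("worst of 128  :", max(resync_point(MESSAGE, LONG_PREAMBLE_SEED, s) for s in range(128)))
```

Because every one of the 128 possible starting states is abandoned within seven bits, the scrambler behaves as a line-coding aid rather than as the "escaping" step a receiver could rely on; the receiver's job is to accept whatever the scrambler emits for the preamble and sync, which is why the reply says no scrambler state hurts the odds when the rates match.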


Unknown said...

The possibilities that the PiP attack creates seem obvious, but I'm struggling to come up with any truly threatening or useful scenarios, specifically in 802.3 (Ethernet), which was suggested for future work in the paper because of the "staggering implications." Would anyone be so kind as to elucidate the possibilities for me?
