
CG - Demystiphying and Fingerprinting the 802.15.4/ZigBee PHY - Sergey Bratus & Ira Ray Jenkins

BSides Las Vegas | 42:35 | 41 views | Published 2016-12
About this talk
Common Ground, BSidesLV 2014 - Tuscany Hotel - August 06, 2014
Transcript [en]

Yeah, the most interesting thing is happening over there, right, like the magic, the capture, how great. Okay, so this is a talk on demystifying 802.15.4, which is the PHY layer for ZigBee, and ZigBee, you know, may be in your home, may be in your hospital, may be around your person if you're into 6LoWPAN, and it's kind of creeping up on us because of smart meters and things like that. So it's kind of important, I thought, to demystify that particular PHY layer, and we started an effort at Dartmouth doing just that, and a lot of neighbors helped: Travis Goodspeed, whose name is on the slide, but unfortunately he could not be here; he'll be here later in the week,

you can ask him questions and, you know, hang out. Ray Jenkins, who is my student, who did all the work. I'm Sergey Bratus, I'm what they call a research associate professor at Dartmouth. And here with us are Ryan Speers and David out wave, who designed the hardware peripheral that can send raw frames, wrapped up over USB, up into 802.15.4. This is not a Facedancer talk, right; if you want the Facedancer, I might have one on my person later. And so what we're going to do is demystify 802.15.4 and then learn to fingerprint it, and there might be an attack component as well. So, know thy PHY, people;

look at the end. This is of course Babylon; we are in a Babylon of various protocols, and those protocols are a mess, and those protocols have nasty surprises for us. And I will always start this with Wright's principle, which we made up and named after Joshua Wright, after his talk at ToorCon, when he presented the KillerBee framework, which Ryan and David now maintain more than half of. The principle is: security won't get better until tools for practical exploration of the attack surface are made available. That is to say, you can have all the theory and all the understanding, but until there is an easy way to poke at those

things, that you can do in Python or your other favorite scripting language, and just kick out of your USB port and have it transmitted over the air, security will not get better. And so this layered cake, those two little layers of 15.4, well, let's see how much better we can make them by poking at them. We have a suite of tools built for Scapy with which you can make 15.4 frames, and 15.4 frames are simpler than 802.11 frames, and that's the most you can say for them, because they aren't really all that simple. And it actually gets better, because the fields of that protocol are cross-dependent, and

this is what you need a Scapy module for when you build them, so that only those of the relationships that you really intend to violate and fuzz are violated and fuzzed, and the rest are correct; and you have that with our dot15d4. Now the kind of hardware that we work with comes from a few different manufacturers. There is what they call the Tmote Sky / TelosB; those were really, really common around universities for a while when sensor networks were being paid for. There is the Atmel RZUSBstick, a Freakduino Chibi that includes a 15.4 chip, and a whole bunch of others. One platform that we're not using is

software-defined radios, because those are expensive and we kind of operate on a shoestring budget. So we started with Tmotes, but Tmotes are hard to buy unless you have a line to a university that keeps throwing them out and you keep picking them up, and we literally roamed the halls harvesting the abandoned sticks plugged in in various corners, left from various sensor network experiments. Well, you can now get the ApiMote version 4 from us; I have some to give out, and this is a capable peripheral, it will do raw frame injection for you. The chip you see in the middle is the MSP430, Travis's favorite chip. This thing is actually

based on the GoodFET, as you can see by the name of the one bank of headers, and the other chip there, the one surrounded by an antenna, is a Chipcon 2420. Again, we're going to talk about it; we are going to give a talk about the architecture of this thing at the DEF CON Wireless Village, and maybe, if we have the time, Ryan will go over the schematic. But this is just literally something that you connect to your machine through USB and fire 802.15.4 frames that you make with Scapy out of. So, to quote Travis, there is this profession, liar to children; some people call it teacher, right. So you hear that there are those

things called frames, and sometimes they call them link-layer frames, and you see nice diagrams of those frames: you know, here's the frame control field, two bytes, here is the data sequence number, and here is a bunch of MAC addresses and the payload and the frame check sequence at the end. But those things don't exist; they're a lie, they are a fairy tale, if you will. Fairy tales have their uses, but what you get over the air is just this waveform. And so there is this enormous gap in the way that people think about a radio stack, and this gap is kind of like this, right: so you somehow collect a waveform, and then you

get the nice frame with byte values out of it, right. So this is the magic of abstraction, and let's just see how magical that magic is. In fact, what you get is noise; I mean, most of the time what you get is noise, and then magic happens and suddenly this noise becomes the frame, and then magic has to happen again for the frame to end and for noise to begin anew. And how does your hardware know? Well, it has little automata baked into its silicon that do this magic. Those automata differ between chips; you can fingerprint different chips from different vendors by those responses, by those automata, by their differences. And this

is where really interesting things start. So, for example, if you twist it just right, you can make chips of one maker hear the frame while none of the others do. Now think of this as, say, an IDS evasion technique, or a technique for scanning for just this particular building management, energy management system while leaving everyone else's stuff alone. So, you know, there is this magic, magic, magic happening, and the reason for this magic is that the thing is just a layer cake, and everyone eats the top layer and kind of ignores the bottom ones. So the point of this talk is to have you, you know, eat the lower layers and pound them and just basically play with them. And when we

started, I knew that something interesting was there, but really we didn't know all that much about it, and we discovered quite a few things, and, you know, this is what we're sharing. So here is what you actually get out of the air. Before that frame starts, there is other stuff in the air that your chip responds to, and this stuff is the preamble, the sync, the start-of-frame delimiter. This is what makes the magic of recording the bytes start; this is what puts the chip into the "I am in the frame" mode. And then, for the ending magic, there is a length, so only so many bytes as follow the sync will be recorded, and

you can mess with all of those three fields. So, think of your typical ZigBee peripheral as something that has a radio chip. That radio chip is connected to an antenna, gets the waveform, and what it spits out to a microcontroller, something more capable than just the radio chip, is nibbles or bytes received over the air. In the case of 802.15.4 the symbols are nibbles, half-bytes, and this is a lie, right; this too is a lie, we'll see just how much of a lie this is. And what connects those chips is a serial bus, so you just bang out the bits that you received serially with a clock, and that's how those things talk, and

this is how this thing is made. So you just send the frame that you want to send out in a buffer; that buffer goes to the microcontroller over the SPI bus, it goes to the chip, then you give the chip the command to transmit, and it transmits that buffer as waveforms. And so we're not going to look at layer 2, which is the rest of that frame; we're going to look at the highlight of layer 1, which is the preamble, the start-of-frame delimiter and the length. And this is the part that Wireshark just doesn't show you, because the chips don't give it to you; they consider it for their own consumption. But we will learn to send

those parts of the frame under our control. So what we could do, for example, is vary the size of the preamble, vary the start-of-frame delimiter, and vary the length. Now if I send you a longer length than the existing body, what will happen? The noise in the air will be picked up as the remaining bytes. So this is a very poor man's sniffer, right; we call this the packet-out-of-packet trick. So let's start from the beginning: why preamble, right? So we make our signals out of sine waves, right, so we modulate the sine wave by amplitude or by frequency or by phase. But, you know, this is for sending data; but forget

about data, how about we just learn to synchronize the clocks. And this is not trivial, because in order to receive a sine wave you have to know something about the period, about the frequency; you need clocks to do that. And the problem is that clocks drift, right; clocks drift, clocks drift considerably for the cheaper peripherals that you normally use. So you need to synchronize the clocks; this is what the preamble is for. See, you send a repetitive signal, a known repetitive signal, and an analog part of the chip synchronizes itself based on receiving that kind of a signal. And this is not actually recorded digitally, as far as we know; this is essentially the

purpose of this, to synchronize the clocks and get rid of the clock drift and adjust the clock. And of course you can fingerprint chips based on their clock drift; we've done that a few years ago at ShmooCon, if you're interested. And people have claimed that you can actually do that with a pretty good accuracy, unforgeably, and we showed that this was in fact not true, but, you know, that's a different story. And so the question is, how many of those bytes is actually enough? So four nibbles, four bytes, eight nibbles; can a clock synchronize itself with a shorter sequence? Luckily we can check that: a Chipcon 2420 has a special

register that contains the preamble length, so we can send different-sized preambles and we can receive different-sized preambles. And clocks drift differently; in fact it depends on the temperature. So the first look is, well, what if I send shorter preambles, right? And, you know, I can send up to eight; I can send shorter preambles, a preamble is eight nibbles, so what if I send no preamble at all, or just one nibble, or two, or three? And you know what, different chips actually receive those things differently. So the red is the Tmote, and the Tmote receives all of those shortened-preamble packets, frames starting with two nibbles,

and that's a Chipcon chip. The RZUSBstick, which is the Atmel chip, only hears things with six or seven nibbles, and even that not very well, and the Freakduino is somewhere in the middle. So I can talk the dialect of a particular chip just by varying the preamble and already distinguish between the chips. And the method here is, I send a beacon request, and if they hear that beacon request they respond, and we catch the response. So this is already enough to distinguish between those chips on this axis. OK, let's go on: why the start-of-frame delimiter? Well, so your preamble has synchronized your

receiver, and now you can trust the bits that you're getting, the symbols that you are getting out of your digital receiver. Remember, it's all noise, and there is always noise, and you can't tell whether there is something being transmitted or there is noise, or it's just a frame that's sent by a very weak signal. So now we have to look into the frame and, you know, start believing the miracle that we are actually receiving data. And there is a shift register that matches for the standard sync, A7, OK, and until the shift register matches and lifts that flag we're out of frame, and once it matches we're in frame, and the next thing is that we're going to record that

many bytes, and we're going to feed them as we go into our checksum routine, and then we'll know if the packet arrived intact or was damaged, was stepped on by noise, because noise can step on any byte or any nibble. OK, is there something strange with this? The start-of-frame delimiter, the preamble, they're encoded exactly the same way as the body of the frame, right. So the SFD is actually in the symbol set. This is not the case for Ethernet, this is not the case for PCI Express, this is not the case for the packet radio; it is the case for 802.15.4, and it is actually the case, kind

of, for 802.11 b, n, g. The problem with b and g is that they switch the modulation in the middle of the frame as a part of the transition from b to g, and of course n is even more interesting; it might work for a. But let's see what we can do with that. So here is this packet: what happens if that particular sync turns into a pumpkin? You know, there is always noise, right. What happens is, you can actually send a packet that contains in its body, which is modulated and encoded exactly the same as the PHY preamble and sync, the preamble, the sync and the body of a frame, in frame, and that frame will be received as the valid one, because the

start-of-frame delimiter will sync on the sync in the body of the frame. So we call this packet-in-packet, and we described this in 2011. So, you know, here's a full frame, right, and if the sync goes bad, turns into a pumpkin, then that will be heard. Think about this: you can transmit raw PHY-layer payloads if you control the higher layer, the application layer of the frame. When 6LoWPAN becomes a thing, IP packets over ZigBee become a thing, you can actually email a beacon. Aren't those things wonderful? I mean, hey, the people who designed this aimed for simplification of the protocol compared to 802.11; they simplified it too much. So you can send a 15.4 frame without

the radio; the only thing you want is noise. There is always noise, there is absolutely always noise, and the noise is actually peaked, so it tends to kill one or two nibbles, as it were. Well, yeah, so this is the packet-in-packet paper. Orson Welles actually pulled that trick in his famous War of the Worlds broadcast, and, you know, go online and listen to Travis's talk about that; that got a Pwnie award, that trick got the Pwnie award in 2011. All that I told you so far was actually a lie, that thing about nibbles being sent over the air; well, they're not. What is being sent over the air, what is being sent over the air is chips. A chip
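The receive automaton the speaker describes (hunt for the SFD, read the length, record exactly that many bytes, check the FCS) is simple enough to model at nibble resolution, and both tricks above fall out of the model: lying about the length makes the automaton record whatever follows the frame, and a noise hit on the outer SFD makes it sync on a second preamble and SFD carried inside the payload. The block below is an added example written for this page; it is not code from the talk, from KillerBee or from the Scapy dot15d4 layer the speaker mentions. The frame contents, the trailing "noise" nibbles and all function names are constructed for illustration.

```python
# Added example, not code from the talk or from the KillerBee/Scapy dot15d4 tooling it
# mentions: a nibble-level model of the 802.15.4 PHY receive automaton (hunt for SFD,
# read length, collect bytes, check FCS), used to reproduce the "lie about the length"
# and packet-in-packet effects. Frame contents, noise nibbles and names are constructed.

PREAMBLE = [0x0] * 8     # four 0x00 bytes on the air, i.e. eight zero nibbles
SFD = 0xA7               # the standard start-of-frame delimiter

def crc16_itut(data: bytes) -> int:
    """CRC-16 used for the 802.15.4 FCS: x^16+x^12+x^5+1, bit-reflected, init 0."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def to_nibbles(data: bytes) -> list:
    """Each byte goes out low nibble first."""
    out = []
    for b in data:
        out += [b & 0xF, b >> 4]
    return out

def from_nibbles(nibs) -> bytes:
    return bytes(lo | (hi << 4) for lo, hi in zip(nibs[0::2], nibs[1::2]))

def build_phy_frame(psdu: bytes, preamble=PREAMBLE, sfd=SFD, length=None) -> list:
    """Preamble + SFD + length + PSDU + FCS as the nibble stream the radio emits.
    `length` normally counts the PSDU plus the two FCS bytes, but it can be lied about."""
    body = psdu + crc16_itut(psdu).to_bytes(2, "little")
    if length is None:
        length = len(body)
    assert length <= 127, "the PHY length field is 7 bits wide"
    return list(preamble) + to_nibbles(bytes([sfd, length])) + to_nibbles(body)

def receive(nibbles, sfd=SFD) -> list:
    """The little automaton baked into the silicon, at nibble resolution: no frame exists
    until the two-nibble shift register matches `sfd`; then exactly `length` bytes are
    recorded, whatever is in the air, and the last two are compared with the FCS.
    Returns a list of (psdu, fcs_ok) for every frame the automaton believed it saw."""
    frames = []
    i = 0
    while i + 1 < len(nibbles):
        if from_nibbles(nibbles[i:i + 2])[0] != sfd:
            i += 1                       # out of frame: keep sliding
            continue
        i += 2                           # in frame
        if i + 2 > len(nibbles):
            break
        length = from_nibbles(nibbles[i:i + 2])[0]
        i += 2
        body = from_nibbles(nibbles[i:i + 2 * length])
        i += 2 * length
        if len(body) < 2:                # the air ran out before the promised bytes did
            break
        psdu, fcs = body[:-2], int.from_bytes(body[-2:], "little")
        frames.append((psdu, crc16_itut(psdu) == fcs))
    return frames

# A constructed beacon-request-shaped PSDU; the bytes are illustrative, not a parsed MAC header.
INNER_PSDU = bytes.fromhex("0308a5ffffffff07")
# The outer frame's payload carries the inner frame, preamble and SFD included, because on
# the air the PHY header is encoded exactly like any other byte. "418800" is a constructed header.
OUTER_PSDU = bytes.fromhex("418800") + from_nibbles(build_phy_frame(INNER_PSDU))

def packet_in_packet_demo():
    """Returns (frames seen with a clean outer SFD, frames seen when noise hits the outer SFD)."""
    clean = build_phy_frame(OUTER_PSDU)
    damaged = clean[:]
    damaged[8] ^= 0x1      # the outer SFD occupies nibbles 8 and 9, right after the preamble
    damaged[9] ^= 0x1
    return receive(clean), receive(damaged)

NOISE = [0xD, 0xE, 0xA, 0xD, 0xB, 0xE, 0xE, 0xF]   # constructed "noise" nibbles following the frame

def length_lie_demo():
    """Promise 9 bytes where only 5 follow: the automaton records four bytes of whatever is in the air."""
    air = build_phy_frame(b"\x01\x02\x03", length=9) + NOISE
    return receive(air)
```

With a clean outer SFD the whole outer frame, inner frame included, is delivered as one valid packet; with the outer SFD corrupted the automaton slides until it hits the inner preamble and SFD and delivers the inner frame as valid, with a correct FCS, without any of the outer bytes. The length lie returns one frame whose FCS check fails but whose body ends in the noise nibbles that followed the real frame.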

is an error-correcting code. So when I say that the symbol is a nibble, it's not actually true; the nibble is this sequence of ones and zeros which are error-corrected. That is to say, if you receive one of those with a few bits flipped, you take the next closest by the bit-difference distance and you get your nibble, and this is in the silicon of the chip, and it can be exploited. So this is, you know, for example, the difference, the distance between those two codes, for the nibbles 1 and 0, is 16 bits; the difference between... and that's enough, basically, you need less than 16 bits flipped by the

noise to recover the symbol. This is pretty good, right. This happens before the SFD match, so in fact you can use the error-correcting logic to send those sequences out of alignment. You're seriously helped in this by the fact that those codes are actually rotated; they are circular copies of themselves in two orbits, as we call them, and Travis was playing the cutout game with those, and if you look at the International Journal of PoC||GTFO, the previous issue, you will find that cutout game and you can play it yourself. So these are bits, if you write them as hex; remember, this is the code that underlies the nibbles, you can see that they are

rotated. If you misalign those, which you can do with the packet-in-packet trick that we just discussed... no, this is great, please allow me to... yes, OK. So if you misalign your chips by 18... I thought I killed that thing; well, now I did. So you can actually send a stream of symbols that will be received as nothing like it was sent. This is really interesting, because if you are matching the packet-in-packet tricks and you're trying to see that there is no packet in the payload, and you try to insert a few bytes before, after the SFD, and then account for that and then exclude that from the payload, as some

researchers have done, you're thwarted, because if you send a sequence that is misaligned by one eighth of your nibble in chips, that will be read as the SFD, because, you see, those codes are really well aligned. So what that means is that the distance between them is much less than the 16 of the error correction, so you will be receiving a frame that is nothing like it was sent. All you need to do is desynchronize by that much of a nibble. So you sort of have this illusion of the PHY layer taking a frame and transmitting a frame, and you getting a frame, and you expect to get a

frame that was never that way, that was assumed, or you expect to not get it because it was damaged by noise. Nowhere in your threat model is the idea that you could be getting a completely different valid frame than the one that was transmitted, yet the magic of the PHY makes this possible. So you can actually receive frames that share no symbol with the sent frame; it's interesting. So, and again, those tricks you can do if you control the stream of bytes that goes out of your radio, and you can do that. OK, so then of course, for completeness, we should look at the modulation of chips, and modulation is, you know, conceptually quite simple.
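The "two orbits" and the one-eighth-of-a-nibble misalignment can be checked directly against the chip table of the standard: a nibble is spread to 32 chips, symbols 1 to 7 are cyclic shifts of symbol 0 by 4 chips each, and symbols 8 to 15 are the same eight with every odd-indexed chip inverted, so a receiver that slips by 4 chips (one eighth of a symbol) sees a clean, zero-error sequence for a different nibble. The block below is an added example written for this page, not code from the talk or from the PoC||GTFO cutout it refers to; the despreader picks the nearest sequence the way the speaker describes the silicon doing it, and all function names are this example's own.

```python
# Added example, not from the talk or from the PoC||GTFO cutout: the sixteen 32-chip
# sequences of the 2.4 GHz O-QPSK PHY of IEEE 802.15.4 and a nearest-sequence despreader,
# used to show how far a clean symbol stream is "error-corrected" away from what was sent
# once the chip alignment is off by 4 chips. Function names are this example's own.

# Chip sequence for symbol 0, first chip first, as tabulated in the standard; the other
# fifteen are derived from it: symbols 1..7 are cyclic shifts by 4 chips each, and
# symbols 8..15 are symbols 0..7 with every odd-indexed chip inverted.
SEQ0 = "11011001110000110101001000101110"

def _rotr(s: str, n: int) -> str:
    n %= len(s)
    return s[-n:] + s[:-n] if n else s

def _invert_odd(s: str) -> str:
    return "".join(c if i % 2 == 0 else ("0" if c == "1" else "1") for i, c in enumerate(s))

CHIPS = [_rotr(SEQ0, 4 * n) for n in range(8)]
CHIPS += [_invert_odd(s) for s in CHIPS[:8]]

def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))

def min_distance() -> int:
    """Smallest Hamming distance between any two of the sixteen sequences."""
    return min(hamming(CHIPS[a], CHIPS[b]) for a in range(16) for b in range(a + 1, 16))

def spread(symbols) -> str:
    """Symbols (nibbles) to chips, as the transmitter does."""
    return "".join(CHIPS[s] for s in symbols)

def despread(chips: str, offset: int = 0) -> list:
    """Chips back to symbols, 32 at a time starting at `offset`, picking the closest
    sequence the way the receiver's correlator does. Returns (symbol, chip_errors) per window."""
    out = []
    for k in range(offset, len(chips) - 31, 32):
        window = chips[k:k + 32]
        best = min(range(16), key=lambda s: hamming(window, CHIPS[s]))
        out.append((best, hamming(window, CHIPS[best])))
    return out

def flip(chips: str, positions) -> str:
    """Simulate noise stepping on individual chips."""
    bits = list(chips)
    for p in positions:
        bits[p] = "0" if bits[p] == "1" else "1"
    return "".join(bits)

def misalignment_demo():
    """Preamble (eight 0 symbols) and SFD 0xA7 (symbols 7 then A, low nibble first),
    despread in alignment, 4 chips early and 4 chips late. Returns the three symbol lists."""
    stream = spread([0] * 8 + [0x7, 0xA])
    return ([s for s, _ in despread(stream, 0)],
            [s for s, _ in despread(stream, 4)],
            [s for s, _ in despread(stream, 28)])
```

Three chips flipped in a symbol-0 sequence still decode to 0 with three chip errors, which is the error correction the speaker describes; the same symbol-0 stream read 4 chips off decodes, with zero chip errors, to a run of 7s or 1s, so the receiver has no way to tell a misaligned preamble from a genuinely transmitted string of 7s.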

Again, you have your sine wave at a particular frequency and you can do things to it, modify it, and the receiver on the other hand will pick up on that. So you can have amplitude modulation or frequency modulation or phase-shift modulation. So we can have just on-off keying, and on-off keying is just, well, you have a telegraph key and you press it and, hey, there comes the sine wave, and then you let it go and then there is no sine wave, and then of course this is the Morse code. What you can do is, you can actually transmit Morse code if you can control a higher-

level protocol. So this is Morse code over 802.11, and this is a cosine of that that you can transmit that way, and this is a really good signal, because, yeah, you know, Wi-Fi has its own modulation, but that doesn't matter; it could really be made to look like on-off keying. So PHY layers nest; you can emulate one PHY layer with another. That is interesting, isn't it? So you can actually man-in-the-middle an SSL session that way and hear it from rather far away, right, and you just need to control the higher layer. So the PHY is not the black box.

Well, there is frequency-shift keying, when you send a slightly faster oscillating signal and a slightly slower oscillating one, and this is what Bluetooth uses. That's also interesting, because you will hear a ghosting of that on the neighboring channel, if you think about this, and it's an inverted signal. With phase-shift keying you shift the phase of the sine wave, so think of it as sending sine or cosine, and again think of it as you having a sine wave going and a cosine wave going, which are just shifted in time, in phase, and then you switch between the two depending on whether you want to send one or zero. And a variation

on that is what is used for BPSK. We're working on ways to cheat chips and to transmit signals that are both PSK and something else at once. But again, once you understand how that works it becomes easy, it becomes demystified. So a 0 is a 0 and a 1 is a 1, except when they aren't. So that thing about chips, right, that was a lie as well, right; they're just pieces of the sine wave. So now we come to the real question: do radios have dialects? Well, in fact they do. We can send arbitrary symbol streams with the CC2420 and we can align them differently, and the chip actually has

a register that allows us to change the start-of-frame delimiter, so we can set it to something which is not the standard start-of-frame delimiter and transmit anything we like as the inner packet of the frame. So just think of it as an arbitrary injection utility, just like you can use a raw socket to inject into your Ethernet. We corrupt the packets, we find out what corruptions work, and this has two uses. One use is that we can fingerprint those chips by what corruptions, what variations they respond to, and the other is that we can bypass wireless intrusion detection systems, and this is separate from any manipulation of signal strength or range

or anything like that; this is purely logical, what sort of bits you send for your preamble and SFD. And so we had this argument with Travis; he's like, fingerprinting, man, you know, here's your Captain Obvious, right: a rock is a rock, great, and of course radio chips are all different. And then you start to think, well, who else looked at how basic chemical elements are different, right? So their nuclei differ in the number of neutrons that you have, still the same element, a bit heavier kernel, so until then who cares, until it turns out that you actually do care and you discover a thing that goes boom, and this is the chain reaction, and this is the nuke. So

we called our fingerprinting system Isotope for that reason. So let's talk about the actual fingerprinting and what we can do. This one we'll call the Cumberland Gap, because the Cumberland Gap is how you get to Tennessee from the east, and this is Travis's native culture, and I can actually... I will not try to sing the song: "drink a little whiskey, take a little nap, we're fifteen miles from the Cumberland Gap". He tells me that everything I sing comes out as "hop on the Magic School Bus", so yeah, no vocals. So here is a normal frame, and it's got the eight nibbles of the preamble, which of course are chips, which of course are

pieces of sine waves, and then the start-of-frame delimiter. The interesting point is that the start-of-frame delimiter is matched after all of the chip and sine magic. What if we send... and we already tried reducing the preamble, but what if we send the preamble, then the start of frame, then a bad length or a bad SFD, and then start a new packet? So presumably the chip would spend some time to recover from this badness, and you can fingerprint the timing difference. Here's another one which turned out to be simpler and work better: in the preamble, some of those zeros you replace with F's. We call

it Franconia Notch, because this is how you get to New Hampshire, where we all... we are, we're all neighbors, from, you know, less hospitable parts of New England such as Massachusetts. So again, drink a little whiskey, take a little nap. There is another one that we call the Franconia Bridge; this one uses the full preamble but inserts garbage bytes of F's between the start-of-frame delimiter and the preamble. So now you think, how could this be? Well, the preamble mostly pertains to the analog part of the chip; the SFD is matched digitally by the shift register. Those extra F's, well, maybe they won't bring that chip out of sync,

depending on how many there are. So they sort of bridge that space between the preamble and the SFD, and here's your typical New Hampshire covered bridge, because getting snow off bridges in the winter kind of sucks. So here is the Franconia Notch in detail, right: so you start replacing the preamble with your F's and you start sending those frames, and what do you see? The Atmel chip on the RZUSB will get them all; the Chipcon chip will not, except for a weird fluke, that one in the second column. So you can actually have an Atmel chip hear your frames and respond to them while the Chipcon chip is none the wiser and

thinks that there are no packets in the air, that there is only garbage. Isn't that interesting? So in that range you can remain unheard even though you're transmitting like crazy. Now think of those chips, say, sitting in your thermostats or your smart meters. Smart, right; there is this joke about, you know, if you call something a science it usually isn't; that pertains to computer science to a certain extent. Well, so if you call something smart, it usually isn't. So, you know, some people say, you know, smart grid or, you know, smart homes, and what you hear is, like, really, really dumb systems that you can... five minutes, yes, okay. So, and we

have similar results across other chips, and they are in our technical report, which is posted online; you're welcome to it. This is what you actually hear with a packet analyzer that comes with the RZUSB stick that gives you the preamble, right. So this is the pcap, and you can see that only a few of those packets with the full preambles make it and others don't. So we decided to call this a dialect, right: you speak past some chips to the others. Of course, what you speak might be an actual exploit or, you know, an actual fake frame or something like that. So another name for that dialect is shaped charge, and
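The three probe families named above (Cumberland Gap: a shortened preamble; Franconia Notch: preamble zeros replaced by F's; Franconia Bridge: F's wedged between preamble and SFD) are all just choices of the nibbles a raw-injection radio sends ahead of the beacon request, and a fingerprint is the vector of which probes drew a response. The block below is an added example written for this page, not the Isotope tool from the talk: it generates those probe headers and matches an observed response vector against a signature table. The signature table is a constructed, simplified reading of the results the speaker quotes (Tmote hears from two preamble nibbles up and ignores Franconia Notch frames; the RZUSBstick needs six or seven nibbles and hears all of them), not measured data, and every function name is this example's own.

```python
# Added example, not the Isotope tool from the talk: builds the Cumberland Gap, Franconia
# Notch and Franconia Bridge probes as raw preamble/SFD nibble streams and matches a
# device's observed answers against a signature table. The signatures are a constructed,
# simplified reading of the results quoted in the talk, not measured data.

PREAMBLE_LEN = 8            # standard preamble: eight zero nibbles
SFD_NIBBLES = (0x7, 0xA)    # 0xA7, low nibble first

def cumberland_gap(n: int) -> list:
    """Shortened preamble: only n of the eight zero nibbles, then the SFD."""
    return [0x0] * n + list(SFD_NIBBLES)

def franconia_notch(f_positions) -> list:
    """Full-length preamble with the zero nibbles at f_positions replaced by F."""
    return [0xF if i in f_positions else 0x0 for i in range(PREAMBLE_LEN)] + list(SFD_NIBBLES)

def franconia_bridge(n: int) -> list:
    """Full preamble, then n nibbles of F wedged between the preamble and the SFD."""
    return [0x0] * PREAMBLE_LEN + [0xF] * n + list(SFD_NIBBLES)

def probe_set() -> dict:
    """Probe name -> PHY header nibbles. The PSDU (a beacon request) follows on the air."""
    probes = {f"gap:{n}": cumberland_gap(n) for n in range(PREAMBLE_LEN + 1)}
    probes.update({f"notch:{i}": franconia_notch({i}) for i in range(PREAMBLE_LEN)})
    probes.update({f"bridge:{n}": franconia_bridge(n) for n in (1, 2, 4, 8)})
    return probes

def signature(min_preamble: int, hears_notch: bool) -> dict:
    """Expected answer per probe: True/False = responds or not, None = not reported in the talk."""
    sig = {}
    for name in probe_set():
        kind, _, arg = name.partition(":")
        if kind == "gap":
            sig[name] = int(arg) >= min_preamble
        elif kind == "notch":
            sig[name] = hears_notch
        else:
            sig[name] = None
    return sig

# From the talk: the Tmote (Chipcon) answers from two preamble nibbles up and ignores
# Franconia Notch frames; the RZUSBstick (Atmel) needs six or seven nibbles and answers
# all of the Franconia Notch frames. Bridge behaviour is not quantified there, so it is None.
SIGNATURES = {
    "Chipcon CC2420 (Tmote)": signature(2, False),
    "Atmel (RZUSBstick)": signature(6, True),
}

def fingerprint(observed: dict):
    """observed: probe name -> whether a response was caught. Returns (best match, agreement)."""
    best = ("unknown", 0.0)
    for name, sig in SIGNATURES.items():
        scored = [(p, r) for p, r in sig.items() if r is not None and p in observed]
        if not scored:
            continue
        agreement = sum(observed[p] == r for p, r in scored) / len(scored)
        if agreement > best[1]:
            best = (name, agreement)
    return best
```

Scoring only the probes a signature actually has an entry for is what lets the "weird fluke" the speaker mentions (one Franconia Notch frame that the Chipcon did accept) lower the agreement without flipping the verdict; a target that answers none of the probes a signature predicts scores 0 and stays "unknown".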

you're welcome, again, you're welcome to play with these things. Well, PHY is not mysterious; PHY is, in fact, certainly not a black box, and the interesting thing is that all the boundaries between the layers are imaginary. All the boundaries between constructs of those layers, such as bits or nibbles or symbols or bytes or fields of a frame, they're all imaginary; they do not exist, they're a lie, they're a fairy tale told to engineers to allow them to sleep, and then of course what comes out of that is pwnage. So the deeper the layer, the simpler are its machines, because they don't know the intent of what they receive; they just match a particular

sequence of symbols or nibbles and then checksum them and do those things. So in fact you can send things, you can receive things that were never sent as such. You know, of course, the lesson of this is that layers of abstraction become boundaries of competence, and fairy tales do have a use, but they are also quite dangerous if you base your security on them. So fairy-tale-based security of layers of the network stack is prevalent, and we are in fact in Babylon with respect to the design of protocols. And, you know, Tower of Babel; imagine the Tower of Babel somewhere in the picture, and enjoy it, you know, enjoy Babel.