
Source: vibhu/wireless/PIPExploits.pdf

Packet-in-packet Exploits on 802.15.4

Michael Millian, Dartmouth College

Vibhu Yadav, Dartmouth College

Abstract—This paper presents an outline of packet-in-packet injections and the techniques that can be used to carry out such attacks. For the experiments ZigBee was chosen as the wireless standard, both because it forms a mesh network and because of the increasing number of ZigBee devices populating the Internet of Things market. Injections like these leave mesh devices that talk to each other in a vulnerable state, and such attacks can give a malicious user the freedom to harm these IoT devices. Our results show that this type of attack is viable and is able to intrude into a mesh network. Further research might use different wireless standards as carriers for such an attack and use adjacent channels to avoid intrusion detection systems.

Keywords—ZigBee, 802.15.4, packet-in-packet, intrusion detection systems.

I. INTRODUCTION

In 1938 Orson Welles broadcast the radio drama “War of the Worlds” for the first time. The show begins seven minutes before the hour and, after a two-minute introduction, the hour-long drama proceeds without commercial breaks, although several cuts and “commercial breaks” are written into the script. The result is that anyone tuning in late, after the introduction, mistakes the radio drama for a real broadcast. This misinterpretation of a message payload as a message proper is the first cited example of a packet-in-packet attack [1].

Packet-in-packet allows a user to send an ordinary radio signal that, because of quirks at the physical layer, is parsed differently a small percentage of the time [1, 2, 3]. The technique has a place in the attacker's toolkit, as a means to avoid detection while injecting malicious frames, and for an ordinary user, as a way to send covert, off-band transmissions that an eavesdropper will log with incorrect data and metadata.

In this paper we explore several packet-in-packet attacks on radio protocols, specifically 802.15.4. ZigBee is becoming popular among Internet of Things devices [4]. The proliferation of IoT devices will result in widespread use of ZigBee and the underlying 802.15.4 protocol. ZigBee devices consume very little power compared to WiFi and Bluetooth and are thus an ideal choice for IoT devices [3, 4]. Our work on understanding 802.15.4 is therefore timely.

One use for packet-in-packet is implementing a version of firewalking. Because ZigBee sensors are likely configured in a mesh network [4], we can transmit a packet that morphs as it traverses the network, obfuscating the original sender.

We provide a proof-of-concept for some packet-in-packet techniques, and propose more research into physical layer spoofing to allow non-homogeneous radio sets to communicate. We also discuss the possibility of ghosting and of using other wireless standards like WiFi as carriers for ZigBee packets.

A. 802.15.4 Physical Layer

The physical layer (L1) packet of 802.15.4 contains a physical header and a physical payload, the latter being the frame at L2, the data link layer [5]. Fig. 1 shows how the packet looks superficially and the noise that surrounds it. Fig. 2 gives the detailed fields inside the physical frame of a ZigBee packet. ZigBee transmits over the air and, much like WiFi, in the 2.4 GHz band. It differs from WiFi in its modulation technique and in transmitting at lower power, which makes ZigBee devices consume far less power than their counterparts. Being in the 802.15 family, this network is aimed at mesh/PAN (personal area network) deployments, like Bluetooth, and devices are able to share packets with other ZigBee devices on the same network.

Fig. 1. A Physical Frame at L1

Fig. 2. Detailed Physical Frame with all the fields

The CC2420 uses O-QPSK (offset quadrature phase shift keying) with half-sine pulse shaping [6], which differs from 802.11a (OFDM, orthogonal frequency-division multiplexing), 802.11b (DSSS, direct-sequence spread spectrum), 802.11g (OFDM, with DSSS retained for compatibility) and 802.11ac (OFDM). The four states of O-QPSK let the radio carry two chips per symbol period, one on the I channel and one on the Q channel; the Q channel is offset by half a chip period relative to I, see Fig. 3. The chip has no general-purpose processor of its own: the protocol logic above the radio runs on the host microcontroller. The transceiver is configured for either transmit or receive mode depending on the mode required, and hence is half-duplex.

This physical-layer propagation is really important to understand in order to fully utilize complex attacks at the physical layer. Given how different the modulation techniques are for ZigBee and WiFi, an 802.15.4 packet inside an 802.11 packet is not feasible directly. Simply putting a ZigBee packet in a WiFi packet did not work. But if somehow a mapping of the four O-QPSK states onto OFDM were achievable, thereby tricking the O-QPSK states into an FSK-like encoding (frequency shift keying, where one frequency carries a 1 and another a 0), it would be really interesting. This has been left for future work. Ghosting attacks might be possible once the four states and the channel mapping are aligned, and will require a bit of radio engineering sophistication. This also has been left for future work.

Fig. 3. O-QPSK signal transmitting on I and Q channels

B. Setup

For this paper, we used the API-Mote with the CC2420 transceiver to transmit and receive 802.15.4 packets. The API-Mote is a custom ZigBee transceiver built by River Loop Security. We wrote our packets in Python using Scapy (a Python library for packet crafting) and the KillerBee framework (open-source libraries that also support a few other radio firmwares besides the API-Mote). We view received packets in Wireshark and save the results from Wireshark as pcap files. Because the API-Mote is half-duplex, we use one API-Mote as a transmitter and one as a receiver. For a particular injection like the firewalk we needed four of these devices and mapped the range of transmissions.

Fig. 4. API-Mote with CC2420 Wireless transceiver

Fig. 5. Packet with source 0xdead and destination 0xbeef, containing another packet inside it

Fig. 6. Packet with source 0xdeaf and destination 0xcafe, which reveals itself when the injection is successful

II. TYPES OF ATTACKS

A. Packet-in-Packet using SFD - A7

Our basic packet-in-packet injection is accomplished by writing a valid packet, including its physical header, as the payload of another packet. If we repeatedly transmit this message, then some percentage of the time the receiver will see the inner packet instead of the outer one. We now discuss how such an injection occurs.

When the physical header of the packet in Fig. 5 is mangled, the receiver hears the beginning of the packet as noise until it reaches the synchronization header we injected: the preamble \x00\x00\x00\x00, the SFD \xa7 and the length byte \x1a. From there the inner packet is seen as a packet proper instead of as part of a payload. The inner packet is shown in Fig. 6. Notice that while we can see the physical header of the inner packet in Fig. 5, it is stripped before the frame is passed up to the link layer where we capture it.

802.15.4 requires 8 symbols (4 bytes) of zero as the physical layer preamble, and previous research fingerprinting chipsets found that some ZigBee firmware will begin receiving a message after only 1 symbol of zero [3]. Thus the zero sled we use is longer than necessary for a successful packet-in-packet. The zero sled was used to pad the packet to a specific length, 90 bytes, to test if we see single symbols

Previous research indicated that 802.15.4 packets are shorter than bursts of environmental noise (caused by other users of the 2.4 GHz band). If this were true, then interference would only clobber the entire packet, clobber the end of the packet, or clobber the beginning of the packet. Only in the last case, when the physical header is destroyed but the physical payload is unscathed, does packet-in-packet succeed [2]. We saw, however, that in a number of cases single bits would flip within the packet. If the length field in the physical header changes value, this gives the inner packet another way to escape. We see the effect of such a flip in Fig. 7, where the length-90 packet of Fig. 5 becomes a length-106 packet. We know that the symbols \x1a didn't flip because we received the packet, and we see that the first symbols in the packet didn't flip either.

Fig. 7. a 106 bytes long dead beef packet containing an inner packet
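The following Python program is added here to make the mechanism of the A7 injection (and of the length variant described in Section II.C) concrete; it is not code from the paper or from KillerBee. It builds an 802.15.4 PHY frame whose MAC payload carries a second, complete PHY frame (0xdead to 0xbeef outside, 0xdeaf to 0xcafe inside, as in Figs. 5 and 6) and feeds byte streams to a toy receiver that hunts for preamble plus SFD, reads the PHR length, consumes the PSDU and hunts again. Dropping the outer synchronization header models the A7 case; shrinking the outer length byte so that the outer PSDU ends exactly where the inner header begins models one reading of the length case. The payload text, PAN ID, filler bytes and the noise prefix are constructed, and the byte-level receiver is a simplification (a real radio syncs on chips and may accept fewer zero bytes than the full preamble).

```python
"""Packet-in-packet on 802.15.4, byte-level model (added example, not the paper's code)."""
import struct

PREAMBLE = b"\x00\x00\x00\x00"   # 4 octets = 8 zero symbols
SFD = b"\xa7"                    # start-of-frame delimiter
SYNC = PREAMBLE + SFD
MAC_HDR_LEN = 9                  # FCF(2) + seq(1) + dst PAN(2) + dst(2) + src(2)

# Constructed sample data, not taken from the paper.
INNER_PAYLOAD = b"hello from deaf"   # 15 bytes -> inner PSDU of 26 = 0x1a bytes
FILLER = b"PIP!"                     # padding between outer MAC header and inner SHR
PAN_ID = 0x1234


def crc16_802154(data: bytes) -> int:
    """802.15.4 FCS: 16-bit ITU-T CRC, bit-reflected (CRC-16/KERMIT, poly 0x8408, init 0)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def mac_data_frame(src: int, dst: int, payload: bytes, seq: int = 0) -> bytes:
    """Data frame with 16-bit addresses and PAN ID compression (FCF 0x8841), FCS appended."""
    body = struct.pack("<HBHHH", 0x8841, seq, PAN_ID, dst, src) + payload
    return body + struct.pack("<H", crc16_802154(body))


def phy_frame(psdu: bytes) -> bytes:
    """PPDU = SHR (preamble + SFD) + PHR (7-bit length) + PSDU."""
    if len(psdu) > 127:
        raise ValueError("PSDU exceeds aMaxPHYPacketSize")
    return SYNC + bytes([len(psdu)]) + psdu


def receive(stream: bytes) -> list:
    """Toy receiver: sync on preamble+SFD, read PHR, take the PSDU, then hunt again.
    Returns (src, dst, fcs_ok) for every frame it believes it saw."""
    frames, i = [], 0
    while True:
        j = stream.find(SYNC, i)
        if j < 0 or j + len(SYNC) >= len(stream):
            break
        length = stream[j + len(SYNC)] & 0x7F
        start = j + len(SYNC) + 1
        psdu = stream[start:start + length]
        if len(psdu) >= MAC_HDR_LEN + 2:
            _fcf, _seq, _pan, dst, src = struct.unpack_from("<HBHHH", psdu)
            fcs_ok = crc16_802154(psdu[:-2]) == struct.unpack("<H", psdu[-2:])[0]
            frames.append((src, dst, fcs_ok))
        i = start + length          # resume hunting after the claimed frame end
    return frames


def build_pip_frame():
    """Outer 0xdead -> 0xbeef frame whose payload is a full inner 0xdeaf -> 0xcafe PPDU."""
    inner = phy_frame(mac_data_frame(0xdeaf, 0xcafe, INNER_PAYLOAD, seq=1))
    outer = phy_frame(mac_data_frame(0xdead, 0xbeef, FILLER + inner, seq=2))
    return outer, inner


def corrupt_length(frame: bytes, new_len: int) -> bytes:
    """Overwrite the PHR length byte, modelling bit flips in the physical header."""
    return frame[:5] + bytes([new_len & 0x7F]) + frame[6:]


def run_cases() -> dict:
    outer, _inner = build_pip_frame()
    clean = receive(outer)
    # A7 case: outer preamble, SFD and PHR are clobbered; the receiver hears noise
    # (constructed bytes) until the inner SHR and parses the inner packet as a frame.
    a7 = receive(b"\x3c\x19\x80" + outer[6:])
    # Length case: the outer PHR shrinks so the outer PSDU ends right where the inner
    # SHR begins; the outer FCS fails and the receiver re-syncs on the inner frame.
    inner_offset = MAC_HDR_LEN + len(FILLER)
    length = receive(corrupt_length(outer, inner_offset))
    return {"clean": clean, "a7": a7, "length": length}


if __name__ == "__main__":
    for case, frames in run_cases().items():
        print(case, [(hex(s), hex(d), ok) for s, d, ok in frames])
```

In the length case the truncated outer frame fails its FCS while the inner frame passes, so a MAC layer that silently drops bad-FCS frames delivers only the 0xdeaf to 0xcafe packet, which is exactly what the captures in Figs. 6 and 7 show from the receiver's point of view.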


B. Chip Rotation - B0

Each layer-2 symbol is not sent over the air as 4 bits. Instead, each 4-bit symbol is mapped to a string of 32 “bits”, called chips, and that chip sequence is broadcast. This direct-sequence spreading provides a measure of error correction: when the receiver collects 32 chips, it matches them to the closest symbol by Hamming distance. The distance between any two distinct symbol sequences is between 12 and 20, so the system tolerates some noise.

Rewriting the chips for each symbol from Fig. 8 in hex notation yields Fig. 9. This notation makes it easier to see that the chip encoding comprises two rotating rings: symbols 0 to 7 are 4-chip cyclic rotations of one 32-chip sequence, and symbols 8 to 15 are the same rotations with the odd-indexed chips inverted. If the receiver locks onto the chip stream at the wrong chip offset, each misaligned 32-chip window still decodes to a valid symbol, just a different one. We called this the B0 attack because after chip rotation of A7 we end up with B0 as our SFD. This injection is especially useful for evading any WIDS (wireless intrusion detection system) put in place against packet-in-packet attacks, since a detector scanning payloads for the byte pattern of a preamble followed by \xa7 will not find one.
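The chip structure described above, as an added Python example (not code from the paper or from KillerBee): it rebuilds the sixteen 32-chip sequences of the 2.4 GHz PHY from symbol 0 using the two-ring rule (4-chip rotations, then odd-chip inversion), checks the 12-to-20 Hamming distance bound, and runs a nearest-sequence decoder over a chip stream that the receiver reads at the wrong chip offset. The paper does not give the exact offset behind its A7-to-B0 observation, so the 4-chip offset used here is an assumption and yields a different but equally legal byte; the point is that every misaligned window still decodes to some valid symbol. The noise positions and the trailing length byte 0x1a are constructed inputs.

```python
"""802.15.4 (2.4 GHz O-QPSK PHY) chip table and decoder: added example, not the paper's code."""

# Chip sequence for data symbol 0, chip c0 first (IEEE 802.15.4 symbol-to-chip table).
SYMBOL0_CHIPS = "11011001110000110101001000101110"


def chip_table() -> list:
    """Ring one: symbols 0..7 are symbol 0 rotated right by 4 chips per step.
    Ring two: symbols 8..15 are ring one with every odd-indexed chip inverted."""
    base = [int(c) for c in SYMBOL0_CHIPS]
    ring_one = [base[32 - 4 * k:] + base[:32 - 4 * k] for k in range(8)]
    ring_two = [[c ^ (i & 1) for i, c in enumerate(seq)] for seq in ring_one]
    return ring_one + ring_two


TABLE = chip_table()


def hamming(a, b) -> int:
    return sum(x != y for x, y in zip(a, b))


def distance_bounds() -> tuple:
    """Min and max Hamming distance over all pairs of distinct symbols."""
    d = [hamming(TABLE[i], TABLE[j]) for i in range(16) for j in range(i + 1, 16)]
    return min(d), max(d)


def decode_symbol(window) -> int:
    """Correlation receiver: a 32-chip window decodes to the nearest sequence."""
    return min(range(16), key=lambda s: hamming(window, TABLE[s]))


def encode_bytes(data: bytes) -> list:
    """Each byte becomes two 32-chip symbols, low nibble transmitted first."""
    chips = []
    for byte in data:
        chips += TABLE[byte & 0xF] + TABLE[byte >> 4]
    return chips


def decode_chips(chips, offset: int = 0) -> bytes:
    """Decode whole bytes from a chip stream, starting `offset` chips in.
    A non-zero offset models a receiver whose chip alignment has slipped."""
    chips = chips[offset:]
    out = bytearray()
    for i in range(0, len(chips) - 63, 64):
        lo = decode_symbol(chips[i:i + 32])
        hi = decode_symbol(chips[i + 32:i + 64])
        out.append(lo | hi << 4)
    return bytes(out)


def flip(chips, positions) -> list:
    """Invert the chips at the given indices (channel noise)."""
    return [c ^ 1 if i in positions else c for i, c in enumerate(chips)]


def demo_chips() -> dict:
    sfd_len = encode_bytes(b"\xa7\x1a")   # SFD followed by a length byte of 26 (constructed)
    return {
        "bounds": distance_bounds(),                              # (12, 20)
        "aligned": decode_chips(sfd_len),                         # b"\xa7\x1a"
        "noisy": decode_chips(flip(sfd_len, {0, 5, 9, 17, 40})),  # 5 chip errors, still b"\xa7\x1a"
        "slipped": decode_chips(sfd_len, offset=4),               # a different, legal byte
    }


if __name__ == "__main__":
    for name, value in demo_chips().items():
        print(name, value)
```

With a minimum distance of 12, up to 5 chip errors per symbol are always corrected, which is why the noisy case still reads 0xa7; the slipped case shows the other side of the same coin, as a wrong alignment is indistinguishable from a clean transmission of other symbols.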

C. Length

The physical header also contains the length of the packet. For this attack we choose the length such that, if bits in the length field are flipped by noise, the inner packet is read instead of the outer one. The attack has a much smaller probability of success than the A7 and B0 attacks, and hence is suited to a scenario where long-term monitoring is possible and a WIDS has been successfully deployed to stop A7 and B0 attacks (which is much harder in the latter case).

III. EXPERIMENTS AND RESULTS

A. A7

We ran our experiments on two channels, 12 and 15. On channel 12 we have minimal noise, a broadcast about every second. Channel 15 hosts several ZigBee devices communicating with each other, creating a lot more noise, about 10 packets per second.

On both channels, a 20 minute sample captures about 1000 packets sent from our transmitter and about 10 released inner packets. This 1% success rate is lower than the 5% success rate reported in prior research [2]; we believe the variation is attributable to environmental noise.

We see comparable success rates on quiet and noisy channels. Furthermore, we occasionally receive packets sent on other channels. These two observations suggest that although off-channel signals usually won't be recognized by a receiver, they can still interfere with the signal. We suspect that the cumulative noise across all channels affects the pattern of interference on any given channel. Experiments in a more controlled environment are needed to confirm this idea.

Another possible explanation for the discrepancy is that successful injection depends on the length of the packet: as the packet length increases, the probability that the physical payload is corrupted increases relative to the probability that the physical header is corrupted.

Here are some of the results we got for an attack on channel 12, the less noisy channel compared to 15. We ran the test for 20 minutes and achieved a success rate of 1%. The same attack on channel 15, which had a lot of interference, also ran for 20 minutes and achieved a success rate of 1%. We expected it to do much better, but it had roughly the same success rate. This could mean that the interference is spread across all channels while the transceiver only picks a particular channel to read. Fig. 10 shows some of the results on the two channels.

Fig. 8. Chips described by the 802.15.4 standard

Fig. 9. Chip values calculated in hex format

B. B0

The packets for this attack are depicted in Fig. 12 and Fig. 13. The results for this injection were measured on channel 16, which might not be very busy, but being next to channel 15 a lot of packets were getting malformed and the interference was a bit high, which is interesting. We were able to get 17 successful injections during a period of 2 hours. More measurements on channel 15 were taken for 20 minutes. Some of the results are depicted in Fig. 11. This shows that the results are approximately the same on different channels and over different time periods, like the A7 attack. The advantage of using this attack, though, is that it can avoid a wireless intrusion detection system if one is implemented for such attacks.

Fig. 10. A7 attack, from left to right: listening for 20 min on Ch12 and 20 min on Ch15

Fig. 11. B0 injection, clockwise from top left: listening for 2 hours on Ch16, 35 minutes on Ch15, 20 minutes on Ch15, and 20 minutes on Ch15

C. Length

The tests for the length attack were run for a period of 8 hours and two consecutive 4 hour periods. We were able to successfully inject 2 packets during the 8 hour period. The length injection very rarely succeeds and requires a lot of luck to flip the right bits, but where both A7 and B0 injections are blocked by a WIDS this could be one possible way to inject the packet, and was an exploration not done before.

Fig. 12. Packet with source 0xdead and destination 0xbeef, containing another packet inside it

Fig. 13. Packet with source 0xdeaf and destination 0xcafe, after the injection is successful

D. Firewalking

We were able to successfully perform firewalking attacks and inject packets to subsequent receivers in the mesh network. Consider a ZigBee device A that is not allowed to talk to ZigBee device C but can interact with a ZigBee device B, which in turn can talk to device C (B acts like a firewall between A and C). In a PIP attack, the packet inside the packet might reveal itself with a header addressed from B to C and a payload that A intended for C. Device B has no problem forwarding it to C because it processes it as a legitimate packet. This is depicted in Fig. 14. The payload might consist of something like initiating a link from C to A, thus enabling them to communicate directly instead of having B sit between them.

Fig. 14. An example of Firewalk

The table below totals, per technique, the packet-in-packet frames sent and the number that turned into successful attacks.

Attack   Total packet-in-packet sent   Successful attacks   Percentage
A7       2211                          12                   0.54%
B0       11086                         39                   0.35%
Length   200000                        4                    0.002%

IV. FUTURE WORK

A. FSK Ghosting

Ghosting means being able to send chips that a receiver on an adjacent channel decodes as inverted. This requires some level of radio engineering and an understanding of what an adjacent channel means for the modulation. O-QPSK, because of its four states, might be able to ghost onto the 4th channel over, etc.


Fig. 15. Inverted Bits on a different Channel in Ghosting

B. 802.15.4 in 802.11

The appeal of packet-in-packet is remote packet injection, or the ability to inject layer 1 packets from layer 7¹. We imagine a scenario where we send an email containing a valid 802.15.4 packet. Then a wireless router near the target user and the target 802.15.4 radio sends its 802.11 signal to the target user's laptop with the 802.15.4 packet in the application layer payload. The target radio doesn't know anything about 802.11; it only hears noise until the 802.15.4 packet, which it parses.

This scenario is extremely simplistic; accomplishing the injection requires overcoming several challenges. We list the challenges we have discovered in order of difficulty²:

• 802.11 and 802.15.4 encode symbols differently: 802.11 maps a symbol to a few bits directly, while 802.15.4 spreads each 4-bit symbol into 32 chips

• 802.11 and 802.15.4 have different transfer rates: 802.11 is much faster than 802.15.4; if it transmits “at full speed” the signal will be unintelligible to 802.15.4 receivers

• 802.11 and 802.15.4 have different modulation schemes: 802.11 uses OFDM (DSSS for 802.11b), and 802.15.4 uses O-QPSK, so we will have to find a way to simulate O-QPSK chips with an 802.11 waveform; here, the faster transfer rate of 802.11 should actually help us

• 802.11 transmitters and receivers use a synchronized scrambler/descrambler to avoid sending long strings of 0s or 1s: we will need to compensate for the transformation the scrambler performs on our embedded bytes

After all this, the embedded packet will look nothing like 802.15.4 to the 802.11 radios. This is expected, because the goal is only that it appear valid to 802.15.4 receivers.

C. Building Application Layer stack in Scapy for ZigBee

This will help ZigBee radio engineers and developers tap the potential of open-source libraries like KillerBee and thus use Scapy to craft and inject packets much more easily. For our experiments we used only L1 and L2 for almost all of our work.

¹ Encryption kills this.
² Note that all of these challenges must be overcome simultaneously to achieve a working injection.

V. CONCLUSION

Packet-in-packet attacks have recently gained some ground. These experiments show how we can use ZigBee for a packet-in-packet attack using different techniques. We believe techniques like this can be applied to other wireless technologies, but a different approach might be required. For WiFi, packets need to be scrambled correctly, as all WiFi radios require scrambling. For Bluetooth, channel hopping should be considered. For wired connections, which have an SFD (start frame delimiter) and an EFD (end frame delimiter), it is important to be able to bypass them; sometimes just a little wiggle of the wire works [1, 2, 3]. Applications for these kinds of injection include talking on covert channels, bypassing hurdles, and building IDS systems that can protect against these attacks. In the end we think many more areas can be explored.

ACKNOWLEDGMENT

The authors would like to thank Xia Zhou for laying the foundation for this research through her course offering. We would also like to thank Sergey Bratus and Travis Goodspeed for their valuable input and for the work of theirs that we build upon.

REFERENCES

[1] Travis Goodspeed, Sergey Bratus, Ricky Melgares, Rebecca Shapiro, and Ryan Speers. Packets in packets: Orson Welles' in-band signaling attacks for modern radios. In Proceedings of the 5th USENIX Conference on Offensive Technologies, WOOT'11, pages 7–7, Berkeley, CA, USA, 2011. USENIX Association.

[2] Travis Goodspeed and Sergey Bratus. Demistiphy 802.15.4.

[3] Ira Ray Jenkins, Rebecca Shapiro, Sergey Bratus, Ryan Speers, and Travis Goodspeed. Fingerprinting IEEE 802.15.4 Devices with Commodity Radios. Technical Report TR2014-746, Dartmouth College, Computer Science, Hanover, NH, March 2014.

[4] ZigBee Alliance. ZigBee Specification. 558, 2006.

[5] IEEE Standard for Local and Metropolitan Area Networks, Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs). Technical report, 2011.

[6] Texas Instruments. CC2420: 2.4 GHz IEEE 802.15.4 / ZigBee-ready RF Transceiver. Available at http://www.ti.com/lit/gpn/cc2420, page 53, 2006.