Here is the abstract, to give you a brief overview of our work:
“Here we present methods for injecting raw frames at Layer 1 from within upper-layer protocols by abuse of in-band signaling mechanisms common to most digital radio protocols. This packet piggy-backing technique allows attackers to hide malicious packets inside packets that are permitted on the network. When these carefully crafted Packets-in-Packets (PIPs) traverse a wireless network, a bit error in the outer frame will cause the inner frame to be interpreted instead. This allows an attacker to evade firewalls, intrusion detection/prevention systems, user-land networking restrictions, and other such defenses. As packets are constructed using interior fields of higher networking layers, the attacker only needs the authority to send cleartext data over the air, even if it is wrapped within several networking layers. This paper includes tested examples of raw frame injection for IEEE 802.15.4 and 2-FSK radios. Additionally, implementation complications are described for 802.11 and a variety of other modern radios. Finally, we present suggestions for how this technique might be extended from wireless radio protocols to Ethernet and other wired links.”
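To make the mechanism in the abstract concrete from the receiving side, here is an added example (not code from the paper, nor from Scapy dot15d4 or KillerBee): a symbol-level model of how an 802.15.4 receiver acquires sync, together with the check a defender would actually run, namely scanning a frame's payload for an embedded preamble-plus-SFD sequence. The PHY constants are the standard's (four zero octets of preamble, SFD 0xA7, low nibble transmitted first); the receiver model, the `min_preamble` threshold, and all frame contents are simplified assumptions constructed for the example.

```python
"""Added example: symbol-level 802.15.4 sync model plus an embedded-sync detector.

Assumptions (not from the paper): a receiver locks on the first run of at least
`min_preamble` zero symbols followed by the SFD; the PHY header is one octet
whose low 7 bits give the PSDU length; all frames below are constructed dummies.
"""

PREAMBLE_SYMBOLS = 8   # 4 octets of 0x00 -> 8 zero 4-bit symbols (2.4 GHz O-QPSK PHY)
SFD = (0x7, 0xA)       # SFD octet 0xA7 as transmitted: low nibble first


def to_symbols(data):
    """Expand octets into the 4-bit symbol stream the PHY transmits (low nibble first)."""
    syms = []
    for b in data:
        syms.append(b & 0x0F)
        syms.append(b >> 4)
    return syms


def from_symbols(syms):
    """Inverse of to_symbols; a trailing odd symbol is dropped."""
    return bytes(syms[i] | (syms[i + 1] << 4) for i in range(0, len(syms) - 1, 2))


def sync_positions(syms, min_preamble=PREAMBLE_SYMBOLS):
    """Symbol offsets of every SFD that is preceded by >= min_preamble zero symbols."""
    hits = []
    run = 0
    for i, s in enumerate(syms):
        if s == 0:
            run += 1
            continue
        if run >= min_preamble and tuple(syms[i:i + 2]) == SFD:
            hits.append(i)
        run = 0
    return hits


def model_receiver(syms, min_preamble=PREAMBLE_SYMBOLS):
    """Simplified receiver: lock on the first valid sync, read the PHR, return (sfd_offset, psdu).

    Returns None if no sync is found or the stream ends before the advertised length.
    """
    for sfd in sync_positions(syms, min_preamble):
        phr = from_symbols(syms[sfd + 2:sfd + 4])
        if len(phr) != 1:
            return None
        length = phr[0] & 0x7F
        body = syms[sfd + 4:sfd + 4 + 2 * length]
        if len(body) < 2 * length:
            return None
        return sfd, from_symbols(body)
    return None


def embedded_sync_offsets(psdu, min_preamble=PREAMBLE_SYMBOLS):
    """Defender-side check: symbol offsets inside a PSDU where a preamble+SFD sequence appears.

    A non-empty result means a single error in the outer sync header could let a
    receiver interpret the embedded bytes as a frame of their own.
    """
    return sync_positions(to_symbols(psdu), min_preamble)


# Constructed test data (assumption, not from the paper): an inner dummy frame
# carrying the 4-byte PSDU 0xDEADBEEF, wrapped unchanged inside an outer frame's payload.
INNER_PSDU = bytes.fromhex("deadbeef")
INNER = bytes(4) + bytes([0xA7, len(INNER_PSDU)]) + INNER_PSDU
OUTER_PSDU = bytes([0x01, 0x02]) + INNER + bytes([0x00, 0x00])
OUTER = bytes(4) + bytes([0xA7, len(OUTER_PSDU)]) + OUTER_PSDU


if __name__ == "__main__":
    intact = to_symbols(OUTER)
    print("intact stream   ->", model_receiver(intact))
    damaged = list(intact)
    damaged[8] = 0x6            # one symbol error in the OUTER SFD
    print("one SFD error   ->", model_receiver(damaged))
    print("embedded sync in outer payload at symbols:", embedded_sync_offsets(OUTER_PSDU))
```

With the intact stream the model receiver returns the outer PSDU; with a single corrupted SFD symbol it skips past the damaged header and returns the inner 0xDEADBEEF frame, which is exactly the "bit error in the outer frame" case the abstract describes. The detector flags the outer payload without any corruption at all, so it can run on captured or outgoing frames. Two caveats for real use: many receivers lock on far fewer than eight preamble symbols, so lower `min_preamble` to match the hardware being protected, and for bit-serial PHYs such as 2-FSK the scan must run at bit rather than nibble granularity.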
This work stems from some of my research into 802.15.4 security; specifically, some of the tools I produced (Scapy dot15d4, KillerBee extensions, Tmote GoodFET firmware, etc.) were used to test this theory and to create and verify the results in the paper.
I look forward to discussing this paper more with interested parties, and if anyone wants to discuss it, please contact me.
UPDATE: Video of Travis presenting our paper at USENIX WOOT.