The concept of physical layer conditions in which a packet is re-evaluated in transit, leading to a packet-in-packet attack, has been shown in multiple protocols in the past. However, applying this logic to the Ethernet protocol was only considered a theoretical capability. In this talk, we explore various ways in which this attack can become both practical and powerful. Using this attack, we show how an attacker can bypass firewall and NAT solutions, even when targeting networks directly from the Internet. Combining this attack with fringe use-cases we discovered in the IPv6 implementations in Windows and Linux, we show how an attacker can use it to establish a man-in-the-middle position on the Internet traffic of a certain organization, through which they can eavesdrop on corporate communications or carry out additional attacks.
Our talk will demonstrate that the set of circumstances in which an Ethernet packet-in-packet condition can occur is much wider than previously considered. We will detail the physical parameters of Ethernet cables in which the likelihood of a bit-flip is rather high, and in which this attack can occur within a few minutes. In addition, we will explore the various ways in which interference can be induced in a wide array of Ethernet cable types using certain radio attacks, leading to a remote Ethernet packet-in-packet attack occurring within minutes.
Lastly, we will detail various techniques by which this attack may be triggered from the Internet, either in 1-click attacks that require a user inside the network to click on a certain link, or in certain 0-click attacks that work without any user interaction. Once the packet-in-packet attack occurs, the attacker can take over devices using previously discovered vulnerabilities, or establish a MiTM position on an organization's Internet traffic.
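The precondition for the packet-in-packet re-evaluation described above is that a frame's payload carries the byte pattern a receiver would accept as the start of a new frame: Ethernet's 0x55 preamble bytes, the 0xD5 start-frame delimiter and a plausible MAC header. Benign payloads rarely contain that sequence, so a defender can scan captured or mirrored traffic for it. The following detector is an added example, not code from the talk or its authors; the sample frames are constructed, the MAC addresses are locally administered placeholders, and the acceptance of a preamble run shorter than seven bytes (`MIN_PREAMBLE_RUN`) is an assumption made to catch receivers that re-synchronise on a partially consumed preamble.

```python
import struct

# Ethernet physical-layer framing constants (IEEE 802.3): seven 0x55 preamble
# bytes followed by the 0xD5 start-frame delimiter, then the 14-byte MAC header.
PREAMBLE_BYTE = 0x55
SFD_BYTE = 0xD5
HEADER_LEN = 14
# Assumption for this example: a receiver that re-synchronises mid-frame may lock
# on to fewer than seven preamble bytes, so a shorter run is still reported.
MIN_PREAMBLE_RUN = 4
# EtherTypes treated as a plausible inner frame (IPv4, ARP, 802.1Q, IPv6).
PLAUSIBLE_ETHERTYPES = {0x0800, 0x0806, 0x8100, 0x86DD}


def find_embedded_frames(frame: bytes, min_run: int = MIN_PREAMBLE_RUN) -> list:
    """Scan one Ethernet frame (as captured, i.e. without its own preamble) for a
    preamble+SFD pattern followed by a plausible Ethernet header, which is the
    precondition for a packet-in-packet re-evaluation after a bit flip.
    Returns one dict per candidate with its offset and the inner header fields."""
    candidates = []
    pos = HEADER_LEN  # never match inside the outer header itself
    while True:
        sfd = frame.find(bytes([SFD_BYTE]), pos)
        if sfd == -1:
            break
        # Count the run of 0x55 bytes immediately preceding this delimiter.
        run = 0
        k = sfd - 1
        while k >= HEADER_LEN and frame[k] == PREAMBLE_BYTE:
            run += 1
            k -= 1
        inner = frame[sfd + 1:]
        if run >= min_run and len(inner) >= HEADER_LEN:
            ethertype = struct.unpack("!H", inner[12:14])[0]
            if ethertype in PLAUSIBLE_ETHERTYPES:
                candidates.append({
                    "offset": sfd + 1,
                    "preamble_run": run,
                    "inner_dst": inner[0:6].hex(":"),
                    "inner_src": inner[6:12].hex(":"),
                    "inner_ethertype": ethertype,
                })
        pos = sfd + 1
    return candidates


def flag_frames(frames) -> list:
    """Return (index, candidates) for every frame that carries an embedded frame."""
    return [(i, c) for i, f in enumerate(frames) if (c := find_embedded_frames(f))]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed helper: MAC header plus payload, zero-padded to 60 bytes."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + b"\x00" * max(0, 60 - len(body))


# Constructed sample traffic: a benign IPv4 frame and one whose payload embeds a
# complete IPv6 frame behind a preamble/SFD sequence. MACs are placeholders.
GATEWAY = bytes.fromhex("02000000aa01")
HOST = bytes.fromhex("02000000bb02")
BENIGN = build_frame(GATEWAY, HOST, 0x0800, b"\x45\x00" + b"\x11" * 40)
INNER = build_frame(bytes.fromhex("ffffffffffff"), HOST, 0x86DD, b"\x60" + b"\x00" * 39)
SUSPECT = build_frame(GATEWAY, HOST, 0x0800, b"\x45\x00" + b"\x22" * 20
                      + bytes([PREAMBLE_BYTE]) * 7 + bytes([SFD_BYTE]) + INNER)

if __name__ == "__main__":
    for idx, cands in flag_frames([BENIGN, SUSPECT]):
        for c in cands:
            print(f"frame {idx}: embedded frame at offset {c['offset']} "
                  f"(preamble run {c['preamble_run']}), "
                  f"inner EtherType 0x{c['inner_ethertype']:04x} to {c['inner_dst']}")
```

In practice this check sits on a span port or in a packet-capture pipeline and raises an alert rather than printing; frames from untrusted sources (the Internet-facing side of a firewall or NAT, in the talk's scenario) that carry an embedded preamble, SFD and plausible header are worth isolating for review regardless of whether a bit flip ever occurs.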