Remotely Exploiting the Digital Radio PHY Layer Without Owning a Radio

Presented at ToorCon San Diego 13 (2011), Oct. 9, 2011, 6 p.m. (20 minutes)

With the correct understanding of how signaling works in the 802.15.4 PHY layer, and in similar signaling schemes in other common digital radio protocols, remote attackers can cause crafted frames to be injected into an unencrypted digital radio link. This can be done by merely controlling the payloads of protocol layers above the link layer, with perfectly legal payloads. In other words, the attacker need not own any radio at all, as long as he can predict how his payload is transmitted over the air. This works even when the targeted unencrypted RF hop is fully contained inside a Faraday cage.
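The abstract above describes the mechanism only in outline. The following added example (written for this page; it is not code from the talk or its authors) models, in a byte-aligned toy, why the PHY layer matters here and what a defender can check. It assumes the 802.15.4 2.4 GHz O-QPSK synchronization header (four zero octets of preamble, the 0xA7 start-of-frame delimiter, then a one-octet length field); the sample payload, the receiver model and the `payload_contains_sync` check are constructed for illustration. A real receiver synchronizes at symbol rather than octet boundaries, so the model is deliberately simplified.

```python
"""Toy model of 802.15.4 PHY frame synchronization and a defender-side check.

Added illustration; not the talk's own code. Sync-header constants follow the
802.15.4 2.4 GHz O-QPSK PHY; everything else is constructed sample data.
"""
from typing import Optional

PREAMBLE = b"\x00\x00\x00\x00"   # preamble: four zero octets
SFD = b"\xa7"                    # start-of-frame delimiter
SYNC = PREAMBLE + SFD            # what a receiver hunts for in the symbol stream
MAX_PSDU = 127                   # aMaxPHYPacketSize


def build_phy_frame(psdu: bytes) -> bytes:
    """Wrap a PSDU in the synchronization header plus the length octet."""
    if len(psdu) > MAX_PSDU:
        raise ValueError("PSDU exceeds aMaxPHYPacketSize (127 octets)")
    return SYNC + bytes([len(psdu)]) + psdu


def receiver_sync(stream: bytes) -> Optional[bytes]:
    """Model a receiver scanning for preamble+SFD, then reading length and PSDU.

    Returns the PSDU the receiver would hand to the MAC layer, or None if no
    complete frame is found. Byte-aligned approximation of symbol-level sync.
    """
    i = stream.find(SYNC)
    if i < 0:
        return None
    start = i + len(SYNC)
    if start >= len(stream):
        return None
    length = stream[start]
    psdu = stream[start + 1 : start + 1 + length]
    return psdu if len(psdu) == length else None


def payload_contains_sync(psdu: bytes) -> bool:
    """Defender check: flag higher-layer payloads that carry the PHY sync pattern.

    On an unencrypted hop such a payload is a candidate for the behaviour the
    talk describes; on an encrypted hop the over-the-air bytes are not
    predictable from the payload, which is the more robust mitigation.
    """
    return SYNC in psdu


# Constructed sample data: an application payload that happens to contain a
# second, self-describing frame (sync header + length + PSDU).
INNER_PSDU = b"hello-inner"
OUTER_PAYLOAD = b"app-data" + SYNC + bytes([len(INNER_PSDU)]) + INNER_PSDU
OUTER_FRAME = build_phy_frame(OUTER_PAYLOAD)


def demo() -> dict:
    """Show normal reception versus reception that missed the outer sync."""
    locked_on_outer = receiver_sync(OUTER_FRAME)
    # Simulate a receiver that did not catch the outer sync header: it sees the
    # stream starting after the outer length octet and scans from there.
    missed_outer = receiver_sync(OUTER_FRAME[len(SYNC) + 1 :])
    return {
        "outer": locked_on_outer,
        "after_missed_sync": missed_outer,
        "flagged": payload_contains_sync(OUTER_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two `receiver_sync` calls in `demo` make the point of the abstract concrete: the same bytes, delivered as an ordinary upper-layer payload, become a frame of their own the moment the receiver fails to lock on the outer header, and no transmitter under the attacker's control is involved. `payload_contains_sync` is the kind of cheap, conservative filter a gateway can apply to traffic it forwards onto an unencrypted radio hop; it is not a substitute for link-layer encryption.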
  • Sergey Bratus
    Sergey Bratus is a Research Assistant Professor at Dartmouth College. He is trying to convince fellow academics that hacker research has developed into a distinct discipline of practical security as a science that addresses fundamental questions about what computers can and cannot do that the mainstream academia somehow overlooked.
  • Travis Goodspeed