Automatic Wireless Protocol Reverse Engineering


Johannes Pohl and Andreas Noack, University of Applied Sciences Stralsund


Internet of Things manufacturers often implement their own wireless protocols in order to save licensing fees. Deviating from standard, however, sometimes paves the way for critical attacks such as stolen cars or house breaks without physical traces. For a security analysis of such proprietary protocols, researchers use Software Defined Radios and dedicated demodulation tools. But when reverse engineering is necessary, researchers are left alone and need to find protocol fields manually in a time-consuming and tedious process.

We contribute a framework designed for field inference of wireless protocols. In contrast to previous research, our algorithm operates on the physical layer and, moreover, takes wireless specifics such as Received Signal Strength Indicators into account. Furthermore, the algorithm is robust against errors that are common in wireless communication. Our contribution not only performs a bootstrap of completely unknown protocols but also considers prior knowledge such as participant addresses or known field positions in order to increase accuracy. An implementation is published as part of the open source software Universal Radio Hacker and is a first step towards a default security analysis for proprietary wireless protocols similar like a port-scan is for traditional security.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {238586,
author = {Johannes Pohl and Andreas Noack},
title = {Automatic Wireless Protocol Reverse Engineering},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {},
publisher = {USENIX Association},
month = aug