Automatic Wireless Protocol Reverse Engineering


Johannes Pohl and Andreas Noack, University of Applied Sciences Stralsund


Internet of Things manufacturers often implement their own wireless protocols in order to save licensing fees. Deviating from standards, however, sometimes paves the way for critical attacks such as car theft or burglaries that leave no physical traces. For a security analysis of such proprietary protocols, researchers use Software Defined Radios and dedicated demodulation tools. But when reverse engineering is necessary, researchers are on their own and must find protocol fields manually in a time-consuming and tedious process.

We contribute a framework designed for field inference of wireless protocols. In contrast to previous research, our algorithm operates on the physical layer and, moreover, takes wireless specifics such as Received Signal Strength Indicators into account. Furthermore, the algorithm is robust against errors that are common in wireless communication. Our contribution not only bootstraps the analysis of completely unknown protocols but also considers prior knowledge such as participant addresses or known field positions in order to increase accuracy. An implementation is published as part of the open source software Universal Radio Hacker and is a first step towards a default security analysis for proprietary wireless protocols, much as a port scan is for traditional network security.
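To make the three ideas in the abstract concrete (prior knowledge of participant addresses, use of RSSI as a physical-layer hint, and tolerance to bit errors), the following added example sketches a minimal field-inference pass on a constructed capture. It is illustrative code written for this page, not the paper's algorithm or code from Universal Radio Hacker; the protocol layout, the addresses, the RSSI values and the clustering thresholds are all assumptions. Known addresses are searched at every nibble offset with a coverage threshold rather than an exact match so one corrupted frame does not hide the field, frames are clustered by RSSI on the assumption that one stationary transmitter produces one signal level, and the address column that stays constant inside each RSSI cluster is labelled the sender field.

```python
from collections import Counter

# Constructed sample capture (not from the paper): hex payloads of a hypothetical
# protocol plus the RSSI (dBm) an SDR reported for each frame.  Assumed layout:
# 1-byte preamble, 2-byte sender, 2-byte receiver, 1-byte sequence number.
# The last frame carries a one-nibble bit error inside the sender field.
KNOWN_ADDRESSES = {"1a2b", "3c4d", "5e6f"}   # prior knowledge about participants
ADDR_NIBBLES = 4                              # address width in hex digits (2 bytes)

MESSAGES = [
    ("aa1a2b3c4d01", -41.0),
    ("aa1a2b5e6f02", -42.0),
    ("aa3c4d1a2b03", -67.0),
    ("aa3c4d5e6f04", -66.5),
    ("aa5e6f1a2b05", -55.0),
    ("aa5e6f3c4d06", -54.0),
    ("aa1a2f3c4d07", -41.5),  # corrupted copy of a 1a2b -> 3c4d frame
]


def find_address_offsets(messages, addresses, addr_nibbles, min_coverage=0.8):
    """Return nibble offsets at which at least `min_coverage` of the frames carry
    one of the known participant addresses.  Requiring coverage instead of an
    exact match on every frame is what tolerates occasional bit errors."""
    max_len = max(len(hexstr) for hexstr, _ in messages)
    hits = []
    for offset in range(0, max_len - addr_nibbles + 1):
        matches = sum(
            1 for hexstr, _ in messages
            if hexstr[offset:offset + addr_nibbles] in addresses
        )
        if matches / len(messages) >= min_coverage:
            hits.append(offset)
    return hits


def cluster_by_rssi(messages, max_gap_db=3.0):
    """Group frame indices by RSSI.  Assumption: a stationary transmitter with a
    fixed output power is received at a roughly constant level, so frames from one
    device cluster together.  Greedy 1-D clustering: sort by RSSI and open a new
    cluster whenever the gap to the previous frame exceeds max_gap_db."""
    order = sorted(range(len(messages)), key=lambda i: messages[i][1])
    clusters, current = [], [order[0]]
    for prev, idx in zip(order, order[1:]):
        if messages[idx][1] - messages[prev][1] > max_gap_db:
            clusters.append(current)
            current = []
        current.append(idx)
    clusters.append(current)
    return clusters


def column_purity(messages, offset, addr_nibbles, clusters):
    """Mean over RSSI clusters of the share of frames holding the cluster's most
    common value at `offset`.  A sender field is near-constant per transmitter,
    a receiver field is not, so purity separates the two address columns."""
    purities = []
    for cluster in clusters:
        values = Counter(messages[i][0][offset:offset + addr_nibbles] for i in cluster)
        purities.append(values.most_common(1)[0][1] / len(cluster))
    return sum(purities) / len(purities)


def infer_sender_offset(messages, offsets, addr_nibbles, clusters):
    """Of the candidate address columns, pick the one whose value is most
    consistent within each RSSI cluster."""
    return max(offsets, key=lambda off: column_purity(messages, off, addr_nibbles, clusters))


def analyze(messages, addresses, addr_nibbles):
    """Run the full pass and return the inferred field positions (nibble offsets)."""
    offsets = find_address_offsets(messages, addresses, addr_nibbles)
    clusters = cluster_by_rssi(messages)
    sender = infer_sender_offset(messages, offsets, addr_nibbles, clusters)
    receivers = [off for off in offsets if off != sender]
    return {"address_offsets": offsets, "sender_offset": sender,
            "receiver_offsets": receivers, "num_transmitters": len(clusters)}


if __name__ == "__main__":
    print(analyze(MESSAGES, KNOWN_ADDRESSES, ADDR_NIBBLES))
```

On this capture the pass reports address fields at nibble offsets 2 and 6, three RSSI clusters (one per transmitter) and offset 2 as the sender field; raising `min_coverage` to 1.0 makes the single corrupted frame hide the sender column entirely, which is the failure mode the coverage threshold exists to avoid. The thresholds (80 % coverage, 3 dB RSSI gap) are illustrative choices for this constructed data, not values from the paper.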

