Building a Promiscuous nRF24L01+ Packet Sniffer
Similar to Bluetooth, the protocols of the Nordic VLSI nRF24L01+ chip are designed such that the MAC address of a network participant doubles as a SYNC field, making promiscuous sniffing difficult both by configuration and by hardware. This lecture presents a nifty technique for promiscuously sniffing such radios by (1) limiting the MAC address to 2 bytes, (2) disabling checksums, (3) setting the MAC to be the same as the preamble, and (4) sorting received noise for valid MAC addresses which may later be sniffed explicitly.
Having a promiscuous sniffer opens up a whole new world of low-power wireless hardware for reverse engineering and exploiting. Better still, the chip does not implement cryptography, so many devices broadcast as clear text.
Specific examples of compatible hardware include wireless keyboards, ANT+ and Nike+ sports equipment, active RFID tags, and a classroom response system. All sample exploits are implemented on the Next Hope conference badge running GoodFET firmware, with a total hardware cost of 10 Euro.
About Travis Goodspeed
Travis Goodspeed is a neighborly reverse engineer from Tennessee. He was party to the first emergency knitting machine purchase in Dutch history. He is the maintainer of the GoodFET project, which feature creep has blessed with the ability to do everything from JTAG programming to radio packet sniffing, key extraction, and reflexive jamming.