The Nexmon firmware analysis and modification framework: Empowering researchers to enhance Wi-Fi devices

Schulz, Matthias; Wegemer, Daniel; Hollick, Matthias

doi:10.1016/j.comcom.2018.05.015

Cited by 30 publications

(27 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the following, we describe how binary and dynamic runtime analysis in tandem can result in full disclosure of the workings of a complex wireless network protocol. Previous exemplary works have reverse engineered the Skype protocol [26], Broadcom Wi-Fi chip firmware [28], and the Fitbit ecosystem [13].…”

Section: Methodsmentioning

confidence: 99%

One Billion Apples' Secret Sauce

Stute

Kreitschmann

Hollick

2018

Proceedings of the 24th Annual International Conference on Mobile Computing and Networking

Self Cite

View full text Add to dashboard Cite

Apple Wireless Direct Link (AWDL) is a proprietary and undocumented IEEE 802.11-based ad hoc protocol. Apple first introduced AWDL around 2014 and has since integrated it into its entire product line, including iPhone and Mac. While we have found that AWDL drives popular applications such as AirPlay and AirDrop on more than one billion end-user devices, neither the protocol itself nor potential security and Wi-Fi coexistence issues have been studied. In this paper, we present the operation of the protocol as the result of binary and runtime analysis. In short, each AWDL node announces a sequence of Availability Windows (AWs) indicating its readiness to communicate with other AWDL nodes. An elected master node synchronizes these sequences. Outside the AWs, nodes can tune their Wi-Fi radio to a different channel to communicate with an access point, or could turn it off to save energy. Based on our analysis, we conduct experiments to study the master election process, synchronization accuracy, channel hopping dynamics, and achievable throughput. We conduct a preliminary security assessment and publish an open source Wireshark dissector for AWDL to nourish future work.

show abstract

Section: Methodsmentioning

confidence: 99%

One Billion Apples' Secret Sauce

Stute

Kreitschmann

Hollick

2018

Proceedings of the 24th Annual International Conference on Mobile Computing and Networking

Self Cite

View full text Add to dashboard Cite

show abstract

“…Therefore, use of RTS/CTS is unnecessary. With the long preamble in a data frame [40], both RSSI and CSI can be extracted from the APs at a satisfactory sampling rate. In contrast to inactive phones where only RSSI is available from CTS, the localization accuracy can be even higher by combining both RSSI and CSI as fingerprints.…”

Section: Active Phone Localizationmentioning

confidence: 99%

Passive Indoor Localization with WiFi Fingerprints

Hoang¹,

Yuen²,

Ren³

et al. 2021

Preprint

View full text Add to dashboard Cite

This paper proposes passive WiFi indoor localization. Instead of using WiFi signals received by mobile devices as fingerprints, we use signals received by routers to locate the mobile carrier. Consequently, software installation on the mobile device is not required. To resolve the data insufficiency problem, flow control signals such as request to send (RTS) and clear to send (CTS) are utilized. In our model, received signal strength indicator (RSSI) and channel state information (CSI) are used as fingerprints for several algorithms, including deterministic, probabilistic and neural networks localization algorithms. We further investigated localization algorithms performance through extensive on-site experiments with various models of phones at hundreds of testing locations. We demonstrate that our passive scheme achieves an average localization error of ∼0.8 m when the phone is actively transmitting data frames and ∼1.5 m when it is not transmitting data frames.

show abstract

“…Device Adaptation: To exercise direct control over the data sent from the hardware to the driver, an analyst can adapt the firmware of real devices to include such capabilities. This can be done by reverse engineering the firmware and reflashing a modified one [64], or by using custom hardware that supports reprogramming of devices [1]. However, these frameworks are typically tailored to specific devices, and given the heterogeneity of peripheral devices, their applicability is limited.…”

Section: Analyzing Hardware-os Interactionmentioning

confidence: 99%

“…However, these frameworks are typically tailored to specific devices, and given the heterogeneity of peripheral devices, their applicability is limited. For example, Nexmon only works for some Broadcom Wi-Fi devices [64], and Facedancer11, a custom Universal Serial Bus (USB) device, can only analyze USB device drivers [1].…”

Section: Analyzing Hardware-os Interactionmentioning

confidence: 99%

PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Song¹,

Hetzelt²,

Das³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The OS kernel is an attractive target for remote attackers. If compromised, the kernel gives adversaries full system access, including the ability to install rootkits, extract sensitive information, and perform other malicious actions, all while evading detection. Most of the kernel's attack surface is situated along the system call boundary. Ongoing kernel protection efforts have focused primarily on securing this boundary; several capable analysis and fuzzing frameworks have been developed for this purpose.

show abstract

The Nexmon firmware analysis and modification framework: Empowering researchers to enhance Wi-Fi devices

Cited by 30 publications

References 2 publications

One Billion Apples' Secret Sauce

One Billion Apples' Secret Sauce

Passive Indoor Localization with WiFi Fingerprints

PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Contact Info

Product

Resources

About