[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] WiFi flu: viral router attack could hit whole cities
By Joel Hruska
January 02, 2008
Historically, the vast majority of trojans, worms, and viruses have
targeted the (Windows) PC. Attack and propagation methods may have grown
more sophisticated, but the PC has remained the focus of most malware.
According to a paper written by a team of researchers at Indiana
University, however, this could change in the future. According to the
team's research (PDF) , an attack that specifically targets wireless
routers and spreads between them at any point where coverage overlaps
could quickly and easily propagate throughout an entire city.
Until recently, such an attack vector was considered unlikely. Wireless
routers are inherently less secure than their wired counterparts, but
the development of WPA encryption has increased (theoretical) wireless
security significantly. More practically, wireless routers weren't
deployed in sufficient numbers and didn't overlap their areas of
coverage enough to present a significant propagation risk.
As the density and scale of wireless coverage has expanded, however, the
chance that a router-focused viral attack could cause significant damage
has increased. The IU team's goal was to map existing real-world
wireless networks in various urban locations. Once this was done, the
researchers simulated how quickly an infection would spread across the
various networks tested and what general steps could be taken to prevent
such attacks or reduce their severity.
Modeled locations included Chicago, Boston, New York City, the San
Fransisco Bay area, Seattle, and both northern and southern Indiana. The
data gathered from each area was then used to map the growth of a
hypothetical viral infection. The team's infection model took the
security states of the routers in each modeled area into account.
Routers were grouped by their use of encryption (WEP/WPA/none), whether
or not the default password had been changed, and how easy the new
password was to crack.
Although the areas modeled differed considerably in size, composition,
and geography, all of them demonstrated a sharp initial infection rate
as the virus spread across non-encrypted routers. Routers using WEP
encryption are infected in the second, slow-growth phasethe paper
estimates that the use of WEP slows the infection rate, but does not
stop it. For the purposes of the study, WPA-enabled routers with strong
password protection are considered impregnable. By the time the
infection phases had run their course, 10-55 percent of the routers in
the measured area were controlled by malware.
Interestingly, the modeled router infection patterns resembled a
biological equivalent. Router infections are slowed or stopped
completely by geographical barriers such as rivers, for instance.
Isolated areas with a limited chain of wireless connections leading back
to the point of infection could remain entirely untouched if one router
along the chain uses WPA.
Such findings speak to the importance of strong security measures. Even
if a minority of routers in any given area are using WPA, strategic
positioning of such routers can prevent malware from escaping what
becomes an effectively isolated area.
Fortunately, there are already two practical (and simple) ways to reduce
the chance of infection, should such an attack surface. The IU
researchers recommend that wireless node operators change from the
default password to a strong alternative. Additionally, WPA-compliant
hardware should be used whenever possible. WEP has too many flaws to be
considered an effective security solution, but the team does note that
even WEP's flawed encryption is better than no encryption at all.
To date, there have been no known attempts to attack a wireless network
in this manner, but the increasing ubiquity of wireless connectivity
makes such attacks almost inevitable. Given the relative ease with which
the team's recommended security measures can be implemented, it makes
far more sense to deal with such issues now than it does to ignore them.
Visit InfoSec News