
[ISN] WiFi flu: viral router attack could hit whole cities


By Joel Hruska 
Ars Technica
January 02, 2008

Historically, the vast majority of trojans, worms, and viruses have 
targeted the (Windows) PC. Attack and propagation methods may have grown 
more sophisticated, but the PC has remained the focus of most malware. 
According to a paper written by a team of researchers at Indiana 
University, however, this could change in the future. The team's 
research (PDF) [1] indicates that an attack that specifically targets 
wireless routers and spreads between them at any point where coverage 
overlaps could quickly and easily propagate throughout an entire city.

Until recently, such an attack vector was considered unlikely. Wireless 
routers are inherently less secure than their wired counterparts, but 
the development of WPA encryption has increased (theoretical) wireless 
security significantly. More practically, wireless routers weren't 
deployed in sufficient numbers and didn't overlap their areas of 
coverage enough to present a significant propagation risk.

As the density and scale of wireless coverage have expanded, however, the 
chance that a router-focused viral attack could cause significant damage 
has increased. The IU team's goal was to map existing real-world 
wireless networks in various urban locations. Once this was done, the 
researchers simulated how quickly an infection would spread across the 
various networks tested and what general steps could be taken to prevent 
such attacks or reduce their severity.

Modeled locations included Chicago, Boston, New York City, the San 
Francisco Bay area, Seattle, and both northern and southern Indiana. The 
data gathered from each area was then used to map the growth of a 
hypothetical viral infection. The team's infection model took the 
security states of the routers in each modeled area into account. 
Routers were grouped by their use of encryption (WEP/WPA/none), whether 
or not the default password had been changed, and how easy the new 
password was to crack.

Although the areas modeled differed considerably in size, composition, 
and geography, all of them demonstrated a sharp initial infection rate 
as the virus spread across non-encrypted routers. Routers using WEP 
encryption are infected in the second, slow-growth phase; the paper 
estimates that the use of WEP slows the infection rate, but does not 
stop it. For the purposes of the study, WPA-enabled routers with strong 
password protection are considered impregnable. By the time the 
infection phases had run their course, 10-55 percent of the routers in 
the measured area were controlled by malware.

Interestingly, the modeled router infection patterns resembled a 
biological equivalent. Router infections are slowed or stopped 
completely by geographical barriers such as rivers, for instance. 
Isolated areas with a limited chain of wireless connections leading back 
to the point of infection could remain entirely untouched if one router 
along the chain uses WPA.

Such findings speak to the importance of strong security measures. Even 
if a minority of routers in any given area are using WPA, strategic 
positioning of such routers can prevent malware from escaping what 
becomes an effectively isolated area.

Fortunately, there are already two practical (and simple) ways to reduce 
the chance of infection, should such an attack surface. The IU 
researchers recommend that wireless node operators change from the 
default password to a strong alternative. Additionally, WPA-compliant 
hardware should be used whenever possible. WEP has too many flaws to be 
considered an effective security solution, but the team does note that 
even WEP's flawed encryption is better than no encryption at all.

To date, there have been no known attempts to attack a wireless network 
in this manner, but the increasing ubiquity of wireless connectivity 
makes such attacks almost inevitable. Given the relative ease with which 
the team's recommended security measures can be implemented, it makes 
far more sense to deal with such issues now than it does to ignore them.

[1] http://arxiv.org/PS_cache/arxiv/pdf/0706/0706.3146v1.pdf
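
The spread pattern the article describes (a fast phase across unencrypted 
routers, a slow phase across WEP routers, and a single WPA router cutting 
off a chain) can be reproduced with a small simulation. This is an added 
example, not code from the article or the IU paper; it is a simplified 
deterministic sketch, and the router positions, radio range and takeover 
delays are constructed values chosen for illustration.

```python
import heapq
import math

# Time steps for an infected neighbour to take over a router, per security
# class. Values are constructed for illustration, not taken from the paper.
TAKEOVER_DELAY = {"open": 1, "wep": 20, "wpa": None}  # None = never infected

def build_overlap_graph(positions, radio_range):
    """Link routers whose coverage overlaps (distance <= radio_range)."""
    n = len(positions)
    graph = {i: [] for i in range(n)}
    for i in range(n):
        for j in range(i + 1, n):
            if math.dist(positions[i], positions[j]) <= radio_range:
                graph[i].append(j)
                graph[j].append(i)
    return graph

def simulate(positions, security, radio_range, seed):
    """Return {router: infection_time} for every router the infection reaches."""
    graph = build_overlap_graph(positions, radio_range)
    infected = {}
    queue = [(0, seed)]  # the seed router is assumed compromised at t=0
    while queue:
        t, node = heapq.heappop(queue)
        if node in infected:
            continue
        infected[node] = t
        for nb in graph[node]:
            delay = TAKEOVER_DELAY[security[nb]]
            if nb not in infected and delay is not None:
                heapq.heappush(queue, (t + delay, nb))
    return infected

# Constructed sample: routers 0-5 form a dense block; routers 6-8 hang off it
# as a single chain whose only link back to the block is router 6.
POSITIONS = [(0, 0), (1, 0), (0, 1), (1, 1), (2, 0), (2, 1), (3, 0), (4, 0), (5, 0)]
BASE = ["open", "open", "wep", "open", "open", "wep", "open", "open", "open"]

def with_wpa_at(index):
    """Copy of BASE with one router switched to WPA with a strong password."""
    sec = list(BASE)
    sec[index] = "wpa"
    return sec

if __name__ == "__main__":
    for label, sec in (("baseline", BASE), ("WPA on router 6", with_wpa_at(6))):
        times = simulate(POSITIONS, sec, radio_range=1.0, seed=0)
        print(label, sorted(times.items()))
```

In the baseline run every open router falls within five steps and the two 
WEP routers follow much later; with router 6 on WPA, routers 7 and 8 are 
never reached even though they are themselves unencrypted.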
