Wi-Fi 'virus' could be used to attack wireless access points, researchers discover

Malware could spread silently from AP to AP

Dense concentrations of Wi-Fi access points and routers in large cities could be attacked by malware able to spread silently from node to node, researchers at the University of Liverpool have shown for the first time.

In the experiment conducted by Jonny Milliken, Valerio Selis and Professor Alan Marshall, a specially-crafted virus called 'Chameleon' was pitted against a range of common access points with poorly-secured management interfaces (i.e. using default passwords). Once access had been achieved, Chameleon then attempted to take control of the device by re-flashing its firmware with a replacement, open source OpenWrt.

Attackers gaining control in this way would be able to monitor traffic for credentials or other data but the team's real discovery was that Chameleon would also be able to spread and infect other routers in its neighbourhood in a manner similar to an "airborne virus."

Having proved the concept in the lab, the team modelled the attack against the sort of Wi-Fi density found in two cities, Belfast and London, finding that even using an infection rate of five to ten percent, Chameleon would be able to infect several thousand access points within a few months.

Although this sounds like a small number and a long timescale, in a large city each one of these access points could be serving anything from a handful to many thousands of people, so attackers would have gained access to potentially large amounts of valuable data.

Most striking of all, because many access points are left untouched and unmanaged, the attack would be hard to detect. Access points using encryption would offer a small challenge to the extent that re-flashing them would destroy the embedded key. This would need to be captured first.

The team did not reveal which brands or classes of access point or router were vulnerable to Chameleon but was in no doubt that the re-flashing attack would work in the real world.

"In some cases it will work, in some cases it will fail; some are resilient against it, some are not," Professor Alan Marshall told Techworld.

"It was assumed that it wasn't possible to develop a virus that could attack WiFi networks but we demonstrated that this is possible and that it can spread quickly. We are now able to use the data generated from this study to develop a new technique to identify when an attack is likely," said Marshall.

"Whilst many APs are sufficiently encrypted and password protected, the virus simply moved on to find those which weren't strongly protected including open access WiFi points common in locations such as coffee shops and airports."

According to Marshall, the solution is to embed intrusion prevention technology into access points, something he was pursuing through Queen's University Belfast spin-out, Traffic Observation and Management.

The research highlights the unprotected state of router/access point technology, which relies on correctly-configured encryption and management to keep out attackers. But there is growing evidence that even without direct wireless attacks, these devices are riddled with vulnerabilities.

Only days ago, a study by security firm Tripwire found most of the top 50 best-selling home routers had software flaws that would allow a remote attacker to gain control of the device even if it was secured.
