Dense concentrations of Wi-Fi access points and routers in large cities could be attacked by malware able to spread silently from node to node, researchers at the University of Liverpool have shown for the first time.
In the experiment conducted by Jonny Milliken, Valerio Selis and Professor Alan Marshall, a specially-crafted virus called 'Chameleon' was pitted against a range of common access points with poorly-secured management interfaces (i.e. using default passwords). Once access had been achieved, Chameleon then attempted to take control of the device by re-flashing its firmware with a replacement, open source OpenWrt.
Attackers gaining control in this way would be able to monitor traffic for credentials or other data but the team's real discovery was that Chameleon would also be able to spread and infect other routers in its neighbourhood in a manner similar to an "airborne virus."
Having proved the concept in the lab, the team modelled the attack against the sort of Wi-Fi density found in two cities, Belfast and London, finding that even using an infection rate of five to ten percent, Chameleon would be able to infect several thousand access points within a few months.
Although this sounds like a small number and a long timescale, in a large city each one of these access points could be serving anything from a handful to many thousands of people, so attackers would have gained access to potentially large amounts of valuable data.
Most striking of all, because many access points are left untouched and unmanaged, the attack would be hard to detect. Access points using encryption would offer a small challenge to the extent that re-flashing them would destroy the embedded key. This would need to be captured first.
The team doesn't reveal which brands or classes of access point or router were vulnerable to Chameleon but were in no doubt that the re-flashing attack would work in the real world.
"In some cases it will work, in some cases it will fail; some are resilient against it, some are not," Professor Alan Marshall told Techworld.
"It was assumed that it wasn't possible to develop a virus that could attack WiFi networks but we demonstrated that this is possible and that it can spread quickly. We are now able to use the data generated from this study to develop a new technique to identify when an attack is likely," said Marshall.
"Whilst many APs are sufficiently encrypted and password protected, the virus simply moved on to find those which weren't strongly protected including open access WiFi points common in locations such as coffee shops and airports."
According to Marshall, the solution is to embed intrusion prevention technology into access points, something he was pursuing through Queen's University Belfast spin-out, Traffic Observation and Management.
The research highlights the unprotected state of router/access point technology, which rely on correctly-configured encryption and management to keep out attackers. But there is growing evidence that even without direct wireless attacks, these devices are riddled with vulnerabilities.
Only days ago, a study by security firm Tripwire found most of the top 50 best-selling home routers had software flaws that would allow a remote attacker to gain control of the device even if it was secured.