Researchers Say Wi-Fi Virus Outbreak Possible
alphadogg writes with a link to a NetworkWorld article about a troubling security scenario. Indiana University IT researchers are now saying that a WiFi attack intended to piggyback across unsecured access points could do serious damage in a city like Chicago or New York. By essentially brute-forcing the passwords on insecure routers, a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone. "Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write code that guessed default passwords by first entering the default administrative passwords that shipped with the router, and then by trying a list of one million commonly used passwords, one after the other. They believe that 36% of passwords can be guessed using this technique."
Ha! They'll never guess my router admin password, which is '5l@$hd0t.!st.ps0t!'
My blog
36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAPs still have the manufacturer's default admin login.
Unpleasantries.
Why brute force your way through when simply typing "admin" works far more often than it should?
This guy's the limit!
Holy crap! Maybe we should deal with existing security problems before we start with the imaginary ones.
Let us not become the evil that we deplore.
How many routers have enough firmware memory to hold a dictionary like that?
How many router models and hardware revisions would the worm need to support to make this effective? It would take a great deal of resources to produce custom firmware for that many devices and hardware revisions, especially considering that people have been trying to produce custom firmware for specific devices for a long time without any success at all.
On another note, configuring the router for administrative access only via ethernet would completely stop the problem.
Dan East
Better known as 318230.
Solution: Use any of the 64 percent of the pwds
This is retarded; someone's trolling for hits here. Even if a worm could guess WEP/WPA keys in order to "piggyback" to another unsecure AP, it would still have to either:
A) exploit a computer inside the network to have it scan for more APs.
B) somehow crack the firmware on every brand of router it hits and have it do it.
If you have a remote exploit for XP (which is what you would need), why would you bother writing some stupid wi-fi hopping worm.
I can also say that a Wi-Fi Virus Outbreak is Possible. I am not a researcher; I'd better reconsider a career in the research business, it sounds suitable to me.
Even though a lot of people are idiots and leave the password at the default, there are still at least 3 or 4 different types of hardware (think Belkin, D-Link, NetGear, etc., and all the different models they each have available) that are in common use. This means that to be fully effective, a virus would need to contain several different firmware images of itself, and would have to store it all in the limited space available in the flash memory of the infected unit.
Of course, you could choose to infect one or two types of common consumer wireless router, but I think that would greatly limit the probability of a full-bore chain reaction spreading across the greater metropolitan area.
It should be illegal to say that freedom of speech should be limited.
I'm not so familiar with Belkin, Netgear and all the no-name wireless routers out there, but the newer (last year or two) Linksys WRT54G routers don't allow administrative access over the WLAN by default. You simply get an access denied page when attempting to access it. I'm kind of surprised that Linksys doesn't just deny wireless connections to the administrator pages.
Unfortunately, that means that I can no longer log in to those routers with default passwords and open up ports for myself when I'm on some stranger's network and it requires me to plug in when I need to make changes on my own networks.
Of course, you should disable access to the administrator pages over the WLAN (or restrict it to a maintenance port if your router has one), change your administrator password (and username, if possible) and make sure you've got strong encryption with a strong password/key.
When I was living in Manhattan (2004-2005), there were over 20 visible wireless access points from my apartment. Running Kismet and walking from the front to the back of my apartment with my PowerBook, I could pick up closer to 30 networks, and about 3/4 of them were password protected, mostly with WEP. Nowadays, living in Brooklyn, I can pick up around 15 wireless networks and all but 2 are password protected and most are using WPA or WPA2.
...spike
Ewwwwww, coconut...
I attended a talk that Steve Meyer (one of the presenters of the paper) gave at Purdue as part of the CERIAS Security Seminar Series. Link to the video is here. It's definitely worth a watch.
Procrastination sucks.
So are they saying that once a router is compromised, it utilizes its resources to attack other Wi-Fi routers in range? "Hey, you were my friendly network neighbor, and now you want to control ME?" I say we form a coalition of routers who want to remain under their own control and enforce it with high-strength, nearly non-brute-forceable passwords. What a novel idea.
I have a Linksys WRT54GL flashed with DD-WRT firmware. I use a MAC filter that only allows computers I SPECIFICALLY tell it to, I have disabled administrative access to the router wirelessly and changed the default login AND password, and I password protect my wireless access on top of all that. It took me about an hour (if I recall correctly) to set the router up, including flashing the DD-WRT firmware on it. But once it is done, I don't have to bother changing any more settings, aside from rotating the admin password and updating the MAC filter as needed.
Just my take on it.
Speedy thing goes in; speedy thing comes out.
http://sourceforge.net/project/screenshots.php?group_id=41019
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
Church of Wifi has a hacked firmware-based worm that runs around and replaces firmware on APs, and then looks for other APs to attack, and propagates itself. :)
The key to this kind of attack, is that it could be potentially undetectable - how do you know if the linksys firmware was replaced or slightly modified or not?
Another great use, would be to drop TOR endpoints on every single box infected
Why not make the password something like a printed number on the router itself? I know it's encoded in firmware, especially with the factory reset button, but it's not too hard to say read the ID and print up corresponding stickers. They already do it for the MAC address information.
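The per-device sticker password suggested above can be derived rather than stored: the factory keeps one manufacturing key per product line, derives each unit's default from its serial number, prints it next to the MAC address and stores only the hash on the device, so a factory reset restores it and no single fleet-wide default exists. The following is an added example written for this thread, not code from the poster or any vendor; the key, the serial format and the 10-character base-36 label alphabet are assumptions.

```python
import hashlib
import hmac
import string

# Assumed design (not from the thread): the derivation key stays in the factory;
# only the resulting per-unit password (hashed) ships in the device's config
# partition. A factory reset restores that stored value, not a shared "admin".
LABEL_ALPHABET = string.ascii_uppercase + string.digits   # easy to read off a sticker

# Constructed manufacturing key for the demonstration.
FACTORY_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def derive_default_password(factory_key: bytes, serial: str, length: int = 10) -> str:
    """Deterministic per-device default: base-36 digits of HMAC-SHA256(key, serial).

    Ten base-36 characters carry about 51.7 bits, far beyond any million-word
    list, and the value differs per unit, so one guess never covers a fleet."""
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(LABEL_ALPHABET))   # unbiased: n has 256 bits of entropy
        chars.append(LABEL_ALPHABET[r])
    return "".join(chars)


def provision_fleet(factory_key: bytes, serials):
    """What the factory prints on each label: serial -> default password."""
    return {s: derive_default_password(factory_key, s) for s in serials}


def single_guess_coverage(fleet_passwords, guess: str) -> int:
    """How many devices one password guess unlocks. With a shared default this
    is the whole fleet; with per-device defaults it is at most one unit."""
    return sum(1 for pw in fleet_passwords if hmac.compare_digest(pw, guess))


if __name__ == "__main__":
    serials = [f"WRT-{i:06d}" for i in range(5)]            # constructed serials
    fleet = provision_fleet(FACTORY_KEY, serials)
    for serial, pw in fleet.items():
        print(serial, pw)
    shared_default_fleet = ["admin"] * len(serials)
    print("shared default, guess 'admin':", single_guess_coverage(shared_default_fleet, "admin"))
    print("per-device default, best single guess:",
          single_guess_coverage(list(fleet.values()), fleet[serials[0]]))
```

The attacker who reads one sticker learns exactly one router's password; the 36% figure in the summary only holds when the same default is shared across a whole product line.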
a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone.
Great to know that it might be impossible to introduce a worm-like firmware agent into any networks in New York City.
It is also possible that one day /. will post stories that have actual content, instead of meaningless noise.
"X may Y" is semantically equivalent to "X may not Y", and the only kinds of statements that can be negated without changing their meaning are meaningless ones. In contrast, "There is a 0.1% chance that X will Y" is meaningful.
Sveasoft has firmware for most of the ARM/Linux based routers, which covers all the common Linksys/Netgear models. All you'd need to do is make a hacked version of each one and put them on a server (or botnet).
Then all a worm would need to do is gain access to the router, and then notify the server that it has been cracked. The server takes it from there... it would connect to the router, identify its model number from the status page, and upload the appropriate firmware.
With a little ingenuity it would not be hard to do this in a way that is transparent to the user - i.e. most users have a plain vanilla setup and it would be easy enough to snarf the configuration and apply that to the new upgrade too.
Not to distract from the interesting nature of the article but people really should do
some related work background research:
http://www.usenix.org/events/sec07/tech/akritidis.html
These guys showed this (and other privacy related attacks) last year at Usenix Security.
a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone.
"Although the researchers did not develop any attack code
"Scenario?" With a "worm-like software agent?" Wake me up when (a) such a firmware worm is written or (b) someone from the security community can be a little more specific as to how such a worm could work. I remain skeptical.
After all, they've been telling us about Linux and Mac viruses for years, but I have yet to hear of anyone actually getting infected by one.
in other words, WOLF!!!!!!
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
This has gone far enough. We need our laws changed so that anyone engineering such a brutal virus should be PUT TO DEATH by Federal authorities!! Just think of the impact these attacks are having on our economy!? And, how scared it must make some people?
Other than possibly create a few more zombies (and I am sure there are easier ways to do that) who cares?
Folks with real and/or sensitive data will have a password, and likely even more security.
Those that don't likely have little to offer any hacker or anybody else. A hacker may desire your cycles for zombified attacks, and the RIAA might like to look at your MP3 list. Maybe someone might go through the trouble of trying to data mine for identity theft, but again there are much easier ways to accomplish this goal.
If someone wants to brute force my password a million times, be my guest, you will probably find it not worth the time.
Those that don't change their default passwords, well, ye get what ye deserve. Call it a stupid tax.
Similar work has already been published at Usenix Security. http://www.usenix.org/events/sec07/tech/akritidis.html
Full paper is available at one of the authors' website. http://s3g.i2r.a-star.edu.sg/papers/metrowifi-usenixsec07.pdf
Sooo.... This virus is vaporware?
There is a very simple (and very old) technique to stop someone from trying a million passwords in any reasonable timeframe ... just add a delay every time an incorrect password is entered (resetting the delay to zero if the correct password is entered to prevent this becoming a denial of service). If wireless routers used this, then the worm would only spread to devices whose password was in the first few dozen of the dictionary attack list.
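To put numbers on the delay idea above and on the summary's "one million commonly used passwords" attack, here is an added simulation written for this thread (not code from the poster, the researchers or any vendor). It runs on a virtual clock, so no router or network is touched. Assumptions: one login round trip costs 0.05 s, the attacker has 24 hours per device, the password list is a constructed million-entry stand-in with vendor defaults at the top, and the backoff doubles after each consecutive failure from 1 s up to a one-hour cap and resets on success.

```python
import hashlib
import hmac
import os

# Constructed list head; real lists start with the same kind of vendor defaults.
DEFAULT_PASSWORDS = ["admin", "password", "1234", "12345", "root", ""]


def common_password_list(size=1_000_000):
    """Constructed stand-in for a 'million commonly used passwords' list:
    vendor defaults first, then filler. Yields exactly `size` words, lazily."""
    yielded = 0
    for word in DEFAULT_PASSWORDS:
        if yielded >= size:
            return
        yield word
        yielded += 1
    i = 0
    while yielded < size:
        yield f"password{i}"
        i += 1
        yielded += 1


class RouterAdminLogin:
    """Simulated admin login with optional exponential backoff on failures."""

    def __init__(self, password, backoff, base_delay=1.0, max_delay=3600.0):
        self.salt = os.urandom(16)
        self.digest = self._hash(password)   # plain salted hash keeps the simulation
        self.backoff = backoff               # fast; a real device should use a slow KDF
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = 0.0                     # simulated seconds
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, password):
        return hashlib.sha256(self.salt + password.encode()).digest()

    def wait_required(self):
        """Seconds until the device will process another attempt."""
        return max(0.0, self.locked_until - self.clock)

    def attempt(self, candidate):
        self.clock += self.wait_required()   # the attacker has to sit out the delay
        ok = hmac.compare_digest(self.digest, self._hash(candidate))
        if ok:
            self.failures = 0
            self.locked_until = self.clock   # success clears the penalty (no DoS)
        else:
            self.failures += 1
            if self.backoff:
                delay = min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)
                self.locked_until = self.clock + delay
        return ok


def dictionary_attack(device, wordlist, time_budget, per_guess=0.05):
    """Try words in order until one is accepted or the time budget runs out.
    Returns (password_or_None, guesses_made, simulated_seconds_spent)."""
    start = device.clock
    guesses = 0
    for word in wordlist:
        needed = device.wait_required() + per_guess
        if device.clock - start + needed > time_budget:
            break                            # the next try would not fit in the budget
        device.clock += per_guess            # the login round trip itself
        guesses += 1
        if device.attempt(word):
            return word, guesses, device.clock - start
    return None, guesses, device.clock - start


def simulate(password, backoff, time_budget=86400.0):
    """One day of dictionary attack against a router whose admin password is `password`."""
    device = RouterAdminLogin(password, backoff=backoff)
    return dictionary_attack(device, common_password_list(), time_budget)


if __name__ == "__main__":
    for pw in ["admin", "password500000", "5l@$hd0t.!st.ps0t!"]:
        for backoff in (False, True):
            found, n, t = simulate(pw, backoff)
            print(f"{pw!r:22} backoff={str(backoff):5} found={str(found is not None):5} "
                  f"guesses={n:8} hours={t / 3600:.1f}")
```

Without backoff the whole million-word list fits in the day (about 14 hours at 0.05 s a try), so anything on the list falls. With the doubling delay the same day buys only about 35 attempts: the first dozen or so burn through the 1, 2, 4 ... 2048 s delays and every attempt after that costs an hour, which is why only the defaults at the very top of the list still work.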
If you disable SSID broadcasting and enable a trusted only MAC list and deny all other MAC addresses are you pretty much secured from brute force scan attacks? The attacker would have the program scanning for SSIDs. The scanner would not see it. I set my networks up so you have to manually add the SSID. I don't have encryption enabled though. I just make sure that when I go to websites like my banking site or email I use the SSL address. I also use long passwords with capitals, lowercase, numbers, and symbols. One of the networks I manage I do the same as I mentioned before plus I disable DHCP on the router and set everything static.
Should I do anything extra?
hahaha I thought there was an actual ATTACK, not just a warning that our networks are vulnerable... but GEEZ this article is A BAD IDEA, why would you want to give people ideas?? That's all we need!! I bet someone is already engineering an attack as we speak!
Why not take out the default setup page from the router installation and force the user to enter an admin password before they can use their router, thus taking the above security issue out of the picture ;)
Agreed that some will just enter dumb passwords; nonetheless, something would be better than "admin" or "default".
-R12297
Oh great, so they get access to the machine. Just as if it was plugged into a DSL/cable modem line. AND???
Cracking the password and getting network access isn't the same as getting past the firewalls, installing yourself on the machine and getting something to run you. Someone is fear mongering, or has failed to think this through.
Seven puppies were harmed during the making of this post.
Just think of the positive effects. If you had software being able to spread from access point to access point automatically, you could easily build up a meshed network of routers. Those routers would then build a gigantic network which you can use to communicate without the FBI listening in to it. You could simply install that software, reconfigure your router and patch the hole.
The problem is that for that you'd need a monoculture of routers. It might work with Windows PC at one time in the future, but even there it's hard.
I haven't thought this all the way through to its logical conclusions, but it seems to me that the most benefit to blackhats these days is in getting CPU cycles to cause damage and steal information from more valuable or data-rich systems...
Is there really that much benefit to expending effort to hack the SOHO WAP router, when most of the machines behind it are more likely the problem, since if the user has not re-config'ed their router then likely their machines aren't secured either?
For just purely evil fun it might be worth the effort to flash corrupted firmware to hundreds of thousands of WAP's out there...leaving a $100 monetary nuisance to many households out there that have to replace them.
What happens with this virus spreads itself around, and then takes over a automated weapons manufacturing plant? I'll tell you what happens. It becomes SELF-AWARE. That's what happens. The next thing you know, we'll have governors showing up naked in deserted places and then beating up biker guys for their clothes. We have to stop this NOW!, before someone gets the bright idea of making a TV series about it.
Aaaah!!! We're too late. Run for the hills!!
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
From where I am sitting right now I can see 13 wireless networks. Of those, six (46%) are unsecured and five (38%) have what I believe to be default names (linksys, default, DLinkVWR, DLinkWBR, NETGEAR). That doesn't include hidden points. I'm too lazy to Google the default passwords and check if the access points are changed, but I'd doubt it.
There is a reason peer review is so popular. This doesn't appear to have made the cut (probably submitted to a conference and then denied). This has been posted on other sites, and generally laughed at -- since it isn't peer reviewed!!! Just because someone has some letters after their name doesn't mean they know what they are talking about. It is VERY important to ignore stuff like this that hasn't been peer-reviewed - especially when it is done by professors! The whole thing is conjecture anyways, so without peer review it has NO value.

The whole premise of the paper is that all routers are as similar as all PCs. This is ABSOLUTELY not the case. Since all routers tend to use FLASH for storage, you need to write ALL or MOST of the flash at once (since fs images are used). This means that to transfer between hosts, you need a complete image to send to the next host. So, since there are very few resources on each device, it can only store its own infected image. Now if it needs to infect a different type of router, something in the ad hoc mesh network needs to be sourcing this image.

It's really funny that crap research can be posted as if it has ANY factual value whatsoever... They made assumptions that it was exactly like a biological virus, and SURPRISE, it acted like a biological virus. What might be good research is if someone made a proof-of-concept virus like this, with upgrade images for, say, the most popular 100 or so models of routers (remember, there are different hardware revisions). That might cover half of the market. So in a really dense network, it might spread a little!
#!/bin/bash
# argument is device brand; pulls the matching rows from the Phenoelit default password list and strips the HTML tags
curl -s http://www.phenoelit.de/dpl/dpl.html | grep -i "$1" | sed "s/<[^>]*>//g"
This is a script I use to get default passwords. I used to regularly reset to default because I was constantly playing with the settings of multiple devices.
I don't have any practical experience with this, but theoretically, I think a virus could be created that would infect Windows computers and enable internet sharing off the wireless card. It would look at the name of the existing wireless connection and then call the shared connection '+1'. Then when zombied laptops go to coffee shops, etc., they become an additional wireless access point named 'coffee shop2'. Others mistakenly connect to the internet through this spoofed access point and all their outgoing packets are captured and sent to the botnet owner.
This virus could propagate through the normal infection vectors, but it could also create a 'login' requirement that asks users of the spoofed network connection to install a 'security key' for the connection to work 'securely'. You guessed it, TROJAN.
Seth
$5 / month hosted VPS on linux = awesome!
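The "13 networks, six open, five default names" survey a few posts up and the 'coffee shop2' spoofed-AP idea in the post above are both things you can triage from a plain scan. The following is an added example written for this thread, not code from either poster: it parses constructed text shaped like `iwlist scan` output, classifies each AP as open/WEP/WPA/WPA2 from the `Encryption key` and `IE:` lines, flags default-looking SSIDs, and flags SSIDs that are an existing name plus a trailing number as possible twins. The scan text, the default-SSID list and the twin heuristic are assumptions for the demonstration.

```python
import re

# Assumed list of factory SSIDs, seeded from the names the survey post mentions.
DEFAULT_SSIDS = {"linksys", "default", "dlinkvwr", "dlinkwbr", "netgear", "belkin54g"}

# Constructed scan output in iwlist's layout: one "Cell" block per access point.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:14:BF:11:22:33
                    ESSID:"linksys"
                    Encryption key:off
          Cell 02 - Address: 00:1B:2F:44:55:66
                    ESSID:"NETGEAR"
                    Encryption key:on
          Cell 03 - Address: 00:19:5B:77:88:99
                    ESSID:"default"
                    Encryption key:off
          Cell 04 - Address: 00:0F:66:AA:BB:CC
                    ESSID:"Coffee Shop"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 05 - Address: 00:16:B6:DD:EE:FF
                    ESSID:"Coffee Shop2"
                    Encryption key:off
          Cell 06 - Address: 00:18:39:01:02:03
                    ESSID:""
                    Encryption key:on
                    IE: WPA Version 1
          Cell 07 - Address: 00:1C:10:04:05:06
                    ESSID:"home-net"
                    Encryption key:on
                    IE: WPA Version 1
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 08 - Address: 00:17:9A:07:08:09
                    ESSID:"DLinkWBR"
                    Encryption key:on
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def classify(n):
    """Best security in use: key off = open; key on with no WPA/RSN IE = WEP."""
    if not n["key"]:
        return "open"
    if n["wpa2"]:
        return "WPA2"
    if n["wpa"]:
        return "WPA"
    return "WEP"


def parse_scan(text):
    """Turn iwlist-style output into one dict per access point."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.search(line)
        if m:
            cur = {"bssid": m.group(1), "essid": "", "key": False, "wpa": False, "wpa2": False}
            nets.append(cur)
        elif cur is None:
            continue                                   # header lines before the first cell
        elif line.startswith("ESSID:"):
            cur["essid"] = line[len("ESSID:"):].strip('"')   # "" means hidden SSID
        elif line.startswith("Encryption key:"):
            cur["key"] = line.endswith("on")
        elif line.startswith("IE:"):
            if "802.11i" in line or "WPA2" in line:
                cur["wpa2"] = True
            elif "WPA" in line:
                cur["wpa"] = True
    for n in nets:
        n["security"] = classify(n)
    return nets


def is_default_ssid(essid):
    return essid.lower() in DEFAULT_SSIDS


def twin_candidates(nets):
    """SSIDs that are another visible SSID plus a trailing number ('Coffee Shop2')."""
    names = {n["essid"] for n in nets if n["essid"]}
    hits = []
    for n in nets:
        base = re.sub(r"\s*\d+$", "", n["essid"])
        if base and base != n["essid"] and base in names:
            hits.append(n["essid"])
    return sorted(hits)


def summarize(nets):
    summary = {"total": len(nets), "hidden": 0, "default_name": 0,
               "open": 0, "WEP": 0, "WPA": 0, "WPA2": 0}
    for n in nets:
        summary[n["security"]] += 1
        if not n["essid"]:
            summary["hidden"] += 1
        elif is_default_ssid(n["essid"]):
            summary["default_name"] += 1
    summary["twin_candidates"] = twin_candidates(nets)
    return summary


if __name__ == "__main__":
    nets = parse_scan(SAMPLE_SCAN)
    for n in nets:
        print(f"{n['bssid']}  {n['security']:5} {n['essid'] or '<hidden>'!r}")
    print(summarize(nets))
```

An open AP with a factory SSID is the population the summary's worm targets; a twin-named open AP next to a WPA2 one is the pattern the spoofed-hotspot post describes. The twin check is a name heuristic only; the BSSID vendor prefix and signal strength would be the next things to compare.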
Why does media have anything to do with password security? Password security is so layer 6. Unless you mean physically going up and resetting the password, which even the best Cisco routers and switches are open to. You don't even need to brute force attack the password. I would be more afraid of the encryption being cracked with Wi-Fi, something everybody that uses Wi-Fi knows about. Heck, when Wi-Fi first was available they figured that out.
This is no different than a bunch of tin foiled idiots saying it's possible that sometime this year an evil force will rain down herpes on all of us unless we submit to the new god McButtNutt.
The only possible good this article did is to get the ignorant (I mean that nicely, not derogatorily) to be motivated to become educated.
Other posters have put pieces out that show how stupid this idea really is. In order of importance:
1) It requires actual access to the routers administration interface. This is, for the most part, HTTP and cannot be accomplished by telnet, etc. Sometimes that cannot happen over the WLAN at all. There are devices that ship that way by default. The WLAN is NOT to be confused with the WAN either. You may be able to access it over the internet, but not from a wireless AP client of the AP itself running on the router. I do know there are PLENTY of standalone AP's that allow administrative access from a wireless AP client. Many times I have accessed an AP from the other side of a wireless bridge and modified some of its settings. Standalone APs are RARE. They almost don't even sell them anymore in retail outlets. You have to special order them or get them on the internet. Considering how rarely they are used, and by who they are used, I would say standalone APs are generally configured by more sophisticated people that configure them better.
2) Assuming that there was a device that allowed administrative access to it through the WLAN by default, it would still require the password. Sure there are plenty of unprotected routers on default settings. Not a problem. However, just how close are these unprotected nodes to each other? Do they really form a contiguous wireless chain? 36% being brute forced is not the same as a default password. That percentage is even less according to that statistic. It would take a fair amount of time to brute force a wireless router. If it took you 48 hours to brute force a SINGLE node to use it to extend your reach and brute force other nodes, it would take an unreasonable amount of time to compromise 20,000 networks. I think they would have Wireless-Z 802.11ZZZZAE by that time. I have been at many clients', family's, and friends' houses and helped them with their routers and/or experienced what wireless APs were in service in RANGE. From my own experience, it is actually below 50% unprotected routers. Meaning, less than 50% of the locations had unprotected routers in the first place. Where I live right now, there are about 15 APs in range and NONE of them are unprotected. That would lead me to believe that a contiguous coverage "bubble" may not actually exist in the FIRST PLACE.
3) Assuming a wealth of customized attack firmwares available, it would still disrupt service. Statistically, SOMEONE is going to notice. They may not understand what is going on, but they very well could do the ol' power cycle trick. That would most likely brick the device and thereby solve the problem. New router, or RMA'd router with newer firmware that may have stronger security settings by default. Maybe not a strong point, but a valid observation. A single person would probably not connect the dots and conclude a conspiracy, but just something to consider. The need for a large amount of customized attack firmwares is very important though, more on that later.
4) Assuming that you did indeed compromise a network of 20,000 wireless routers forming one hugely connected contiguous bubble of coverage in a city. What NOW? Internet Access? You already had that. They were unprotected. Run a whole P2P network using all of that bandwidth to receive or send more porn? How? You would need compromised machines on each one of those networks since the router itself cannot store any amount of data. Compromise the machines on those networks for some nefarious purpose? Great. A whole other futile project. You can get machines botnetted or otherwise controlled in different methods far easier than that. Maybe I am lacking in vision,