Researchers Say Wi-Fi Virus Outbreak Possible
alphadogg writes with a link to a NetworkWorld article about a troubling security scenario. Indiana University IT researchers are now saying that a WiFi attack intended to piggyback across unsecured access points could do serious damage in a city like Chicago or New York. By essentially brute-forcing the passwords on insecure routers, a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone. "Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write code that guessed default passwords by first entering the default administrative passwords that shipped with the router, and then by trying a list of one million commonly used passwords, one after the other. They believe that 36% of passwords can be guessed using this technique."
Ha! They'll never guess my router admin password, which is '5l@$hd0t.!st.ps0t!'
My blog
36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAPs still have the manufacturer's default admin login.
Unpleasantries.
Why brute force your way through when simply typing "admin" works far more often than it should?
This guy's the limit!
Holy crap! Maybe we should deal with existing security problems before we start with the imaginary ones.
Let us not become the evil that we deplore.
How many router models and hardware revisions would the worm need to support to make this effective? It would take a great deal of resources to produce custom firmware for that many devices and hardware revisions, especially considering that people have been trying to produce custom firmware for specific devices for a long time without any success at all.
On another note, configuring the router for administrative access only via ethernet would completely stop the problem.
Dan East
Better known as 318230.
Solution: Use any of the 64 percent of the pwds
Even though a lot of people are idiots and leave the password at the default, there are still at least 3 or 4 different types of hardware (think Belkin, D-Link, NetGear, etc., and all the different models they each have available) that are in common use. This means that to be fully effective, a virus would need to contain several different firmware images of itself, and would have to store it all in the limited space available in the flash memory of the infected unit.
Of course, you could choose to infect one or two types of common consumer wireless router, but I think that would greatly limit the probability of a full-bore chain reaction spreading across the greater metropolitan area.
It should be illegal to say that freedom of speech should be limited.
I'm not so familiar with Belkin, Netgear and all no-name wireless routers out there, but the newer (last year or two) Linksys WRT54G routers don't allow administrative access over the WLAN by default. You simply get an access denied page when attempting to access it. I'm kind of surprised that Linksys doesn't just deny wireless connections to the administrator pages.
Unfortunately, that means that I can no longer log in to those routers with default passwords and open up ports for myself when I'm on some stranger's network and it requires me to plug in when I need to make changes on my own networks.
Of course, you should disable access to the administrator pages over the WLAN (or restrict it to a maintenance port if your router has one), change your administrator password (and username, if possible) and make sure you've got strong encryption with a strong password/key.
When I was living in Manhattan (2004-2005), there were over 20 visible wireless access points from my apartment. Running Kismet and walking from the front to the back of my apartment with my PowerBook, I could pick up closer to 30 networks and about 3/4 of them were password protected, mostly with WEP. Nowadays, living in Brooklyn, I can pick up around 15 wireless networks and all but 2 are password protected and most are using WPA or WPA2.
...spike
Ewwwwww, coconut...
I attended a talk that Steve Meyer (one of the presenters of the paper) gave at Purdue as part of the CERIAS Security Seminar Series. Link to the video is here. It's definitely worth a watch.
Procrastination sucks.
So are they saying once a router is compromised, it utilizes its resources to attack outer Wifi routers in range? "Hey you were my friendly network neighbor, and now you want to control ME?" I say we form a coalition of routers who want to remain under their own control and enforce it with high-strength, nearly non-brute force-able passwords. What a novel idea.
They don't need to hold the dictionary. Anything that doesn't fit can be downloaded on demand. Most access points have access to the Internet, and residential access points are almost always outside of any firewall (they're usually the firewall themselves).
Wrong!
You only need one computer to begin the process.
It can be done. To avoid it, you should change your admin interface password and use WEP/WPA (preferably WPA)
I have a Linksys WRT54GL flashed with DD-WRT firmware. I use a MAC filter that only allows computers I SPECIFICALLY tell it to, I have disabled administrative access to the router wirelessly and changed the default login AND password, and I password protect my wireless access on top of all that. It took me about an hour (if I recall correctly) to set the router up, including flashing the DD-WRT firmware on it. But once it is done, I don't have to bother changing any more settings, aside from rotating the admin password and updating the MAC filter as needed.
Just my take on it.
Speedy thing goes in; speedy thing comes out.
http://sourceforge.net/project/screenshots.php?group_id=41019
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
Church of Wifi has a hacked firmware-based worm that runs around and replaces firmware on APs, and then looks for other APs to attack, and propagates itself. :)
The key to this kind of attack is that it could be potentially undetectable - how do you know if the Linksys firmware was replaced or slightly modified or not?
Another great use, would be to drop TOR endpoints on every single box infected
Why not make the password something like a printed number on the router itself? I know it's encoded in firmware, especially with the factory reset button, but it's not too hard to say read the ID and print up corresponding stickers. They already do it for the MAC address information.
Sveasoft has firmware for most of the ARM/Linux based routers, which covers all the common Linksys/Netgear models. All you'd need to do is make a hacked version of each one and put them on a server (or botnet).
Then all a worm would need to do is gain access to the router, and then notify the server that it has been cracked. The server takes it from there... it would connect to the router, identify its model number from the status page, and upload the appropriate firmware.
With a little ingenuity it would not be hard to do this in a way that is transparent to the user - i.e. most users have a plain vanilla setup and it would be easy enough to snarf the configuration and apply that to the new upgrade too.
a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone.
"Although the researchers did not develop any attack code
"Scenario?" With a "worm-like software agent?" Wake me up when (a) such a firmware worm is written or (b) when someone from the security community can be a little more specific as to how such a worm could work. I remain skeptical.
After all, they've been telling us about Linux and Mac viruses for years, but I have yet to hear of anyone actually getting infected by one.
in other words, WOLF!!!!!!
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Yeah it could be done in theory but it's highly impractical/improbable.
Let's not get our panties in a bunch.
According to the "5 best hacks of 2007" article of a few days ago, it's getting hard to find an open AP these days and even if you find one, most manufacturers are now shipping APs with admin access disabled on the WAN interface by default.
Then again, the same article said that running a packet sniffer on a open AP and grabbing cookies ("sidejacking") was one of the top 5 hacks. If our security professionals only figured this out in 2007, we've already been pwned.
Other than possibly create a few more zombies (and I am sure there are easier ways to do that) who cares?
Folks with real and/or sensitive data will have a password, and likely even more security.
Those that don't likely have little to offer any hacker or anybody else. A hacker may desire your cycles for zombified attacks, and the RIAA might like to look at your MP3 list. Maybe someone might go through the trouble of trying to data mine for identity theft, but again there are much easier ways to accomplish this goal.
If someone wants to brute force my password a million times, be my guest, you will probably find it not worth the time.
Those that don't change their default passwords, well, ye get what ye deserve. Call it a stupid tax.
Similar work has already been published at Usenix Security. http://www.usenix.org/events/sec07/tech/akritidis.html
Full paper is available at one of the authors' website. http://s3g.i2r.a-star.edu.sg/papers/metrowifi-usenixsec07.pdf
There is a very simple (and very old) technique to stop someone from trying a million passwords in any reasonable timeframe ... just add a delay every time an incorrect password is entered (resetting the delay to zero if the correct password is entered to prevent this becoming a denial of service). If wireless routers used this, then the worm would only spread to devices whose password was in the first few dozen of the dictionary attack list.
Well, you could have it download the firmware image from the Internet (IRC or p2p) according to the device you are attacking. The worm itself would be just a little "hack" in the firmware image. And you don't have to bother with all brands and models: start with the most popular ones (Linksys' W54GL, and the like). Some of those already have open source versions of their firmware, meaning you don't really have to reverse-engineer everything.
My point is: it is not impossible. Wifi routers will meet all the requisites in most cases: rewritable firmware, open-sourced OS/firmware, unsecured APs, default password in administrative interfaces, a quite capable processing unit and a wifi antenna. Diversity may slow things a little but, although I lack data, I believe that the domestic and SOHO wifi router market (the best target - least security-minded) is dominated by few models.
If this hasn't been done yet (at least not that we know of), maybe the would-be attackers haven't found a suitable, big, with lots of routers within range of each other. It could already be happening in a "silent" mode somewhere. It only becomes detectable if you use the full capacity of processor power and wifi output of the router, hindering the legitimate connections.
If you disable SSID broadcasting and enable a trusted only MAC list and deny all other MAC addresses are you pretty much secured from brute force scan attacks? The attacker would have the program scanning for SSIDs. The scanner would not see it. I set my networks up so you have to manually add the SSID. I don't have encryption enabled though. I just make sure that when I go to websites like my banking site or email I use the SSL address. I also use long passwords with capitals, lowercase, numbers, and symbols. One of the networks I manage I do the same as I mentioned before plus I disable DHCP on the router and set everything static.
Should I do anything extra?
Oh great, so they get access to the machine. Just as if it was plugged into a DSL/cable modem line. AND???
Cracking the password and getting network access isn't the same as getting past the firewalls, installing yourself on the machine and getting something to run you. Someone is fear mongering, or has failed to think this through.
Seven puppies were harmed during the making of this post.
Bingo. Add to your "should do" list; "Disable admin access over wireless and WAN making it only available from directly connected Ethernet LAN".
Just think of the positive effects. If you had software being able to spread from access point to access point automatically, you could easily build up a meshed network of routers. Those routers would then build a gigantic network which you can use to communicate without the FBI listening in to it. You could simply install that software, reconfigure your router and patch the hole.
The problem is that for that you'd need a monoculture of routers. It might work with Windows PC at one time in the future, but even there it's hard.
I haven't thought this all the way through to its logical conclusions, but it seems to me that the most benefit to blackhats these days is in getting CPU cycles to cause damage and steal information from more valuable or data rich systems...
Is there really that much benefit to expending effort to hack the SOHO WAP router, when most of the machines behind it are more likely the problem, since if the user has not re-config'ed their router then likely their machines aren't secured either?
For just purely evil fun it might be worth the effort to flash corrupted firmware to hundreds of thousands of WAP's out there...leaving a $100 monetary nuisance to many households out there that have to replace them.
Impractical ? In the 2-3 minutes I've spent reading this article and comments, I probably could have done this to my own router. It's actually pretty easy for any techie to pull off, considering how many modern routers run some sort of embedded Linux system. The firmware isn't some exotic Fortran behemoth like in the good old days, the 21st century is all about commodity hardware and software, cheep cheep!
Anyone with some basic knowledge in developing scrapers/spiders could figure it out in half a day, all it takes is a shell script running on the router.
Be afraid!
-Billco, Fnarg.com
What happens when this virus spreads itself around, and then takes over an automated weapons manufacturing plant? I'll tell you what happens. It becomes SELF-AWARE. That's what happens. The next thing you know, we'll have governors showing up naked in deserted places and then beating up biker guys for their clothes. We have to stop this NOW!, before someone gets the bright idea of making a TV series about it.
Aaaah!!! We're too late. Run for the hills!!
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
From where I am sitting right now I can see 13 wireless networks. Of those six (46%) are unsecured and five (38%) have what I believe to be default names (linksys, default, DLinkVWR, DLinkWBR, NETGEAR). That doesn't include hidden points. I'm too lazy to Google the default passwords and check if the access points are changed but I'd doubt it.
There is a reason peer review is so popular. This doesn't appear to have made the cut (probably submitted to a conference and then denied). This has been posted on other sites, and generally laughed at -- since it isn't peer reviewed!!! Just because someone has some letters after their name, doesn't mean they know what they are talking about. It is VERY important to ignore stuff like this that hasn't been peer-reviewed - especially when it is done by professors! The whole thing is conjecture anyways, so without peer review it has NO value. The whole premise of the paper is that all routers are as similar as all PCs. This is ABSOLUTELY not the case. Since all routers tend to use FLASH for storage - you need to write ALL or MOST of the flash at once (since fs images are used). This means to transfer between hosts, you need a complete image to send to the next host. So, since there are very little resources on each device, it can only store its own infected image. Now if it needs to infect a different type of router, something in the ad hoc mesh network needs to be sourcing this image. It's really funny that crap research can be posted as if it has ANY factual value whatsoever... They made assumptions that it was exactly like a biological virus, and SURPRISE, it acted like a biological virus. What might be good research is if someone made a proof-of-concept virus like this, with upgrade images for say the most popular 100 or so models of routers (remember, there are different hardware revisions). That might cover half of the market. So in a really dense network, it might spread a little!
#!/bin/bash
# argument is device brand
# fetch the phenoelit default password list, keep the rows matching the brand, strip the HTML tags
curl -s http://www.phenoelit.de/dpl/dpl.html |
grep -i "$1" | sed "s/<[^>]*>//g"
Is a script I use to get default passwords. I used to regularly reset to default because I was constantly playing with the settings of multiple devices.
OMG, Skynet!
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
That's a good point. For the password guessing, the first three password combos could be the following:
admin/blank
admin/admin
blank/admin
Just Google "default passwords" sometime, and start picking sites. The majority of default passwords for consumer-grade networking gear can be cracked by using any of the above three combinations. Throw in a method for cracking WEP, and you've got everything you need.
Ah, I forgot to use linebreaks and the preview button. /. really needs an edit feature.
I don't have any practical experience with this, but theoretically, I think a virus could be created that would infect windows computers and enable internet sharing off the wireless card. It would look at the name of the existing wireless connection and then call the shared connection '+1'. Then when zombied laptops go to coffee shops, etc. they become an additional wireless access point named 'coffee shop2'. Others mistakenly connect to the internet through this spoofed access point and all their outgoing packets are captured and sent to the botnet owner.
This virii could propagate through the normal infection vectors, but it could also create a 'login' requirement that asks users of the spoofed network connection to install a 'security key' for the connection to work 'securely'. You guessed it, TROJAN.
Seth
$5 / month hosted VPS on linux = awesome!
Why does media have anything to do with password security? Password security is so layer 6. Unless you mean physically going up and resetting the password. Which even the best Cisco routers and switches are open to. You don't even need to brute force attack the password. I would be more afraid of the encryption being cracked with wifi. Something everybody that uses wifi knows about. Heck, when wifi first was available they figured that out.
This is no different than a bunch of tin foiled idiots saying it's possible that sometime this year an evil force will rain down herpes on all of us unless we submit to the new god McButtNutt.
The only possible good this article did is to get the ignorant (I mean that nicely, not derogatorily) to be motivated to become educated.
Other posters have put pieces out that show how stupid this idea really is. In order of importance:
1) It requires actual access to the router's administration interface. This is, for the most part, HTTP and cannot be accomplished by telnet, etc. Sometimes that cannot happen over the WLAN at all. There are devices that ship that way by default. The WLAN is NOT to be confused with the WAN either. You may be able to access it over the internet, but not from a wireless AP client of the AP itself running on the router. I do know there are PLENTY of standalone APs that allow administrative access from a wireless AP client. Many times I have accessed an AP from the other side of a wireless bridge and modified some of its settings. Standalone APs are RARE. They almost don't even sell them anymore in retail outlets. You have to special order them or get them on the internet. Considering how rarely they are used, and by whom they are used, I would say standalone APs are generally configured by more sophisticated people that configure them better.
2) Assuming that there was a device that allowed administrative access to it through the WLAN by default, it would still require the password. Sure there are plenty of unprotected routers on default settings. Not a problem. However, just how close are these unprotected nodes to each other? Do they really form a contiguous wireless chain? 36% being brute forced is not the same as a default password. That percentage is even less according to that statistic. It would take a fair amount of time to brute force a wireless router. If it took you 48 hours to brute force a SINGLE node to use it to extend your reach and brute force other nodes, it would take an unreasonable amount of time to compromise 20,000 networks. I think they would have Wireless-Z 802.11ZZZZAE by that time. I have been at many clients', family, and friends' houses and helped them with their routers and/or experienced what wireless APs were in service in RANGE. From my own experience, it is actually below 50% unprotected routers. Meaning, less than 50% of the locations had unprotected routers in the first place. Where I live right now, there are about 15 APs in range and NONE of them are unprotected. That would lead me to believe that a contiguous coverage "bubble" may not actually exist in the FIRST PLACE.
3) Assuming a wealth of customized attack firmwares available, it would still disrupt service. Statistically, SOMEONE is going to notice. They may not understand what is going on, but they very well could do the ol' power cycle trick. That would most likely brick the device and thereby solve the problem. New router, or RMA'd router with newer firmware that may have stronger security settings by default. Maybe not a strong point, but a valid observation. A single person would probably not connect the dots and conclude a conspiracy, but just something to consider. The need for a large amount of customized attack firmwares is very important though, more on that later.
4) Assuming that you did indeed compromise a network of 20,000 wireless routers forming one hugely connected contiguous bubble of coverage in a city. What NOW? Internet Access? You already had that. They were unprotected. Run a whole P2P network using all of that bandwidth to receive or send more porn? How? You would need compromised machines on each one of those networks since the router itself cannot store any amount of data. Compromise the machines on those networks for some nefarious purpose? Great. A whole other futile project. You can get machines botnetted or otherwise controlled in different methods far easier than that. Maybe I am lacking in vision,
Modern attacks are getting multi-faceted; witness Storm. Attacking a router would be only one step in a complex attack.
After a computer or router gets access to another router, there are two options available, and one or both can be implemented:
1. Download an appropriate image from a server to put on the attacked router.
2. Adjust the router settings to give DMZ access to the computers in the WLAN. If the router does not report IPs or names of computers within the WLAN, then a scan could be done, one computer at a time, changing the DMZ from one IP to the next. May be slow, but who's waiting?
If it cannot flash the firmware, then option 2 is still available.
Once it has inside access to the WLAN, it can sniff the WLAN for passwords, etc., which would let it infect one of the computers. This would basically be halfway an inside job. It probably doesn't really matter if a router is infected or a computer is infected; either can do the dirty work desired by botnets.
Once a hard-wired computer is infected, it can then re-flash the router. The best protection against this would be to have a hardware switch, or, as someone else suggested (which is better, since it still allows remote management), use a number on the bottom of the device as a password.
If a model of router is discovered that the worm does not recognize, it can send the data (webpage or telnet screen) back to headquarters for someone to look at and research and find out how to manipulate. Thus, the worm would be able to attack more models of router as time goes by. A firmware flash is unlikely for most routers, but as long as the computers inside the WLAN can be infected, it doesn't really matter. However, if a router AND computer are infected, then if the user fixes one, the other can reinfect. Ditto for infecting multiple computers inside a WLAN.