Researchers Say Wi-Fi Virus Outbreak Possible

alphadogg writes with a link to a NetworkWorld article about a troubling security scenario. Indiana University IT researchers are now saying that a WiFi attack intended to piggyback across unsecured access points could do serious damage in a city like Chicago or New York. By essentially brute-forcing the passwords on insecure routers, a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone. "Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write code that guessed default passwords by first entering the default administrative passwords that shipped with the router, and then by trying a list of one million commonly used passwords, one after the other. They believe that 36% of passwords can be guessed using this technique."
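The summary describes the two guessing strategies the researchers expect a worm to use: the vendor's default administrative password first, then a list of commonly used passwords. The following is an added defender-side example, not code from the article or from the Indiana University researchers: it checks a chosen router admin password against both kinds of list (tiny constructed samples here stand in for the vendor-default tables and the one-million-entry list the text mentions), undoes common leetspeak substitutions so that a lightly disguised default is still caught, and otherwise estimates the keyspace the password draws from. The list contents, the threshold of 40 bits and the function names are all assumptions made for the example.

```python
"""Added example (not part of the original page): classify a router admin
password against the default-credential and common-password strategies the
summary describes, then fall back to a keyspace estimate."""
import math
import string

# Constructed sample of vendor-default admin passwords (placeholder data).
DEFAULT_PASSWORDS = {"admin", "password", "1234", "root", ""}
# Constructed sample standing in for a large common-password list.
COMMON_PASSWORDS = {"letmein", "qwerty", "123456", "iloveyou",
                    "monkey", "linksys", "dragon", "baseball"}

# Reverse the most common leetspeak substitutions so that "p@ssw0rd" is
# recognised as the list entry "password" it was derived from.
_LEET = str.maketrans("@$501!347", "assoiieat")


def normalize(pw: str) -> str:
    """Lower-case, undo leetspeak and drop punctuation for list matching."""
    return "".join(c for c in pw.lower().translate(_LEET) if c.isalnum())


def entropy_bits(pw: str) -> float:
    """Upper bound on bits of keyspace: length * log2(size of charset used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check_admin_password(pw: str, min_bits: float = 40.0):
    """Return (verdict, bits). Verdicts: default, common, weak, ok.

    A password is checked both as typed (lower-cased) and in normalized form,
    because the digit-only entries such as "123456" would not survive the
    leetspeak reversal, while "P@ssw0rd" only matches after it.
    """
    bits = entropy_bits(pw)
    low, norm = pw.lower(), normalize(pw)
    if low in DEFAULT_PASSWORDS or norm in DEFAULT_PASSWORDS:
        return ("default", bits)
    if low in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        return ("common", bits)
    if bits < min_bits:
        return ("weak", bits)
    return ("ok", bits)


if __name__ == "__main__":
    for candidate in ["admin", "P@ssw0rd", "123456", "abc", "xK9#mQ2vLp"]:
        verdict, bits = check_admin_password(candidate)
        print(f"{candidate!r:14} {verdict:8} {bits:5.1f} bits")
```

Note that the keyspace estimate is an upper bound: it assumes the attacker has to try the whole charset uniformly, which a dictionary-first attack does not, so the list checks come first and the estimate only applies once they pass.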


  1. They'll never get me! by morgan_greywolf · · Score: 4, Funny

    Ha! They'll never guess my router admin password, which is '5l@$hd0t.!st.ps0t!'

    1. Re:They'll never get me! by somersault · · Score: 2, Funny

      I see your new USB 'big F5' button working out well since the one on your keyboard died?

      Back on topic, I wonder what this new breed of virus will be called, if indeed it worked. Weasles? WAIDs? Winfluenza? Actually Winfluenza could work on so many levels :)

      --
      which is totally what she said
    2. Re:They'll never get me! by morgan_greywolf · · Score: 2, Funny

      WiThrax? WiVi? I hear Sony is actually pushing for Wiinfluenza for some reason.

  2. Re:Only 36%? by j.sanchez1 · · Score: 2, Insightful

    36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAP's still have the manufacturer's default admin login.

    1/3 is 33 1/3%. How is that severely off of the 36% estimate?

    --
    Speedy thing goes in; speedy thing comes out.
  3. troubling security scenario? by Facetious · · Score: 4, Insightful

    Holy crap! Maybe we should deal with existing security problems before we start with the imaginary ones.

    --
    Let us not become the evil that we deplore.
  4. Varying router models and revisions by Dan+East · · Score: 5, Insightful

    How many router models and hardware revisions would the worm need to support to make this effective? It would take a great deal of resources to produce custom firmware for that many devices and hardware revisions, especially considering that people have been trying to produce custom firmware for specific devices for a long time without any success at all.

    On another note, configuring the router for administrative access only via ethernet would completely stop the problem.

    Dan East

    --
    Better known as 318230.
    1. Re:Varying router models and revisions by kebes · · Score: 2, Interesting

      How many router models and hardware revisions would the worm need to support to make this effective? Since wireless routers are (usually) connected to the Internet, the worm could "phone home" to some central repository in order to get the code it needs to attack different models. What I mean is that the virus wouldn't need to carry code for all makes/models. Instead, an infected access point would scan nearby access points (or computers) for open or crackable connections, and then access a central store for the exact methodology/code/virus needed to spread to those new access points. This also means that the virus author could add new makes/models to the "central store" (which would probably be running in a botnet or compromised webserver somewhere) thereby augmenting the virus as it spreads, making it more virulent with time.

      Of course you're right that this does indeed require the virus author to design code for a wide variety of routers and access points.

      On another note, configuring the router for administrative access only via ethernet would completely stop the problem. That should really be the default. Routers are typically less secure from the wireless end than from the wired end (hacking someone's router from the internet is harder than just accessing it wirelessly, since many people don't even secure the wireless end with a password). So it may be viable to create a "bot-mesh" of wireless access points, which gives you all kinds of dangerous abilities (e.g. you can convincingly spoof websites for anyone on the affected LAN as part of a phishing attack).
    2. Re:Varying router models and revisions by David_W · · Score: 3, Insightful

      Would covering the router ports with a note that indicates a required login to set it up be out of the question here?

      They are getting there. A Linksys I recently picked up had a label over the ports reminding you to RUN CD FIRST. I'm assuming their CD will do things like change passwords and turn on encryption (wouldn't know since I prefer to do that manually).

  5. Simple Solution by dotpavan · · Score: 2, Funny

    They believe that 36 percent of passwords can be guessed using this technique.

    Solution: Use any of the 64 percent of the pwds

  6. Re:Only 36%? by morgan_greywolf · · Score: 2, Insightful

    I think grandparent is saying that he thinks that more than an additional 3% could be guessed from the list of a million commonly-used passwords. He could be right.

  7. Really? by MyDixieWrecked · · Score: 3, Interesting

    I'm not so familiar with Belkin, Netgear and all no-name wireless routers out there, but the newer (last year or two) Linksys WRT54G routers don't allow administrative access over the WLAN by default. You simply get an access denied page when attempting to access it. I'm kind of surprised that linksys doesn't just deny wireless connections to the administrator pages.

    Unfortunately, that means that I can no longer log in to those routers with default passwords and open up ports for myself when I'm on some stranger's network and it requires me to plug in when I need to make changes on my own networks.

    Of course, you should disable access to the administrator pages over the WLAN (or restrict it to a maintenance port if your router has one), change your administrator password (and username, if possible) and make sure you've got strong encryption with a strong password/key.

    When I was living in Manhattan (2004-2005), there were over 20 visible wireless access points from my apartment. Running Kismet and walking from the front to the back of my apartment with my PowerBook, I could pick up closer to 30 networks and about 3/4 of them were password protected; mostly with WEP. Nowadays, living in Brooklyn, I can pick up around 15 wireless networks and all but 2 are password protected and most are using WPA or WPA2.

    --
    ...spike
    Ewwwwww, coconut...
    1. Re:Really? by schnikies79 · · Score: 2, Insightful

      Even if that is true, if remote management is not enabled, it doesn't matter if you have the password.

      I know it was that way on my linksys.

      --
      Gone!
  8. Video Presentation of Paper by Afromelonhead · · Score: 2, Informative

    I attended a talk that Steve Meyer (one of the presenters of the paper) gave at Purdue as part of the CERIAS Security Seminar Series. Link to the video is here. It's definitely worth a watch.

    --
    Procrastination sucks.
  9. Re:1 million passwords? by crow · · Score: 4, Insightful

    They don't need to hold the dictionary. Anything that doesn't fit can be downloaded on demand. Most access points have access to the Internet, and residential access points are almost always outside of any firewall (they're usually the firewall themselves).

  10. Common Sense Should Prevent This by j.sanchez1 · · Score: 2, Insightful

    I have a Linksys WRT54GL flashed with DD-WRT firmware. I use a MAC filter that only allows computers I SPECIFICALLY tell it to, I have disabled administrative access to the router wirelessly and changed the default login AND password, and I password protect my wireless access on top of all that. It took me about an hour (if I recall correctly) to set the router up, including flashing the DD-WRT firmware on it. But once it is done, I don't have to bother changing any more settings, aside from rotating the admin password and updating the MAC filter as needed.

    Just my take on it.

    --
    Speedy thing goes in; speedy thing comes out.
  11. It's too difficult to use strong passwords by gr8scot · · Score: 2, Informative
    --
    All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
  12. Church of Wifi already did this by CounterZer0 · · Score: 4, Informative

    Church of Wifi has a hacked firmware-based worm that runs around and replaces firmware on APs, and then looks for other AP's to attack, and propagates itself.
    The key to this kind of attack is that it could be potentially undetectable - how do you know if the Linksys firmware was replaced or slightly modified or not?
    Another great use, would be to drop TOR endpoints on every single box infected :)

  13. Re:Wifi router on router action by noidentity · · Score: 2, Funny

    Skynet couldn't be far behind...

  14. Not that hard by seanadams.com · · Score: 2, Interesting

    Sveasoft has firmware for most of the ARM/Linux based routers, which covers all the common Linksys/Netgear models. All you'd need to do is make a hacked version of each one and put them on a server (or botnet).

    Then all a worm would need to do is gain access to the router, and then notify the server that it has been cracked. The server takes it from there... it would connect to the router, identify its model number from the status page, and upload the appropriate firmware.

    With a little ingenuity it would not be hard to do this in a way that is transparent to the user - i.e. most users have a plain vanilla setup and it would be easy enough to snarf the configuration and apply that to the new upgrade too.

  15. Similar work by desultration · · Score: 2, Interesting

    Similar work has already been published at Usenix Security. http://www.usenix.org/events/sec07/tech/akritidis.html
    Full paper is available at one of the authors' website. http://s3g.i2r.a-star.edu.sg/papers/metrowifi-usenixsec07.pdf

  16. Re:Question... by nevurthls · · Score: 3, Insightful

    I'm not sure if your post is serious as these questions have been answered many times in slashdot. Hiding your ESSID, not using DHCP and using MAC address filtering are insufficient in adding security as they are all part of any exchange between the router and wireless connections. The MAC address of existing machines can be found and copied in seconds. The ESSID and IP address can be found very easily as well. Hacking WEP encryption is also trivial. As a security measure, all these are completely pointless, and do not add anything in terms of security. Hiding your ESSID does decrease your wireless performance. The only security measure that has any real effect in protecting your wireless network from people who really want to get in is using secure encryption. (WPA, etc.)

    --
    I am a viral sig. Please copy me and help me spread. Thank you.
  17. Re:Question... by mlts · · Score: 2, Insightful

    The trick with wireless security is to segment it into independent layers.

    First, the router providing the wireless AP access should not be the same router firewalling your LAN from the rest of the Internet. This keeps "management" ports that might accidentally be open from being Internet accessible. This is hard sometimes. One router I have has two connections to my little LAN, one from one of its machine ports, and one from its "internet" port. This allows it to check for firmware upgrades and whatnot, letting it think it's connected to the Net.

    Second, if WEP is all you got [1], put the wireless AP on its own network segment, and have the only way in via a hardened machine with a PPTP/L2TP port and a good username and secure password, secure password being preferably over 30 characters. Then, when (not if) someone does bag the wireless key and hops on the network, they will not obtain much in the way of access. If you can't firewall off your WEP AP, nor are able to replace it, consider making it a daily or weekly item in your schedule to change the WEP key.

    I personally avoid the fluff of not broadcasting the SSID, but I do use MAC address protection because it's another lock on the front door, and once set up, it really takes little administrative work.

    [1]: Only use WEP as a *last resort*. Any router made since 2006 (from what I know) *has* to support WPA-PSK and WPA2-PSK (because WPA and WPA2 are part of the 802.11i spec), so if you can, buy a replacement access point from a CompUSA closeout or something similar and use that. Use a decent (12+ chars) password for the router's admin account, and have KeePass generate a 63 character WPA/WPA2 key. I personally generate a 63 char key from KeePass, paste it into the router's config. Then, I copy the key's text into a file on a USB flash disk, carry that to all the machines which use the wireless AP, and paste it in their configs. I have my router set to only allow WPA2 and deny WPA, as all my wireless devices understand AES, but other people may need both WPA and WPA2 available.

    Of course, just to be safe, consider changing the WPA/WPA2 key every so often (I've heard monthly to six months.)
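The comment above recommends a 63-character generated WPA/WPA2 key. As an added example (not code from the commenter, KeePass or any router vendor), the block below does two things that make that advice concrete: it generates a maximum-length passphrase from the printable ASCII range WPA-PSK allows, and it derives the Pairwise Master Key the way WPA/WPA2-PSK actually does, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 32-byte output, which is why a long random passphrase matters: the PMK is only as unpredictable as the passphrase fed into that derivation. The space character is deliberately left out of the generator alphabet (an assumption made here for copy-and-paste safety, not a WPA rule); the function names are my own.

```python
"""Added example (not part of the original page): WPA/WPA2-PSK passphrase
generation and PMK derivation (PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds)."""
import hashlib
import math
import secrets

# WPA-PSK passphrases are 8 to 63 printable ASCII characters (0x20..0x7E).
# The generator uses 0x21..0x7E (94 symbols) and leaves out the space so a
# pasted key cannot be silently trimmed at either end (example's own choice).
_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))
MIN_LEN, MAX_LEN = 8, 63


def generate_passphrase(length: int = MAX_LEN) -> str:
    """Return a random passphrase drawn with the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"WPA passphrase length must be {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int = MAX_LEN) -> float:
    """Bits of entropy in a generated passphrase: length * log2(94)."""
    return length * math.log2(len(_ALPHABET))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).

    A 64-hex-digit key entered on a router bypasses this step and is used as
    the PMK directly; this function covers the passphrase form only.
    """
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    key = generate_passphrase()
    print(f"passphrase ({len(key)} chars, ~{passphrase_entropy_bits():.0f} bits): {key}")
    # Constructed SSID for the demonstration.
    print("PMK:", derive_pmk(key, "HomeNet-example").hex())
```

The test vector from the 802.11 standard (passphrase "password", SSID "IEEE") is a convenient way to confirm the derivation is the real one before trusting a script like this; the PMK it yields begins f42c6fc5.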

  18. It'll activate itself... by Shotgun · · Score: 3, Funny

    What happens when this virus spreads itself around, and then takes over an automated weapons manufacturing plant? I'll tell you what happens. It becomes SELF-AWARE. That's what happens. The next thing you know, we'll have governors showing up naked in deserted places and then beating up biker guys for their clothes. We have to stop this NOW, before someone gets the bright idea of making a TV series about it.

    Aaaah!!! We're too late. Run for the hills!!

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba