Scientists Demonstrate Virus That Spreads Across Wi-Fi Access Points

← Back to Stories (view on slashdot.org)

Scientists Demonstrate Virus That Spreads Across Wi-Fi Access Points

Posted by Soulskill on Tuesday February 25, 2014 @03:07PM from the proof-of-concept dept.

An anonymous reader writes "Researchers at the University of Liverpool have shown for the first time that WiFi networks can be infected with a virus that can move through densely populated areas as efficiently as the common cold spreads between humans. The team designed and simulated an attack by a virus, called 'Chameleon,' that not only could spread quickly between homes and businesses, but avoided detection and identified the points at which WiFi access is least protected by encryption and passwords. The research appears in EURASIP Journal on Information Security." The technical details are explained in the journal article.

50 of 68 comments (clear)

Min score:

Reason:

Sort:

Keyword; simulated by complete+loony · 2014-02-25 15:18 · Score: 3, Insightful

Sure it's easy to model the spread of a virus. It's another thing entirely to write one that can run on every commodity access point, with sufficient CPU power to crack all nearby passwords / keys.

--
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
1. Re:Keyword; simulated by khasim · 2014-02-25 15:30 · Score: 3, Informative
  
  My problems with TFA are:
  1. Are they being paid by the word because they're throwing massive amounts of bullshit into it.
  2.
  
  A new form of compromised AP attack has been demonstrated and analysed in [4], called the 'Chameleon' attack, perpetrated by the Chameleon virus.
  That would be a "worm". Not a "virus". And a worm that attacks WiFi routers is NOT new.
2. Re:Keyword; simulated by noh8rz10 · 2014-02-25 16:05 · Score: 1
  
  can somebody clarify once and for all the difference between a worm and a virus? some concrete examples would be helpful too.
3. Re:Keyword; simulated by khasim · 2014-02-25 16:20 · Score: 5, Informative
  
  Worms hop from system to system without the need for any human interaction. They exploit vulnerabilities in services listening on ports. Worms need a network.
  A virus infects other files with copies of itself. But an uninfected machine still needs someone to run one of those files on the uninfected machine to infect the uninfected machine.
  Viruses are a lot less common now. Mostly you see trojans and worms and "blended" threats that are a mix of trojans and worms.
4. Re:Keyword; simulated by gIobaljustin · 2014-02-25 16:33 · Score: 1
  
  That might be the case, but it might also not be the case.
  
  --
  Thank you Dave Raggett
5. Re:Keyword; simulated by FireFury03 · 2014-02-25 23:46 · Score: 2
  
  Sure it's easy to model the spread of a virus. It's another thing entirely to write one that can run on every commodity access point, with sufficient CPU power to crack all nearby passwords / keys.
  Doesn't need to do that: crack the wifi key and you now have access to the whole network. From there you can install on *any* insecure device on the network - be it the AP itself, a Windows workstation, a NAS, smart TV, printer, whatever. If the device in question has its own wireless NIC (which is frequently the case if you've infected something like a laptop or smartphone) then you can find another wifi network, crack that, install on any device you find therein, rinse and repeat. Especially good for devices like laptops and phones which physically move around so can probably infect geographically separated networks (think: home user bringing their infected phone into work - the phone doesn't need to already be authorised to log into the office wifi network for it to sit there all day, every day, cracking the damned thing!).
  
  --
  http://blog.nexusuk.org
6. Re:Keyword; simulated by BitZtream · 2014-02-26 01:02 · Score: 1
  
  You're using your own personal definition of virus unlike the rest of the world.
  A worm generally causes no damage and just likes to spread. Virii generally cause damage and spread.
  For the most part however, they are the same thing and its really a matter of malicious intent that makes the difference.
  For instance, the sendmail worm (which you probably aren't old enough to even know about) had the effect of a virus simply because it was so prolific and spread so quickly thanks to the backdoor built into sendmail. It broke many mail systems, because it spread onto itself as well as new hosts, and it was wicked fast about it (for the time) so it overloaded mail servers to a non-functional state.
  Still a worm though, because that overload was a bug, not a feature.
  Had the overload been intentional, it would have been a virus.
  PLENTY of Viruses over the years moved from machine to machine without any human interaction at all. Its like you've been in your own little world the last 20 years.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
7. Re:Keyword; simulated by BitZtream · 2014-02-26 01:03 · Score: 1
  
  I should have added:
  When everything became networked, viruses no longer required human interaction and sneaker net to be prolific.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
8. Re:Keyword; simulated by doas777 · 2014-02-26 02:10 · Score: 2
  
  Good distinctions, but a point of clarification. Worms are self contained and target Systems (OSs, embedded devices of particular make, etc). They contain all the code necessary to spread from system to system using whatever media they are designed for. Viruses target applications with communciations capabilities. A spam virus for instance generally targets an email client for instance. the virus requires the vulnerable application to transmit itself from vulnerable system to vulnerable system however; that code is not contained in the virus. Viruses do not require human interaction as a rule (some do, some don't). Automatic application updates and hardened code on the few types of applications capable of supporting a virus, have largely made them extinct. Trojans DO require human intervention, but are the most flexible. Worms and Viruses are peer-to-peer only, whereas Trojans are client-server. For instance Drive By Download attacks from malicious web sites are now the infection-vector of choice these days, because it requires as little human interaction as possible. The malware described here, would be a worm, because it is spreading of its own accord, and does not target a specific communications application.
9. Re:Keyword; simulated by Zero__Kelvin · 2014-02-26 03:16 · Score: 3, Insightful
  
  "You're using your own personal definition of virus unlike the rest of the world."
  Oh, the irony. You just randomly made up your own definitions after accusing the (much more correct) OP of the same.
  
  "A worm generally causes no damage and just likes to spread."
  There is no stipulation regarding payload or lack therof for a worm. What makes it a worm rather than a virus is that it is an independant, stand alone program or file that doesn't attach itself to a host program or other file.
  
  " Virii generally cause damage and spread."
  Again, no payload stipulation is appropriate. What makes it a virus is that it attaches to a host program or other file and spreads by attaching to other host programs or files.
  
  "Still a worm though, because that overload was a bug, not a feature."
  Again, no. The RTM Worm was a worm because it did not attach to other programs; it was an independant program. Payload has absolutely nothing to do with it. The trouble it caused could have been quite intentional and that wouldn't change a thing. It was a worm regardless of the payload or lack therof.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
10. Re:Keyword; simulated by Anonymous Coward · 2014-02-26 03:19 · Score: 1
  
  No. You shouldn't have. You should have gone off and learned the subject matter you are trying to tech before trying to "teach" your misinformation to others.
A Wifi Virus?! by Anonymous Coward · 2014-02-25 15:19 · Score: 3, Funny

We shall call it...the Flappy Bird Flu.
You're welcome.
PostScript Virus by Greyfox · 2014-02-25 15:28 · Score: 5, Funny

I wanted to do something like that on network-attached postscript printers a few years back, but didn't have an easy way to open a network socket in PostScript. My virus would have moved from printer to printer and done nothing else except replace every instance of the word "Strategic" with the word "Satanic" on printed documents.

--
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
1. Re:PostScript Virus by NapalmV · 2014-02-25 15:53 · Score: 2
  
  Muahahaha you have to see it in action on the Wikipedia "Cloud computing" page. Just a sample: In common usage, the term "my butt" is essentially a metaphor for the Internet.
2. Re:PostScript Virus by Samantha+Wright · 2014-02-25 16:55 · Score: 1
  
  In meteorology, a butt is a visible mass of liquid droplets or frozen crystals made of water or various chemicals suspended in the atmosphere above the surface of a planetary body.[1] These suspended particles are also known as aerosols and are studied in the butt physics branch of meteorology.
  I can see forever...
  
  --
  Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
3. Re:PostScript Virus by AmiMoJo · 2014-02-26 00:48 · Score: 2
  
  At college the admins used to spy on us regularly. We trolled them by creating files in DOS that had spaces in the name (alt-255) which they couldn't figure out how to open. Later we found that if you created a text file with a name like "hack.bat" that contained a few thousand 0x07 (bell) characters they would open it up and then immediately start hammering the keys as their editor tried to beep the speaker repeatedly for the next few days. Being DOS the only solution was to hit the hard reset button.
  You could have all sorts of fun with Netware too, like creating fake log-in screens in QuickBasic to capture admin passwords. Since the filesystem had no protection it was easy to insert such a fake screen into autoexec.bat, followed by a call to the real login screen so they would just assume they typed something wrong.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
4. Re:PostScript Virus by BitZtream · 2014-02-26 01:05 · Score: 1
  
  Your college admins were using DOS and not some UNIX? Sounds fishy
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
5. Re:PostScript Virus by AmiMoJo · 2014-02-26 04:23 · Score: 1
  
  I should point out that "college" in the UK is post-school, age 16 to 18. Then we go on to university, where we did have a mix of Windows/Netware and various Unix machines.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:PostScript Virus by CSMoran · 2014-02-26 22:54 · Score: 1
  
  Being DOS the only solution was to hit the hard reset button.
  Meh, you just map the int 00 vector onto int 05 and you're ready to go. Press "Print Screen" anytime to divide by zero and terminate current process.
  
  --
  Every end has half a stick.
From mapping to .... by AHuxley · 2014-02-25 15:34 · Score: 2

In the past the news was just about listening, tracking and mapping
"aircraft are all fitted with sophisticated surveillance equipment. " ...The aircraft are able to identify suspects using 'voice-prints' ...
http://www.dailymail.co.uk/new...
Then the wifi mapping news e.g. "mapped the Wi-Fi fingerprint of nearly every major town in Yemen".
https://firstlook.org/theinter... (10 Feb 2014)
Expect more interest in any wifi network at a home, suburb and country based network level.

--
Domestic spying is now "Benign Information Gathering"
Attack replaces firmware .. by DTentilhao · 2014-02-25 15:43 · Score: 1

"This attack replaces the firmware of an existing AP and masquerades the outward facing credentials."

What mechanism does the attack us to keep the current configuration while replacing the firmware. Does the attack work by cracking WPA passwords. Would this attack work against the maximum length of sixty three character passwords.
1. Re: Attack replaces firmware .. by Anonymous Coward · 2014-02-25 16:00 · Score: 4, Informative
  
  The article states chameleon attacks weakly protected acess points. If it finds a hardened one, like WAP, it moves on. It is a worm, not a virus, but the authors couldn't compare it to human contageon that way. I count myself lucky I never cought a worm. Virus, yes.
Re:It hides from detection? by AHuxley · 2014-02-25 15:58 · Score: 3, Insightful

Would your average well coded antivirus behavioural detection software care a lot if your wifi rebooted a few times?
No new data into the 'protected' OS, no OS changes, packets flowing in, out, network seems the same ...

--
Domestic spying is now "Benign Information Gathering"
Back in 1990.. by swb · 2014-02-25 16:00 · Score: 2

..when I worked at a large University, we had a massive AppleTalk/EtherTalk network with a ton of zones, most of which had LaserJet printers.
A cow-orker in another department and I wanted to come up with software that would let us dump files to these printers and somehow masquerade our source info so nobody would know it was us.
Too bad this probably pre-dated Goatse.
1. Re:Back in 1990.. by Ol+Olsoc · 2014-02-25 17:02 · Score: 3, Funny
  
  A cow-orker in another department and I wanted to come up with software
  How exactly does one ork a cow?
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
2. Re:Back in 1990.. by EvilIdler · 2014-02-25 18:16 · Score: 3, Funny
  
  One orker on each side.
3. Re:Back in 1990.. by antifoidulus · 2014-02-25 18:28 · Score: 2
  
  Like you've never been drunk and desperate enough to do it.
  
  --
  Monstar L
4. Re:Back in 1990.. by baKanale · 2014-02-26 06:44 · Score: 3, Funny
  
  Very carefully.
5. Re:Back in 1990.. by Badger+Nadgers · 2014-02-26 09:51 · Score: 1
  
  Tend to agree... Googled ORCA COW. first result: "How Does SeaWorld Masturbate their Stud Killer Whales? "
6. Re:Back in 1990.. by Ol+Olsoc · 2014-02-26 16:33 · Score: 1
  
  Like you've never been drunk and desperate enough to do it.
  We calls that stump breakin' them in this neck of the woods.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Re:seriously by AHuxley · 2014-02-25 16:06 · Score: 2

A simulation to help understand that from one site e.g. an embassy you could create a private redundant 24/7 wifi network deep into a city to an area of interest.
Counter surveillance efforts would see everyday random wifi use... missing the bust of a key logger days, weeks, months later.

--
Domestic spying is now "Benign Information Gathering"
Wondering how it really works by wvmarle · 2014-02-25 16:10 · Score: 2

Yes I read TFA, not the technical report though. Too technical for me.
It says the virus works by replacing the firmware of wifi routers. That sounds to me like they're tricking the router into accepting an over-the-air update. Which I suppose is limited to 1) a specific make and type of router and 2) knowing the OTA password for that router (or using a default that's not changed). So that sounds plausible for certain specific networks, not where there is a large number of different routers with different firmware and different passwords (or other security vulnerabilities).
What is not explained at all though is how the thing jumps from router to router, and I can't really think of a way this may happen. These things normally do not communicate wiht one another, and devices normally communicate to only one router at the time. Can anyone with deeper understanding explain this?
1. Re:Wondering how it really works by khasim · 2014-02-25 16:48 · Score: 1
  
  Can anyone with deeper understanding explain this?
  Stop being so modest. You've already hit the important issues.
  But if I may add to your post. Getting ACCESS over-the-air to do any of that requires 1 of 3 situations:
  1. A "back door" installed by the vendor. That is an account (username/password) that is, SUPPOSEDLY, only known by the vendor. That gives root access. This varies from vendor to vendor and product to product. So anything based upon this would only be able to hit WiFi routers A, B & C from vendor X. Not a real risk.
  2. A vulnerability in a running service that can be exploited to get root access. Again, this varies from vendor to vendor and product to product. So anything based upon this would only be able to hit WiFi routers A, B & C from vendor X. Not a real risk.
  3. The victim changing what is usually a DEFAULT setting NOT to allow over-the-air root access. And then using a password that is crackable in less than X years. This seems to be what the paper is describing.
  And then a LOT of WiFi routers within communication range of each other, all with scenario #3 (although different passwords). So that one cracked WiFi router can run a process (remember, hacked firmware) to find the password of another such router.
  So, yeah, you had it right.
  I'd say that there isn't really any way that this could work anywhere except in a lab. As a very badly designed "experiment".
2. Re:Wondering how it really works by wvmarle · 2014-02-25 17:05 · Score: 1
  
  The one part that I still don't get though is the actual spreading, as normally those wifi routers do not talk to one another, at all. Or is this part of what the firmware does; instead of being an access point making it act like a device, so it can connect to another access point?
3. Re:Wondering how it really works by khasim · 2014-02-25 17:24 · Score: 1
  
  Or is this part of what the firmware does; instead of being an access point making it act like a device, so it can connect to another access point?
  That's the way I'm reading it. The hacked firmware does BOTH. It still acts as a WiFi router so it isn't discovered.
  But it ALSO acts as a client to connect to another WiFi router.
  And it runs a new process to crack the password to that router's Over-the-Air root access.
  And some means of uploading the hacked firmware to the newly cracked router.
4. Re:Wondering how it really works by jargonburn · 2014-02-25 17:46 · Score: 1
  
  You are correct that the routers don't "talk" to each other by default. Some routers do offer a "wireless bridge" feature or similar that lets it connect to another access point for the purpose of sharing a network.
  However, this is purely a software contrivance. The only difference between a router that can connect to another router's WiFi and one that can't, is that one of them has been programmed to be able to behave like a client.
  
  Since the infection we're discussing is built on the idea of modifying a rouer's firmware (operating system), there's no reason it couldn't add that function.
  
  When I first considered it, such an attack seemed like nonsense; seriously? Relying on vendor back-doors to gain root access? Exploit vulnerable services offered by various routers? Build the majority of the infected network by relying on default username/password combinations (although, that part I actually already could accept)?
  Seemed far-fetched.
  However, it's not that this infection needs to contain a crazy amount of code for pulling this off...it could probably rely on the assistance of remote C&C servers from which it could retrieve pre-patched compatible firmware that matched the router it was taking control of. It would allow it to download updated password lists and possibly collaborate in brute-force attacks on problematic vendor equipment. Heck, these access points could be the new zombie apocalypse! Now, it's not your computer that's spamming internet servers in DDoS attacks...IT'S YOUR WHOLE GODDAMN NETWORK. LOL.
5. Re:Wondering how it really works by wvmarle · 2014-02-25 18:02 · Score: 1
  
  I'd say that there isn't really any way that this could work anywhere except in a lab. As a very badly designed "experiment".
  A city it won't work, too many different wifi routers, too many software versions. Unless a certain make and model would be so dominating that you'd always have one nearby. Netgear and LinkSys may have such penetration, I see those names all over the place.
  However it may work better within a large company as there they often use a single type of device, to keep maintenance easier. Those are also likely to be at the same patch level, contain the same backdoors and other vulnerabilities, and may even have the same (even if non-default) password. That may just work. Add to that initial remote infection over the Internet and the scenario becomes rather plausible.
  Not easy, but considering we also had Stuxnet, it is definitely plausible.
Pure BS. Nothing to see here by markgamache · 2014-02-25 16:15 · Score: 5, Funny

This is not science or IT security, it is pure PR crackpot FUD conjecture. The "Chameleon" virus doesn't exist. Please read my paper on my fake bluetooth virus. Bluetooth is MUCH more pervasive than Wifi. More cell phones than Wifi, more cars, and about the same number of computers. In my model, they all get infected and your wireless speakers, phones and computers play "It's a Small World" 24/7 until we all go crazy. It ends a lot like 28 Days later.
Re:seriously by markgamache · 2014-02-25 16:21 · Score: 2

No, they proved they can invent made up scary data. I think this is actually stolen straight from Schneier's site. It's pure movie plot silliness. https://www.schneier.com/blog/...
a lot of commonalities, db of exploits easy by raymorris · 2014-02-25 17:03 · Score: 1

Not that you're wrong, but I think you may be carrying it to far. Most APsand routers use one of two operating systems. The firmware on various models of Linksys routers , for example, is extremely similar and not that different from many Netgear models. So it's entirely likely that a single exploit works on about 25% of the units in a given city. In fact, we KNOW of several exploits that each work on 25% - the factory default passwords, telnetenable, etc. If the malware package looked for four or five different exploits, it could very well be effective against half of the APs in the city.
good explanation. no message within by raymorris · 2014-02-25 17:05 · Score: 1

As the subject says, there's no message here. Just a thumbs up to khasim's post.
Re:More sensationalism to keep their jobs probably by Buck+Feta · 2014-02-25 17:13 · Score: 1

Or, you know, use WPA2.

--
I am Audience.
Re:More sensationalism to keep their jobs probably by skids · 2014-02-25 17:18 · Score: 1

Require a jumper to be installed for any firmware writes to even be possible
Consumer equipment is designed with "plug and play" as its overriding objective. This won't fly because companies want to sell to people barely capable of plugging all the right cables into all the right holes. We're doomed to live with the proliferation of insecure living room equipment until such a point as paying attention to security is taught in kindergarten.

--
Someone had to do it.
Re:It hides from detection? by wvmarle · 2014-02-25 18:08 · Score: 1

Have it ping a specific site, telling that site "Hi, I'm totally fine!" which is a code word for "pwned!"
Just make sure it is using normal communications channels and your regular AV software, that doesn't know this specific signature yet, won't be able to detect it.
And in the "production" version you have it do something else entirely of course.
Re:seriously by wvmarle · 2014-02-25 18:10 · Score: 1

From TFA I understand that not only did they ran a computer simulation, they actually wrote the worm and ran it in a controlled environment, observing it spreading between access points.
"MadLibs: Buzzword Bingo Edition"! by rts008 · 2014-02-25 19:09 · Score: 1

That would cause a complete meltdown in the DOD if that ever made it inside the Pentagon.
It is very difficult to type while ROFLCoptering in a puddle of spewed Mountain Dew!

--
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Re:They called it what now? by SpzToid · 2014-02-25 22:46 · Score: 1

That whoosh generated a sonic boom or something.

--
You can't be ahead of the curve, if you're stuck in a loop.
Almost as bad as a Sandra Bullock movie by EmagGeek · 2014-02-26 00:09 · Score: 1

Just tell me this - does it make a screen go all blocky and distorted as it slowly takes over your computer?
Boring by RuckRuckuss · 2014-02-26 02:58 · Score: 1

Yea, I did the same thing with verizon actiontec routers. They are just silly unix machines peeps. I noticed that the linux wireless driver they were using could be put in RF mode and was capable of injection attacks to surrouding networks and cracking the neighbooring APs. They made it much easier than that though from a viral standpoint because they issued their routers with WEP keys calculated based on their mac address. Hacking the propriatary rmt file format to load my modified roms took a bit to figure out (cuzz no lamers like the posters of this article ever posted some original stuff like that hah). Anywho. Lame been done before - enjoy the publicity girls
Misleading title is misleading by EMG+at+MU · 2014-02-26 04:27 · Score: 1

The first sentence of the abstract:

"This paper analyses and proposes a novel detection strategy for the 'Chameleon’ WiFi AP-AP virus."
The virus uses the AP's web interface to trigger a firmware upgrade, and then provides a malicious firmware that contains code that spreads the virus. If this is the first time someone did that I'm going to kick myself for not going into security research. Given the plethora of open source AP firmware that already supports many commodity APs it should be trivial to do something like this. All you need is a sufficiently dense collection of APs that are compatible with your malicious firmware. We all already know that a poorly secured AP is a great attack vector, even without malicious firmware you can redirect all of the client's traffic through your own routers and you have your self a classic man in the middle.

The main point of this research is to show that they developed better detection methods that don't compromise any of the AP's client's expectation of privacy.