Schneier on Security

A blog covering security and security technology.

« Difficult-to-Pronounce Things are Judged to Be More Risky | Main | HIPAA Accountability in Stimulus Bill »

February 18, 2009

Computer Virus Epidemiology

"WiFi networks and malware epidemiology," by Hao Hu, Steven Myers, Vittoria Colizza, and Alessandro Vespignani.

Abstract
In densely populated urban areas WiFi routers form a tightly interconnected proximity network that can be exploited as a substrate for the spreading of malware able to launch massive fraudulent attacks. In this article, we consider several scenarios for the deployment of malware that spreads over the wireless channel of major urban areas in the US. We develop an epidemiological model that takes into consideration prevalent security flaws on these routers. The spread of such a contagion is simulated on real-world data for georeferenced wireless routers. We uncover a major weakness of WiFi networks in that most of the simulated scenarios show tens of thousands of routers infected in as little as 2 weeks, with the majority of the infections occurring in the first 24–48 h. We indicate possible containment and prevention measures and provide computational estimates for the rate of encrypted routers that would stop the spreading of the epidemics by placing the system below the percolation threshold.

Honestly, I'm not sure I understood most of the article. And I don't think that their model is all that great. But I like to see these sorts of methods applied to malware and infection rates.

EDITED TO ADD (3/13): Earlier -- but free -- version of the paper.

Posted on February 18, 2009 at 5:53 AM • 10 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Calum • February 18, 2009 6:20 AM

I'm kinda with Bruce on this one. Are they talking about malware running on the router itself? In which case, I can kind of understand you might have a problem. On the other hand, it's one easily dealt with by not running a monoculture.

Josh O. • February 18, 2009 6:36 AM

I don't think multi-culture is a panacea though. It just makes the most successful worms the ones that are able to exploit multiple platforms at once. If some one waited and got a hand full of exploits on many different systems, and took the time to make their worm portable to multiple platforms, I think we would be in trouble. Adding router exploits to the list is even more potent, since that is many home network's first line of defense.

Routers are probably less likely to be patched, and the options for running a different OS on any particular brand of router is very limited to the average joe.

Nicholas Weaver • February 18, 2009 7:29 AM

Is there a copy not behind a paywall?

And I'm reminded of this Usenix Security paper from a year or two ago:
http://www.usenix.org/events/sec07/tech/...

Douglas Leeder • February 18, 2009 7:54 AM

I've found a copy not behind a paywall:
http://arxiv.org/abs/0706.3146

Different titles, but same authors and abstract.

waitwhatwhoa • February 18, 2009 8:58 AM

see also: http://sysnet.ucsd.edu/~cfleizac/publications/... which applies a similar methodology to the propagation of worms through cell phone networks via the phones' address books.

PiP • February 18, 2009 12:01 PM

In a real-world environment this type of attack is currently very low-risk; re-flashing the firmware on a typical router is a difficult process that usually takes multiple attempts, hardware resets, and often ends in failure. If a skilled and deliberate firmware upgrade has such a low success rate, I doubt that any malware will be able to successfully spread through it. Compare it to a disease that kills its victim before it has a chance to spread to other hosts.

Davi Ottenheimer • February 18, 2009 12:06 PM

"I like to see these sorts of methods applied"

Reads like a movie plot to me -- snakes on your router.

aaron • February 18, 2009 1:11 PM

i would definitely see that movie

Mike W • February 18, 2009 4:55 PM

There are a few flaws in the analysis, including:
1) Not all WiFi routers run the same or similar firmware or OS, so spreading the virus involves adapting to different hardware/firmware.
2) WPA doesn't make the router immune; a poorly chosen common password using WPA-PSK is vulnerable to this attack.
3) It's doubtful that most (or even many) routers will have the capability to do the computations associated with cracking WEP. Even if they did, the necessary time to succeed would likely be much longer than 24-48 hours.

This was a good effort, but mostly undone by a very casual analysis of the underlying technologies associated with wireless technologies. A more likely scenario is an infection of mobile phones enabled by those annoying bluetooth earphones ("snakes on your blackberry")

Mike W

laptop asus • May 26, 2010 4:47 AM

In a real-world environment this type of attack is currently very low-risk; re-flashing the firmware on a typical router is a difficult process that usually takes multiple attempts,

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D