Wi-Fi Virus

Researchers have demonstrated the first airborne Wi-Fi computer virus. The paper, by Jonny Milliken, Valerio Selis, and Alan Marshall, is "Detection and analysis of the Chameleon WiFi access point virus," EURASIP Journal on Information Security.

Abstract: This paper analyses and proposes a novel detection strategy for the 'Chameleon' WiFi AP-AP virus. Previous research has considered virus construction, likely virus behaviour and propagation methods. The research here describes development of an objective measure of virus success, the impact of product susceptibility, the acceleration of infection and the growth of the physical area covered by the virus. An important conclusion of this investigation is that the connectivity between devices in the victim population is a more significant influence on virus propagation than any other factor. The work then proposes and experimentally verifies the application of a detection method for the virus. This method utilises layer 2 management frame information which can detect the attack while maintaining user privacy and user confidentiality, a key requirement in many security solutions.

Posted on March 6, 2014 at 5:44 AM • 14 Comments

Comments

TIM • March 6, 2014 6:18 AM

Is it most likely that there are backdoors (as discovered in AVM, Linksys, Cisco, ...) in all public wifi-routers and such a virus could be used in cyberwar (drones over the enemy territory to implant trojans/viruses in networks or just to take the infrastructure offline)?

43jknf3kjnf • March 6, 2014 7:54 AM

TRANSLATION: Malicious FW ROM that likely uses browser or protocol exploits or patches downloaded binaries on the fly (which given how HTTP and FTP work I doubt is the case).

I'm assuming this isn't just a logger firmware since it's in the news. Else boring and ignore my translation.

TIM • March 6, 2014 8:31 AM

@ uh, Mike

If you suggest to put the wifi-ap into a faraday cage, then have fun with trying to connect :)

Or was there another intention I am not aware of?

Rick Auricchio • March 6, 2014 11:36 AM

@6535: "I wonder how quickly the NSA guys will be buying this virus kit."

No, no, you've got it backwards. The NSA is selling the kit overseas. How else can the US government justify all of the so-called cyberwarfare expenditures?

Brandioch Conner • March 6, 2014 12:37 PM

I saw this on Slashdot the other day. A few things from that article...

"The virus has been designed and practically demonstrated in a laboratory setting."

Okay. A laboratory proof-of-concept then.

Except ...

"This information was then used to inform an infection model to test the application of the virus in two urban environments: Belfast, Northern Ireland and London, England, with data extracted from Wigle.net."

Real world? Or not? A bit ambiguous there.

"APs are considered to be connectable if their separation lies within a certain radius, varied between 10 and 50 m in the model. The model initiates the virus by infecting an AP at random to act as a seed and then calculates how many days would be required to either infect or blacklist all APs in the area."

So it is a simulation of a "virus" attack that has never been seen outside of a laboratory.

And it seems that the method of attack used (admin access over WiFi) is not that common since it is disabled by default on most WiFi routers.

So I wouldn't be too worried about this. I'd be more concerned about the regular WiFi attacks using backdoors or worms exploiting vulnerabilities in default services.
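The propagation model quoted in the comment above, as an added sketch (not the paper's code and not the commenter's): APs within `radius` metres are connectable, one seed AP starts infected, and every reachable AP ends up infected or blacklisted. The coordinates, the `susceptible` flag and the one-hop-per-day rule are assumptions made for illustration; the paper used Wigle.net data instead.

```python
from collections import Counter

# Constructed sample data (not from the paper): (x_m, y_m, susceptible).
# "susceptible" is an assumed flag for an AP the virus could take over;
# the other APs can only be reached and blacklisted.
APS = [
    (0, 0, True), (8, 0, True), (16, 0, False), (24, 0, True),
    (60, 0, True), (60, 30, False), (100, 0, True), (100, 40, True),
]

def in_range(a, b, radius):
    """APs are connectable if their separation is within `radius` metres."""
    dx, dy = a[0] - b[0], a[1] - b[1]
    return dx * dx + dy * dy <= radius * radius

def simulate(aps, radius, seed=0):
    """Spread from one seed AP; assumes one hop per day (not from the page)."""
    state = ["clean"] * len(aps)
    state[seed] = "infected"
    frontier, days = [seed], 0
    while frontier:
        nxt, changed = [], False
        for i in frontier:
            for j, ap in enumerate(aps):
                if state[j] != "clean" or not in_range(aps[i], ap, radius):
                    continue
                if ap[2]:
                    state[j] = "infected"
                    nxt.append(j)  # newly infected APs spread the next day
                else:
                    state[j] = "blacklisted"  # reached but not infectable
                changed = True
        if changed:
            days += 1
        frontier = nxt
    counts = Counter(state)
    return {"days": days, "infected": counts["infected"],
            "blacklisted": counts["blacklisted"], "unreached": counts["clean"]}

if __name__ == "__main__":
    for radius in (10, 25, 50):  # the model varied the radius from 10 to 50 m
        print(radius, simulate(APS, radius))
```

With the same eight APs, widening the radius from 10 m to 50 m is the difference between the spread stalling after two APs and every AP being infected or blacklisted, which is the connectivity effect the abstract singles out.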

NobodySpecial • March 6, 2014 4:51 PM

@Brandioch - they demonstrated the attack on kit in the laboratory. Hopefully kit in the laboratory works the same as kit in the field - otherwise electrical safety testing is a bit of a waste of time.

They modelled the spread of a virus mathematically - this is generally a better approach than infecting a bunch of machines then sending out questionnaires to ask people if they are infected.

Buck • March 6, 2014 5:53 PM

@Milford

Hilarious! :-D

Both that bug/feature from Microsoft & this little gem at the bottom of the techdirt article:

"Eventually, it should die out as Windows XP machines finally go extinct, but for now, enjoy (but don't bother connecting) the 'Free Public WiFi' found in so many airports..." (Emphasis Buck's)
(Posted: October 11th, 2010 @ 9:49AM)
Must've missed that one a few years ago... Thanks for the reminder! ;-) Never ceases to amaze me - the potential for widespread consequences from simple computational errors; even without the addition of malicious intent!

Brandioch Conner • March 6, 2014 5:57 PM

@NobodySpecial

"Hopefully kit in the laboratory works the same as kit in the field - otherwise electrical safety testing is a bit of a waste of time."

So if any experiment ever performed had an error then every experiment ever performed is invalid?

:)

"They modelled the spread of a virus mathematically - this is generally a better approach than infecting a bunch of machines then sending out questionnaires to ask people if they are infected"

The problem is that it allows their assumptions to dictate the results.

I have 3 different WiFi routers on-hand here and every one of them has admin/root access disabled over WiFi by default. That's real-world.

Thomas • March 6, 2014 8:00 PM

@Brandioch Conner

"I have 3 different WiFi routers on-hand here and every one of them has admin/root access disabled over WiFi by default. That's real-world."

You must be using a better class of WiFi router...

I've dealt with a bunch here, supplied by the local Telcos, and none of them had the ability to disable admin over WiFi.

