
Scientists Demonstrate Virus That Spreads Across Wi-Fi Access Points

Posted by Soulskill
from the proof-of-concept dept.
An anonymous reader writes "Researchers at the University of Liverpool have shown for the first time that WiFi networks can be infected with a virus that can move through densely populated areas as efficiently as the common cold spreads between humans. The team designed and simulated an attack by a virus, called 'Chameleon,' that not only could spread quickly between homes and businesses, but avoided detection and identified the points at which WiFi access is least protected by encryption and passwords. The research appears in EURASIP Journal on Information Security." The technical details are explained in the journal article.

  • Scientists rabid
    Spreading viri like fur
    Are a damaging habit
    Against which suds can ensure
    Burma Shave
  • Keyword; simulated (Score:4, Insightful)

    by complete loony (663508) <Jeremy.Lakeman@gma i l . c om> on Tuesday February 25, 2014 @10:18PM (#46342097)
    Sure it's easy to model the spread of a virus. It's another thing entirely to write one that can run on every commodity access point, with sufficient CPU power to crack all nearby passwords / keys.
    • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday February 25, 2014 @10:30PM (#46342183)

      My problems with TFA are:

      1. Are they being paid by the word? Because they're throwing massive amounts of bullshit into it.

      2.

      A new form of compromised AP attack has been demonstrated and analysed in [4], called the 'Chameleon' attack, perpetrated by the Chameleon virus.

      That would be a "worm". Not a "virus". And a worm that attacks WiFi routers is NOT new.

      • by noh8rz10 (2716597)

        Can somebody clarify once and for all the difference between a worm and a virus? Some concrete examples would be helpful too.

        • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday February 25, 2014 @11:20PM (#46342437)

          Worms hop from system to system without the need for any human interaction. They exploit vulnerabilities in services listening on ports. Worms need a network.

          A virus infects other files with copies of itself. But an uninfected machine still needs someone to run one of those files on the uninfected machine to infect the uninfected machine.

          Viruses are a lot less common now. Mostly you see trojans and worms and "blended" threats that are a mix of trojans and worms.

          • That might be the case, but it might also not be the case.

          • As the subject says, there's no message here. Just a thumbs up to khasim's post.

          • by BitZtream (692029)

            You're using your own personal definition of virus unlike the rest of the world.

            A worm generally causes no damage and just likes to spread. Virii generally cause damage and spread.

            For the most part however, they are the same thing and it's really a matter of malicious intent that makes the difference.

            For instance, the sendmail worm (which you probably aren't old enough to even know about) had the effect of a virus simply because it was so prolific and spread so quickly thanks to the backdoor built into send

            • by BitZtream (692029)

              I should have added:

              When everything became networked, viruses no longer required human interaction and sneaker net to be prolific.

              • by Anonymous Coward
                No. You shouldn't have. You should have gone off and learned the subject matter you are trying to teach before trying to "teach" your misinformation to others.
            • by Zero__Kelvin (151819) on Wednesday February 26, 2014 @10:16AM (#46345777) Homepage

              "You're using your own personal definition of virus unlike the rest of the world."

              Oh, the irony. You just randomly made up your own definitions after accusing the (much more correct) OP of the same.

              "A worm generally causes no damage and just likes to spread."

              There is no stipulation regarding payload or lack thereof for a worm. What makes it a worm rather than a virus is that it is an independent, stand alone program or file that doesn't attach itself to a host program or other file.

              "Virii generally cause damage and spread."

              Again, no payload stipulation is appropriate. What makes it a virus is that it attaches to a host program or other file and spreads by attaching to other host programs or files.

              "Still a worm though, because that overload was a bug, not a feature."

              Again, no. The RTM Worm was a worm because it did not attach to other programs; it was an independent program. Payload has absolutely nothing to do with it. The trouble it caused could have been quite intentional and that wouldn't change a thing. It was a worm regardless of the payload or lack thereof.

          • by doas777 (1138627)
            Good distinctions, but a point of clarification. Worms are self contained and target Systems (OSs, embedded devices of particular make, etc). They contain all the code necessary to spread from system to system using whatever media they are designed for. Viruses target applications with communications capabilities. A spam virus for instance generally targets an email client for instance. The virus requires the vulnerable application to transmit itself from vulnerable system to vulnerable system however;
    • Sure it's easy to model the spread of a virus. It's another thing entirely to write one that can run on every commodity access point, with sufficient CPU power to crack all nearby passwords / keys.

      Doesn't need to do that: crack the wifi key and you now have access to the whole network. From there you can install on *any* insecure device on the network - be it the AP itself, a Windows workstation, a NAS, smart TV, printer, whatever. If the device in question has its own wireless NIC (which is frequently the case if you've infected something like a laptop or smartphone) then you can find another wifi network, crack that, install on any device you find therein, rinse and repeat. Especially good for d

  • by Anonymous Coward on Tuesday February 25, 2014 @10:19PM (#46342101)

    We shall call it...the Flappy Bird Flu.

    You're welcome.

  • by Greyfox (87712) on Tuesday February 25, 2014 @10:28PM (#46342161) Homepage Journal
    I wanted to do something like that on network-attached postscript printers a few years back, but didn't have an easy way to open a network socket in PostScript. My virus would have moved from printer to printer and done nothing else except replace every instance of the word "Strategic" with the word "Satanic" on printed documents.
    • ..when I worked at a large University, we had a massive AppleTalk/EtherTalk network with a ton of zones, most of which had LaserJet printers.

      A cow-orker in another department and I wanted to come up with software that would let us dump files to these printers and somehow masquerade our source info so nobody would know it was us.

      Too bad this probably pre-dated Goatse.

    • That would cause a complete meltdown in the DOD if that ever made it inside the Pentagon.

      It is very difficult to type while ROFLCoptering in a puddle of spewed Mountain Dew!

    • by AmiMoJo (196126) *

      At college the admins used to spy on us regularly. We trolled them by creating files in DOS that had spaces in the name (alt-255) which they couldn't figure out how to open. Later we found that if you created a text file with a name like "hack.bat" that contained a few thousand 0x07 (bell) characters they would open it up and then immediately start hammering the keys as their editor tried to beep the speaker repeatedly for the next few days. Being DOS the only solution was to hit the hard reset button.

      You c

      • by BitZtream (692029)

        Your college admins were using DOS and not some UNIX? Sounds fishy

        • by AmiMoJo (196126) *

          I should point out that "college" in the UK is post-school, age 16 to 18. Then we go on to university, where we did have a mix of Windows/Netware and various Unix machines.

      • by CSMoran (1577071)

        Being DOS the only solution was to hit the hard reset button.

        Meh, you just map the int 00 vector onto int 05 and you're ready to go. Press "Print Screen" anytime to divide by zero and terminate current process.

  • by AHuxley (892839) on Tuesday February 25, 2014 @10:34PM (#46342199) Homepage Journal
    In the past the news was just about listening, tracking and mapping
    "aircraft are all fitted with sophisticated surveillance equipment. " ...The aircraft are able to identify suspects using 'voice-prints' ...
    http://www.dailymail.co.uk/new... [dailymail.co.uk]
    Then the wifi mapping news e.g. "mapped the Wi-Fi fingerprint of nearly every major town in Yemen".
    https://firstlook.org/theinter... [firstlook.org] (10 Feb 2014)
    Expect more interest in any wifi network at a home, suburb and country based network level.
  • "This attack replaces the firmware of an existing AP and masquerades the outward facing credentials."

    What mechanism does the attack use to keep the current configuration while replacing the firmware? Does the attack work by cracking WPA passwords? Would this attack work against the maximum length of sixty three character passwords?
    • by Anonymous Coward on Tuesday February 25, 2014 @11:00PM (#46342335)

      The article states chameleon attacks weakly protected access points. If it finds a hardened one, like WAP, it moves on. It is a worm, not a virus, but the authors couldn't compare it to human contagion that way. I count myself lucky I never caught a worm. Virus, yes.

  • by wvmarle (1070040) on Tuesday February 25, 2014 @11:10PM (#46342383)

    Yes I read TFA, not the technical report though. Too technical for me.

    It says the virus works by replacing the firmware of wifi routers. That sounds to me like they're tricking the router into accepting an over-the-air update. Which I suppose is limited to 1) a specific make and type of router and 2) knowing the OTA password for that router (or using a default that's not changed). So that sounds plausible for certain specific networks, not where there is a large number of different routers with different firmware and different passwords (or other security vulnerabilities).

    What is not explained at all though is how the thing jumps from router to router, and I can't really think of a way this may happen. These things normally do not communicate with one another, and devices normally communicate to only one router at the time. Can anyone with deeper understanding explain this?

    • by khasim (1285)

      Can anyone with deeper understanding explain this?

      Stop being so modest. You've already hit the important issues.

      But if I may add to your post. Getting ACCESS over-the-air to do any of that requires 1 of 3 situations:

      1. A "back door" installed by the vendor. That is an account (username/password) that is, SUPPOSEDLY, only known by the vendor. That gives root access. This varies from vendor to vendor and product to product. So anything based upon this would only be able to hit WiFi routers A, B & C from v

      • Not that you're wrong, but I think you may be carrying it too far. Most APs and routers use one of two operating systems. The firmware on various models of Linksys routers, for example, is extremely similar and not that different from many Netgear models. So it's entirely likely that a single exploit works on about 25% of the units in a given city. In fact, we KNOW of several exploits that each work on 25% - the factory default passwords, telnetenable, etc. If the malware package looked for four or fiv

      • by wvmarle (1070040)

        The one part that I still don't get though is the actual spreading, as normally those wifi routers do not talk to one another, at all. Or is this part of what the firmware does; instead of being an access point making it act like a device, so it can connect to another access point?

        • by khasim (1285)

          Or is this part of what the firmware does; instead of being an access point making it act like a device, so it can connect to another access point?

          That's the way I'm reading it. The hacked firmware does BOTH. It still acts as a WiFi router so it isn't discovered.

          But it ALSO acts as a client to connect to another WiFi router.

          And it runs a new process to crack the password to that router's Over-the-Air root access.

          And some means of uploading the hacked firmware to the newly cracked router.

        • You are correct that the routers don't "talk" to each other by default. Some routers do offer a "wireless bridge" feature or similar that lets it connect to another access point for the purpose of sharing a network.
          However, this is purely a software contrivance. The only difference between a router that can connect to another router's WiFi and one that can't, is that one of them has been programmed to be able to behave like a client.

          Since the infection we're discussing is built on the idea of modifying
      • by wvmarle (1070040)

        I'd say that there isn't really any way that this could work anywhere except in a lab. As a very badly designed "experiment".

        A city it won't work, too many different wifi routers, too many software versions. Unless a certain make and model would be so dominating that you'd always have one nearby. Netgear and LinkSys may have such penetration, I see those names all over the place.

        However it may work better within a large company as there they often use a single type of device, to keep maintenance easier. Those are also likely to be at the same patch level, contain the same backdoors and other vulnerabilities, and may even have the

  • by markgamache (2811197) on Tuesday February 25, 2014 @11:15PM (#46342411)
    This is not science or IT security, it is pure PR crackpot FUD conjecture. The "Chameleon" virus doesn't exist. Please read my paper on my fake bluetooth virus. Bluetooth is MUCH more pervasive than Wifi. More cell phones than Wifi, more cars, and about the same number of computers. In my model, they all get infected and your wireless speakers, phones and computers play "It's a Small World" 24/7 until we all go crazy. It ends a lot like 28 Days later.
  • Just tell me this - does it make a screen go all blocky and distorted as it slowly takes over your computer?

  • Yea, I did the same thing with Verizon Actiontec routers. They are just silly unix machines peeps. I noticed that the linux wireless driver they were using could be put in RF mode and was capable of injection attacks to surrounding networks and cracking the neighboring APs. They made it much easier than that though from a viral standpoint because they issued their routers with WEP keys calculated based on their mac address. Hacking the proprietary rmt file format to load my modified roms took a bit to figur
  • The first sentence of the abstract:

    "This paper analyses and proposes a novel detection strategy for the 'Chameleon' WiFi AP-AP virus."

    The virus uses the AP's web interface to trigger a firmware upgrade, and then provides a malicious firmware that contains code that spreads the virus. If this is the first time someone did that I'm going to kick myself for not going into security research. Given the plethora of open source AP firmware that already supports many commodity APs it should be trivial to do something like this. All you need is a sufficiently dense collection of APs that are compatible with you
