Scientists Demonstrate Virus That Spreads Across Wi-Fi Access Points
An anonymous reader writes "Researchers at the University of Liverpool have shown for the first time that WiFi networks can be infected with a virus that can move through densely populated areas as efficiently as the common cold spreads between humans. The team designed and simulated an attack by a virus, called 'Chameleon,' that not only could spread quickly between homes and businesses, but avoided detection and identified the points at which WiFi access is least protected by encryption and passwords. The research appears in EURASIP Journal on Information Security."
The technical details are explained in the journal article.
Scientists Rabid (Score:1)
Spreading viri like fur
Are a damaging habit
Against which suds can ensure
Burma Shave
Keyword; simulated (Score:4, Insightful)
Re:Keyword; simulated (Score:4, Informative)
My problems with TFA are:
1. Are they being paid by the word because they're throwing massive amounts of bullshit into it.
2.
That would be a "worm". Not a "virus". And a worm that attacks WiFi routers is NOT new.
Re: (Score:2)
Can somebody clarify once and for all the difference between a worm and a virus? Some concrete examples would be helpful too.
Re:Keyword; simulated (Score:5, Informative)
Worms hop from system to system without the need for any human interaction. They exploit vulnerabilities in services listening on ports. Worms need a network.
A virus infects other files with copies of itself. But an uninfected machine still needs someone to run one of those files on the uninfected machine to infect the uninfected machine.
Viruses are a lot less common now. Mostly you see trojans and worms and "blended" threats that are a mix of trojans and worms.
Re: (Score:1)
That might be the case, but it might also not be the case.
good explanation. no message within (Score:2)
As the subject says, there's no message here. Just a thumbs up to khasim's post.
Re: (Score:1)
You're using your own personal definition of virus unlike the rest of the world.
A worm generally causes no damage and just likes to spread. Virii generally cause damage and spread.
For the most part, however, they are the same thing and it's really a matter of malicious intent that makes the difference.
For instance, the sendmail worm (which you probably aren't old enough to even know about) had the effect of a virus simply because it was so prolific and spread so quickly thanks to the backdoor built into send
Re: (Score:1)
I should have added:
When everything became networked, viruses no longer required human interaction and sneaker net to be prolific.
Re:Keyword; simulated (Score:4, Insightful)
Oh, the irony. You just randomly made up your own definitions after accusing the (much more correct) OP of the same.
There is no stipulation regarding payload or lack thereof for a worm. What makes it a worm rather than a virus is that it is an independent, stand-alone program or file that doesn't attach itself to a host program or other file.
Again, no payload stipulation is appropriate. What makes it a virus is that it attaches to a host program or other file and spreads by attaching to other host programs or files.
Again, no. The RTM Worm was a worm because it did not attach to other programs; it was an independent program. Payload has absolutely nothing to do with it. The trouble it caused could have been quite intentional and that wouldn't change a thing. It was a worm regardless of the payload or lack thereof.
Re: (Score:3)
Sure it's easy to model the spread of a virus. It's another thing entirely to write one that can run on every commodity access point, with sufficient CPU power to crack all nearby passwords / keys.
Doesn't need to do that: crack the wifi key and you now have access to the whole network. From there you can install on *any* insecure device on the network - be it the AP itself, a Windows workstation, a NAS, smart TV, printer, whatever. If the device in question has its own wireless NIC (which is frequently the case if you've infected something like a laptop or smartphone) then you can find another wifi network, crack that, install on any device you find therein, rinse and repeat. Especially good for d
A Wifi Virus?! (Score:3, Funny)
We shall call it...the Flappy Bird Flu.
You're welcome.
Re: (Score:2)
That whoosh generated a sonic boom or something.
PostScript Virus (Score:5, Funny)
Re: (Score:2)
In meteorology, a butt is a visible mass of liquid droplets or frozen crystals made of water or various chemicals suspended in the atmosphere above the surface of a planetary body.[1] These suspended particles are also known as aerosols and are studied in the butt physics branch of meteorology.
I can see forever...
Back in 1990.. (Score:3)
..when I worked at a large University, we had a massive AppleTalk/EtherTalk network with a ton of zones, most of which had LaserJet printers.
A cow-orker in another department and I wanted to come up with software that would let us dump files to these printers and somehow masquerade our source info so nobody would know it was us.
Too bad this probably pre-dated Goatse.
Re:Back in 1990.. (Score:4, Funny)
A cow-orker in another department and I wanted to come up with software
How exactly does one ork a cow?
Re:Back in 1990.. (Score:4, Funny)
Re: (Score:2)
Like you've never been drunk and desperate enough to do it.
We calls that stump breakin' them in this neck of the woods.
Re:Back in 1990.. (Score:4, Funny)
"MadLibs: Buzzword Bingo Edition"! (Score:2)
That would cause a complete meltdown in the DOD if that ever made it inside the Pentagon.
It is very difficult to type while ROFLCoptering in a puddle of spewed Mountain Dew!
Re: (Score:3)
At college the admins used to spy on us regularly. We trolled them by creating files in DOS that had spaces in the name (alt-255) which they couldn't figure out how to open. Later we found that if you created a text file with a name like "hack.bat" that contained a few thousand 0x07 (bell) characters they would open it up and then immediately start hammering the keys as their editor tried to beep the speaker repeatedly for the next few days. Being DOS the only solution was to hit the hard reset button.
You c
Re: (Score:1)
Your college admins were using DOS and not some UNIX? Sounds fishy
Re: (Score:2)
I should point out that "college" in the UK is post-school, age 16 to 18. Then we go on to university, where we did have a mix of Windows/Netware and various Unix machines.
Re: (Score:2)
Being DOS the only solution was to hit the hard reset button.
Meh, you just map the int 00 vector onto int 05 and you're ready to go. Press "Print Screen" anytime to divide by zero and terminate current process.
From mapping to .... (Score:3)
"aircraft are all fitted with sophisticated surveillance equipment. "
http://www.dailymail.co.uk/new... [dailymail.co.uk]
Then the wifi mapping news e.g. "mapped the Wi-Fi fingerprint of nearly every major town in Yemen".
https://firstlook.org/theinter... [firstlook.org] (10 Feb 2014)
Expect more interest in any wifi network at a home, suburb and country based network level.
Attack replaces firmware .. (Score:1)
What mechanism does the attack use to keep the current configuration while replacing the firmware? Does the attack work by cracking WPA passwords? Would this attack work against the maximum length of sixty-three-character passwords?
Re: Attack replaces firmware .. (Score:4, Informative)
The article states Chameleon attacks weakly protected access points. If it finds a hardened one, like WAP, it moves on. It is a worm, not a virus, but the authors couldn't compare it to human contagion that way. I count myself lucky I never caught a worm. Virus, yes.
Re:It hides from detection? (Score:4, Insightful)
No new data into the 'protected' OS, no OS changes, packets flowing in, out, network seems the same
Re: (Score:2)
Have it ping a specific site, telling that site "Hi, I'm totally fine!" which is a code word for "pwned!"
Just make sure it is using normal communications channels and your regular AV software, that doesn't know this specific signature yet, won't be able to detect it.
And in the "production" version you have it do something else entirely of course.
Re: (Score:3)
Counter surveillance efforts would see everyday random wifi use... missing the bust of a key logger days, weeks, months later.
Re: (Score:2)
From TFA I understand that not only did they run a computer simulation, they actually wrote the worm and ran it in a controlled environment, observing it spreading between access points.
Wondering how it really works (Score:3)
Yes I read TFA, not the technical report though. Too technical for me.
It says the virus works by replacing the firmware of wifi routers. That sounds to me like they're tricking the router into accepting an over-the-air update. Which I suppose is limited to 1) a specific make and type of router and 2) knowing the OTA password for that router (or using a default that's not changed). So that sounds plausible for certain specific networks, not where there is a large number of different routers with different firmware and different passwords (or other security vulnerabilities).
What is not explained at all though is how the thing jumps from router to router, and I can't really think of a way this may happen. These things normally do not communicate with one another, and devices normally communicate to only one router at the time. Can anyone with deeper understanding explain this?
Re: (Score:2)
Stop being so modest. You've already hit the important issues.
But if I may add to your post. Getting ACCESS over-the-air to do any of that requires 1 of 3 situations:
1. A "back door" installed by the vendor. That is an account (username/password) that is, SUPPOSEDLY, only known by the vendor. That gives root access. This varies from vendor to vendor and product to product. So anything based upon this would only be able to hit WiFi routers A, B & C from v
a lot of commonalities, db of exploits easy (Score:2)
Not that you're wrong, but I think you may be carrying it too far. Most APs and routers use one of two operating systems. The firmware on various models of Linksys routers, for example, is extremely similar and not that different from many Netgear models. So it's entirely likely that a single exploit works on about 25% of the units in a given city. In fact, we KNOW of several exploits that each work on 25% - the factory default passwords, telnetenable, etc. If the malware package looked for four or fiv
Re: (Score:2)
The one part that I still don't get though is the actual spreading, as normally those wifi routers do not talk to one another, at all. Or is this part of what the firmware does; instead of being an access point making it act like a device, so it can connect to another access point?
Re: (Score:2)
That's the way I'm reading it. The hacked firmware does BOTH. It still acts as a WiFi router so it isn't discovered.
But it ALSO acts as a client to connect to another WiFi router.
And it runs a new process to crack the password to that router's Over-the-Air root access.
And some means of uploading the hacked firmware to the newly cracked router.
Re: (Score:2)
However, this is purely a software contrivance. The only difference between a router that can connect to another router's WiFi and one that can't, is that one of them has been programmed to be able to behave like a client.
Since the infection we're discussing is built on the idea of modifying
Re: (Score:2)
I'd say that there isn't really any way that this could work anywhere except in a lab. As a very badly designed "experiment".
In a city it won't work, too many different wifi routers, too many software versions. Unless a certain make and model would be so dominating that you'd always have one nearby. Netgear and LinkSys may have such penetration, I see those names all over the place.
However it may work better within a large company as there they often use a single type of device, to keep maintenance easier. Those are also likely to be at the same patch level, contain the same backdoors and other vulnerabilities, and may even have the
Pure BS. Nothing to see here (Score:5, Funny)
Re: (Score:2)
Require a jumper to be installed for any firmware writes to even be possible
Consumer equipment is designed with "plug and play" as its overriding objective. This won't fly because companies want to sell to people barely capable of plugging all the right cables into all the right holes. We're doomed to live with the proliferation of insecure living room equipment until such a point as paying attention to security is taught in kindergarten.
Almost as bad as a Sandra Bullock movie (Score:1)
Just tell me this - does it make a screen go all blocky and distorted as it slowly takes over your computer?
Boring (Score:1)
Misleading title is misleading (Score:2)
"This paper analyses and proposes a novel detection strategy for the 'Chameleon' WiFi AP-AP virus."
The virus uses the AP's web interface to trigger a firmware upgrade, and then provides a malicious firmware that contains code that spreads the virus. If this is the first time someone did that I'm going to kick myself for not going into security research. Given the plethora of open source AP firmware that already supports many commodity APs it should be trivial to do something like this. All you need is a sufficiently dense collection of APs that are compatible with you