http://arstechnica.com/news.ars/post/20080102-wireless-router-security-flaws-could-fuel-viral-outbreak.html

By Joel Hruska
Ars Technica
January 02, 2008

Historically, the vast majority of trojans, worms, and viruses have targeted the (Windows) PC. Attack and propagation methods may have grown more sophisticated, but the PC has remained the focus of most malware. According to a paper written by a team of researchers at Indiana University, however, this could change in the future. According to the team's research (PDF) [1], an attack that specifically targets wireless routers and spreads between them at any point where coverage overlaps could quickly and easily propagate throughout an entire city.

Until recently, such an attack vector was considered unlikely. Wireless routers are inherently less secure than their wired counterparts, but the development of WPA encryption has increased (theoretical) wireless security significantly. More practically, wireless routers weren't deployed in sufficient numbers and didn't overlap their areas of coverage enough to present a significant propagation risk. As the density and scale of wireless coverage has expanded, however, the chance that a router-focused viral attack could cause significant damage has increased.

The IU team's goal was to map existing real-world wireless networks in various urban locations. Once this was done, the researchers simulated how quickly an infection would spread across the various networks tested and what general steps could be taken to prevent such attacks or reduce their severity. Modeled locations included Chicago, Boston, New York City, the San Francisco Bay area, Seattle, and both northern and southern Indiana. The data gathered from each area was then used to map the growth of a hypothetical viral infection. The team's infection model took the security states of the routers in each modeled area into account.
Routers were grouped by their use of encryption (WEP/WPA/none), whether or not the default password had been changed, and how easy the new password was to crack. Although the areas modeled differed considerably in size, composition, and geography, all of them demonstrated a sharp initial infection rate as the virus spread across non-encrypted routers. Routers using WEP encryption are infected in the second, slow-growth phase: the paper estimates that the use of WEP slows the infection rate, but does not stop it. For the purposes of the study, WPA-enabled routers with strong password protection are considered impregnable. By the time the infection phases had run their course, 10-55 percent of the routers in the measured area were controlled by malware.

Interestingly, the modeled router infection patterns resembled a biological equivalent. Router infections are slowed or stopped completely by geographical barriers such as rivers, for instance. Isolated areas with a limited chain of wireless connections leading back to the point of infection could remain entirely untouched if one router along the chain uses WPA. Such findings speak to the importance of strong security measures. Even if a minority of routers in any given area are using WPA, strategic positioning of such routers can prevent malware from escaping what becomes an effectively isolated area.

Fortunately, there are already two practical (and simple) ways to reduce the chance of infection, should such an attack surface. The IU researchers recommend that wireless node operators change from the default password to a strong alternative. Additionally, WPA-compliant hardware should be used whenever possible. WEP has too many flaws to be considered an effective security solution, but the team does note that even WEP's flawed encryption is better than no encryption at all.
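The spread model described above, as an added Python example that is not code from the paper or from the article: routers whose coverage discs overlap form a graph, each security class carries an assumed time-to-compromise (open: immediate, WEP: slowed, WPA with a strong password: never), and the earliest compromise time of every router is computed from a single starting point. The constructed neighbourhood shows one WPA router cutting off the rest of a chain and a gap (a "river") isolating a second cluster entirely. Class names, delays and the router layout are all assumptions.

```python
from dataclasses import dataclass
from heapq import heappush, heappop
from math import hypot

# Steps the worm needs to take over a router of each security class. These
# values are assumptions chosen to mirror the paper's qualitative findings:
# open routers fall at once, WEP slows but does not stop the attacker, and
# WPA with a strong password is treated as immune (None = never compromised).
COMPROMISE_DELAY = {"open": 1, "wep": 3, "wpa_strong": None}

@dataclass(frozen=True)
class Router:
    name: str
    x: float
    y: float
    radius: float   # coverage radius; overlapping discs form an infection edge
    security: str   # one of the keys of COMPROMISE_DELAY

def overlaps(a: Router, b: Router) -> bool:
    """Two routers can reach each other when their coverage discs overlap."""
    return hypot(a.x - b.x, a.y - b.y) <= a.radius + b.radius

def infection_times(routers, patient_zero):
    """Earliest step at which each router is compromised, found with Dijkstra
    over the overlap graph. Routers never reached are absent from the result."""
    by_name = {r.name: r for r in routers}
    times = {patient_zero: 0}
    frontier = [(0, patient_zero)]
    while frontier:
        t, name = heappop(frontier)
        if t > times[name]:          # stale queue entry
            continue
        for other in routers:
            delay = COMPROMISE_DELAY[other.security]
            if other.name == name or delay is None:
                continue             # self, or an impregnable WPA router
            if not overlaps(by_name[name], other):
                continue             # no coverage overlap, no path
            if other.name not in times or t + delay < times[other.name]:
                times[other.name] = t + delay
                heappush(frontier, (t + delay, other.name))
    return times

# Constructed neighbourhood: a chain of routers along one street with a WPA
# router in the middle, plus one router across a river with no overlap.
CITY = [
    Router("A", 0, 0, 6, "open"),
    Router("B", 10, 0, 6, "wep"),
    Router("C", 20, 0, 6, "wpa_strong"),   # breaks the chain at this point
    Router("D", 30, 0, 6, "open"),
    Router("E", 40, 0, 6, "open"),
    Router("F", 0, 30, 6, "open"),         # isolated by the river gap
]
```

Starting from A, only A and B are ever compromised; swapping C for an open router lets the worm reach E, while F stays clean in both cases because nothing overlaps it.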
To date, there have been no known attempts to attack a wireless network in this manner, but the increasing ubiquity of wireless connectivity makes such attacks almost inevitable. Given the relative ease with which the team's recommended security measures can be implemented, it makes far more sense to deal with such issues now than it does to ignore them.

[1] http://arxiv.org/PS_cache/arxiv/pdf/0706/0706.3146v1.pdf