The Latest Viral Threat?

I was reading a research paper some students from Indiana University had done this summer on what they called WiFi Epidemiology which made some interesting points.

First, they pointed out that the WiFi infrastructure around us is approaching a critical mass, where in some places, WiFi hotspots overlap to a degree sufficient to allow intercommunication.

Second, they suggested that malware and virus writers may soon begin to target WiFi routers, as the WiFi infrastructure has several very attractive characteristics, like carrying all that potentially information laden net traffic.

Third, the propose that the WiFi mesh around us is to varying degrees infectable depending on encryption type, and password strength.

Reading through their paper, it becomes obvious that everything they say is true, and there is definately a case to be made for a WiFi router based virus/worm/malware.

But as I read the Ars Technica comments, I came to the conclustion that in this case, they’ve definately underestimated the possibilities.

Rather than their simple router to router infection path, which can be affected by such things as proximity, and natural boundaries, consider, if you will, a mixed mode attack.

I envision a virus/worm that spreads from PC to PC, and as it spreads, looks for access credentials to local network segment connected routers.

Quite a simple task, really.

If the network address is a 192.168.x.x address, check your DHCP configuration information.

If there is locally cached credentials to access the router, use them, and from the configuration information, determine the router brand and model.

Download malicious payload and reflash the router (probably best done out-of-normal use hours) and Bob’s your uncle, the router is now able to capture “interesting traffic” and forward such intercepts to some location on the web.

The thing is, with deep packet inspection, the router can watch for email traffic, and automatically attach the virus, helping to spread it to others on the network.

Once the initial router infection is completed, the original virus can delete itself, leaving no trace that it was ever even on the computer.

This goes further than the original WiFi attack that was proposed in the paper, and I think is more compromising.

While such an attack would be costly in time to initially create, the value of the target traffic (banking information, gambling, health, and other financial information) is such that an organized team working for capitalistic rather than hacker-cred goals would find plenty of potential gain to drive them.

The attack could is made even easier by those network vendors who use OSS tools as a part of their router software, as the source code is available, to allow a significant leg up, compared to reverse engineering a monolithic block of proprietary code.

The flood of financial and personal data that would be able to be intercepted from homes, coffee shops, small offices, you name it, would be massive.

Because the infection lives on the network gateway, sniffing the network for signs of an infection would for the most part, be useless.

The time is ripe for stronger home network security measures, and network appliance (routers) vendors need to start looking at ways to better fend off this threat.