Researchers Say Wi-Fi Virus Outbreak Possible

Posted by Zonk on Fri Jan 04, 2008 11:11 AM
from the batten-down-the-hatches dept.
alphadogg writes with a link to a NetworkWorld article about a troubling security scenario. Indiana University IT researchers are now saying that a WiFi attack intended to piggyback across unsecured access points could do serious damage in a city like Chicago or New York. By essentially brute-forcing the passwords on insecure routers, a worm-like firmware agent could be introduced to an estimated 20,000 networks in New York City alone. "Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write code that guessed default passwords by first entering the default administrative passwords that shipped with the router, and then by trying a list of one million commonly used passwords, one after the other. They believe that 36% of passwords can be guessed using this technique."
  • Ha! They'll never guess my router admin password, which is '5l@$hd0t.!st.ps0t!'
    • I see your new USB 'big F5' button working out well since the one on your keyboard died?

      Back on topic, I wonder what this new breed of virus will be called, if indeed it worked.. Weasles? WAIDs? Winfluenza? Actually Winfluenza could work on so many levels :)
      • WiThrax? WiVi? I hear Sony is actually pushing for Wiinfluenza for some reason.

      • Back on topic I wonder what this new breed of virus will be called, if indeed it worked.. Weasles? WAIDs? Winfluenza?

        It's called "linksys" and it's everywhere already!

    • Ha! They'll never guess my router admin password, which is '5l@$hd0t.!st.ps0t!'

      Ah, the classics never die, do they? My wifi password is... oh wait I don't have wifi
  • 36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAP's still have the manufacturer's default admin login.
    • Re: (Score:2, Insightful)

      36% seems like a severe lowball estimate, to me. I wouldn't be at all surprised if 1/3 of WAP's still have the manufacturer's default admin login.

      1/3 is 33 1/3%. How is that severely off of the 36% estimate?
      • I think grandparent is saying that he thinks that more than an additional 3% could be guessed from the list of a million commonly-used passwords. He could be right.

      • "1/3 is 33 1/3%. How is that severly off of the 36% estimate?"

        I think he means that if 33% alone are default passwords, with another huge chunk (maybe 10% - 15%?) being among the common million.

        On a more shocking note: Have you noticed that 40% of Slashdot posts made during the work week are done on Mondays and Fridays? :)

        • >>On a more shocking note: Have you noticed that 40% of Slashdot posts made during the work week are done on Mondays and Fridays? :)

          90% of the posts I make are during work. I visit three to four times a day. Of course I rarely respond in the same day. When I check my email account in the morning I read the responses to what I said and reply back. That way I don't get into stupid flame wars, or I can shut up when I put my foot on the keyboard.
      • The article cites 36% as default + dictionary. GP says a full 33.3% are probably default alone, with the implication that a dictionary attack would get more than 2.7% more, so therefore a combined 36% is "lowball".
  • Why brute force your way through when simply typing "admin" works far more often than it should?
  • by Facetious (710885) on Friday January 04 2008, @11:19AM (#21910142) Journal
    Holy crap! Maybe we should deal with existing security problems before we start with the imaginary ones.
    • Well we were fighting the "existing security problems" of the Russians when the Gulf War kicked off. Perhaps had we been working on "imaginary" problems like Iraq and Saddam Hussein in 1990, we wouldn't be in this 18-year cycle of off-and-on War with Iraq?

    • Oh no! Imaginary problems are best dealt with by imaginary solutions. You hold a press conference and weave imagery to the media. Then they write it up, imagining they have it right. Face it, they lack the imagination on their own. Imagine that...

      - I craftily set my D-Link SSID to "Linksys"
      • You know that's likely more secure than you would think.
        The vast majority of the "hackers" out there likely simply try the default admin password and (assuming that the D-Link is different) would give up and move on.
        -nB
  • by Dan East (318230) on Friday January 04 2008, @11:21AM (#21910174) Homepage
    How many router models and hardware revisions would the worm need to support to make this effective? It would take a great deal of resources to produce custom firmware for that many devices and hardware revisions, especially considering that people have been trying to produce custom firmware for specific devices for a long time without any success at all.

    On another note, configuring the router for administrative access only via ethernet would completely stop the problem.

    Dan East
    • On another note, configuring the router for administrative access only via ethernet would completely stop the problem.
      Making any changes to the out-of-box condition would severely curtail the problem. Unfortunately, far too many are just that - out-of-box and plugged in.
      • Unfortunately, far too many are just that - out-of-box and plugged in.

        I wonder if it is too much to expect that when the routers are first set up, the default password should expire on the first log-in and should require a different password. Are there any routers out there that do this? How come this isn't default behavior?
        • How many people do you think buy a router, plug it in, then never login to it?

          I'm betting most of these default name/password routers around have never been logged into even once by the owner.
          • Yup. Too many people don't even know that their router has an administrative interface.
          • Would covering the router ports with a note that indicates a required login to set it up be out of the question here? A little paper insert as part of the quick setup notes would go a long way to getting users to setup some basic configuration. A setup wizard at the minimum should require users to select a new password and allow them to walk through an informative configuration sequence.
            • by David_W (35680) on Friday January 04 2008, @12:27PM (#21911026)

              Would covering the router ports with a note that indicates a required login to set it up be out of the question here?

              They are getting there. A Linksys I recently picked up had a label over the ports reminding you to RUN CD FIRST. I'm assuming their CD will do things like change passwords and turn on encryption (wouldn't know since I prefer to do that manually).

    • Re: (Score:3, Interesting)

      How many router models and hardware revisions would the worm need to support to make this effective?

      Since wireless routers are (usually) connected to the Internet, the worm could "phone home" to some central repository in order to get the code it needs to attack different models. What I mean is that the virus wouldn't need to carry code for all makes/models. Instead, an infected access point would scan nearby access points (or computers) for open or crackable connections, and then access a central store for the exact methodology/code/virus needed to spread to those new access points. This also means that

    • Sveasoft has firmware for most of the ARM/Linux based routers, which covers all the common Linksys/Netgear models. All you'd need to do is make a hacked version of each one and put them on a server (or botnet).

      Then all a worm would need to is gain access to the router, and then notify the server that it has been cracked. The server takes it from there... it would connect to the router, identify its model number from the status page, and upload the appropriate firmware.

      With a little ingenuity it would not be
  • by dotpavan (829804) on Friday January 04 2008, @11:22AM (#21910186) Homepage
    They believe that 36 percent of passwords can be guessed using this technique.

    Solution: Use any of the 64 percent of the pwds

  • Even though a lot of people are idiots and leave the password at the default, there are still at least 3 or 4 different types of hardware (think Belkin, D-Link, NetGear, etc., and all the different models they each have available) that are in common use. This means that to be fully effective, a virus would need to contain several different firmware images of itself, and would have to store it all in the limited space available in the flash memory of the infected unit.

    Of course, you could choose to infe

    • IANA Virus Writer, but if my program had access to the Internet as well as another AP, I'd just download the required image for the next infection on the fly?
    • Don't remember what the OEM firmware does, but with the DD-WRT firmware on my WRT54GL, you're not permitted to enable remote router access with the default password in effect.

      rj
  • Really? (Score:4, Interesting)

    by MyDixieWrecked (548719) on Friday January 04 2008, @11:26AM (#21910250) Homepage Journal
    I'm not so familiar with Belkin, Netgear and all no-name wireless routers out there, but the newer (last year or two) Linksys WRT54G routers don't allow administrative access over the WLAN by default. You simply get an access denied page when attempting to access it. I'm kind of surprised that linksys doesn't just deny wireless connections to the administrator pages.

    Unfortunately, that means that I can no longer log in to those routers with default passwords and open up ports for myself when I'm on some stranger's network and it requires me to plug in when I need to make changes on my own networks.

    Of course, you should disable access to the administrator pages over the WLAN (or restrict it to a maintenance port if your router has one), change your administrator password (and username, if possible) and make sure you've got strong encryption with a strong password/key.

    When I was living in manhattan (2004-2005), there were over 20 visible wireless access points from my apartment. Running kismet and walking from the front to the back of my apartment with my powerbook, I could pick up closer to 30 networks and about 3/4 of them were password protected; mostly with WEP. Nowadays, living in brooklyn, I can pick up around 15 wireless networks and all but 2 are password protected and most are using WPA or WPA2.
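An added example, not code from the thread or from any router vendor: a small Python audit that encodes this post's checklist (no admin pages over the WLAN, changed admin username and password, strong WPA/WPA2 key) together with the DD-WRT behaviour mentioned in an earlier comment, that remote administration cannot be enabled while the default password is in effect. The credential and common-password lists are constructed stand-ins, not real wordlists.

```python
# Added example; not code from the thread or from any router vendor. It applies the
# hardening advice from the comments and the DD-WRT-style rule that remote
# administration may not be enabled while the default/weak admin password remains.

# Constructed sample lists: a few vendor-default logins and a tiny stand-in for the
# "one million commonly used passwords" wordlist the researchers describe.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "linksys"}
MIN_ADMIN_PASSWORD_LEN = 12
MIN_PSK_LEN = 16


def password_is_weak(user, password):
    """True if the admin login is a vendor default or would fall to a wordlist guess."""
    if (user, password) in DEFAULT_CREDENTIALS:
        return True
    return password.lower() in COMMON_PASSWORDS or len(password) < MIN_ADMIN_PASSWORD_LEN


def remote_admin_allowed(cfg):
    """DD-WRT-style gate: remote management only once the default/weak password is gone."""
    return not password_is_weak(cfg["admin_user"], cfg["admin_password"])


def audit_router(cfg):
    """Return a list of findings for a router configuration dict (empty list = hardened)."""
    findings = []
    user, pw = cfg["admin_user"], cfg["admin_password"]
    if (user, pw) in DEFAULT_CREDENTIALS:
        findings.append("admin login is a vendor default")
    elif password_is_weak(user, pw):
        findings.append("admin password is in a common-password list or too short")
    if cfg.get("wlan_admin", False):
        findings.append("admin interface reachable over the WLAN")
    if cfg.get("remote_admin", False) and not remote_admin_allowed(cfg):
        findings.append("remote admin enabled while the admin password is default or weak")
    enc = cfg.get("encryption", "none")
    if enc in ("none", "WEP"):
        findings.append(f"wireless encryption is {enc}; use WPA2 (or WPA)")
    elif enc in ("WPA", "WPA2") and len(cfg.get("psk", "")) < MIN_PSK_LEN:
        findings.append("WPA passphrase is too short")
    return findings


# Constructed samples: an out-of-box unit and a hardened one.
OUT_OF_BOX = {"admin_user": "admin", "admin_password": "admin", "wlan_admin": True,
              "remote_admin": True, "encryption": "none", "psk": ""}
HARDENED = {"admin_user": "netops", "admin_password": "Wr0ng-S1d3-0f-th3-Br1dg3",
            "wlan_admin": False, "remote_admin": False, "encryption": "WPA2",
            "psk": "correct-horse-battery-staple-2008"}

if __name__ == "__main__":
    for name, cfg in (("out-of-box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or ["no findings"])
```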
    • WPA is the security choice as it is harder to crack but not impossible.

      The trick is all you have to do is lock the front door. That prevents most random thieves. Though if you're sharing music via P2P, unlock your router. That way you can blame others.
      • Re: (Score:3, Insightful)

        Even if that is true, if remote management is not enabled, it doesn't matter if you have the password.

        I know it was that way on my linksys.
      • The problem with WPA is that certain manufacturers of certain non-computer wifi-devices decided not to support anything other than WEP...

        Damn stupid if you ask me.
    • Unfortunately, that means that I can no longer log in to those routers with default passwords and open up ports for myself when I'm on some stranger's network

      Unfortunately? You were taking advantage of a security flaw that has now been fixed.
  • I attended a talk that Steve Meyer (one of the presenters of the paper) gave at Purdue as part of the CERIAS Security Seminar Series. Link to the video is here [purdue.edu]. It's definitely worth a watch.
  • by j.sanchez1 (1030764) on Friday January 04 2008, @11:48AM (#21910540)
    I have a Linksys WRT54GL flashed with DD-WRT firmware. I use a MAC filter that only allows computers I SPECIFICALLY tell it to, I have disabled administrative access to the router wirelessly and changed the default login AND password, and I password protect my wireless access on top of all that. It took me about an hour (if I recall correctly) to set the router up, including flashing the DD-WRT firmware on it. But once it is done, I don't have to bother changing any more settings, aside from rotating the admin password and updating the MAC filter as needed.

    Just my take on it.
    • As a side point, MAC address filtering is tremendously ineffective.
      • As a side point, MAC address filtering is tremendously ineffective.

        Why is it ineffective? Is there some way to spoof a MAC Address? If so, how could someone get the MAC address of another computer they do not have physical access to?
        • Why is it ineffective? Is there some way to spoof a MAC Address?
          Yes, lots of hardware (especially routers) set their MAC Address in software.

          If so, how could someone get the MAC address of another computer they do not have physical access to?
          MAC Addresses are constantly being broadcast, it'd be trivial to catch one.
        • Yes, it is possible to spoof a MAC. Also, MAC addresses tend to be floating around in the air on wireless... a lot ;) If you can associate with the access point, you (easily) can catch quite a few active MACs.
  • by CounterZer0 (199086) on Friday January 04 2008, @11:50AM (#21910574) Homepage
    Church of Wifi has a hacked firmware-based worm that runs around and replaces firmware on APs, and then looks for other AP's to attack, and propagates itself.
    The key to this kind of attack, is that it could be potentially undetectable - how do you know if the linksys firmware was replaced or slightly modified or not?
    Another great use, would be to drop TOR endpoints on every single box infected :)
  • Why not make the password something like a printed number on the router itself? I know it's encoded in firmware, especially with the factory reset button, but it's not too hard to say read the ID and print up corresponding stickers. They already do it for the MAC address information.
  • by Shotgun (30919) on Friday January 04 2008, @02:57PM (#21913316)
    What happens when this virus spreads itself around, and then takes over an automated weapons manufacturing plant? I'll tell you what happens. It becomes SELF-AWARE. That's what happens. The next thing you know, we'll have governors showing up naked in deserted places and then beating up biker guys for their clothes. We have to stop this NOW!, before someone gets the bright idea of making a TV series about it.

    Aaaah!!! We're too late. Run for the hills!!

    • by crow (16139) on Friday January 04 2008, @11:28AM (#21910274) Homepage Journal
      They don't need to hold the dictionary. Anything that doesn't fit can be downloaded on demand. Most access points have access to the Internet, and residential access points are almost always outside of any firewall (they're usually the firewall themselves).
    • Wrong!

      You only need one computer to begin the process.

      1. This computer would scan for open routers, associating to each open router it finds.
      2. Then, it would try to access the administrative interface (usually done over http).
      3. If there is one, try the admin interface's default password.
      4. If it works (most of the times), attempt to overwrite the firmware
      5. If it works, the new firmware would propagate the worm, serving as the "computer" on step 1

      It can be done. To avoid it, you should change your admin inter

      • If it works (most of the times), attempt to overwrite the firmware
        And here you hit his point A. The worm would have to be incredibly complex to run on a wide variety of architectures and operating systems, and INCLUDE all those operating systems in the firmware image it uploads to the router...
    • Re: (Score:3, Insightful)

      I'm not sure if your post is serious as these questions have been answered many times in slashdot. Hiding your ESSID, not using DHCP and using MAC address filtering are insufficient in adding security as they are all part of any exchange between the router and wireless connections. The MAC address of existing machines can be found and copied in seconds. The ESSID and IP address can be found very easily as well. Hacking WEP encryption is also trivial. As a security measure, all these are completely pointle
        • Re: (Score:3, Insightful)

          The trick with wireless security is to segment it into independent layers.

          First, the router providing the wireless AP access should not be the same router firewalling your LAN from the rest of the Internet. This keeps "management" ports that might accidentally be open from being Internet accessible. This is hard sometimes. One router I have has two connections to my little LAN, one from one of its machine ports, and one from its "internet" port. This allows it to check for firmware upgrades and whatnot, l