There's new proof that Wi-Fi is capable of propagating malware, and current antimalware is ineffective. Find out how to stop these attacks.
Three researchers from the University of Liverpool have created a piece of malware named Chameleon. The malware only attacks Wi-Fi Access Points (APs). It doesn't attack computers or mobile devices. Chameleon spreads by transmitting the malcode wirelessly, something unheard of until now.
In their paper, "Detection and analysis of the Chameleon Wi-Fi access point virus," the research team explained that once Chameleon gains a foothold on one AP, it then attempts to infect other Wi-Fi Access Points using the following steps:
- Locate nearby APs that are unencrypted (public Wi-Fi for example) and using default Admin settings.
- Save the targeted AP’s system settings.
- Replace the targeted AP’s firmware.
- Configure the now infected AP with the saved settings.
It may seem like an inordinate amount of work to just infect Wi-Fi Access Points, but the effort gives the attackers a great deal. By focusing on the Wi-Fi portion of the network instead of computers and mobile devices, the malware is unlikely to be detected using current antimalware technology. Here’s why:
- Networking devices are not protected by onboard antimalware programs.
is not revealed by Intrusion Detection Systems.
- The number of infected devices cannot be determined using existing forensic methods.
The research paper also notes that nothing appears physically or electronically out of order: “This attack replaces the firmware of an existing AP and masquerades the outward facing credentials. Thus, all visible and physical attributes are copied and there is no significant change in traffic volume or location information.”
Man in the Middle attacks
The mention above about Intrusion Detection Systems not detecting Chameleon is especially important. Currently, attackers are having significant success using rogue APs and Man in the Middle attack techniques to steal sensitive information from people using public Wi-Fi networks.
Sophisticated users will immediately say the solution is using a VPN or proxy service, and that is a valid point. The problem is that most people who use public Wi-Fi networks do not have access to, cannot afford, or are unfamiliar with those types of services.
Fortunately, responsible public Wi-Fi providers are installing Intrusion Detection Systems — the only effective system-wide defense — in an attempt to sniff out rogue APs and foil Man in the Middle attacks. However, it’s a safe bet that the bad guys are hard at work developing Chameleon-style malware.
Infection model and epidemiology
So, that is how Chameleon gets in place, remains undetected, and propagates. And as if that is not enough for one paper, the researchers also outlined the propagation metrics of Chameleon, in particular:
- The measure of virus success.
- The impact of product susceptibility.
- The rate of infection.
Wading through that portion of the report was daunting. Thankfully, one of the paper’s subtitles included the word epidemiology. It just so happens a friend of mine is a doctor. She saw the connection immediately. The researchers were comparing the propagation characteristics of Chameleon to those of a biological virus. For example, the paper mentions, “[T]he connectivity between devices (APs) in the victim population is the most significant influence on virus propagation.”
Sounds remarkably similar to what medical researchers consider a major influence on how well a biological virus propagates: “The spread of a virus is influenced by the number of people with whom an infected person comes in contact.”
How to detect Chameleon
Fortunately, the research team developed a way to detect Chameleon, explaining the details in the paper:
“The work then proposes and experimentally verifies the application of a detection method for the virus. This method utilizes layer-two management frame information which can detect the attack while maintaining user privacy and user confidentiality, a key requirement in many security solutions.”
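One way a defender could put layer-two management frame information to work, shown as an added example that is not the researchers' method or code from the paper: record the firmware-controlled fields of each AP's beacon as a baseline and report any that later change while the SSID stays the same. The choice of fields, the function names and the sample beacons are assumptions constructed for illustration.

```python
import struct

def parse_beacon_body(body: bytes) -> dict:
    """Parse an 802.11 beacon frame body (the bytes after the 24-byte MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    # Fixed fields: 8-byte timestamp, 2-byte beacon interval, 2-byte capabilities.
    _timestamp, interval, capabilities = struct.unpack_from("<QHH", body, 0)
    elements, pos = [], 12
    while pos + 2 <= len(body):               # tagged elements: id, length, value
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:               # truncated element: keep what parsed
            break
        elements.append((eid, value))
        pos += 2 + length
    return {"interval": interval, "capabilities": capabilities, "elements": elements}

def fingerprint(body: bytes) -> dict:
    """Reduce a beacon to fields set by the AP firmware, not by its users."""
    beacon = parse_beacon_body(body)
    els = beacon["elements"]
    return {
        "ssid": next((v for i, v in els if i == 0), b"").decode(errors="replace"),
        "interval": beacon["interval"],
        "capabilities": beacon["capabilities"],
        "ie_order": tuple(i for i, _ in els),
        "rates": next((v for i, v in els if i == 1), b"").hex(),
        "vendor_ouis": tuple(sorted({v[:3].hex() for i, v in els if i == 221 and len(v) >= 3})),
    }

def drift(baseline: bytes, observed: bytes) -> list:
    """Names of fingerprint fields that changed between two beacons of one BSSID."""
    old, new = fingerprint(baseline), fingerprint(observed)
    return sorted(k for k in old if old[k] != new[k])

def build(interval, caps, elements):          # helper for the constructed samples
    tagged = b"".join(bytes([i, len(v)]) + v for i, v in elements)
    return struct.pack("<QHH", 0, interval, caps) + tagged

RATES = bytes([0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C])
# Constructed beacons: same SSID and channel, but the second advertises a
# different capability set, rate list and vendor elements.
BASELINE = build(100, 0x0401, [(0, b"CafeGuest"), (1, RATES), (3, b"\x06"),
                               (221, bytes.fromhex("0050f2020101"))])
SUSPECT = build(100, 0x0421, [(0, b"CafeGuest"), (1, RATES[:4]), (3, b"\x06")])

if __name__ == "__main__":
    print("changed fields:", drift(BASELINE, SUSPECT))
```

Only beacon contents are read, so no user traffic is inspected; a legitimate firmware upgrade will also trigger drift and has to be reconciled against change records.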
Determining how to use Wi-Fi to propagate malware is a significant step. It allows Chameleon to avoid antimalware applications and Intrusion Detection Systems. Using Wi-Fi for malware propagation is also useful when one considers victim populations such as apartment buildings, where each apartment probably has a Wi-Fi network and walls seldom completely block RF signals.
The only for-sure option available right now is to stay away from unencrypted Wi-Fi networks, as Chameleon-style malware cannot compromise Wi-Fi network devices that are using wireless encryption.