Three researchers from the University of Liverpool have created a piece of malware named Chameleon. The malware only attacks Wi-Fi Access Points (APs). It doesn’t attack computers or mobile devices. Chameleon does this by transmitting the malcode wirelessly — something unheard of until now.

In their paper, “Detection and analysis of the Chameleon Wi-Fi access point virus,” the research team explained that once Chameleon gains a foothold on one AP, it then attempts to infect other Wi-Fi Access Points using the following steps:

  1. Locate nearby APs that are unencrypted (public Wi-Fi, for example) and using default Admin settings.
  2. Save the targeted AP’s system settings.
  3. Replace the targeted AP’s firmware with Chameleon.
  4. Configure the now-infected AP with the saved settings.

It may seem like an inordinate amount of work to just infect Wi-Fi Access Points, but the effort gives the attackers a great deal. By focusing on the Wi-Fi portion of the network instead of computers and mobile devices, the malware is unlikely to be detected using current antimalware technology. Here’s why:

  • Networking devices are not protected by onboard antimalware programs.
  • Chameleon is not revealed by Intrusion Detection Systems.
  • The number of infected devices cannot be determined using existing forensic methods.

The research paper also alludes to the fact that nothing physically and electronically appears out of order: “This attack replaces the firmware of an existing AP and masquerades the outward facing credentials. Thus, all visible and physical attributes are copied and there is no significant change in traffic volume or location information.”

Man in the Middle attacks

The mention above about Intrusion Detection Systems not detecting Chameleon is especially important. Currently, attackers are having significant success using rogue APs and Man in the Middle attack techniques to steal sensitive information from people using public Wi-Fi networks.

Sophisticated users will immediately say the solution is using a VPN or proxy service, and that is a valid point. The problem is that most people who use public Wi-Fi networks do not have access to, cannot afford, or are unfamiliar with those types of services.

Fortunately, responsible public Wi-Fi providers are installing Intrusion Detection Systems — the only effective system-wide defense — in an attempt to sniff out rogue APs and foil Man in the Middle attacks. However, it’s a safe bet that the bad guys are hard at work developing Chameleon-style malware.

Infection model and epidemiology

So, that is how Chameleon gets in place, remains undetected, and propagates. And as if that is not enough for one paper, the researchers also outlined the propagation metrics of Chameleon, in particular:

  • The measure of virus success.
  • The impact of product susceptibility.
  • The rate of infection.

Wading through that portion of the report was daunting. Thankfully, one of the paper’s subtitles included the word epidemiology. It just so happens a friend of mine is a doctor. She saw the connection immediately. The researchers were comparing the propagation characteristics of Chameleon to those of a biological virus. For example, the paper mentions, “[T]he connectivity between devices (APs) in the victim population is the most significant influence on virus propagation.”

Sounds remarkably similar to what medical researchers consider a major influence on how well a biological virus propagates: “The spread of a virus is influenced by the number of people with whom an infected person comes in contact.”
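To make the three metrics listed above concrete, here is a small simulation added for this article; it is not the researchers' model or code. It assumes APs scattered at random in a unit square, a hypothetical `radio_range` within which two APs can reach each other, and a `susceptible_fraction` standing for APs that are unencrypted and still on default Admin settings.

```python
import math
import random

def build_population(n, susceptible_fraction, seed=1):
    """Place n APs in a unit square (assumed layout) and flag susceptible ones."""
    rng = random.Random(seed)
    positions = [(rng.random(), rng.random()) for _ in range(n)]
    # Susceptible = unencrypted and using default Admin settings (step 1 above).
    susceptible = [rng.random() < susceptible_fraction for _ in range(n)]
    susceptible[0] = True  # AP 0 is the first infected device
    return positions, susceptible

def simulate(positions, susceptible, radio_range):
    """Return the cumulative infected count per round (round 0 = first AP).

    Each round, every newly infected AP infects all susceptible APs within
    radio_range. Hardened APs never become infected and never relay.
    """
    infected = {0}
    frontier = [0]
    cumulative = [1]
    while frontier:
        next_frontier = []
        for ap in frontier:
            for other in range(len(positions)):
                if other in infected or not susceptible[other]:
                    continue
                if math.dist(positions[ap], positions[other]) < radio_range:
                    infected.add(other)
                    next_frontier.append(other)
        if next_frontier:
            cumulative.append(len(infected))
        frontier = next_frontier
    return cumulative

if __name__ == "__main__":
    # Constructed parameters: 300 APs, two susceptibility levels, three ranges.
    for fraction in (0.2, 0.6):
        pos, sus = build_population(300, fraction)
        for reach in (0.05, 0.10, 0.20):
            curve = simulate(pos, sus, reach)
            print(f"susceptible={fraction:.0%} range={reach:.2f} "
                  f"infected={curve[-1]:3d} rounds={len(curve) - 1}")
```

The last value of each curve is the outbreak size (virus success), the curve's growth per round is the rate of infection, and lowering `susceptible_fraction` shows how hardened APs break the chain between neighbours.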

How to detect Chameleon

Fortunately, the research team developed a way to detect Chameleon, explaining the details in the paper:

“The work then proposes and experimentally verifies the application of a detection method for the virus. This method utilizes layer-two management frame information which can detect the attack while maintaining user privacy and user confidentiality, a key requirement in many security solutions.”

Final thoughts

Determining how to use Wi-Fi to propagate malware is a significant step. It allows Chameleon to avoid antimalware applications and Intrusion Detection Systems. Using Wi-Fi for malware propagation is also useful when one considers victim populations such as apartment buildings, where each apartment probably has a Wi-Fi network and walls seldom completely block RF signals.

The only for-sure option available right now is to stay away from unencrypted Wi-Fi networks, as Chameleon-style malware cannot compromise Wi-Fi network devices that are using wireless encryption.