First contagious WIFI virus

[xrad]

This is an interesting read........

"The team designed and simulated an attack by a virus, called "Chameleon," and found that not only could it spread quickly between homes and businesses, but it was able to avoid detection and identify the points at which WiFi access is least protected by encryption and passwords."

http://www.sciencedaily.com/releases/2014/02/140225112900.htm

[GuardMoony]

Worst nightmare?!

[digininja]

Cool research but it has been done before. Can't remember the details but it was research and only against a single vendor I think.

I also don't like the way they've described it

The propagation of the virus effectively constitutes an advanced rogue AP attack which is unique in that it occupies the exact location of the victim device.

this doesn't quite describe what they've done, to me this implies that they have placed a new AP in the same location rather than just infecting the existing one. I think just bad wording rather than anything else.

Most of the time the defence for this is just using strong keys on the AP and disabling WPS but you could have an instance where the low level drivers are vulnerable in which case just sending traffic to the AP could exploit it. This happened with madwifi-ng drivers years ago when Karma was becoming popular. Lots of people showed up at a conference with vulnerable machines and got popped.

[GuardMoony]

Most of the time the defence for this is just using strong keys on the AP and disabling WPS but you could have an instance where the low level drivers are vulnerable in which case just sending traffic to the AP could exploit it. This happened with madwifi-ng drivers years ago when Karma was becoming popular. Lots of people showed up at a conference with vulnerable machines and got popped.

That's OK for a business environment. But over here the 2 biggest ISP set there routers to have a standard open wifi network. Like Fon. In such a case a city wide infection would just take hours?

[digininja]

True, if there were a vuln in one of the firmwares that provided hotspots then that would be a good attack vector.

[digip]

That's OK for a business environment. But over here the 2 biggest ISP set there routers to have a standard open wifi network. Like Fon. In such a case a city wide infection would just take hours?

Yeah, Comcast offers free XFinity Wifi access all around my area to people who already have an account with them and not sure if they do it via peoples rented modems that have build in wifi, their cable boxes(which some now have wifi built in without them knowing, as well as cameras and microphones!) or have something setup in my town or with local businesses, like the McDonald's down the street I think uses XFinity to let you sign in for free wifi. You login to their portals using your main Comcast account though I think and need to already be a Comcast internet subscriber so I can see that being abused.

Wouldn't touch one with if you paid me though. I always wonder if any of them are rogue captive portal run on someones home network to capture logins and sniff Comcast accounts, but would be an easy target to spoof against unsuspecting users and attack their systems. VPN wouldn't even help in this case, since you can't get to or use your VPN service if you aren't logged onto the portal first for interet access, so VPN's wouldn't help save an end user in cases where they make you login with your account info for your ISP first, which you'd just be handing over your creds to the rogue AP if they're impersonating the captive portals well enough.

[GuardMoony]

Yup same kinda stuff over here. At least with the change to docsis 3 there modems now starting to use nat. Before that you got a direct internet ip adres. And could even find like printers of the neighbors and such on that network ;)