Test Virus Proves Wireless Routers are Vulnerable

'Chameleon' attacks access points, takes over WLAN

Researchers have demonstrated it’s possible to create a computer virus that can infect wireless access points rather than computers, and use wireless networks to spread through the air like a human epidemic, from access point to access point, anywhere WiFi zones overlap.

Wanting to test the possibility that a virus could attack wireless access points and use them to infect other computers on the same WLAN as well as other WLANs, researchers at the University of Liverpool wrote and tested a virus dubbed “Chameleon” that replaces the firmware of an existing access point, takes it over, and uses its existing credentials to show itself as still functioning and secure to other devices on the network.

“When Chameleon attacked an AP it didn’t affect how it worked, but was able to collect and report the credentials of all other WiFi users who connected to it. The virus then sought out other WiFi APs that it could connect to and infect,” according to Alan Marshall, professor of network security at the university and senior author on the paper, which stemmed largely from thesis research done by lead author Jonny Milliken of Queen’s University in Belfast.

Since Chameleon is only present in the WiFi network, it escapes detection by most anti-virus programs.

Network-focused intrusion-detection systems should be able to pick it up, but they usually rely on changes in credentials to identify a problem. When Chameleon hijacks a wireless router, it takes over the credentials as well and presents itself as the same AP it was before infection, despite the dramatic nature of the attack and the subsequent activity of a rogue access point on the network, according to a paper published in October in the EURASIP Journal on Information Security.

The virus also takes over the actual, physical access point it attacks, rather than using an “evil twin” rogue-AP attack in which the malicious machine impersonates one that has not been compromised.

When it infects an AP, Chameleon scans the area for other potential APs it could attack, bypasses encryption security on the victim AP, bypasses the administrative interface, stores the AP’s system settings, replaces the firmware with a virus-loaded version, reloads the original system settings, and goes back on the air to propagate itself to the next victim WiFi network.

High levels of encryption or password protection can stop it from infecting one AP, but the virus continues to spread through open-access WiFi routers, devices with low-security embedded WiFi implementations, and apps with weak encryption, default or absent passwords.

The virus was able, in simulations used to test it, to spread far more quickly than viruses that attack computers or smartphones, saturating large parts of entire cities very quickly.

The more WLANs exist in a particular geographical area, the faster the virus can spread.
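The relationship between AP density, the share of well-protected APs and outbreak size can be explored with a small model. The following is an added example, not code from the researchers' paper: it assumes uniformly placed APs, a fixed radio range and certain infection of every unprotected AP in range, and all function names and parameter values are hypothetical.

```python
import math
import random
from collections import deque

def simulate_spread(n_aps, side_m, range_m, protected_fraction, seed=7):
    """Return (infected_count, rounds) for one outbreak on a square area.

    APs are placed uniformly at random; two APs are neighbours when they are
    within range_m of each other (overlapping WiFi zones). Protected APs
    (strong encryption and passwords) are never infected and never relay.
    """
    pos_rng = random.Random(seed)        # separate streams so that adding APs
    sec_rng = random.Random(seed + 1)    # keeps the earlier ones unchanged
    aps = [(pos_rng.uniform(0, side_m), pos_rng.uniform(0, side_m))
           for _ in range(n_aps)]
    protected = [sec_rng.random() < protected_fraction for _ in range(n_aps)]

    # Patient zero: the first AP that is not protected, if any.
    start = next((i for i, p in enumerate(protected) if not p), None)
    if start is None:
        return 0, 0

    # Breadth-first search: the hop count at which an AP is reached is the
    # round in which it would be infected.
    infected_round = {start: 0}
    queue = deque([start])
    while queue:
        i = queue.popleft()
        for j in range(n_aps):
            if j in infected_round or protected[j]:
                continue
            if math.dist(aps[i], aps[j]) <= range_m:
                infected_round[j] = infected_round[i] + 1
                queue.append(j)
    return len(infected_round), max(infected_round.values())

def sweep(densities=(50, 200, 800), protected=(0.0, 0.5, 0.9)):
    """Outbreak size as a share of all APs, per density and protection level."""
    return {(n, p): simulate_spread(n, 1000.0, 60.0, p)[0] / n
            for n in densities for p in protected}

if __name__ == "__main__":
    for (n, p), share in sweep().items():
        print(f"{n:4d} APs/km^2, {p:.0%} protected -> {share:.1%} infected")
```

Sweeping the protected fraction at a fixed density shows how many APs in an area need strong credentials before the overlapping coverage zones stop forming a connected path for the infection.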

The best chance of identifying or blocking a similar virus in the wild would be through wireless IDSes that monitor low-level (layer 2) network activity rather than using credential or virus signatures to identify infections. Even layer 2 scans were unreliable in lab tests, however.

The virus itself doesn’t exist in the wild. It was created as a test of the concept and ran only in a lab, though it is very likely that a malicious version could be created and released in the wild.

“It was assumed that it wasn’t possible to develop a virus that could attack WiFi networks but we demonstrated that this is possible and that it can spread quickly. We are now able to use the data generated from this study to develop a new technique to identify when an attack is likely,” Marshall and Milliken wrote.

