WiFi networks and malware epidemiology

Sistemi Complessi (Complex Systems), academic year 2013/2014

Marco Di Nicola


Contents

1 Introduction

2 Model

3 Simulation


Overview

Deployment of malware that spreads over the wireless channel of major urban areas (in order to launch massive fraudulent attacks, e.g. DDoS).

Target is a proximity network of WiFi routers.

They tend to be always on and connected to the internet.

There is no software aimed at specifically detecting or preventing their infection.

They may define an ad hoc communication network among themselves.

Objective: Epidemiological model that takes into consideration prevalent security flaws on these routers.

Weak protection/encryption.

Lack of proper configuration (default and poor password selection).


Today’s statistics

Extracted from the public worldwide database of the Wireless Geographic Logging Engine (WiGLE):

[Chart: networks by encryption type (None, WEP, WPA, WPA2, Unknown)]

Statistics over 130,122,845 WiFi networks.

2 Model

Scenario

Construction of a proximity network graph PN = (R, L).

R is a collection of routers’ geographic locations (expressed in latitude and longitude) from WiGLE.

The set of wireless links L between routers is built as follows:

    ∀ i, j ∈ R do {
        p_i = position(i)
        p_j = position(j)
        if (distance(p_i, p_j) ≤ R_int) then
            L = L ∪ {(i, j)}
    }

R_int is the maximum interaction radius.

Dependent on power, radio wave frequency, surrounding environment: ≈ 15–100 m.

Here assumed constant and independent of the actual location of a given router.


(A) Giant components for 4 different constant values of R_int

(B) Degree distribution for 4 values of R_int
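
The link-construction rule and the two measurements named in these captions (giant component and degree distribution), as an added Python example that is not code from the original slides. Distances use the haversine formula, and the six router coordinates are constructed for illustration, not WiGLE data.

```python
import math
from collections import Counter
from itertools import combinations

EARTH_RADIUS_M = 6_371_000

def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def build_links(positions, r_int):
    """Adjacency sets for L = {(i, j) : distance(p_i, p_j) <= R_int}."""
    adj = {i: set() for i in positions}
    for i, j in combinations(positions, 2):   # O(n^2); use a spatial index at city scale
        if haversine_m(positions[i], positions[j]) <= r_int:
            adj[i].add(j)
            adj[j].add(i)
    return adj

def giant_component(adj):
    """Largest connected component, found by depth-first search."""
    seen, best = set(), set()
    for start in adj:
        if start in seen:
            continue
        comp, stack = {start}, [start]
        while stack:
            for n in adj[stack.pop()] - comp:
                comp.add(n)
                stack.append(n)
        seen |= comp
        best = max(best, comp, key=len)
    return best

def degree_distribution(adj):
    """Map degree k -> number of routers with k links."""
    return Counter(len(nbrs) for nbrs in adj.values())

# Constructed coordinates (not WiGLE data): one meridian, 0.0003 deg of latitude ~ 33 m
ROUTERS = {"r0": (41.8800, -87.63), "r1": (41.8803, -87.63), "r2": (41.8806, -87.63),
           "r3": (41.8812, -87.63), "r4": (41.8815, -87.63), "r5": (41.8900, -87.63)}

if __name__ == "__main__":
    for r_int in (15, 45, 70, 100):
        adj = build_links(ROUTERS, r_int)
        print(r_int, len(giant_component(adj)), dict(degree_distribution(adj)))
```

On this sample the giant component grows from a single router at 15 m to three at 45 m and five at 70 m, which is the dependence on R_int that the captions refer to.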


Infection process

Infection of a susceptible router R_victim occurs when the malware of an already infected router R_infected is able to interface with its administrative interface over the wireless channel.

Steps:

1. R_infected bypasses the used cryptographic protocol and establishes a communication channel with R_victim.

2. R_infected bypasses the administrative password and takes control over R_victim’s configuration interface.

3. The attacker is now able to upload the worm’s code into the router’s firmware.


Cryptographic protocols

WEP is completely broken: weakness of Initialization Vectors (24-bit space) of the RC4 stream cipher used by the protocol.

Wait patiently for packets with the same vector to occur naturally in encrypted communication between a client and router.

    √ Only requires sniffing.

    × Might be very slow.

Create own traffic and manipulate it, making it far more likely to see such IVs.

    √ Takes ≈ 1 min.

    × Attacker needs to be able to produce nonstandard 802.11 communication frames.

First method is assumed to be used.

WPA(2) is assumed to be not vulnerable to attacks.


Administrative password

A large percentage of users do not change their password from the default established by the router manufacturer (assumption: same users who do not change their router's SSID) → these passwords are easily obtainable.

For all the other routers:

25%: password guessed with a dictionary of 65,000 words.

11%: password guessed with a dictionary of approximately 1,000,000 words.

64%: password cannot be guessed.

No back-off mechanism that would prevent systematic dictionary attacks exists on the routers.


Classes of individuals: SIR model

At any given instant, a router can belong to one of these classes:

S_pass1/S_pass2: password broken with smaller/larger dictionary attacks.

R_hidden: password cannot be bypassed (this condition is hidden to others, except for the attackers).


Dynamics

Disease dynamics are applied to each router by considering the actual state of the router and those of its neighbors.

Transitions among different classes will occur only if a router is attacked and can be described as a reaction process:

S_nopass + I → 2I

Transition rates are expressed as the inverse of the average time τ (minutes) needed to complete the attack.

E.g.: β (rate ruling the transition from S_nopass to I) = τ^−1 (with τ = 5 minutes: average time needed to infect a non-protected router).

Transition probabilities:

p_1: chance that a password for an S_pass1 router isn’t broken.

p_2: chance that a password for an S_pass2 router isn’t broken.


Transitions

No transitions between S_WEP and S_nopass: assuming that anyone who went through the trouble of enabling encryption would also change the default password.

3 Simulation

Setup

Scenario: Chicago

Seeds: 5

Interaction radius (R_int): 45 m

Transition rates/probabilities:

β = 0.2 (τ ≈ 5 mins.: simulation step).

β_1 = 0.14 (τ_1 ≈ 7 mins.: bypass password in the smaller dictionary).

β_2 = 0.007 (τ_2 ≈ 2 hours: bypass password in the larger dictionary).

β_WEP = 0.001 (τ_WEP ≈ 16 hours: crack the WEP encryption).

p_1 = 0.75.

p_2 = 0.85.

Starting class of a router (S_noenc, S_WEP, ...) is random, with probability distribution based on WiGLE statistics.

Choice of target:

Any attacker will target the router among its neighbors with the lowest visible security settings.

Simultaneous attacks aren’t allowed.
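
An added sketch of the dynamics using the Setup values above (example code, not from the original slides), showing how a router that cannot be attacked shields the routers behind it. It assumes one-minute time steps in which an attack stage completes with probability equal to its rate, and it assumes the transition graph S_WEP → S_pass1, S_pass1 → I or S_pass2 (with probability p_1), S_pass2 → I or R_hidden (with probability p_2), because the slides' transition diagram is not reproduced here. The class name R_WPA, the visibility ranking and the four-router topology are constructed.

```python
import random

# Per-minute completion rates and probabilities taken from the Setup slide
BETA = {"S_nopass": 0.2, "S_pass1": 0.14, "S_pass2": 0.007, "S_WEP": 0.001}
P1, P2 = 0.75, 0.85
# Assumed visible-security ranking: the password stage is not visible from outside
RANK = {"S_nopass": 0, "S_pass1": 0, "S_pass2": 0, "S_WEP": 1}

def attack_minute(cls, rng):
    """Class of a victim after one more minute under attack (assumed transition graph)."""
    if rng.random() >= BETA[cls]:
        return cls                                    # current stage not finished yet
    if cls == "S_WEP":
        return "S_pass1"                              # encryption bypassed, password stage next
    if cls == "S_nopass":
        return "I"                                    # default password: S_nopass + I -> 2I
    if cls == "S_pass1":
        return "S_pass2" if rng.random() < P1 else "I"
    return "R_hidden" if rng.random() < P2 else "I"   # S_pass2

def simulate(neigh, start, seeds, minutes, rng):
    """Return (final classes, infected count per minute) for adjacency dict `neigh`."""
    cls = {**start, **{s: "I" for s in seeds}}
    target, curve = {}, []                            # target: attacker -> current victim
    for _ in range(minutes):
        busy = set(target.values())
        for a in [n for n in cls if cls[n] == "I" and n not in target]:
            free = [v for v in neigh[a] if cls[v] in BETA and v not in busy]
            if free:                                  # weakest visible security first
                target[a] = min(free, key=lambda v: (RANK[cls[v]], str(v)))
                busy.add(target[a])                   # no simultaneous attacks on one victim
        for a, v in list(target.items()):
            cls[v] = attack_minute(cls[v], rng)
            if cls[v] not in BETA:                    # infected or R_hidden: attack is over
                del target[a]
        curve.append(sum(c == "I" for c in cls.values()))
    return cls, curve

# Constructed 4-router street: the WPA router "c" separates "d" from the seed "a"
NEIGH = {"a": ["b"], "b": ["a", "c"], "c": ["b", "d"], "d": ["c"]}
START = {"a": "S_nopass", "b": "S_WEP", "c": "R_WPA", "d": "S_nopass"}

if __name__ == "__main__":
    final, curve = simulate(NEIGH, START, ["a"], 20_000, random.Random(1))
    print(final, curve[-1])
```

Router "d" keeps its default password yet is never infected, because its only link to the seed passes through the WPA router.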

Simulation

[Slides 16 to 42: sequence of simulation figures]

Attack rate on Chicago varying the number of seeds.


Attack rate on Chicago varying the interaction radius.


Results

Sharp rise of the epidemic within the first 12 hours, followed by a slower increase.

Nonencrypted routers are infected in a single time step.

Progressive infection of WEP routers (attack time scale is ≈ 1 order of magnitude longer than others).

Remark:

Encryption percentage and geometrical constraints imposed by the urban area geography have a large impact on the propagation process.


Clockwise: San Francisco, Boston, Chicago and New York scenarios.


Attack rate as a function of encryption percentage in 4 different urban areas.


Conclusions

In preparation for the event of a massive and catastrophic malware invasion over the WiFi channel connecting several routers in an urban area...:

Get rid of those legacy products with WEP-only capabilities.

Pick some decent alphanumeric password for the administrative interface of your router.

Provide the subnetworks of the giant component with some WPA2-enabled routers at key bottlenecks.
