IMAGE: Hao Hu/Indiana University School of Informatics
Malware Takes Manhattan: A map of a simulated Wi-Fi worm attack on
Manhattan shows that 42 percent of the city’s 36 807 known routers
would be infected within the first 24 hours.

10 January 2008—Computer malware outbreaks
today—viruses, worms, and Trojan horses that infect
Internet-connected PCs—are global phenomena, attacking
computers from Paris to Palo Alto as if there were
no distance between them.
But, computer-security specialists say, in the near future some
malware epidemics could be more localized, jumping instead from
one Wi-Fi–connected device or router to another.

A group of four computer scientists from Indiana
University in Bloomington is examining the dangers of
the still-hypothetical “Wi-Fi worm.” Given the wealth of
personal data on most Wi-Fi–connected PCs—and the known
holes in some Wi-Fi security protocols—today's
widespread wireless Internet connections, they say,
should be monitored for malware spread over the
airwaves.

Their research, now under peer review at a leading
computer journal, reveals that simulated malware epidemics in
seven American cities infected thousands of wireless
routers in each city within just the first 24 hours of
the epidemic. In the group's New York City model, the
simulated worm burrowed into 18 000 routers within two
weeks.

Such an outbreak, says Steven Myers, assistant
professor at Indiana University's School of Informatics
and one of the researchers on the project, would hop
router to router in densely populated areas such as
Manhattan or downtown Chicago. To be effective, he
added, a Wi-Fi worm wouldn't need to then jump to the
PCs that link to the routers. Instead, like a parasite
living off its host, an infected router could simply
monitor the PCs' Internet connections and relay any
nonencrypted traffic back to the worm's creators. They
could then search the data streams for credit card
information or other valuable data.

IMAGE: Hao Hu/Indiana University School of Informatics
Chicago Falls Ill: A Wi-Fi router infection in Chicago spreads quickly.

The likelihood of a Wi-Fi data-mining attack on a city
comes down to a simple question of cost, says Myers.
“The attackers have an underground economy where... they
want to get the best payout for the least amount of
work,” he says. In that case, he notes, old-fashioned
viruses and e-mail phishing scams may be much cheaper
and easier to pull off than a Wi-Fi attack. “Our point
is to get people to take preventative measures before
they have to deal with the problem.”

No antivirus software exists today for Wi-Fi routers,
Myers says, nor would it be useful against a probable
outbreak. A router runs on firmware—code embedded in
the device—that only occasionally needs updating. A Wi-Fi
worm could exploit the standard firmware update process
and add its own malicious code that turns the router
into a little spy. Once a worm has installed itself in a
router's firmware, it could further be coded to
counteract any attempts to uninstall it. Any bona fide
Wi-Fi worms, says Myers, would likely be unremovable.
The only solution then would be to buy a new router.

Instead, he says, users can take two simple steps that
could stop a Wi-Fi epidemic cold: First, Wi-Fi access
should be password protected wherever possible, using
strong passwords that can't be cherry-picked out of
dictionaries. This would prevent a neighbor's infected
router from breaking into yours. Second, routers'
wireless security settings—found in the standard Wi-Fi
base-station setup software—should be either the Wi-Fi
Protected Access (WPA) or WPA2 protocol, not Wired
Equivalent Privacy (WEP). In 2001, researchers
discovered holes in the then-prevalent WEP standard,
revealing that WEP-protected Wi-Fi routers could be
cracked in two days or less.
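
The effect of those two steps on router-to-router spread can be seen in a small reachability model, given here as an added example that is not the Indiana group's model or code. Router positions are constructed at random, the 45 m radio range is an assumption, and the result is the worst-case set of routers an infection could eventually reach, ignoring timing.

```python
import random
from collections import deque

def make_routers(n, side_m, seed=1):
    """Constructed sample data: n routers placed uniformly in a square of
    side_m metres. Each router also gets a fixed draw u in [0, 1); it counts
    as hardened (WPA/WPA2 plus a strong password) when u < hardened_fraction,
    so raising the fraction only ever adds routers to the hardened set."""
    rng = random.Random(seed)
    return [(rng.uniform(0, side_m), rng.uniform(0, side_m), rng.random())
            for _ in range(n)]

def outbreak_size(routers, radio_range_m, hardened_fraction, patient_zero=0):
    """Worst-case eventual outbreak: the number of unhardened routers reachable
    from patient_zero through a chain of unhardened routers that are each
    within radio range of the previous one. Returns 0 if patient_zero itself
    is hardened."""
    vulnerable = [u >= hardened_fraction for _, _, u in routers]
    if not vulnerable[patient_zero]:
        return 0
    r2 = radio_range_m ** 2
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        xi, yi, _ = routers[queue.popleft()]
        for j, (xj, yj, _) in enumerate(routers):
            if (j not in infected and vulnerable[j]
                    and (xi - xj) ** 2 + (yi - yj) ** 2 <= r2):
                infected.add(j)
                queue.append(j)
    return len(infected)

def sweep(routers, radio_range_m, fractions):
    """Outbreak size for each hardened fraction, over the same router layout."""
    return {f: outbreak_size(routers, radio_range_m, f) for f in fractions}

if __name__ == "__main__":
    routers = make_routers(n=1500, side_m=2000)  # assumed density, not survey data
    for f, size in sweep(routers, 45, [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]).items():
        print(f"hardened {f:4.0%}: {size:5d} of {len(routers)} routers reachable")
```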

Security researcher Zulfikar Ramzan of Symantec says
he was impressed by the Indiana group's research but is
unconvinced that Wi-Fi worms would pose a real-world
threat anytime soon. “Overall, less than 20 percent of
the malicious-code samples Symantec sees actually
exploit a technical vulnerability on a system,” he said
via e-mail. “The remainder, more or less, exploit a
human vulnerability. In other words, the attacker
manages to convince the victim to compromise his own
security without the attacker having to do so.”

But Jon Kleinberg, a computer scientist at Cornell
University, says that the study reveals a new trend in
computer security: malware epidemics, spread wirelessly,
may soon look more like human viral outbreaks. Whereas
traditional malware propagates across the Internet
unrestrained by physical distance, Kleinberg says, “The
[Wi-Fi] contagion leaps across short physical distances
from one host to another.”