WiFi epidemiology: paper review
[Jan. 12th, 2008|02:43 am]
In the last week or two the paper WiFi Epidemiology: Can Your Neighbors' Router Make Yours Sick? has generated some press and discussion (although it was uploaded to the arXiv seven months ago). As can be expected, there is much cluelessness going around. Having actually read the paper, I felt I should add my comments to the mix. Note that this is not intended as a technical peer review but is aimed at a slightly wider audience.
Update. The authors have emailed me their comments to this post, which I have posted as a comment.
The question under investigation is simple: wireless router density in many urban areas is high enough to form a large connected network spanning major areas of the city. How far and how fast could malware spread by attacking these routers? The authors address this question by considering actual wireless router location data from 7 urban areas, and conclude via simulation that a large number (tens of thousands) of routers can be infected within two weeks.
The firmware issue. It is important to note that the paper only considers the question of epidemiology, i.e., the spread of infection. It says nothing about the ease of creating a worm that targets routers. Nor is this the first work to suggest that router firmware might be an attackable environment for malware (pdf). As far as I know, such a thing has never been tried in practice and may well prove insurmountable:
As anyone who has tried to build a system knows, there is a huge gap between a system that works in simulation and one that works in the real world. Things are especially unpredictable when there is a self-replication aspect.
- The worm needs to overwrite the router flash over wireless. This is obviously very tricky.
- Executing the new firmware involves a reboot. The user may notice.
- The new admin interface needs to look identical, or else the user may notice.
- Finally, current router firmware is very diverse.
In spite of these caveats, I like the result of the paper. What it demonstrates is that if the engineering problem of creating self-replicating firmware can be solved, then the planar topology of the network is not an inherent constraint, which is a very useful thing to know. I think the attack scenario is something we need to protect against.
Modeling. Moving on, let's look at the modeling in the paper. Most of it is satisfactory. The data appears to be comprehensive and accurate. There are several parameters in the model. To me, the most important one is the radius of interaction, which is the maximum distance two routers can be apart for one to infect the other. Throughout their experiments, the authors use a fixed value of 45m. I don't like this, considering that the size of the connected component of the graph varies greatly depending on the radius (fig. 1B in the paper). A model based on a variable radius would have been much more realistic.
The crypto parameters used, such as the percentage of routers that use encryption and the strength of user passwords are all informed by actual data, and I have no beef with them. The tri-state classification into susceptible, infected and recovered nodes appears to be a standard epidemiological model and generally makes sense.
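To make the two modeling points above concrete, here is an added example (not code from the paper or from this post's author) that places routers at constructed random locations, links any two within a chosen radius of interaction, measures the giant connected component, and then runs a simple discrete-time susceptible/infected/recovered (SIR) simulation over that graph. It goes slightly beyond the paper's single 45m setting by sweeping the radius, which is exactly the sensitivity the post asks about. Every parameter (router count, square size, per-contact infection probability, immune fraction standing in for WPA routers with strong passphrases, recovery time) is an assumption chosen for illustration, not a value from the paper.

```python
import random
from collections import deque


def make_routers(n, side_m, seed=1):
    """Constructed sample: n router locations placed uniformly in a side_m x side_m square (metres)."""
    rng = random.Random(seed)
    return [(rng.uniform(0, side_m), rng.uniform(0, side_m)) for _ in range(n)]


def build_graph(points, radius_m):
    """Adjacency lists: two routers are linked when they are within radius_m (the radius of interaction)."""
    r2 = radius_m * radius_m
    adj = [[] for _ in points]
    for i, (xi, yi) in enumerate(points):
        for j in range(i + 1, len(points)):
            xj, yj = points[j]
            if (xi - xj) ** 2 + (yi - yj) ** 2 <= r2:
                adj[i].append(j)
                adj[j].append(i)
    return adj


def giant_component(adj):
    """Return the vertex list of the largest connected component, found by BFS."""
    seen = [False] * len(adj)
    best = []
    for start in range(len(adj)):
        if seen[start]:
            continue
        comp, queue = [], deque([start])
        seen[start] = True
        while queue:
            u = queue.popleft()
            comp.append(u)
            for v in adj[u]:
                if not seen[v]:
                    seen[v] = True
                    queue.append(v)
        if len(comp) > len(best):
            best = comp
    return best


def giant_fraction_by_radius(points, radii_m):
    """Sweep the radius of interaction and report the giant component as a fraction of all routers."""
    return {r: len(giant_component(build_graph(points, r))) / len(points) for r in radii_m}


def simulate_sir(adj, seed_node, p_infect, immune_frac, recovery_days, days, seed=1):
    """Discrete-time SIR on the router graph.

    Each day a susceptible router with k infected neighbours is infected with probability
    1 - (1 - p_infect)**k. A fraction immune_frac of routers (hypothetically, WPA with a strong
    passphrase) starts in R and is never infected. Infected routers move to R after recovery_days
    (e.g. the owner reflashes). Returns the number of infected routers at the end of each day.
    """
    rng = random.Random(seed)
    S, I, R = 0, 1, 2
    state = [R if rng.random() < immune_frac else S for _ in adj]
    state[seed_node] = I
    infected_on = {seed_node: 0}
    history = []
    for day in range(1, days + 1):
        # 1. new infections are decided from the set infected at the start of the day
        newly = []
        for u, st in enumerate(state):
            if st != S:
                continue
            k = sum(1 for v in adj[u] if state[v] == I)
            if k and rng.random() < 1 - (1 - p_infect) ** k:
                newly.append(u)
        # 2. routers infected long enough recover
        for u, d0 in list(infected_on.items()):
            if day - d0 >= recovery_days:
                state[u] = R
                del infected_on[u]
        # 3. apply the new infections
        for u in newly:
            state[u] = I
            infected_on[u] = day
        history.append(sum(1 for st in state if st == I))
    return history


if __name__ == "__main__":
    pts = make_routers(800, 1000.0)            # constructed: 800 routers in a 1 km square
    print("giant component fraction by radius:", giant_fraction_by_radius(pts, [30, 45, 60, 90]))
    adj = build_graph(pts, 45)
    gc = giant_component(adj)
    hist = simulate_sir(adj, gc[0], p_infect=0.3, immune_frac=0.2, recovery_days=7, days=14)
    print("infected per day over two weeks:", hist)
```

Running the sweep shows the point made above: the giant component jumps from a small fraction of routers to most of them across a narrow band of radii, so a result computed at a single fixed radius is fragile. The SIR run is the same kind of experiment the paper reports, here on synthetic data, and changing immune_frac lets one test how many WPA routers it takes to fragment the giant component.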
Router mobility. There is one other aspect that I feel is insufficiently addressed. While treating the routers as static is largely accurate, the small percentage of routers that change location may significantly impact some aspects of the analysis. In the SF Bay Area, for instance, 10-20 wireless routers are listed for sale on craigslist every day. Routers also move when their owners move.
Because of this factor, I don't believe the claim that geographic features like rivers stop the spread of infection, nor the conclusion that "a few WPA routers at key bottlenecks can make entire subnetworks of the giant component impenetrable to the malware."
In fact, wardriving has already been suggested as a way of attacking wireless router firmware; combining wardriving with self-replication would pretty much eliminate the topological bifurcation issue.
Summarizing, while the overall conclusion of the paper is interesting, important and believable, I feel the authors should tighten up the modeling and better explore the difficulties involved in actually creating the type of malware in question.
As a final note, some Gartner "analyst" has made some poorly informed statements about the paper:
It's like worrying about earthquakes when you are living in tornado alley ... too many WLAN access points with insufficient security, quite often all they do is allow internet access. [Attacking Wi-Fi routers] is no different than an attacker connecting to the internet, so this doesn't appear to be a new risk.

That makes no sense: if an attacker controls the router, they can essentially control the machines that connect through it, such as by replacing downloaded executables with malicious ones.