Discussion:
IEEE spectrum article on Wifi Worms
Keith Lofstrom
2008-01-23 22:10:10 UTC
http://www.spectrum.ieee.org/jan08/5877

The article doesn't explain how it is possible to inject new firmware
into a wifi router without a hardwire link; the APs I know about
are normally managed over the user-side hardwired ethernet ports.

Keith
--
Keith Lofstrom keithl-cQ9U58XuirDQT0dZR+***@public.gmane.org Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
--
The Personal Telco Project - http://www.personaltelco.net/
Donate to PTP: http://www.personaltelco.net/donate
Un/Subscribe: http://lists.personaltelco.net/mailman/listinfo/general/
Archives: http://news.gmane.org/gmane.network.wireless.portland.general/
Etiquette: http://www.personaltelco.net/index.cgi/MailingListEtiquette
Russell Senior
2008-01-23 22:36:46 UTC
Keith> http://www.spectrum.ieee.org/jan08/5877

Keith> The article doesn't explain how it is possible to inject new
Keith> firmware into a wifi router without a hardwire link; the APs I
Keith> know about are normally managed over the user-side hardwired
Keith> ethernet ports.

If there is a vulnerability (always a possibility), it might be
possible to remotely reflash a device. However, it seems to me this
would be fairly challenging, in that you'd have to have a version of
firmware to reflash that is right for each device (there is
considerable variability between devices, how they are flashed, etc.;
you'd need to know exactly which device you were on and have a version
specifically adapted to it) and you'd need a way to flash it.
Furthermore, it seems like a dumb thing to worry about, since lots of
hosts are connected over much more reliable media, namely wires.

I guess I am glad that academics are thinking about various potential
problems, but this one sounds particularly academic to me.
--
Russell Senior, Secretary
russell-LS+HbC+***@public.gmane.org
Irving Popovetsky
2008-01-23 22:52:17 UTC
2 comments:

1. Last I checked, almost all Linksys devices allow themselves to be
flashed via wireless by default, via the web interface. Experience
shows that most Linksys owners use open wireless, and leave the password
as the default. Most folks change the ESSID these days, but not much
else. I'm sure this is the case for most other major consumer-focused
wireless vendors as well. I'm fairly certain I could put together a
proof of concept script in Perl and LWP without much effort.
It would actually be harder to figure out how to ROUTE and differentiate
between all of these devices that are all IP'ed as 192.168.1.1/24. The
rest is easy.

2. To address Russell's point: Exploits are generally developed 1
target at a time, starting with the most popular devices. Even exploits
need to be QA'ed. In the above example you would ID each device as you
access the web interface, auto exploit the ones you know about and
catalog the rest for later exploitation.

-Irving
--
-Irving Popovetsky Principal Consultant
ProStructure Consulting http://www.prostructure.com
Network and Security Consulting phone: (503) 288-1566 x201
"Crafting Connectivity that Matters"
Tyler Booth
2008-01-23 23:19:19 UTC
Post by Irving Popovetsky
1. Last I checked, almost all Linksys devices allow themselves to be
flashed via wireless by default, via the web interface. Experience
shows that most Linksys owners use open wireless, and leave the password
as the default. Most folks change the ESSID these days, but not much
else. I'm sure this is the case for most other major consumer-focused
wireless vendors as well. I'm fairly certain I could put together a
proof of concept script in Perl and LWP without much effort.
It would actually be harder to figure out how to ROUTE and differentiate
between all of these devices that are all IP'ed as 192.168.1.1/24. The
rest is easy.
If your exploit is already re-flashing the device, there would be no
problem flashing it with a derivative of roofnet to take care of routing;
your exploit could very easily target a vendor based on the BSSID/MAC of
the device.
Jim Blandy
2008-01-23 23:38:27 UTC
Post by Irving Popovetsky
1. Last I checked, almost all Linksys devices allow themselves to be
flashed via wireless by default, via the web interface.
I could be misremembering, but I'm pretty sure my WRT54GL didn't allow
administration via wireless by default. You had to connect via a wire
and then enable it.
Russell Senior
2008-01-24 00:23:05 UTC
Irving> 2. To address Russell's point: Exploits are generally
Irving> developed 1 target at a time, starting with the most popular
Irving> devices. Even exploits need to be QA'ed. In the above
Irving> example you would ID each device as you access the web
Irving> interface, auto exploit the ones you know about and catalog
Irving> the rest for later exploitation.

The upside to all this is that, if something like this were to
actually happen, lots of exploited, reflashable devices would be
hitting Free Geek and/or the resale market, which would indirectly
benefit PTP. So, a) do not do this; and b) if you do, thank you. ;-)

That's a joke, folks.
--
Russell Senior, Secretary
russell-LS+HbC+***@public.gmane.org
Michael Weinberg
2008-01-24 00:31:43 UTC
Post by Keith Lofstrom
http://www.spectrum.ieee.org/jan08/5877
The article doesn't explain how it is possible to inject new firmware
into a wifi router without a hardwire link; the APs I know about
are normally managed over the user-side hardwired ethernet ports.
It seems to me that a fairly simple defense would be to only allow 5
login attempts from a single DHCP lease. With a typically configured
router (24 hour lease time, /24), that would be only 1270 login
attempts a day, or a ponderous 51 days to try every word in the
article-referenced 65,000 word dictionary.

Changing the password to anything but the default would result in a
reasonably secure device without forcing the average (lazy) user to
introduce difficult-to-recall passwords.

Michael
Tyler Booth
2008-01-24 02:00:11 UTC
A distributed attack could easily cut this down to ((65,000) / Num of
infected APs within range) words. In a dense urban environment it's
feasible that a distributed attack could cut the 51 day window down to
a single 24 hour period. A better solution would be to not allow
configuration by WAN or WLAN by default. The real problem is that
there are thousands of unprotected APs with default passwords already
out there... but only a fraction are easily crackable/flashable (open
platform systems).

Tyler Booth // President
ph. 503.548.2000 | fx. 503.548.2002
921 SW Washington St, Suite 224
Portland OR 97205
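Michael's per-lease attempt cap, together with the "no configuration from WAN or WLAN by default" setting Tyler and Jim describe, written out as a small defensive model. This is an added example for the thread, not code from the Spectrum article, from any router vendor, or from the list posters. The class and function names (LoginLimiter, simulate_day, attempts_per_day), the "lan"/"wlan" interface labels, and the sample address and word lists are assumptions made here; the figures (5 attempts, a 24-hour lease on a /24, the 65,000-word dictionary, 1270 attempts a day, about 51 days) are the thread's own.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Figures taken from the thread: Michael's proposed cap, a typical 24-hour
# lease on a /24, and the 65,000-word dictionary the article cites.
MAX_ATTEMPTS_PER_LEASE = 5
LEASE_SECONDS = 24 * 3600
USABLE_HOSTS_IN_SLASH24 = 254      # 256 addresses minus network and broadcast
DICTIONARY_WORDS = 65_000


@dataclass
class LoginLimiter:
    """Per-client-address failed-login counter for a router admin interface.

    A client that has used up its attempts is refused until its lease window
    (the time it could plausibly hold that address) expires. Configuration is
    refused outright from interfaces not listed in admin_interfaces, which is
    the "no admin from WAN or WLAN by default" setting discussed in the thread.
    The counter lives in memory; all names here are hypothetical.
    """
    max_attempts: int = MAX_ATTEMPTS_PER_LEASE
    window: int = LEASE_SECONDS
    admin_interfaces: FrozenSet[str] = frozenset({"lan"})
    _failures: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def attempt(self, client_ip: str, interface: str,
                password_ok: bool, now: int) -> str:
        """Record one login attempt; return 'ok', 'denied', 'locked' or
        'wrong_interface'. `now` is seconds on a monotonic clock."""
        if interface not in self.admin_interfaces:
            return "wrong_interface"
        count, start = self._failures.get(client_ip, (0, now))
        if now - start >= self.window:
            count, start = 0, now                 # lease window rolled over
        if count >= self.max_attempts:
            self._failures[client_ip] = (count, start)
            return "locked"
        if password_ok:
            self._failures.pop(client_ip, None)   # success clears the counter
            return "ok"
        self._failures[client_ip] = (count + 1, start)
        return "denied"


def attempts_per_day(max_attempts: int = MAX_ATTEMPTS_PER_LEASE,
                     hosts: int = USABLE_HOSTS_IN_SLASH24,
                     lease_seconds: int = LEASE_SECONDS) -> int:
    """Worst-case guesses the limiter admits per day when a client cycles
    through every address in the subnet: attempts x addresses x windows/day."""
    windows_per_day = 86_400 // lease_seconds
    return max_attempts * hosts * windows_per_day


def days_to_exhaust(words: int = DICTIONARY_WORDS, per_day: int = None) -> float:
    """Days needed to try every word at the admitted rate (65,000 / 1,270)."""
    return words / (per_day if per_day is not None else attempts_per_day())


def simulate_day(limiter: LoginLimiter, client_ips: List[str],
                 wordlist: List[str]) -> int:
    """Drive the limiter through one lease window: every client address tries
    each word in turn and none is correct. Returns how many guesses actually
    reached password checking ('denied') rather than being refused ('locked')."""
    admitted, t = 0, 0
    for _ in wordlist:
        admitted_now = 0
        for ip in client_ips:
            if limiter.attempt(ip, "lan", password_ok=False, now=t) == "denied":
                admitted_now += 1
        if admitted_now == 0:
            break          # every address is locked for the rest of the window
        admitted += admitted_now
        t += 1             # one second per round, well inside the 24-hour window
    return admitted


# Constructed sample inputs: all 254 usable hosts of a /24 and a stand-in wordlist.
SAMPLE_CLIENTS = [f"192.168.1.{n}" for n in range(1, 255)]
SAMPLE_WORDLIST = ["apple", "banana", "cherry", "damson", "elder", "fig", "grape"]

if __name__ == "__main__":
    lim = LoginLimiter()
    print("guesses admitted in one window:", simulate_day(lim, SAMPLE_CLIENTS, SAMPLE_WORDLIST))
    print("worst case per day:", attempts_per_day())
    print("days to exhaust the dictionary: %.1f" % days_to_exhaust())
    print("admin login over wlan:", lim.attempt("192.168.1.7", "wlan", True, 0))
```

The simulation makes the cap's property explicit: however many words are tried, the limiter admits at most 5 x 254 = 1270 guesses per window against one device, and a locked address is only unlocked when its window rolls over. The interface check sits in front of the counter, so with the default `admin_interfaces` the lockout never comes into play for a wireless client at all, which is the stronger of the two defenses the thread proposes.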