Introduction Model Simulation
WiFi networks and malware epidemiology
Sistemi Complessi (Complex Systems), academic year 2013/2014
Marco Di Nicola
Marco Di Nicola WiFi networks and malware epidemiology 1 / 49
Contents
1 Introduction
2 Model
3 Simulation
Overview
Deployment of malware that spreads over the wireless channel of major urban areas (in order to launch massive fraudulent attacks, e.g. DDoS).
Target is a proximity network of WiFi routers.
They tend to be always on and connected to the internet.
There is no software aimed at specifically detecting or preventing their infection.
They may define an ad hoc communication network among themselves.
Objective: Epidemiological model that takes into consideration prevalent security flaws on these routers.
Weak protection/encryption.
Lack of proper configuration (default and poor password selection).
Today’s statistics
Extracted from the public worldwide database of the Wireless Geographic Logging Engine (WiGLE):
[Chart of networks by encryption type: None, WEP, WPA, WPA2, Unknown]
Statistics over 130,122,845 WiFi networks.
Scenario
Construction of a proximity network graph PN = (R, L).
R is a collection of routers’ geographic locations (expressed in latitude and longitude) from WiGLE.
The set of wireless links L between routers is built as follows:
    ∀ i, j ∈ R do {
        pi = position(i)
        pj = position(j)
        if (distance(pi, pj) ≤ Rint) then
            L = L ∪ {(i, j)}
    }
Rint is the maximum interaction radius.
Dependent on power, radio wave frequency, surrounding environment: ≈ 15–100 m.
Here assumed constant and independent of the actual location of a given router.
(A) Giant components for 4 different constant values of Rint
(B) Degree distribution for 4 values of Rint
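The construction of PN = (R, L) and its giant component can be reproduced as follows. This is an added example, not code from the slides: the haversine distance, the union-find helper, all function names and the four sample coordinates are assumptions made for illustration.

```python
import math
from collections import Counter

EARTH_RADIUS_M = 6371000.0

def distance_m(p, q):
    """Great-circle (haversine) distance in metres between (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def proximity_network(positions, r_int):
    """Return L: every pair (i, j), i < j, whose routers lie within r_int metres."""
    ids = sorted(positions)
    return {(i, j) for a, i in enumerate(ids) for j in ids[a + 1:]
            if distance_m(positions[i], positions[j]) <= r_int}

def giant_component(nodes, links):
    """Return the largest connected component of the graph, using union-find."""
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving
            n = parent[n]
        return n

    for i, j in links:
        parent[find(i)] = find(j)
    sizes = Counter(find(n) for n in nodes)
    root = sizes.most_common(1)[0][0]
    return {n for n in nodes if find(n) == root}

# Constructed sample: four routers on one meridian, about 33 m, 33 m and 78 m apart.
SAMPLE = {"A": (41.8800, -87.6300), "B": (41.8803, -87.6300),
          "C": (41.8806, -87.6300), "D": (41.8813, -87.6300)}

if __name__ == "__main__":
    for r_int in (15, 45, 100):
        links = proximity_network(SAMPLE, r_int)
        print(r_int, sorted(links), sorted(giant_component(SAMPLE, links)))
```

The pairwise loop is quadratic in the number of routers; a city-scale data set would need a spatial index, which is left out here.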
Infection process
Infection of a susceptible router Rvictim occurs when the malware of an already infected router Rinfected is able to interface with its administrative interface over the wireless channel.
Steps:
1 Rinfected bypasses the used cryptographic protocol and establishes a communication channel with Rvictim.
2 Rinfected bypasses the administrative password and takes control over Rvictim’s configuration interface.
3 The attacker is now able to upload the worm’s code into the router’s firmware.
Cryptographic protocols
WEP is completely broken: weakness of Initialization Vectors (24-bit space) of the RC4 stream cipher used by the protocol.
Wait patiently for packets with the same vector to occur naturally in encrypted communication between a client and router.
    √ Only requires sniffing.
    × Might be very slow.
Create own traffic and manipulate it, making it far more likely to see such IVs.
    √ Takes ≈ 1 min.
    × Attacker needs to be able to produce nonstandard 802.11 communication frames.
First method is assumed to be used.
WPA(2) is assumed to be not vulnerable to attacks.
Administrative password
Large percentage of users do not change their password from the default established by the router manufacturer (assumption: same users who do not change their router’s SSID) → these passwords are easily obtainable.
For all the other routers:
25%: password guessed with a dictionary of 65,000 words.
11%: password guessed with a dictionary of approximately 1,000,000 words.
64%: password cannot be guessed.
No back-off mechanism that would prevent systematic dictionary attacks exists on the routers.
Classes of individuals: SIR model
At any given instant, a router can belong to one of these classes:
Spass1/Spass2: password broken with smaller/larger dictionary attacks.
Rhidden: password cannot be bypassed (this condition is hidden to others, except for the attackers).
Dynamics
Disease dynamics are applied to each router by considering the actual state of the router and those of its neighbors.
Transitions among different classes will occur only if a router is attacked and can be described as a reaction process:
Snopass + I → 2I
Transition rates expressed as the inverse of the average time τ (minutes) needed to complete the attack.
e.g.: β (rate ruling transition from Snopass to I) = τ⁻¹ (with τ = 5 minutes: average time needed to infect a non-protected router).
Transition probabilities:
p1: chance that a password for a Spass1 router isn’t broken.
p2: chance that a password for a Spass2 router isn’t broken.
Transitions
No transitions between SWEP and Snopass: assuming that anyone who went through the trouble of enabling encryption would also change the default password.
Setup
Scenario: Chicago
Seeds: 5
Interaction radius (Rint): 45 m
Transition rates/probabilities:
β = 0.2 (τ ≈ 5 mins.: simulation step).
β1 = 0.14 (τ1 ≈ 7 mins.: bypass password in the smaller dictionary).
β2 = 0.007 (τ2 ≈ 2 hours: bypass password in the larger dictionary).
βWEP = 0.001 (τWEP ≈ 16 hours: crack the WEP encryption).
p1 = 0.75.
p2 = 0.85.
Starting class of a router (Snoenc, SWEP, ...) is random, with probability distribution based on WiGLE statistics.
Choice of target:
Any attacker will target the router among its neighbors with the lowest visible security settings.
Simultaneous attacks aren’t allowed.
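The class dynamics and the setup above can be put together as a discrete-time simulation over a neighbour graph. This is an added example, not the simulator used for the slides. Assumptions: each rate is turned into a per-step probability min(1, rate × 5 min); a cracked WEP router moves to Spass1; a failed small-dictionary attempt moves a router to Spass2 and a failed large-dictionary attempt to Rhidden; the label "RWPA" and the sample graph are constructed.

```python
import random

# Per-minute rates and probabilities from the Setup slide.
RATE = {"Snopass": 0.2, "Spass1": 0.14, "Spass2": 0.007, "SWEP": 0.001}
P1, P2 = 0.75, 0.85   # chance the smaller / larger dictionary fails
# Assumed visible ranking: unencrypted routers look alike, WEP ranks higher.
VISIBLE = {"Snopass": 0, "Spass1": 0, "Spass2": 0, "SWEP": 1}

def step(state, adj, rng, dt=5.0):
    """Return the router states after one time step of dt minutes."""
    new, attacked = dict(state), set()
    for a in sorted(n for n, s in state.items() if s == "I"):
        cands = [v for v in adj[a] if state[v] in VISIBLE and v not in attacked]
        if not cands:
            continue
        # Target the neighbour with the lowest visible security setting.
        v = min(cands, key=lambda n: (VISIBLE[state[n]], n))
        attacked.add(v)            # simultaneous attacks are not allowed
        s = state[v]
        if rng.random() >= min(1.0, RATE[s] * dt):
            continue               # attack not completed in this step
        if s == "Snopass":
            new[v] = "I"           # Snopass + I -> 2I
        elif s == "SWEP":
            new[v] = "Spass1"      # assumed: cracked WEP exposes the password stage
        elif s == "Spass1":
            new[v] = "Spass2" if rng.random() < P1 else "I"
        else:                      # Spass2
            new[v] = "Rhidden" if rng.random() < P2 else "I"
    return new

def run(state, adj, steps, seed=1, dt=5.0):
    """Simulate and return (final_state, infected_count_per_step)."""
    rng, state = random.Random(seed), dict(state)
    history = [sum(s == "I" for s in state.values())]
    for _ in range(steps):
        state = step(state, adj, rng, dt)
        history.append(sum(s == "I" for s in state.values()))
    return state, history

if __name__ == "__main__":
    # Constructed 6-router neighbourhood; "RWPA" marks a WPA router (immune).
    adj = {0: [1, 2], 1: [0, 3], 2: [0, 4], 3: [1, 5], 4: [2], 5: [3]}
    start = {0: "I", 1: "Snopass", 2: "SWEP", 3: "Spass1", 4: "Snopass", 5: "RWPA"}
    final, history = run(start, adj, steps=288)   # 288 x 5 min = 24 hours
    print(history[-1], final)
```

With the 5-minute step an unprotected router falls in a single step, while a WEP or WPA router on the only path to a cluster delays or blocks the spread.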
Simulation
Attack rate on Chicago varying the number of seeds.
Attack rate on Chicago varying the interaction radius.
Results
Sharp rise of the epidemic within the first 12 hours, followed by a slower increase.
Nonencrypted routers are infected in a single time step.
Progressive infection of WEP routers (attack time scale is ≈ 1 order of magnitude longer than others).
Remark:
Encryption percentage and geometrical constraints imposed by the urban area geography have a large impact on the propagation process.
Clockwise: San Francisco, Boston, Chicago and New York scenarios.
Attack rate as a function of encryption percentage in 4 different urban areas.
Conclusions
In preparation for the event of a massive and catastrophic malware invasion over the WiFi channel connecting several routers in an urban area...:
Get rid of those legacy products with WEP-only capabilities.
Pick some decent alphanumeric password for the administrative interface of your router.
Provide the subnetworks of the giant component with some WPA2-enabled routers at key bottlenecks.