A recently unveiled piece of malware shows that users don’t have to download a file or visit a questionable website to have their systems compromised. The malware, dubbed Chameleon, is just a proof of concept for now, but it illustrates the expanding range of vectors for delivering cyberattacks. More specifically, it blends aspects of Wi-Fi sniffers and viruses, picking up credentials that pass through the network and analyzing wireless access points for weaknesses.
Chameleon, network security and the Internet of Everything
Chameleon has been likened to a common cold because of its infection pattern, but its treatment – were its design ever mimicked by cyber-criminals – may be more complex than just drinking a lot of fluids and getting more rest. Since Chameleon resides on the network rather than on individual endpoints, it could be difficult to detect with many anti-virus solutions.
“When Chameleon attacked an access point it didn’t affect how it worked, but was able to collect and report the credentials of all other Wi-Fi users who connected to it. The virus then sought out other Wi-Fi access points that it could connect to and infect,” said Alan Marshall, professor of network security at the University of Liverpool. “It was assumed, however, that it wasn’t possible to develop a virus that could attack Wi-Fi networks but we demonstrated that this is possible and that it can spread quickly.”
In time, it’s possible and even likely that security professionals will find a way to sniff out Chameleon. However, the real issue goes beyond this specific threat. Chameleon’s unusual attack vector – WAPs – demonstrates the growing centrality of network infrastructure, both as the backbone of the emerging Internet of Everything and as something that should perhaps receive more security attention than it has.
The elusiveness of Chameleon makes it one of the more notable network threats, and the inclusion of a virus differentiates it from infrastructure commandeering directed at unsecured IP cameras and routers or other IoE assets. Still, these apparently different risks both underscore how attackers’ energies are shifting from standalone hardware, whether PCs, smartphones or tablets, to the network at large, exploiting vulnerable devices and sometimes pooling the hijacked resources to carry out subsequent attack campaigns.
Guarding against Chameleon’s successors and other network malware will require measures both large and small. For starters, end users will need to brush up on password security and Wi-Fi habits. The security community and device manufacturers will have to regard networking equipment and even seemingly mundane devices such as refrigerators and thermostats in the same way that they see PCs – as machines vulnerable to infection.
Dissecting Chameleon and its impact on network security
The most distressing aspect of Chameleon is how easily it seemed to move through routers and infect nearby computers. Researchers in London and Belfast found that the malware could spread to vulnerable endpoints within a 164-foot radius. While this reach won’t have much impact in suburban or rural areas, it could be trouble in densely populated cities, in which wireless access points are grouped closely together and connect thousands of devices. Chameleon-like malware could also have significant effects on hospitals and colleges/universities.
Chameleon is designed to go after the weakest access point on the network, based on its analysis of traffic and credentials. If it encounters a firewall or encryption, it simply gives up on that WAP and moves on to the next one. Given the vast number of unsecured Wi-Fi hotspots, it’s possible that similarly architected threats could cast a wide net and harvest a lot of credentials.
Porous public Wi-Fi and unsecured routers make something like Chameleon a threat worth taking seriously. A security vendor recently published a report finding that three-fourths of the top 50 best-selling routers on Amazon.com had vulnerabilities that hackers could exploit. These issues are compounded by the fact that many users do not change the default password or IP address of their WAPs, leaving them vulnerable to mass-scale attacks.
These oversights have enabled several recent high-profile incidents involving home networks. For example, in January, it was discovered that external hard drives connected to Asus broadband routers may have been at risk from outside tampering. Such a setup permits convenient data access over FTP, but it leaves the drive open by default, without any password protection.
Asus moved quickly on a firmware update that would close the hole, and ideally other hardware makers will take a similarly diligent approach to security. Otherwise, it’s possible that there will be more events like the ongoing campaign that has compromised more than 300,000 routers as part of a massive attack.
Thousands of routers taken over in different attacks
Chameleon is just a proof of concept and the Asus vulnerability was noted but not widely exploited. However, there has been real fallout from attacks on weak routers and networks.
Roughly 1,000 old LinkSys routers have been infected by a self-replicating worm. ISPs began noticing that these WAPs were consuming massive amounts of bandwidth and disrupting services such as VPN due to unwanted changes in DNS settings.
Similarly, hundreds of thousands of home and office routers were compromised as part of a broad attack that sought to steal online banking credentials in Poland. The attackers used different techniques to inject blank passwords or change the credentials for targeted routers, so that they could then alter the DNS settings. The payoff was redirecting affected users to malicious sites that tried to phish for credentials or install additional malware.
“The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability,” stated a Team Cymru report. “The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group.”
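The router compromises described above share one tell: the DNS settings the gateway hands out no longer match what the ISP assigned, and a canary domain resolves to the wrong address. The following audit is an added example (not from the article or from any vendor's tooling) that shows how an administrator could spot that tampering across a small fleet; all router names, addresses and answers are constructed sample data.

```python
import ipaddress

# Constructed sample data: the DNS resolvers each gateway currently hands out via DHCP,
# as exported from a small fleet of home/office routers.
ROUTER_DNS = {
    "gw-office-1": ["203.0.113.53", "203.0.113.54"],
    "gw-home-7":   ["198.51.100.99", "203.0.113.53"],  # one resolver is not ours
    "gw-branch-2": ["not-an-ip"],                        # corrupted or malformed entry
}
# Constructed baseline: the ISP-assigned resolvers the whole fleet should be using.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed canary check: the address a known domain should resolve to, and what each
# router's resolver actually returned for it (a hijacked resolver answers differently).
CANARY_BASELINE = {"bank.example": "192.0.2.10"}
OBSERVED_ANSWERS = {
    "gw-office-1": {"bank.example": "192.0.2.10"},
    "gw-home-7":   {"bank.example": "198.51.100.77"},
    "gw-branch-2": {},  # resolver returned nothing for the canary
}

def audit_resolvers(router_dns, expected):
    """Return {router: [rogue resolvers]} for routers configured with unexpected DNS servers."""
    expected_ips = {ipaddress.ip_address(a) for a in expected}
    findings = {}
    for router, servers in router_dns.items():
        rogue = []
        for s in servers:
            try:
                if ipaddress.ip_address(s) not in expected_ips:
                    rogue.append(s)
            except ValueError:
                rogue.append(f"{s} (malformed)")
        if rogue:
            findings[router] = rogue
    return findings

def audit_canaries(observed, baseline):
    """Return {router: {domain: answer}} where a canary answer differs from the baseline."""
    findings = {}
    for router, answers in observed.items():
        mismatches = {d: answers.get(d) for d, ip in baseline.items() if answers.get(d) != ip}
        if mismatches:
            findings[router] = mismatches
    return findings

if __name__ == "__main__":
    for router, rogue in audit_resolvers(ROUTER_DNS, EXPECTED_RESOLVERS).items():
        print(f"{router}: unexpected DNS server(s) {rogue}")
    for router, bad in audit_canaries(OBSERVED_ANSWERS, CANARY_BASELINE).items():
        print(f"{router}: canary mismatch {bad}")
```

In practice the observed answers would come from querying each router's resolver for the canary domain on a schedule; a mismatch on a domain whose real address is known is the same symptom the Polish banking redirects produced.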
With wireless infrastructure becoming increasingly important to consumers and businesses and emerging as the foundation of the IoE, there must be a concerted effort to enforce better router and password security. Users should always change the default settings to something safer, and manufacturers should guide them toward doing so. These measures will help ensure that proof of concept threats like Chameleon don’t add to the list of network breaches.