Wireless Router Insecurity: The Next Crimeware Epidemic
Steve Myers, Indiana University
Nov 14, 2007
Abstract
The widespread adoption of home routers by the general public has added a new target for malware and crimeware authors. A router's ability to manipulate essentially all network traffic coming into and out of a home means that malware installed on these devices has the ability to launch powerful Man-In-The-Middle (MITM) attacks, a form of attack that has previously been largely ignored. Making matters worse, many homes have deployed wireless routers which are insecure if the attacker has geographic proximity to the router and can connect to it over its wireless channel. However, some have downplayed this risk by suggesting that attackers will be unwilling to spend the time and resources necessary, or to risk exposure, to attack a large number of routers in this fashion. In this talk, we will consider the ability of malware to propagate from wireless router to wireless router over the wireless channel, infecting large urban areas where such routers are deployed relatively densely. We develop an SIR epidemiological model, and use it to simulate the spread of malware over major metropolitan centers in the US. Using hobbyist-collected wardriving data from Wigle.net and our model, we show that the infection of tens of thousands of routers in short periods of time is quite feasible. We consider simple prescriptive suggestions to minimize the likelihood that such attacks are ever performed. Next, we show a simple yet worrisome attack that can easily and silently be performed from infected routers. We call this attack 'Trawler Phishing'. The attack generalizes a well-understood failure of many websites to properly implement SSL, and allows attackers to harvest credentials from victims over a period of time, without the need to use spamming techniques or mimicked but illegitimate websites, as in traditional phishing attacks, bypassing the most effective phishing prevention technologies. Further, it allows attackers to easily form data portfolios on many victims, making collected data substantially more valuable. We consider prescriptive suggestions and countermeasures for this attack.
The work on epidemiological modeling is joint work with Hao Hu, Vittoria Colizza and Alex Vespignani. The work on trawler phishing is joint work with Sid Stamm.
About the Speaker
Steven Myers is an Assistant Professor in the School of Informatics at Indiana University, where he is also a member of the Center for Applied Cybersecurity. His research interests are in all areas of cryptography, and computer and systems security with a specific interest in phishing. He has written several papers, led panels, and given invited talks in fields ranging from Cryptography and Computer Security to Distributed Systems and Probabilistic Combinatorics. Recently he co-edited the book 'Phishing & Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft' with Markus Jakobsson (Wiley Press, 2007).
Steve Myers completed his PhD (2005) in the Department of Computer Science at the University of Toronto, under the supervision of Professor Charles Rackoff. While completing his PhD he interned in the Mathematical Research division of Telcordia Technologies (formerly Bellcore) doing work on secure cryptographic voting. Additionally, he worked for Echoworx Corp, an Internet startup focusing on providing usable and secure email solutions. He has consulted for a number of companies and law firms on different topics related to cryptography and computer security, and is currently processing several patents related to his research.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter’s organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.