The omnipresence and constantly improving capabilities of wireless mobile devices has attracted the regrettable attention of attackers, and in particular virus writers. The "Cabir" virus, which first appeared in 2004, was the first instance of mobile malware [27]. The virus exploited vulnerabilities in the Symbian OS and propagated through Bluetooth wireless connections. Experts predict the threat for smart phones and mobile devices is likely to increase significantly in the near future [40,28].
Although such attacks may become prevalent in the years to come, in this paper we consider whether large-scale attacks are already feasible today on existing wireless infrastructure using current technology. In particular, we focus on worms that could spread entirely over 802.11 wireless networks, even if such networks are completely heterogeneous. In this environment, the main concern is not necessarily the infection of mobile devices such as PDAs and cell phones, but the existing large population of laptops, desktops and other computers communicating over wifi. We consider worms that propagate entirely over wireless connections, trying to infect other computers tuned to the same access point (AP) and also other APs within range. A notable fraction of hosts in such an environment may also be mobile, and could therefore carry the infection from one AP to another. In densely populated metropolitan areas, it is conceivable that such a worm could infect a large fraction of wireless-connected hosts, especially considering pervasive vulnerabilities such as the ones exploited by Slammer [12], and recent browser vulnerabilities [13]. Such "client-side" vulnerabilities are of particular interest in a wifi setting, because unlike wired environments where a user needs to visit a malicious site to get exploited, it is often possible for an infected client to inject this kind of exploit via spoofing to any session between the target and a legitimate server. Considering the worst-case, a device driver exploit such as the recently discovered Intel driver attack [24,36,42] could carry the worm across platforms, and would even bypass VPN software which often blocks all local, wireless connections.
Although there has been considerable work in the literature on how to deal with large-scale attacks on traditional "wired" networks, there are at least three differences between wireless networks that require alternative solutions. First, wireless attacks can spread contagiously over wireless links based on proximity - similarly to real-world diseases - in contrast to the any-to-any communication possible over the Internet. This renders previous models and analyses of Internet-based worm propagation ineffectual as they cannot be directly mapped to wireless networks. Second, traffic in wireless networks is difficult to control using conventional methods, in lack of "hard" enforcement points such as firewalls between the communicating nodes. This is likely to significantly constrain the space for potential defenses. For instance, if such a wireless worm were to be unleashed today, it would most likely go undetected by most, if not all, current attack detection infrastructures [17,2,3]. Finally, devices (e.g. handheld devices in the near future) in these environments are likely to be significantly more resource-constrained, at least in contrast to traditional desktop settings, and it is therefore more difficult and expensive to employ end-point security measures.
This paper is not the first to examine the threat of worms in wireless networks. Other researchers have made attempts at deriving contagion models in MANETs, examining viruses that spread according to user mobility, or measuring propagation dynamics in a campus network (these studies are discussed further in Section 6). Our paper is first to explore, in depth, the problem of wildfire worms and proximity propagation in densely populated areas. Specifically, we discuss the threat of worms that propagate entirely over wifi connections, and attempt to quantify the threat in terms of infection prevalence and infection timescales. Providing reliable estimates of potential infection prevalence is important for creating awareness on the severity of the threat, while the likely infection times are needed to guide the design of suitable countermeasures. Our analysis relies on simulated outbreaks of wifi worms driven by real-world data derived from wifi maps of large metropolitan areas around the world. Among other observations, our results suggest that a carefully crafted wildfire worm can infect all vulnerable wifi-connected computers in 80% of access points in some studied areas within 10-20 minutes - timescales at which traditional defenses may not be able to react in a timely fashion.
In this section, we describe the design and attack vectors of a wifi worm. The fundamental principle is that a wildfire worm relies on local, proximity-based propagation within shared medium broadcast environment such as WLAN.