Check out the new USENIX Web site. next up previous
Next: Discussion Up: Proximity Breeds Danger: Emerging Previous: Whisper attack detection

Related work

With the growing popularity of mobile devices, malware targeting wireless environment have started to emerge [27,29]. This new security challenge has recently gained some attention from the research community.

A study related to ours is the one by Tsow et al [55]. The authors suggest that attackers could drive around a city taking over vulnerable wireless home routers. Similar to our study, the threat is amplified by dense wifi deployment, as attackers can take over hosts at a higher rate. However, the attack depends on vulnerable access points, and requires the physical presence of the attacker for driving around to find vulnerable routers. The attacks we discuss in this paper can all be launched remotely, and therefore easier and less risky for the attacker.

Anderson et al. [14] analyzed the speed of worm contagion over campus-wide wireless networks. They developed a worm simulation using real data from Crawdad, e.g. user distribution, AP distribution and user mobility, to realistically study the dynamics of a mobile worm. However their results are constrained to dynamics of mobile worm at relatively small scale of a university campus with mobility as the major factor for worm spread. In contrast, our work has investigated big cities and metropolitan areas at much larger scale with wardriving data around. We have identified a much larger threat e.g. infection completion in the order of minutes whereas Anderson at al. [14] predict a few hours to infect just the campus. The main difference is that wildfire-like propagation--not just user mobility, is the key attack vector in our work. It is also unclear whether their defense proposals could be proven effective given recent major changes of wifi usage pattern.

Beyah et al. [19] discuss a worm that spreads by infecting users sharing the same hotspot. They use epidemic models to simulate its spread and find it can infect a million users worldwide over the course of a year. Again the main difference is that the simulated worm relies on user mobility, but we show using wardriving data that mere density is sufficient in metropolitan areas leading to much faster spread.

Su et al. [52] investigate worm infections in a bluetooth environment. They expect Bluetooth to outnumber wifi devices by a factor of 5 and predict large scale epidemics, but the short range of bluetooth again implies slower, mobility-based spread. Cole et al. [25] use epidemic models and simulations to discuss requirements for worm mitigation in tactical battlefield MANETS.

Stamm et al. [49] discuss remote attacks on routers that can be used for large-scale pharming and can also spread viraly. We, too, discuss pharming as one of the potential abuses of dense, weak wifi deployments - exploitable in a different way but to a similar extent.

Mickens and Noble [43] propose a framework called probabilistic queuing to model the epidemic spreading in mobile environment, which aims to treat node mobility as top priority. Their simulations showed that the probabilistic queuing model could achieve more accurate prediction than standard Kephart-White framework in many cases. However, this work assumes random waypoint model for user movement and does not take into account realistic user mobility patterns.

Henderson et al. [33] analyzed extensive network traces from mature corporate WLANs and various university campuses and observed dramatic changes in wireless usage. Indeed, all these changes are favorable for the spread of a wifi worm. First, users now run a wide variety of applications such as peer-to-peer, multimedia and VoIP services, instead of the dominance of web traffic so there are higher chances of a worm exploitable vulnerability. Local traffic in the WLAN exceeds remote traffic, i.e. users within the same organization exchange data more than before. This would help the worm to detect and probe all wireless neighbors within its reach. The study also shows that wireless users are also surprisingly non mobile, half of which remain at home for 98% of time.

In a similar approach, Hsu and Helmy [34] found that there exists a preference of wireless user association: most users only visit a small portion of access points, i.e. the ratio of visited access points hardly changes even though popularity of WLANs increases by years - this is invariant user characteristics. There is a repetitive pattern of user association over days, i.e. there is a high probability that a user reappears at the same access point at a certain time every day. This is quantified as "network similarity index". Therefore a mobile worm could distinguish itself from traditional internet worm by self-activating at the time where most mobile users are active. This is also contrary to the general assumption and over-simplification that users are always ON with no preference on association patterns; conventional randomly generated synthetic mobility models are insufficient. Another recent trend is that a mobile node stays online on average 87.68% of its life (i.e. its existence in the wireless network). That is to say, people now tend to use WLAN as a replacement for wired network and keep their laptops constantly connected (instead of old style of establishing only when needed). A modern paradigm shift from WLAN as temporary connection to always-on permanent connection. Macro mobility: users have small converage in all environments (campus + corporate): typically only associate with 1.1% to 4.52% of total APs in their corporation. Each user has very few APs where it spends most of its online time.

Blinn et al. [21] monitored five weeks of Verizon wifi hotspot network in Manhattan. They observed that far more cards associated to the network than logged into it. Most clients used the network infrequently and visited only few APs. Therefore hotspot are "locations visited occasionally" rather than "primary places of work".

Kim et al. [37] extracted a mobility model from real user traces. Speed and pause time follow log-normal distribution and direction of movements closely related to road directions. Again, most of laptop clients are NOT very mobile, so this paper relied on VoIP users to extract mobility model. The type of mobile device being used can influence its user's mobility: a laptop would tend to tie its user to his workplace whereas a PDA/VoIP user would move as he would normally. The reasons could be due to weight, size and nature of use of the device. A mobility model for laptop users should reflect relative weightage of immobility and mobility.

Staniford et al. [51] describe the risk to the Internet due to the ability of attackers to quickly gain control of vast numbers of hosts. They argue that controlling a million hosts can have catastrophic results because of the potential to launch distributed denial of service (DDoS) attacks and access any sensitive information that is present on those hosts. Their analysis shows how quickly attackers can compromise hosts using "dumb" worms and how "better" worms can spread even faster. In subsequent work [50], the same authors show how a worm using pre-compiled lists of IP addresses known to be vulnerable can infect one million hosts in half a second. They also envision a Cyber "Center for Disease Control" (CCDC) for identifying outbreaks, rapidly analyzing pathogens, fighting the infection, and proactively devising methods of detecting and resisting future attacks. The metropolitan wifi environment offers another opportunity for attacks to occur that may not be covered by defenses built for Internet worms. Our work also provides estimates of propagation speed similar to the above studies.

The issue of location privacy in a wireless setting has been examined in literature [35,16,31]. These system focus attention on protecting physical location privacy based against signal triangulation techniques and protecting against source location in sensor networks. More closely related to our work, is the work by Gruteser et al  [32]. The authors introduce the idea of short-lived disposable MAC addresses as a technique for the reduction of the effectiveness of location tracking. Our work shows that even in the presence of such techniques, user profiling can effectively track users in dense urban environments. Saponas et al. [47] describe a prototype surveillance system that can track people wearing the widely available Nike+iPod sensors. Tracknets could be exploited in similar scenarios to track people carrying any type of device whose traffic can be observed by wifi receivers, such as wifi-enabled smart-phones.

next up previous
Next: Discussion Up: Proximity Breeds Danger: Emerging Previous: Whisper attack detection