Figure 2 illustrates the propagation dynamics of wildfire worms. Three access points A, B and C provide wireless coverage to end users, e.g. mobile nodes 1-7. They could represent, for example, WLANs deployed at adjacent buildings. Note that overlapping usually exists between adjacent access points for both residential networks (especially in densely populated cities) and corporate wireless networks (to allow for continuous connectivity and seamless mobility roaming).
Assume node 1 is the initial source of infection, i.e. it was infected previously at some other location before associating with access point A. Once activated, the worm analyzes WLAN A and probes all victims in the neighborhood; hence node 2 and node 3 eventually get infected. Note that node 3 is under coverage of both A and B. Normally node 3 picks and associates with only one access point, which is decided by certain criteria such as wifi signal-to-noise ratio. A worm-infected node, however, can gather a list of usable access points within reach and scan them for victims in the proximity. Effectively, the worm toggles association between usable WLANs to spread itself. Eventually all nodes in WLAN B and C are compromised through node 3 and nodes 5/6 respectively.
Nodes at coverage intersection of access points are "bridges" that help propagate the worm. These nodes can be thought of as "connectors" in the small-world phenomenon hypothesis [44,41]. Contrary to the context of traditional Internet worms in which node 1 could probe and infect node 7 instantly, propagation dynamics of wildfire worms are similar to gradual and local diffuseness of disease. Therefore, a major advantage and difference of a wildfire worm over a regular Internet worm is that a wildfire worm can propagate entirely locally within each connectivity area, and thus evade firewalls and intrusion detection/prevention systems located at traditional enforcement points on the boundary between the local networks and the Internet.
Fertile ground for wildfire worms are wireless hotspot networks, which provide Internet access in public areas such as restaurants and airports, and private wireless networks of home users in residential areas. For example, Singapore government is realizing a "Digital Singapore" with wireless hotspots available at every street corner where people can log onto the Internet and receive emails on the move. Section 2.6.2 evaluates whether wifi penetration in metropolitan areas is sufficient for sustaining the spread of a wifi worm.