

Open vs. Protected Access Points

There is a significant number of publicly available "open" access points; the rest are protected with Wired Equivalent Privacy (WEP) encryption or Wi-Fi Protected Access (WPA). A worm can propagate over unprotected wireless networks in the way shown in Figure 2. Moreover, as a result of design and implementation flaws, WEP encryption is insecure. There are a handful of WEP attacks in the literature, e.g., weak IV attacks [30], keystream re-use [15,22] and, more recently, fragmentation attacks [20]. These attacks are not just of theoretical value; they have been implemented in many practical and efficient WEP cracking tools freely available on the Internet. Wepcrack [8] compared the performance of some of these tools. Among them, Aircrack [1] is particularly powerful, with a high success rate and a relatively low cracking time that can vary between 5 seconds and 1 minute. However, Aircrack needs to spend considerable time sniffing and capturing sufficient wireless packets before a cracking attempt. For example, after analyzing wireless usage statistics at a university campus [7], we determine that it may take 1-2 hours on average to successfully crack WEP encryption. Instead of passively sniffing packets, the worm could also employ active attacks, e.g., discovering the encrypted version of a plaintext packet [8]. As for WPA, while not inherently weak, it is susceptible to brute-force attacks if used with a weak password in the most common WPA/PSK configuration. Given the apparent susceptibility of the currently available protection mechanisms, it seems likely that worms would consider carrying cracking tools as an additional payload.

