It’s difficult to imagine University of Liverpool’s professor Alan Marshall as an evil scientist when he picks up the phone to tell me a little bit about the virus he’s created. Speaking with a bright Irish lilt, he’s incredibly patient and polite while describing the first Wi-Fi virus that, like the flu, can spread over the air, but with the potential to infect thousands of laptops via coffeehouse routers.
“The actual term is called ‘informed disclosure,’” he says when I ask him why he might think to make something like this. “Up until now, people assumed that it was impossible, or extremely unlikely to create this particular type of virus. So, number one, we thought, it is possible, and it’s not that difficult to do, so let’s just do it in a lab-controlled environment.”
And that’s what they did. Marshall, along with two of his PhD students, created “Chameleon,” the first virus that can take over wireless routers and seek out new routers to infect, and published the results in the EURASIP Journal on Information Security. First, the researchers tested it among 866 different kinds of routers in the lab. They then simulated what a Chameleon attack might look like in Belfast and London. In London, which is a far denser city, the virus simulation infected 2,000 routers in a matter of six to seven weeks. Over months, it affected more than 5,000.
The important variable is how many computers are connected to any single router. Some routers, Marshall explains, are more vulnerable than others. Corporate Wi-Fi networks, for example, are usually a lot more secure than your local coffee shop or even your own apartment (i.e. where the administrator is “administrator” and the password “password”). “The attacker would gain access to a particular router, one that’s easy to get into,” he says. “Once it does that, it actually finds out if it can then flash or reprogram the firmware of the router.”
Once the virus takes control of a router, it can then send whatever messages it wants to anyone on the network. “Oops! Connection lost,” a pop-up screen might read. “Please tell us your password, social security number, or address, in this box.” Of course, the connection wouldn’t actually be lost. And that’s how they get you.
Here’s why it’s terrifying: Most of our virus-protection technology looks for attacks like these in two places–the Internet, and your actual computer. Chameleon eludes both because it travels on the air, in between the Internet and your computer, on Wi-Fi frequencies. And at 3 o’clock in the morning, when most are offline, it seeks out new routers within range to target.
It’s no coincidence that Marshall and his colleagues are working on embedded technology to combat a virus like Chameleon on routers. Their startup, Traffic Observation & Management, is looking to commercialize a tool to do just that.
But how secure is the virus? Marshall says he’s not seeking a patent on that–nor would he ever let the code go open source. He laughs when I ask him how he plans on keeping that safe, as discreetly hacking into thousands of computers in urban coffee shops might, you know, be a criminal money-maker.
“That’s a very good question,” Marshall says. “We just have it in our own heads, I guess. We have had some inquiries, but I can’t go into that.”