Yes, malware can spread across a wi-fi network, whether through the malware itself, an attacker who has joined the network, or weak security practices.
When using wi-fi in public or in a trusted environment, there are security concerns. Wi-fi encryption, SSID broadcast, MAC filtering, and password strength are just some of the security practices to take into consideration with a wi-fi network.
This article is focused on how malware is spread through wi-fi, how a wi-fi network can be secured, and attacker techniques to penetrate a network.
How hackers penetrate wi-fi networks
In this section we will go over the recon, scanning, and exploit steps of the cyber attack lifecycle. Attackers follow a specific order of steps during an attack; there are preparation steps beforehand and covering of tracks afterwards.
It is important to note that most of the tools attackers use are open-source, meaning they are free to use. These tools aren’t illegal in themselves; whether a given use is legal depends on how they are used. Understanding the order of operations of an attack or incident will help a user defend their systems and data better.
In the recon phase an attacker performs scanning techniques to survey the attack surface of the target. The target may be a server, client, or other host. A very popular open-source tool that attackers use is Nmap.
Nmap runs on Linux and Windows operating systems and has many scanning options. The GUI layout is clear and inviting; alternatively, the command line interface (CLI) is available for Linux users.
Here are the common types of scans that attackers will execute.
- Network discovery - Used for determining which IP addresses are live on a given network.
- Host scans - Performed against a single host to determine host details. Some of the data you can gain from this are: OS, version,
- Port scans - Useful for finding the status of the ports on an IP address. Attackers use this to find open ports through which to launch their attacks.
Port scanning can be detected by security tooling on the victim’s machine or network. It is good practice to close unused ports in order to deny the attacker that particular entry point.
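As an added defender-side example (not code from the original article), here is a small Python script that looks for scan-like behaviour in firewall log lines: one source hitting many distinct destination ports within a short window. The log lines are constructed in UFW/iptables style, and the threshold and window are assumptions you would tune to your own network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines in iptables/UFW style (not a real capture).
# 192.168.1.50 probes twelve different ports within a few seconds (scan-like);
# 192.168.1.77 makes repeated connections to one port (ordinary traffic).
SAMPLE_LOG = []
for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
    SAMPLE_LOG.append(f"Mar 03 10:15:{i:02d} router kernel: [UFW BLOCK] IN=wlan0 OUT= "
                      f"SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT={51000 + i} DPT={port}")
for i in range(12):
    SAMPLE_LOG.append(f"Mar 03 10:15:{i:02d} router kernel: [UFW BLOCK] IN=wlan0 OUT= "
                      f"SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT={40000 + i} DPT=443")

# syslog timestamp, then the SRC= and DPT= fields of the kernel firewall message
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, source IP, destination port), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; that is fine for comparing times within one log
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def detect_port_scans(lines, min_ports=10, window=timedelta(seconds=60)):
    """Flag sources that hit at least `min_ports` distinct destination ports within `window`.
    Returns {source_ip: distinct ports seen in that source's busiest window}."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window starting at each hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60s")
```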
I will cover intermediate systems security in future articles that will address security techniques to better protect hosts and services. Next comes the scanning phase, a very important step in which the attacker gains even more information about the target.
In this phase the attacker performs various scanning techniques to find vulnerabilities and other data. With the recon phase complete, the target selected, and the ports discovered, the vulnerability scans come next.
Vulnerability scanning identifies vulnerabilities on the host by referring to a Common Vulnerabilities and Exposures (CVE) database. An effective open-source scanner like Nessus will print out a report of the scan results.
Each result carries a severity rating. Another useful feature of this tool is that the details of each vulnerability are available, such as the recommended fixes and the full name of the vulnerability.
Nessus also offers several types of scans, making it very versatile: network, advanced network, mobile, web application, and malware scans are just some of the available options.
In the exploit phase the attacker leverages the vulnerabilities discovered by the vulnerability scans. These may take the form of outdated Java runtime environments (JRE), end-of-life Windows versions, or missing security patches. For example, an attacker can use an exploit against an SQL database that allows remote code execution due to insecure practices.
Attackers will leverage open ports, outdated applications, weak protocols, or password attacks; the exploits and security holes create entry points for them. Password attacks are carried out with password cracking and recovery tools such as:
- John the Ripper
- Aircrack-ng (for wi-fi)
- inSSIDer 4 (wi-fi)
Upon joining the wi-fi with the stolen wi-fi credentials, the attacker can gain access to the physical machines on the network via methods like non-secure services and print/file shares. The attacker can then embed a remote access trojan (RAT) in one of the machines’ file systems.
Along with the RAT, spyware or other malware could be propagated throughout the system. This supports my point that a strong password is essential for a wi-fi network. The stronger the password, the longer it will take a machine to uncover it.
How do I get rid of malware on my system?
Malware can be spread on your wi-fi if malicious email links are clicked, or if an intrusion occurs remotely in real time or physically. Malware comes in a variety of forms: remote access trojan (RAT), spyware, keylogger, adware, etc.
Upon malware detection by vulnerability scanning, anti-virus scanning, or other techniques, you must cut the infected system’s network connection so the malware doesn’t spread throughout your wi-fi network. After isolating the infected system, perform scans and eradication.
Many anti-malware/anti-virus tools will detect malicious downloaded files and prevent the download from completing. They place these files in quarantine, where you can review their details. Once the file(s) are in quarantine you can choose whether or not to allow them on your device.
Many scripts, programming languages, and security tools will trigger a false positive in the anti-virus, which tags them as a potentially unwanted program (PUP). If the download is actually malicious it will carry a tag such as trojan or adware.
How to secure a wi-fi network and prepare for an attack
You can secure your wi-fi by changing the default password to one of at least 8 characters that follows password best practices. Preparation for an intrusion is also key. Here are some steps for recovery.
The National Institute of Standards and Technology highlights the steps for cyber incident recovery: “Identify, protect, detect, respond, and recover.” Although these steps are geared towards corporations and agencies, most of them will work for a home user.
Next, identify what type of encryption your wi-fi uses. This is very important, as some encryption standards are outdated. You can usually find this information by selecting the wi-fi network and going to the security tab.
- WEP - Wired Equivalent Privacy is outdated; it came out in 1999. It is insecure and not recommended for use.
- WPA - Wi-fi Protected Access is also easy to break into, but more secure than WEP. It was meant as a replacement for WEP; avoid this encryption method as well (if possible).
- WPA2 - Wi-fi Protected Access version 2 is far more secure than WPA or WEP. It is based on the IEEE 802.11i standard. WPA2 uses the Advanced Encryption Standard (AES) for security.
- WPS - Wi-fi Protected Setup is used for fast setup between a router and a wireless device. It works by pressing a WPS connect button on the router, extension box, and/or wireless device. WPS will only work with one of the WPA access methods.
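An added example, not part of the original article: a Python script that audits the networks visible to a Linux machine using the security types described above. It assumes the terse output format of `nmcli -t -f SSID,SECURITY dev wifi list`, and the sample scan embedded in it is constructed. It goes slightly beyond the list above by rating a mixed-mode WPA/WPA2 network as weak, since such an access point still accepts legacy WPA clients.

```python
import re

# Constructed sample in the format of `nmcli -t -f SSID,SECURITY dev wifi list`
# (terse mode: one network per line, fields separated by ':', and a literal colon
# inside an SSID escaped as '\:'). SSIDs and values are made up for this example.
SAMPLE_SCAN = r"""HomeNet:WPA2
OldRouter:WEP
Cafe-Guest:
Legacy-AP:WPA1 WPA2
Office:WPA2 802.1X
Pizza\:Place:WPA2
NewRouter:WPA3
"""

# split on the first colon that is not backslash-escaped
FIELD_SEP = re.compile(r"(?<!\\):")


def rate_security(security):
    """Map an nmcli SECURITY value to (rating, reason), following the article's ranking:
    open < WEP < WPA < WPA2, with WPA3 on top. A mixed-mode access point (WPA1 WPA2)
    is rated 'weak' because it still accepts legacy WPA clients."""
    tokens = set(security.replace("--", "").split())
    if not tokens:
        return "open", "no encryption; anyone in range can read the traffic"
    if "WEP" in tokens:
        return "insecure", "WEP (1999) is broken and should not be used"
    if "WPA1" in tokens:
        return "weak", "legacy WPA still accepted; switch the router to WPA2/WPA3 only"
    if "WPA3" in tokens and "WPA2" not in tokens:
        return "strong", "WPA3 only"
    return "ok", "WPA2 (AES) or WPA2/WPA3 transition mode"


def audit_scan(scan_text):
    """Parse nmcli terse output; return [(ssid, security, rating, reason), ...]."""
    results = []
    for line in scan_text.splitlines():
        parts = FIELD_SEP.split(line, maxsplit=1)
        if len(parts) != 2:  # blank or malformed line
            continue
        ssid, security = parts[0].replace(r"\:", ":"), parts[1]
        rating, reason = rate_security(security)
        results.append((ssid, security, rating, reason))
    return results


def needs_attention(scan_text):
    """SSIDs the article would tell you to fix or avoid: open, WEP, or WPA1-capable."""
    return [s for s, _, rating, _ in audit_scan(scan_text) if rating in ("open", "insecure", "weak")]


if __name__ == "__main__":
    for ssid, sec, rating, reason in audit_scan(SAMPLE_SCAN):
        print(f"{ssid:12} {sec or '(open)':14} {rating:9} {reason}")
```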
The SSID is the service set identifier, which is the network name. Selecting disable on the ‘Broadcast SSID’ option in your router settings will hide the network name, which hides the wi-fi network to a certain degree. Once SSID broadcast is disabled you can connect via “Connect to hidden Network,” entering the SSID and encryption type along with the password.
Norton anti-virus lists some things you can do to secure your wi-fi: “Change the default wi-fi network name, create a strong password, enable network encryption, turn off network name broadcasting, keep router firmware and operating systems up to date, set up a good firewall, and use VPNs.”
The router firmware can be updated in your router settings. You can access your router’s web interface at ‘http://192.168.1.1’, which is the default address on many routers. Select ‘check for firmware updates’ and, if one is available, download it. Keep in mind that you will lose network connectivity and the router will usually reboot on its own.
Firewalls can be deployed as a hardware or software solution. A third-party firewall will allow for advanced features such as intrusion detection/prevention, firewall rule sets, and stateful/packet filter options.
VPNs are a great addition to any wi-fi network. A VPN is a virtual private network. A VPN works by routing your traffic from your system’s IP address to another IP address elsewhere in the world. Your traffic doesn’t just bounce through one IP but several, until it stops at the server that you specify.
VPNs encrypt your network traffic using protocols such as IPSec/L2TP and OpenVPN. These protocols vary in speed, encryption, authentication, and hash algorithm length. They are considered extremely strong protocols and are almost impossible to decrypt.
Proxies work differently and don’t provide all of the features that VPNs provide. They act as a filter or firewall between the end-user and the web page or application. There are forward and reverse proxies.
To summarize, wi-fi should be secured with the best available methods. Protecting your wi-fi will decrease the chances of:
- Loss of data
- Account credential theft
- Identity theft
- Malware spread