The Borg Worm is a theoretical worm which aims to create a mesh network of home routers.
All testing on the project was completed in September 2017, and made use of 10 TP-Link TL-WR841N Home Routers, in a controlled setting.
The worm is composed of a bash script, making use of various off the shelf software components.
It’s lifecycle can be broken into the following stages:
1) Using Aircrack and a list of discovered routers, collect WPA handshakes and attempt to crack the password of a random access point, first by wordlist, then bruteforce with a random seed, and access their administration interfaces.
1a) After a given timeout while bruteforcing a router, move to the next router in the list, looping to the beginning as needed.
2) Programmatically install openWRT, and Aircrack on the accessed router. Using tools like OpenWISP, enroll the new router as a node in a wi-fi mesh network.
3) Share the initial router list with the new router node, using the new node collect new WPA handshakes not on the list, update the list and distribute the changes to other routers in the mesh network.
4) Return to step 1
Research was done programmatically cracking, accessing, and installing cracking software from one known router model to another. Difficulties with this attack include identifying routers compatible with the software to be installed, and router memory constraints as the handshake list grows.
The main methods limiting this type of attack are removing wireless access to router administration panels, limiting password guesses and offline cracking (such as the defenses proposed in WPA3), and geographic distance between routers.
Initial “seed” cracking could be preformed with desktop computers, or more powerful password cracking options, until the processing power of the mesh routers is large enough to crack low strength passwords in a reasonable time frame without support. The amount of routers needed to reach this point is perhaps the largest issue in the attack’s feasibility.