"Attack of the Wireless Worms"

Jerry Leichter leichter at lrw.com
Thu Jan 29 16:12:08 EST 2009 

On Jan 29, 2009, at 10:07 AM, Donald Eastlake wrote:

> "Recent research has shown that a new and disturbing form of computer
> infection is readily spread: the epidemic copying of malicious code
> among wireless routers without the participation of intervening
> computers. Such an epidemic could easily strike cities, where the
> ranges of wireless routers often overlap."
>
> <http://blogs.spectrum.ieee.org/tech_talk/2009/01/attack_of_the_wireless_worms.html 
> >
It's worth reading both the original article that describes the  
simulation - cited in the blog entry as http://arxiv.org/abs/0706.3146  
- and the actual blog entry, which is much more reasonable.

The original article posits that, if you can get onto a wireless  
network, you can load an update into the wireless router.  (They  
should have said "access point", but ignore that; the confusion is now  
so well established that it doesn't much matter.)  Given that  
assumption, and further given the assumption that not only could you  
do it, you could write a virus that would do it for you, across a wide  
variety of router models from multiple vendors, they use some  
simulations to determine how long it would take to infect all the  
routers in several "well-wirelessed" metropolitan areas.  The numbers  
come out to a matter of days to hours.  Their only recommendation is  
that everyone use WPA2 with a strong password.

Of course, I could equally well write a paper on the assumption that  
car computers could infect other car computers by modulating the  
headlights, and then calculate how long it would take a virus to  
spread through all the cars in a city.  Maybe we all need to cover the  
headlights of our cars "for security".

Access to a wireless network is a long way from administrative access  
to the router for that network.  Granted, some devices have weak  
administrative passwords.  That's certainly a problem - but the right  
approach to fixing *that* problem is, well, to fix that problem: Use a  
strong password.  It's very rare that anyone needs admin access to  
their wireless routers.  There's no reason not to choose a complex  
password, write it on sticker, and attach it to the router:  If  
someone has physical access to your router, your security is gone  
anyway.  The Spectrum article makes this point, and also points out  
that this would be a non-problem if vendors shipped routers with  
unique passwords pre-set on them.  (In fact, DSL routers - and  
probably cable routers - typically come that way.  They can also  
usually be set to permit admin access only from the "home" side, not  
the "network" side - as some wireless routers can be set to allow  
admin access only from their wired ports.)

There are many real problems around, but there are also many pseudo- 
problems.  The pseudo-problems do let you publish neat papers  
sometimes, but it's important not to take them *too* seriously.
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list