On Jan 29, 2009, at 10:07 AM, Donald Eastlake wrote:

"Recent research has shown that a new and disturbing form of computer
infection is readily spread: the epidemic copying of malicious code
among wireless routers without the participation of intervening
computers. Such an epidemic could easily strike cities, where the
ranges of wireless routers often overlap."

<http://blogs.spectrum.ieee.org/tech_talk/2009/01/attack_of_the_wireless_worms.html>

It's worth reading both the original article that describes the simulation - cited in the blog entry as http://arxiv.org/abs/0706.3146 - and the actual blog entry, which is much more reasonable.

The original article posits that, if you can get onto a wireless network, you can load an update into the wireless router. (They should have said "access point", but ignore that; the confusion is now so well established that it doesn't much matter.) Given that assumption, and further given the assumption that not only could you do it, you could write a virus that would do it for you, across a wide variety of router models from multiple vendors, they use some simulations to determine how long it would take to infect all the routers in several "well-wirelessed" metropolitan areas. The numbers come out to a matter of days to hours. Their only recommendation is that everyone use WPA2 with a strong password.

Of course, I could equally well write a paper on the assumption that car computers could infect other car computers by modulating the headlights, and then calculate how long it would take a virus to spread through all the cars in a city. Maybe we all need to cover the headlights of our cars "for security".

Access to a wireless network is a long way from administrative access to the router for that network. Granted, some devices have weak administrative passwords. That's certainly a problem - but the right approach to fixing *that* problem is, well, to fix that problem: Use a strong password. It's very rare that anyone needs admin access to their wireless routers. There's no reason not to choose a complex password, write it on a sticker, and attach it to the router: If someone has physical access to your router, your security is gone anyway. The Spectrum article makes this point, and also points out that this would be a non-problem if vendors shipped routers with unique passwords pre-set on them. (In fact, DSL routers - and probably cable routers - typically come that way. They can also usually be set to permit admin access only from the "home" side, not the "network" side - as some wireless routers can be set to allow admin access only from their wired ports.)

There are many real problems around, but there are also many pseudo-problems. The pseudo-problems do let you publish neat papers sometimes, but it's important not to take them *too* seriously.
                                                        -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List