On Jan 29, 2009, at 10:07 AM, Donald Eastlake wrote:
Recent research has shown that a new and disturbing form of computer
infection is readily spread: the epidemic copying of malicious code
among wireless routers without the participation of intervening
computers. Such an epidemic could easily strike cities, where the
ranges of wireless routers often overlap.
http://blogs.spectrum.ieee.org/tech_talk/2009/01/attack_of_the_wireless_worms.html
It's worth reading both the original article that describes the
simulation - cited in the blog entry as http://arxiv.org/abs/0706.3146
- and the actual blog entry, which is much more reasonable.
The original article posits that, if you can get onto a wireless
network, you can load an update into the wireless router. (They
should have said access point, but ignore that; the confusion is now
so well established that it doesn't much matter.) Given that
assumption, and further given the assumption that not only could you
do it, you could write a virus that would do it for you, across a wide
variety of router models from multiple vendors, they use some
simulations to determine how long it would take to infect all the
routers in several well-wirelessed metropolitan areas. The numbers
come out to a matter of days to hours. Their only recommendation is
that everyone use WPA2 with a strong password.
Of course, I could equally well write a paper on the assumption that
car computers could infect other car computers by modulating the
headlights, and then calculate how long it would take a virus to
spread through all the cars in a city. Maybe we all need to cover the
headlights of our cars for security.
Access to a wireless network is a long way from administrative access
to the router for that network. Granted, some devices have weak
administrative passwords. That's certainly a problem - but the right
approach to fixing *that* problem is, well, to fix that problem: Use a
strong password. It's very rare that anyone needs admin access to
their wireless routers. There's no reason not to choose a complex
password, write it on sticker, and attach it to the router: If
someone has physical access to your router, your security is gone
anyway. The Spectrum article makes this point, and also points out
that this would be a non-problem if vendors shipped routers with
unique passwords pre-set on them. (In fact, DSL routers - and
probably cable routers - typically come that way. They can also
usually be set to permit admin access only from the home side, not
the network side - as some wireless routers can be set to allow
admin access only from their wired ports.)
There are many real problems around, but there are also many pseudo-
problems. The pseudo-problems do let you publish neat papers
sometimes, but it's important not to take them *too* seriously.
-- Jerry
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
