Emerging Tech

Blog archive
Wi-Fi Virus

Wi-Fi virus: Much ado about (almost) nothing

Researchers at the University of Liverpool made a splash in the media two weeks ago when they announced that they had demonstrated the first virus to infect a wireless network.

In a laboratory setting, the virus, dubbed Chameleon, moved from wireless access point to wireless access point, and while it didn’t affect the network, it did report the credentials of connected users. 

Apparently, however, the virus was not able to infect access points that were encrypted and password protected.  So basically what the researchers demonstrated was that vulnerable networks are … well … vulnerable.

"First, what they did is theoretical.  They haven't proved to anybody that they can do it," noted Martin Lindner, principal engineer in the CERT Division of the Carnegie Mellon University Software Engineering Institute. 

“What I think they're alluding to is that they can compromise access points themselves.  But that would be no different than compromising a PC, a router or any other device on the network.  The new part is that they are talking about taking control of a piece of hardware that most people don't really think is worth taking control of.”

And in any case, Lindner said, the security community is already well aware of the vulnerability of access points. 

“If I'm the IT guy at an agency, I should have a regimen in place that tracks what access points I own and operate, and I’ll be surveying the building on a regular basis looking for things that claim to be my network that I don't know about,” Lindner said.  “If you are doing your due diligence looking for rogue access points, you have little risk that one of your employees is going to connect to a network you don't control.”

If there’s a lesson to be learned from Chameleon – apart from the obvious one not to assume you’re secure on a public Wi-Fi network – it is the importance of implementing end-to-end encryption. 

“You still might have WPA2 for wireless encryption, but you then would be tunneling a direct path between the client and the server using end-to-end encryption. So even if the guy had control of the access point, the information would still be garbage,” Lindner said.

Unfortunately, Lindner added, some federal agencies have lagged in implementing end-to-end encryption.  “It's probably not as prevalent as it could be,” he said.  “But it is clearly on the radar.” 

Another thing that would help is adoption of IPv6, which natively supports end-to-end encryption.  “There is a push – slow, but it is there – for IPv6,” Lindner noted. 

Posted by Patrick Marshall on Mar 11, 2014 at 11:49 AM


  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    OPM nominee plans focus on telework, IT, retirement

    Kiran Ahuja, a veteran of the Office of Personnel Management, told lawmakers that she thinks that the lack of consistent leadership in the top position at OPM has taken a toll on the ability of the agency to complete longer term IT modernization projects.

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

Stay Connected