Wi-Fi virus: Much ado about (almost) nothing

Researchers at the University of Liverpool made a splash in the media two weeks ago when they announced that they had demonstrated the first virus to infect a wireless network.

In a laboratory setting, the virus, dubbed Chameleon, moved from wireless access point to wireless access point, and while it didn’t affect the network, it did report the credentials of connected users. 

Apparently, however, the virus was not able to infect access points that were encrypted and password protected.  So basically what the researchers demonstrated was that vulnerable networks are … well … vulnerable.

"First, what they did is theoretical.  They haven't proved to anybody that they can do it," noted Martin Lindner, principal engineer in the CERT Division of the Carnegie Mellon University Software Engineering Institute. 

“What I think they're alluding to is that they can compromise access points themselves.  But that would be no different than compromising a PC, a router or any other device on the network.  The new part is that they are talking about taking control of a piece of hardware that most people don't really think is worth taking control of.”

And in any case, Lindner said, the security community is already well aware of the vulnerability of access points. 

“If I'm the IT guy at an agency, I should have a regimen in place that tracks what access points I own and operate, and I’ll be surveying the building on a regular basis looking for things that claim to be my network that I don't know about,” Lindner said.  “If you are doing your due diligence looking for rogue access points, you have little risk that one of your employees is going to connect to a network you don't control.”
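The survey regimen Lindner describes comes down to comparing what a scan hears against the list of access points the organization owns. The sketch below is an added example, not code from the article or the researchers; the inventory format, field names, SSIDs and BSSIDs are constructed assumptions.

```python
# Constructed inventory of access points the organization owns (assumed values).
INVENTORY = {
    "02:00:00:aa:00:01": {"ssid": "AgencyNet", "channel": 1, "security": "WPA2"},
    "02:00:00:aa:00:02": {"ssid": "AgencyNet", "channel": 6, "security": "WPA2"},
}

# Constructed survey results, as a building walk-through scan might record them.
SURVEY = [
    {"bssid": "02:00:00:AA:00:01", "ssid": "AgencyNet", "channel": 1, "security": "WPA2"},
    {"bssid": "02:00:00:bb:00:09", "ssid": "AgencyNet", "channel": 11, "security": "WPA2"},
    {"bssid": "02:00:00:aa:00:02", "ssid": "AgencyNet", "channel": 6, "security": "OPEN"},
    {"bssid": "02:00:00:cc:00:05", "ssid": "CoffeeShop", "channel": 3, "security": "OPEN"},
]


def audit_survey(inventory, survey):
    """Return (bssid, finding) pairs for every observation that needs follow-up."""
    our_ssids = {ap["ssid"] for ap in inventory.values()}
    findings, seen = [], set()
    for obs in survey:
        bssid = obs["bssid"].lower()  # scanners differ in MAC letter case
        seen.add(bssid)
        known = inventory.get(bssid)
        if known is None:
            # Something claims to be our network that we do not own.
            if obs["ssid"] in our_ssids:
                findings.append((bssid, "unknown BSSID advertising our SSID"))
            continue  # unrelated neighbouring network, ignore
        # An owned BSSID whose settings changed: spoofed or reconfigured.
        drift = [k for k in ("ssid", "channel", "security") if obs[k] != known[k]]
        if drift:
            findings.append((bssid, "inventory mismatch: " + ", ".join(drift)))
    # Owned access points that the survey never heard.
    for bssid in sorted(set(inventory) - seen):
        findings.append((bssid, "owned AP not seen in survey"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_survey(INVENTORY, SURVEY):
        print(bssid, "-", finding)
```
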

If there’s a lesson to be learned from Chameleon – apart from the obvious one not to assume you’re secure on a public Wi-Fi network – it is the importance of implementing end-to-end encryption. 

“You still might have WPA2 for wireless encryption, but you then would be tunneling a direct path between the client and the server using end-to-end encryption. So even if the guy had control of the access point, the information would still be garbage,” Lindner said.

Unfortunately, Lindner added, some federal agencies have lagged in implementing end-to-end encryption.  “It's probably not as prevalent as it could be,” he said.  “But it is clearly on the radar.” 

Another thing that would help is adoption of IPv6, which natively supports end-to-end encryption.  “There is a push – slow, but it is there – for IPv6,” Lindner noted. 

Posted by Patrick Marshall on Mar 11, 2014 at 11:49 AM

