The inherent insecurity of wireless devices is now a matter of US national security.
John Stenbit, the Pentagon's CIO, said this week that he plans to issue new policy guidelines that will ban most if not all wireless devices within military installations.
Pentagon officials fear that the latest generation of wireless devices, including mobile phones and two-way pagers, can be used as eavesdropping devices during classified meetings. Military facilities and offices that are used for highly classified meetings are already routinely scanned for listening devices.
However, with the growing use of personal wireless communications systems, security audits increasingly find military officers attending meetings in classified office spaces with these devices on their person, creating the potential for adversaries to turn these devices into crude eavesdropping systems, military officials acknowledged.
Devices such as cell phones have long been banned from facilities known as Sensitive Compartmented Information Facilities. In fact, all military personnel who are granted top secret security clearances are required to attend an indoctrination briefing on the growing list of threats posed by electronic devices. However, the new Pentagon policy extends the wireless ban to the majority of office spaces where sensitive but unclassified information may be discussed. It also builds upon a larger government policy of using the government's purchasing power as a market driver to get the IT industry to improve the security of its products if it wants to sell into the government.
"Why is it that companies have sold products that they know are insecure?" asked Richard Clarke, President Bush's chief cybersecurity adviser. "And why is it that people have bought them? We should all shut [wireless LANs] off until the technology gets better."
Steven Aftergood, a defense analyst at the Federation of American Scientists in Washington, said the policy change makes perfect sense for a high-risk environment such as the military.
"People get accustomed to using nifty products that are extremely useful in other parts of their lives, such as cell phones, wireless Internet connections and all kinds of recording devices," said Aftergood. "And it's easy to forget that these are inappropriate in a secure environment."
In May, a wireless security expert managed to detect the nonsecure wireless LAN at the Defense Information Systems Agency (DISA) in Arlington, Va. While parked across the street from DISA's headquarters, the security expert was able to view the Service Set Identifier numbers of access points and numerous IP addresses. Using a standard 802.11b wireless LAN card attached to his laptop computer and access point detection software from San Diego-based NetStumbler.com, he was able to scan the network in less than half an hour.
Some airlines also pulled the plug earlier this year on their wireless bag checking systems after auditors managed to hack their way into sensitive back-end systems, such as the passenger manifest and aircraft maintenance systems.