Chapter 25 Key Takeaways: Wireless Network Attacks

Core Concepts

  1. Wireless networks are inherently exposed. The broadcast nature of radio signals means the network perimeter extends beyond physical walls. Attackers can interact with wireless networks from parking lots, neighboring buildings, or public areas without physical access.

  2. WEP is broken beyond repair. WEP's cryptographic weaknesses (small IV space, weak key scheduling, CRC integrity) make it crackable in minutes. Any discovery of WEP in an environment is an automatic critical finding.

  3. WPA2-PSK is only as strong as the passphrase. Capturing a four-way handshake or PMKID enables offline dictionary attacks. Strong, random passphrases of 20+ characters are essential for PSK security. WPA2-Enterprise eliminates this attack vector.

  4. KRACK demonstrated protocol-level vulnerability. The Key Reinstallation Attack showed that even properly implemented WPA2 had a fundamental flaw in its handshake specification. Every correctly implemented client was vulnerable, underscoring the importance of protocol security verification.

  5. WPA3 improves security but is not perfect. SAE provides forward secrecy and offline dictionary attack resistance, but Dragonblood attacks revealed implementation vulnerabilities. Proper WPA3 implementation with current patches provides the strongest available wireless security.

  6. Evil twin attacks exploit trust. Clients automatically reconnect to known SSIDs, enabling attackers to impersonate legitimate networks. Wireless IDS, certificate validation, and user awareness are essential defenses.

  7. Bluetooth and BLE are significant attack surfaces. BlueBorne, KNOB, BIAS, and BLE relay attacks demonstrate that Bluetooth security requires the same rigor as Wi-Fi security. The proliferation of IoT and wearable devices expands this surface continuously.

  8. Wireless security requires specialized hardware. Monitor mode-capable adapters, directional antennas, and BLE sniffers are essential tools for wireless security assessment. Not all wireless adapters support the features needed for security testing.

  9. Defense requires detection and prevention. Wireless IDS/WIPS for rogue AP detection, proper network segmentation for wireless traffic, and regular wireless security assessments form the foundation of wireless defense.

  10. Application-layer encryption is essential defense-in-depth. Even if wireless encryption is compromised, HTTPS, TLS, and VPNs protect data in transit. Wireless security should never be the only layer of protection for sensitive communications.
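To make concrete why the PSK takeaway (item 3) hinges on passphrase length, here is an added Python example that is not from the chapter. It performs the WPA2-PSK PMK derivation as specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes), which is what makes offline guessing possible once a handshake or PMKID is captured, and then expresses the "20+ random characters" guidance as a policy check backed by a character-class entropy bound. The guess rate, the 100-bit threshold and the sample passphrases are illustrative assumptions; the `password`/`IEEE` test vector is the one published in the 802.11i annex.

```python
import hashlib
import math

# WPA2-PSK key derivation parameters fixed by IEEE 802.11i:
# PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
PBKDF2_ROUNDS = 4096
PMK_LEN = 32

# Illustrative assumption only: an offline attacker's PBKDF2 throughput.
# Real figures depend entirely on the hardware used.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key exactly as a WPA2-PSK client does.

    Every input is public (the SSID is broadcast), which is why a captured
    handshake or PMKID can be attacked offline: the work is simply this
    derivation repeated per candidate passphrase.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy: assumes every character was drawn uniformly from
    the union of character classes present. Dictionary words and patterns
    are far weaker than this bound suggests."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation and space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def expected_search_years(entropy_bits: float,
                          guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    expected_guesses = 2.0 ** entropy_bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def meets_policy(passphrase: str, min_length: int = 20, min_bits: float = 100.0) -> bool:
    """The chapter's guidance (20+ random characters) as a check.
    The 100-bit floor is an assumed policy value, not from the chapter."""
    return len(passphrase) >= min_length and passphrase_entropy_bits(passphrase) >= min_bits


if __name__ == "__main__":
    # Constructed sample passphrases: a dictionary word and a 20-character random string.
    for pw in ("password", "T7#kQp2!vLm9@xZc4&Rb"):
        bits = passphrase_entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, ~{expected_search_years(bits):.2e} years, "
              f"policy ok={meets_policy(pw)}")
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
```

The contrast between the two sample passphrases is the whole point: at the assumed rate the eight-letter word falls in hours, while the 20-character random string is beyond any plausible budget, and WPA2-Enterprise removes the question entirely because there is no shared passphrase to guess.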

Defensive Priorities

  • Deploy WPA3 where possible; WPA2-Enterprise as the minimum acceptable standard for corporate networks
  • Implement wireless intrusion detection and prevention systems (WIDS/WIPS) with dedicated sensors monitoring the RF environment
  • Enforce client certificate validation for Enterprise wireless authentication to prevent rogue RADIUS server attacks
  • Segment wireless networks with firewall rules controlling internal access; isolate guest, IoT, and corporate networks on separate VLANs
  • Conduct regular wireless security assessments including rogue AP detection, signal leakage evaluation, and encryption strength verification
  • Implement 802.11w Protected Management Frames (PMF) to prevent deauthentication attacks, which are a prerequisite for many wireless exploitation techniques
  • Manage wireless client configurations through MDM or Group Policy to prevent connection to unauthorized networks and enforce certificate pinning
  • Keep access point firmware updated to address known vulnerabilities (KRACK, FragAttacks, Dragonblood)
  • Disable WPS on all access points, as it provides an alternative authentication bypass that undermines strong WPA2/WPA3 configurations
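Several of the priorities above (WPA3/Enterprise rather than PSK, 802.11w PMF, certificate validation on Enterprise clients, WPS disabled) map directly onto a handful of settings in hostapd and wpa_supplicant. As an added example that is not from the chapter, the following Python audit parses both configuration styles and reports each priority that is not met. The option names (`wpa`, `wpa_key_mgmt`, `ieee80211w`, `wps_state`, `ca_cert`, `domain_match`, and so on) are real hostapd/wpa_supplicant options; the sample configurations are constructed for the demonstration, and the finding texts are this example's own wording.

```python
import re

# Constructed sample configurations (not from any real deployment).
WEAK_AP = """\
interface=wlan0
ssid=corp-wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=summer2024
ieee80211w=0
wps_state=2
"""

HARDENED_AP = """\
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-EAP SAE
ieee80211w=2
wps_state=0
"""

# A client block with no server validation accepts any RADIUS server that
# speaks PEAP, which is what an evil twin with a rogue RADIUS server relies on.
WEAK_CLIENT = """\
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
}
"""

HARDENED_CLIENT = """\
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.corp.example"
}
"""


def parse_kv(text: str) -> dict:
    """Parse hostapd/wpa_supplicant style key=value lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_hostapd(text: str) -> list:
    """Check an access-point config against the defensive priorities."""
    c = parse_kv(text)
    findings = []
    wpa = c.get("wpa", "0")  # hostapd default: no WPA
    if "wep_key0" in c or wpa == "0":
        findings.append("no WPA2/WPA3: open or WEP network")
    elif wpa.isdigit() and int(wpa) & 1:
        findings.append("legacy WPA (bit 1 of 'wpa') still allowed")
    mgmt = set(c.get("wpa_key_mgmt", "WPA-PSK").split())  # hostapd default: WPA-PSK
    if not mgmt & {"WPA-EAP", "SAE"}:
        findings.append("PSK-only authentication: use SAE or WPA-EAP (Enterprise)")
    if c.get("ieee80211w", "0") != "2":
        findings.append("PMF not required: set ieee80211w=2 to block deauth attacks")
    if c.get("wps_state", "0") != "0":
        findings.append("WPS enabled: set wps_state=0")
    return findings


def audit_supplicant(text: str) -> list:
    """Check every Enterprise network block for RADIUS server validation."""
    findings = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        c = parse_kv(body)
        if "WPA-EAP" not in c.get("key_mgmt", ""):
            continue
        name = c.get("ssid", "?")
        if "ca_cert" not in c:
            findings.append(f"{name}: no ca_cert, any server certificate is accepted")
        if not any(k in c for k in ("domain_match", "domain_suffix_match", "altsubject_match")):
            findings.append(f"{name}: no server name match, any cert from the CA is accepted")
    return findings


if __name__ == "__main__":
    for label, text, fn in (("weak AP", WEAK_AP, audit_hostapd),
                            ("hardened AP", HARDENED_AP, audit_hostapd),
                            ("weak client", WEAK_CLIENT, audit_supplicant),
                            ("hardened client", HARDENED_CLIENT, audit_supplicant)):
        print(label, "->", fn(text) or ["ok"])
```

Both checks treat hostapd defaults as the baseline (no `wpa` means no WPA, no `wps_state` means WPS off), so a missing line is only a finding when the default itself is the weakness; running the same audit across exported AP and MDM client profiles is one cheap way to make the "regular wireless security assessment" priority repeatable.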

Key Tools Reference

Purpose          Offensive Tools                         Defensive Tools
Reconnaissance   aircrack-ng suite, Kismet, Bettercap    Cisco aWIPS, Aruba RFProtect
WPA Cracking     hashcat, aircrack-ng, hcxdumptool       Strong passphrases, WPA3-SAE
Evil Twin        hostapd, hostapd-wpe, WiFi Pineapple    WIDS/WIPS, certificate pinning
BLE Testing      gatttool, Bettercap, nRF Connect        BLE authentication, firmware updates
Packet Analysis  Wireshark, tcpdump                      Network monitoring, anomaly detection