By Eric Geier, Contributing Writer

5 Wi-Fi vulnerabilities you need to know about

Feature | Feb 14, 2024 | 7 min read
Network Security, Networking, Wi-Fi

Securing Wi-Fi networks means protecting against Wi-Jacking, evil twin attacks and bad KARMA.


Effectively securing enterprise Wi-Fi networks is about more than simply setting up the latest encryption or implementing 802.1X authentication. Those are certainly important, but there are many more vulnerabilities to consider.

Whether you’re trying to troubleshoot strange Wi-Fi behavior or want to broaden your understanding of weaknesses in the wireless spectrum so you can better protect the networks you design or administer, it’s important to understand these potential Wi-Fi vulnerabilities.

Users eavesdropping on wireless traffic

Since Wi-Fi signals travel across the airwaves, attackers can passively listen to the wireless communication between devices and access points (APs), even outside the physical barriers of a facility. On insecure networks, attackers may be able to capture sensitive information like login credentials, browsing history, or other confidential data.

A major vulnerability of the WPA/WPA2-Personal security protocol, particularly on business networks, is that a user with the Wi-Fi passphrase could snoop on another user’s network traffic and perform attacks. The enterprise mode of WPA/WPA2 provides protection against user-to-user snooping. But that requires a RADIUS server or cloud service to deploy, and requires more of the user or client device in order to connect. Thus, many enterprise environments still broadcast signals with the simpler WPA/WPA2-Personal security.

Thanks to WPA3, which was introduced by the Wi-Fi Alliance in 2018, eavesdropping by other users won’t be a concern for those networks and devices that support this newer security method. Encryption with WPA3 (both personal and enterprise modes) is more individualized. Users on a WPA3 network cannot decrypt the traffic of other users on the network, even when they know the Wi-Fi password and are successfully connected.

The Pre-Shared Key (PSK) authentication method used in prior WPA versions is replaced by Simultaneous Authentication of Equals (SAE) in WPA3. This means WPA3-Personal networks with simple passphrases are far more difficult for hackers to crack with offline brute-force or dictionary attacks than WPA/WPA2 networks were.

Denial of service (DoS) attacks

Like wired networks, Wi-Fi is susceptible to Denial of Service (DoS) attacks, which can overwhelm a Wi-Fi network with an excessive amount of traffic. This can cause the Wi-Fi to become slow or unavailable, disrupting normal operations of the network, or even the business.

A DoS attack can be launched by generating a large number of connection or authentication requests, or by injecting other bogus data into the network to break the Wi-Fi. An attacker could also send de-authentication frames to disconnect devices from the Wi-Fi network, disrupting the connections and possibly getting the client devices to connect to rogue access points (APs). Attackers can also flood the network with fake or malicious beacon frames, causing confusion among connected devices and disrupting network operations.

Preventing Wi-Fi DoS attacks involves implementing security measures such as intrusion detection systems (IDS), firewalls, and traffic filtering. Regularly updating firmware, using strong encryption, and configuring network equipment to handle excessive traffic can also help mitigate the impact of DoS attacks. Additionally, monitoring network traffic for unusual patterns and promptly addressing any vulnerabilities can enhance overall Wi-Fi security.
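As an added example (not from the article), here is a minimal detector for the de-authentication floods described above, of the kind a wireless IDS applies to monitor-mode captures. The frame records, the record layout and the threshold and window values are all constructed assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample of 802.11 management-frame records, not a real capture.
# Each record: (timestamp_seconds, frame_subtype, source_mac, destination_mac).
SAMPLE_FRAMES = [
    (0.00, "beacon", "aa:bb:cc:00:00:01", BROADCAST),
    (0.10, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),  # a single deauth is routine
    (1.00, "beacon", "aa:bb:cc:00:00:01", BROADCAST),
    # 30 broadcast deauths in 1.5 s carrying the AP's address: a flood
    *[(2.00 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", BROADCAST) for i in range(30)],
    (4.00, "beacon", "aa:bb:cc:00:00:01", BROADCAST),
]

DEAUTH_THRESHOLD = 10   # deauth frames from one source address ...
WINDOW_SECONDS = 2.0    # ... within this sliding window raise an alert (assumed tuning)


def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per source address whose deauth rate crosses the threshold.

    Frames are processed in timestamp order; a per-source deque keeps only the
    deauth timestamps inside the trailing window, so memory stays bounded.
    """
    recent = defaultdict(deque)  # source_mac -> timestamps of recent deauth frames
    alerts, already_alerted = [], set()
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in already_alerted:
            already_alerted.add(src)
            alerts.append({
                "source": src,
                "count": len(q),
                "window_start": q[0],
                "window_end": ts,
                "broadcast": dst == BROADCAST,  # broadcast deauths hit every client at once
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood from {alert['source']}: {alert['count']} frames in "
              f"{alert['window_end'] - alert['window_start']:.2f} s (broadcast={alert['broadcast']})")
```

Because legitimate APs do send occasional deauth frames, the rate threshold rather than the frame type alone is what separates housekeeping from an attack; tune it against a baseline capture of your own network.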

Wi-Jacking authorized Wi-Fi devices

Wi-jacking occurs when a Wi-Fi-connected device has been accessed or taken over by an attacker. The attacker could retrieve saved Wi-Fi passwords or network authentication credentials on the computer or device. Then they could also install malware, spyware, or other software on the device. They could also manipulate the device’s settings, including the Wi-Fi configuration, to make the device connect to rogue APs.

Reducing the chances of Wi-jacking involves implementing general computer security measures, such as utilizing good antivirus and firewall protection, keeping devices physically secure, implementing anti-theft features, and educating users on social engineering attacks.

RF interference

RF interference can cause Wi-Fi disruptions. Instead of being caused by bad actors, RF interference could be triggered by poor network design, building changes, or other electronics emitting or leaking into the RF space. Interference can result in degraded performance, reduced throughput, and increased latency.

Poor Wi-Fi design or changes in the building can cause interference issues, especially where nearby APs and neighboring Wi-Fi networks use overlapping channels. Other wireless devices that share the Wi-Fi bands, such as Bluetooth devices, cordless phones, wireless cameras, and baby monitors, can cause interference. Even electronics you wouldn’t think of as wireless can cause RF interference, such as microwave ovens, fluorescent lights, and poorly shielded cables.

There will always be noise in the Wi-Fi bands that can impact the network, but there are ways to mitigate Wi-Fi interference vulnerabilities. A professional RF site survey during the design phase can help reduce issues, as well as site surveys in the future to provide checkups. You can also utilize any monitoring provided by your Wi-Fi APs or controllers to keep tabs on the health of the Wi-Fi bands.

Evil twins and bad KARMA

A rogue access point (AP) in a Wi-Fi network is an unauthorized or illegitimate wireless AP or router that has been installed on the network without the explicit consent or knowledge of the network administrator. This can include well-meaning employees or visitors plugging in a home router in hopes of increasing Wi-Fi range, or it can be malicious actors specifically seeking to exploit vulnerabilities. It could also be a misconfigured AP, such as a legitimate AP that lacks security because of a malfunction or an oversight by the IT staff.

Regardless of how it happened, a rogue AP can introduce security vulnerabilities, enabling unauthorized access to the network. Attackers can exploit this access to launch attacks such as data interception, injection of malicious content, or unauthorized access to sensitive information.

Malicious actors can set up rogue APs to mimic legitimate networks, tricking users into connecting to them. This technique, known as an evil twin attack, allows them to intercept and manipulate data. Attackers may passively wait for users to connect, or speed up the process by sending out de-authentication frames to disconnect the users from the real network.

KARMA attacks exploit the default behavior of most Wi-Fi devices, where they automatically connect to networks they have connected to in the past. Attackers can set up rogue APs with commonly used network names (SSIDs), enticing devices to automatically connect and potentially exposing them to attacks.

Having professional site surveys performed before and after network deployment, regularly scanning for unauthorized APs, and using intrusion detection systems can help identify rogue APs. Additionally, strong security measures such as WPA3 encryption, certificate-based 802.1X authentication, and proper access controls can mitigate the risk of rogue APs.
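As an added example (not from the article), the rogue-AP scanning described above, applied to a constructed scan list: it compares what is on the air against an inventory of authorized BSSIDs and required security per SSID, and flags evil twins, lookalike SSIDs of the kind KARMA-style attacks rely on, and authorized APs that have drifted below policy. The inventory, scan results and security ranking are all assumptions.

```python
# Constructed authorized inventory: corporate SSID -> required security and the BSSIDs
# (AP radio MAC addresses) allowed to advertise it. Values are made up.
AUTHORIZED = {
    "CorpWiFi": {"security": "WPA3-Enterprise",
                 "bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}},
    "CorpGuest": {"security": "WPA2-PSK", "bssids": {"00:11:22:aa:bb:03"}},
}

# Constructed scan results, not a real capture: (ssid, bssid, security, channel, signal_dbm).
SCAN = [
    ("CorpWiFi", "00:11:22:aa:bb:01", "WPA3-Enterprise", 36, -48),
    ("CorpWiFi", "00:11:22:aa:bb:02", "WPA3-Enterprise", 44, -60),
    ("CorpWiFi", "de:ad:be:ef:00:01", "Open", 6, -42),          # unknown BSSID, same SSID: evil twin
    ("Corp WiFi", "de:ad:be:ef:00:03", "WPA2-PSK", 6, -50),     # near-identical name: lookalike
    ("CorpGuest", "00:11:22:aa:bb:03", "Open", 1, -55),         # our AP, but security below policy
    ("CorpGuest", "de:ad:be:ef:00:02", "WPA2-PSK", 11, -70),    # unknown BSSID mimicking guest SSID
    ("NeighborCafe", "c0:ff:ee:00:00:01", "WPA2-PSK", 1, -80),  # unrelated neighbor, ignored
]

# Ordering used to decide whether an authorized AP is weaker than policy requires.
SECURITY_RANK = {"Open": 0, "WEP": 1, "WPA2-PSK": 2, "WPA2-Enterprise": 3,
                 "WPA3-Personal": 4, "WPA3-Enterprise": 5}


def _norm(ssid):
    """Collapse case and punctuation so 'Corp WiFi' and 'corp-wifi' match 'CorpWiFi'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def classify_scan(scan, authorized=AUTHORIZED):
    """Return one finding per scanned BSSID that is an evil twin of a corporate SSID,
    a lookalike SSID, or an authorized AP advertising weaker security than policy."""
    by_norm = {_norm(s): s for s in authorized}
    findings = []
    for ssid, bssid, security, channel, signal in scan:
        base = {"ssid": ssid, "bssid": bssid, "security": security,
                "channel": channel, "signal_dbm": signal}
        if ssid in authorized:
            policy = authorized[ssid]
            if bssid not in policy["bssids"]:
                findings.append({"type": "evil_twin", **base})
            elif SECURITY_RANK[security] < SECURITY_RANK[policy["security"]]:
                findings.append({"type": "misconfigured_ap", "expected": policy["security"], **base})
        elif _norm(ssid) in by_norm:
            findings.append({"type": "lookalike_ssid", "mimics": by_norm[_norm(ssid)], **base})
    return findings


if __name__ == "__main__":
    for f in classify_scan(SCAN):
        print(f"{f['type']:16} {f['ssid']!r:14} {f['bssid']} {f['security']} ch{f['channel']}")
```

Neighboring networks with unrelated names are deliberately ignored: they are not rogues on your network, and alerting on them buries the findings that matter.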

Do your own Wi-Fi pen testing

One of the best ways to learn more about network security and to better protect the networks you administer is to investigate penetration testing tools. These can help you assess the security of a Wi-Fi network to identify vulnerabilities and weaknesses. Of course, you want to be careful not to exploit other Wi-Fi users or attack networks you don’t administer.

Unauthorized access to networks and devices is illegal and unethical. Penetration testers should adhere to legal and ethical guidelines, and ensure they have permission to assess the security of the Wi-Fi networks they are testing. Especially when you’re first learning the pen testing tools, understand as much as you can about each tool and what it will do before turning it on, so you don’t unknowingly disrupt your own network or attack your peers and neighbors.

Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity providing a cloud-based Wi-Fi security service, Wi-Fi Surveyors providing RF site surveying, and On Spot Techs providing general IT services.