Wi-Fi & Wireless Security
The network with no walls — how radio changes the threat model, and every attack that broke it.
01 How Wi-Fi actually works
Wi-Fi is the marketing name for the IEEE 802.11 family of standards. Instead of confining signals to a cable, it broadcasts them as radio waves — which is exactly what changes the threat model: with wireless, an attacker never has to touch your building. They just have to be in range.
Wi-Fi uses unlicensed radio bands: 2.4 GHz (longer range, more crowded and interference-prone), 5 GHz (faster, shorter range), and newer 6 GHz (Wi-Fi 6E). Each band is divided into channels. Because everyone shares the air, devices use CSMA/CA (carrier sense multiple access with collision avoidance): listen first, transmit only if the air is clear, and back off if it isn't.
An access point advertises a network name (the SSID) and is identified at the hardware level by its BSSID (essentially the AP's MAC address). Generations have marched forward — 802.11n, ac (Wi-Fi 5), ax (Wi-Fi 6/6E) — each adding speed via wider channels, more antennas (MIMO), and better encoding.
02 The security evolution: WEP to WPA3
Wi-Fi encryption is a story of repeated breakage and repair.
- WEP (Wired Equivalent Privacy, 1997): fatally flawed. It used the RC4 cipher with a tiny 24-bit initialization vector that repeated quickly, letting attackers recover the key from captured traffic in minutes. Utterly broken — never use it.
- WPA (2003): a stopgap on the road to something better. It added TKIP to patch WEP on existing hardware, but TKIP inherited enough weakness that it too is now deprecated.
- WPA2 (2004): the long-time standard. It replaced TKIP with AES-CCMP, providing genuinely strong encryption. Its weak point is the personal-mode passphrase and the 4-way handshake.
- WPA3 (2018): the current best. It replaces the pre-shared-key handshake with SAE (Simultaneous Authentication of Equals, a.k.a. Dragonfly), which provides forward secrecy and resists offline password-guessing even on weak passwords.
03 Handshake capture and KRACK
Even strong WPA2 has two well-known attack paths.
Handshake capture + offline cracking: when a device joins a WPA2-Personal network, it performs a 4-way handshake to prove it knows the passphrase. An attacker within range can capture that handshake (often speeding it up by sending a forged deauthentication frame to knock a client off so it reconnects), then take it offline and guess passwords at billions per second with tools like hashcat. The encryption is sound; a weak password is the vulnerability. A related trick, the PMKID attack, can grab the needed material from the AP without even waiting for a client.
KRACK (Key Reinstallation Attack, 2017, by Mathy Vanhoef) was different — a flaw in the WPA2 protocol itself, not the password. By manipulating and replaying handshake messages, an attacker could force reinstallation of an already-in-use key, resetting cryptographic counters (nonces) and enabling decryption or forgery of traffic. It affected essentially every WPA2 device until patched, and was a major reason WPA3 was accelerated.
04 Evil twins and rogue APs
Wireless clients are eager to connect — and that eagerness is exploitable.
An evil twin is an access point an attacker sets up to impersonate a legitimate one, broadcasting the same SSID (say, Airport_Free_WiFi) with a stronger signal. Devices that have connected before may auto-join, and once your traffic flows through the attacker's AP, they can intercept, redirect, and inject. A convincing captive portal can even harvest credentials by mimicking a login page.
A rogue AP is a broader term: any unauthorized access point on a network. Sometimes it's an attacker's device; often it's an employee who plugged in a cheap consumer router "to get better Wi-Fi," accidentally punching an unsecured hole straight into the corporate network — a classic insider-by-accident risk.
Defenders counter with wireless intrusion detection (WIDS) that watches for unexpected BSSIDs and SSID impersonation, plus 802.1X so clients authenticate the network, not just vice versa. For users, the discipline is simple: don't trust an open network just because the name looks right.
05 Public Wi-Fi, Bluetooth, and RF
Open public Wi-Fi deserves healthy paranoia. On a truly open network, nearby attackers can attempt eavesdropping, evil-twin redirection, and captive-portal trickery. The saving grace is that pervasive HTTPS/TLS now encrypts most traffic end to end regardless of the network — but a VPN adds a strong second layer by tunneling everything through an encrypted link, hiding even which sites you visit from the local network.
Wireless is bigger than Wi-Fi. Bluetooth and its low-energy variant BLE have their own attack history: BlueBorne (2017) was a set of vulnerabilities allowing takeover with no pairing and no user action; the KNOB attack forced encryption keys down to a trivially guessable strength. The lesson repeats: keep Bluetooth off or non-discoverable when you don't need it, and patch.
Zoom out to RF (radio frequency) generally and the attack surface widens: RFID and NFC cards can be cloned or relayed, garage and car key fobs can be captured and replayed, and many building systems still trust radio signals implicitly. The unifying principle of wireless security: anyone in range is on your network's doorstep, so encryption and authentication have to do the work walls used to.
⌘ Field Glossary
- 802.11
- The IEEE family of standards behind Wi-Fi, defining how devices communicate over shared radio bands (2.4, 5, and 6 GHz) using CSMA/CA to avoid collisions.
- WPA2 vs. WPA3
- WPA2 (2004) uses AES-CCMP and a 4-way handshake vulnerable to offline cracking; WPA3 (2018) uses the SAE handshake for forward secrecy and resistance to password guessing.
- KRACK
- Key Reinstallation Attack (2017) — a flaw in the WPA2 protocol that let attackers force reuse of a key by replaying handshake messages, enabling decryption or forgery.
- Handshake capture
- Capturing a WPA2 4-way handshake (often after a forced deauthentication) to crack the passphrase offline; the encryption is sound, so a weak password is the weakness.
- Evil twin
- A rogue access point impersonating a legitimate network's SSID to lure clients into connecting, enabling interception, redirection, and credential harvesting.
- Deauthentication attack
- Sending forged 802.11 deauth management frames to forcibly disconnect clients — historically unauthenticated, now mitigated by 802.11w Protected Management Frames.
- BlueBorne
- A 2017 set of Bluetooth vulnerabilities allowing device takeover with no pairing and no user interaction; a reminder that wireless attack surface extends well beyond Wi-Fi.
Knowledge Check
Field Assessment
01 When an attacker captures a WPA2 handshake and cracks it offline, what is the actual weakness being exploited?
02 What made KRACK different from ordinary Wi-Fi password cracking?
03 On open public Wi-Fi, what best protects the confidentiality of ALL your traffic, including which sites you visit?