Wireless networks are uniquely vulnerable because their signals extend beyond physical boundaries. An attacker in your parking lot can attack your Wi-Fi without ever setting foot inside your building. This guide covers the real Wi-Fi threats and practical defenses — from home networks to enterprise wireless deployments.
Wi-Fi Encryption Standards: The Complete Picture
# Wi-Fi encryption history and status:
WEP (1997) — Broken in 2001. Never use. Crackable in minutes.
WPA (2003) — Deprecated. Vulnerable to TKIP attacks.
WPA2-TKIP — Weak. Avoid TKIP mode.
WPA2-AES — Acceptable. Still the standard for most deployments.
WPA3-SAE — Current best. Replaces PSK with Simultaneous Authentication of Equals.
WPA3-Enterprise — 192-bit security for high-security environments.
# Check your router's encryption:
# Router admin panel > Wireless > Security settings
# Should show WPA2-AES or WPA3Evil Twin Attack: The Most Dangerous Wi-Fi Threat
# Evil Twin setup:
# 1. Attacker identifies target network: "CoffeeShop_WiFi"
# 2. Attacker creates rogue AP with same SSID
# 3. Attacker uses higher transmit power to overpower legitimate AP
# 4. Victims connect to evil twin thinking it is legitimate
# 5. All traffic flows through attacker (full MITM)
# Tools attackers use (for educational awareness):
# Airbase-ng, hostapd-wpe, Fluxion, Wifiphisher
# Detection signs:
# - Captive portal you do not remember from before
# - Certificate warnings when connecting to HTTPS sites
# - Unusually slow connection
# - Disconnect and reconnect loop
# Defense:
# 1. Always use a VPN on public Wi-Fi
# 2. Verify certificate fingerprints for critical sites
# 3. Use HSTS preloaded sites (cannot be MITMed even with evil twin)
# 4. Enterprises: deploy 802.1X (RADIUS) authentication
# Devices must present certificates — rogue APs cannot issue theseWPA2 Handshake Capture and Offline Cracking
# WPA2 is vulnerable to offline dictionary attacks:
# 1. Attacker captures 4-way handshake (triggered by deauth packet)
# 2. Handshake is extracted from pcap
# 3. Dictionary attack performed offline
# Check your Wi-Fi password strength:
# aircrack-ng can test against rockyou.txt in seconds if password is weak
# How long to crack with Hashcat (RTX 4090):
# 8 chars lowercase: ~3 minutes
# 8 chars + uppercase + numbers: ~3 hours
# 12 chars + all characters: ~50 years
# Passphrase "correct horse battery staple": hundreds of years
# Defense:
# 1. Use WPA3 (SAE mode - not vulnerable to offline dictionary attacks)
# 2. If WPA2: use a password of 20+ random characters
# 3. Or use a diceware passphrase of 6+ wordsEnterprise Wi-Fi Security with 802.1X
# 802.1X = Port-based access control using RADIUS authentication
# Devices must authenticate with certificates (EAP-TLS)
# or credentials via EAP-PEAP
# Setup with FreeRADIUS (open source):
sudo apt install freeradius
# Configure EAP-TLS (certificate-based, most secure):
# /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = tls
tls {
private_key_file = /etc/ssl/private/radius.key
certificate_file = /etc/ssl/certs/radius.pem
ca_file = /etc/ssl/certs/ca.pem
}
}
# Client device requirements:
# Install company CA certificate
# Install user/device certificate
# Configure Wi-Fi profile to use EAP-TLSWireless Security Monitoring
# Detect rogue access points on your network:
# Kismet (passive wireless monitoring):
sudo apt install kismet
sudo kismet -c wlan0
# Kismet features:
# - Detects all Wi-Fi networks in range
# - Alerts on new/unexpected APs with your SSID
# - Logs all wireless traffic for forensics
# - Can run on Raspberry Pi as permanent sensor
# For enterprises:
# Cisco WLC or Aruba Mobility Controller have built-in rogue AP detection
# Alert when unauthorized AP appears using your corporate SSID
# Check for clients on wrong band:
# Clients on 2.4GHz (older, weaker) vs 5GHz (faster, shorter range)
iwconfig wlan0 | grep FrequencyWi-Fi Security Checklist
- Use WPA3 or WPA2-AES (not WEP, WPA, or TKIP)
- Wi-Fi password: minimum 20 characters or diceware passphrase
- Guest network separate from production network
- IoT devices on isolated VLAN
- Enterprise: 802.1X with EAP-TLS certificate auth
- Rogue AP detection deployed
- VPN required for public Wi-Fi
- Management interface not accessible over Wi-Fi
Wrap Up
Wi-Fi security is often treated as an afterthought but represents a significant physical perimeter bypass. Use WPA3, enforce strong passphrases, deploy 802.1X for enterprise environments, and monitor for rogue APs. A single evil twin attack on a corporate network can compromise credentials for every employee who connects.