Wireless Security Assessment

Your front door is physically constrained by the boundaries of your building. Your wireless network is not. The electromagnetic waves that mediate it spill out into the car park, the neighbouring unit, and the pavement, where anyone within range can probe it without ever setting foot inside. The Wireless Security Assessment evaluates your wireless estate from the perspective of someone in radio range but without authorised access. Because radio is inherently local, this assessment involves an on-site element, and it combines efficiently with our Physical Security Assessment when the goal is to understand every way someone could approach and penetrate your premises.

Wireless Authentication

We assess your wireless protections directly. The first check takes only a moment: does your network have a password? If not, your traffic presumably lacks link-layer encryption, which means a large amount of traffic information will be leaked to anyone listening in via radio. It also means that anyone can connect to it, enumerate and probe your systems, and even impersonate your devices through MAC spoofing.

However, a password is only the beginning of securing a WiFi network. For pre-shared-key networks we evaluate the strength of the key and the feasibility of capturing and cracking the handshake offline, against both WPA2 and the improvements and residual weaknesses of WPA3. For enterprise networks using 802.1X and EAP, we examine certificate validation and the configuration weaknesses that allow credential interception, since enterprise wireless that fails to validate the authentication server can leak corporate credentials to a convincing impostor.

Mapping Physical Radio Range

Wireless security inherently depends on the physicality of the network - just how far does it actually travel, and where to? Our Wireless Security Assessment includes a survey of your RF environment - how far the networks you broadcast reach beyond your walls, and conversely, what other networks and RF sources in similar frequency bands coexist with them. Where you operate across multiple sites, we agree which premises are in scope and whether the goal is a representative sample or full coverage, since wireless posture can vary considerably between a head office and a branch.

Rogue Access Points And Impersonation

One of the most common and serious forms of attack on wireless networks is the evil twin: an access point that mimics your legitimate network and lure devices, or users, into connecting - harvesting credentials or facilitating man-in-the-middle attacks. We assess susceptibility to deauthentication and the client-side behaviours that make these attacks effective, including devices that aggressively probe for and reconnect to remembered networks, and we check whether protections such as management-frame protection are enabled. Where possible given practical and legal constraints, we can also conduct live testing of deauthentication attacks on your network.

What Your Wireless Connects To

Equally important is the destination. A guest network that is properly isolated is a minor concern; one that bridges to your corporate environment is a serious one. We test segmentation rigorously, along with captive portals and client isolation. Where in scope we extend to other radio surfaces such as Bluetooth. We also look for any existing rogue devices accessing your network.

What You Receive

This assessment generally involves an on-site element, since radio is inherently local. You receive a report detailing each wireless weakness, the access it would grant, and concrete remediation - from key and protocol hardening to segmentation and the wireless intrusion detection that notices a rogue access point the moment it appears, rather than at your next assessment. Because the work is local, it combines efficiently with a Physical Security Assessment, letting a single visit cover both the airwaves around your premises and the doors into them.