WiFi Attacks Replace APT Corporate Attacks


As more APT detection and prevention systems are released, advanced cyber attackers realize that lateral movement inside the victim's network exposes their activity. The longer they move inside, and the more stations and servers they "touch", the higher the probability of detection.

Therefore they searched for a network "zone" that is entirely in the dark: a zone where no event logs exist, and yet the attacker can harvest superuser privileges quickly and safely. They realized that high-profile IT personnel and corporate executives with superuser permissions travel and use their mobile stations (laptop and phone) from conferences, airports, hotels, etc.

These ultra-busy executives need to retain connectivity when traveling and mostly need a high-speed connection to do their tasks. A 3G/4G connection is not good enough for a video conference or for downloading multi-gigabyte presentations over a VPN connection.


Conferences and Airports WiFi networks are the most dangerous networks.


They host Rogue Access Points and Evil Twin Access Points that look exactly like the official WiFi network.


There are many publicly available Rogue AP toolkits that automatically duplicate the WiFi landing page and divert all URLs to a spoofed landing page: "Welcome to JFK WiFi". The only difference between the original splash screen and the spoofed one is the malware or trojan horse embedded in the spoofed splash screen. This step happens well before the VPN client is loaded, making it immune to VPN solutions.

Connecting to these WiFi networks leaves no audit trail, and therefore the post-attack investigation will fail.


Attackers load these AP traps in public WiFi and wait. On average they harvest thousands of user credentials per hour, many with senior privileges. They know which corporate network each victim connects to, and at any later time they can log in and carry out an Advanced Attack.

In recent years, hackers have found a variety of ways to slip between the cracks of WiFi connections and steal private data. As public WiFi networks are widely used by everyone, it is important for the general public to be aware of the dangers out there.


Traveler's WiFi Risk

Conferences and Airports WiFi networks are the most dangerous networks. They host Rogue Access Points and Evil Twin Access Points that look exactly like the official WiFi network. Attackers can use their own unassociated Station to end the victim's WiFi connection. This is done by sending a DeAUTH 802.11 frame or an Action frame ordering the victim's Station to disconnect from the current Access Point and reconnect to the Attacker's Rogue AP or Station.

Why is WiFi higher risk than a wired network?

While traditional wired networks are difficult for an attacker to tap (traffic monitoring), WiFi networks are wide open to any attacker's WiFi tools. WiFi traffic is managed and controlled via 802.11 frames, which are not encrypted, even when using WPA2 encryption or VPN clients.

Also, the 802.11 protocol allows any unassociated Station or any Rogue AP to send packets to, and receive packets from, any other associated WiFi Station or AP.

This makes WiFi vulnerable to 802.11 attacks.

We call it: "the missing layer 2 and 3 security in WiFi networks."

Why are existing Cybersecurity solutions not enough?

Every corporate network comes with a Firewall, VPN server, Intrusion Detection and Prevention systems, etc. However, these tools operate on top of TCP/IP connections and UDP broadcast.

While this provides adequate security in wired networks, it is not enough for 802.11 networks.

802.11 frames are part of layers 2 and 3 of the OSI model, while TCP/IP starts at layer 4 and continues up to layer 7 (SMTP, HTTP, etc.). All the existing cybersecurity solutions are active on top of TCP/IP (layer 4 and higher), leaving WiFi layers 2 and 3 unprotected and wide open to the WiFi attacker.

There are very few legacy systems for enterprises that are capable of monitoring 802.11 frames. They are limited, outdated and expensive. When considering public WiFi networks, they do not exist at all.

An additional aspect that makes 802.11 attractive to attackers is that there is no event logging for 802.11 activity. While on TCP/IP every request and every transaction is logged and stored for later forensics and investigations, or monitored by the SOC team, these abilities mostly do not exist for WiFi.

Hence, the WiFi attacker has an advantage over the defenders when it comes to WiFi attacks. The success probability of an investigation and post-attack forensics is very low due to the lack of WiFi logging.

Many attacks start in the WiFi network, allowing the attacker to harvest supervisor credentials through one of the WiFi attacks described in this document and continue into the traditional wired network with a single-step attack, creating a devastating light-speed attack that leaves no trace behind.

Why is using a VPN on a WiFi network not enough?

A VPN is a great solution to create a protected "tunnel" between the station (phone, laptop, tablet, etc.) and the destination server (bank website, corporate database, email, etc.).

When the VPN tunnel is established, all the information on top of WiFi is encrypted and therefore not visible to the attacker, even during a Man-In-The-Middle Attack (MIMA).

However, 802.11's management and control frames are still not encrypted.

An attacker can "shake the tree" and create an opportunity to attack while the tunnel is active, whenever needed.

This is done by terminating the 802.11 association between the victim's station and the Access Point (AP), for example by sending a DeAUTH frame or an Action frame instructing a channel switch.

The DeAUTH frame terminates TCP/IP, and therefore the VPN is no longer valid (it operates on top of TCP/IP, which is no longer active). When the station tries to reconnect to the original AP, the attacker hijacks the connection using a Rogue AP toolkit.
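The DeAUTH mechanism described here and in the "Traveler's WiFi Risk" section is visible on the air to any monitoring station, which is exactly the frame-level logging the article says WiFi usually lacks. The following is an added example, not code from the original page or its authors: a small parser for the 24-byte 802.11 MAC header plus a detector that flags bursts of deauthentication/disassociation frames for one BSSID and any such frame addressed to the broadcast address. The frames, MAC addresses and timestamps are constructed inline (locally administered addresses, not real devices); the window and threshold values are arbitrary tuning assumptions. The standard mitigation for this class of frame is 802.11w Protected Management Frames, which authenticates deauth/disassoc frames so a station ignores forged ones.

```python
"""Added example: 802.11 management-frame parser and deauth/disassoc burst detector."""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_SUBTYPES = {8: "beacon", 10: "disassoc", 12: "deauth", 13: "action"}
# Frame Control byte 0 = subtype << 4 | type << 2 | version (type 0 = management)
FC_BEACON, FC_DISASSOC, FC_DEAUTH = 0x80, 0xA0, 0xC0
REASON_LEAVING, REASON_CLASS3 = 8, 7          # IEEE 802.11 reason codes

# Constructed addresses (locally administered, not real devices)
AP = "02:00:00:aa:bb:cc"
CLIENT = "02:00:00:11:22:33"


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_frame(raw):
    """Parse the 24-byte 802.11 MAC header of one frame (no radiotap prefix).
    Deauthentication/disassociation frames also carry a 16-bit reason code."""
    if len(raw) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3                  # 0 management, 1 control, 2 data
    subtype = (fc0 >> 4) & 0xF
    frame = {
        "type": ftype,
        "name": MGMT_SUBTYPES.get(subtype, "other") if ftype == 0 else "non-mgmt",
        "dst": _mac(raw[4:10]),               # Address 1: receiver
        "src": _mac(raw[10:16]),              # Address 2: transmitter
        "bssid": _mac(raw[16:22]),            # Address 3
        "seq": struct.unpack_from("<H", raw, 22)[0] >> 4,  # 12-bit sequence number
    }
    if frame["name"] in ("deauth", "disassoc"):
        if len(raw) < 26:
            raise ValueError("deauth/disassoc frame missing reason code")
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def build_frame(fc0, dst, src, bssid, seq, body=b""):
    """Build a constructed test frame: flags and duration zero, sequence number
    in the upper 12 bits of the Sequence Control field, then the body."""
    header = (struct.pack("<BBH", fc0, 0, 0) + _mac_bytes(dst) + _mac_bytes(src)
              + _mac_bytes(bssid) + struct.pack("<H", seq << 4))
    return header + body


def detect_deauth_bursts(frames, window_ms=1000, threshold=5):
    """frames: iterable of (timestamp_ms, raw_bytes). Returns alerts as
    (kind, bssid, timestamp_ms): 'burst' when more than `threshold`
    deauth/disassoc frames for one BSSID fall inside `window_ms`, and
    'broadcast_deauth'/'broadcast_disassoc' for frames aimed at every client,
    which a normally operating AP almost never sends."""
    history = defaultdict(list)               # bssid -> recent deauth/disassoc timestamps
    alerts = []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        f = parse_frame(raw)
        if f["name"] not in ("deauth", "disassoc"):
            continue
        if f["dst"] == BROADCAST:
            alerts.append(("broadcast_" + f["name"], f["bssid"], ts))
        recent = history[f["bssid"]]
        recent.append(ts)
        while recent and ts - recent[0] > window_ms:   # slide the window
            recent.pop(0)
        if len(recent) > threshold:
            alerts.append(("burst", f["bssid"], ts))
            recent.clear()                             # one alert per burst
    return alerts


def sample_capture():
    """Constructed capture: beacons every 100 ms, one genuine disassociation
    from a client leaving, then a burst of deauths claiming to come from the AP."""
    frames = [(i * 100, build_frame(FC_BEACON, BROADCAST, AP, AP, i)) for i in range(10)]
    frames.append((550, build_frame(FC_DISASSOC, AP, CLIENT, AP, 300,
                                    struct.pack("<H", REASON_LEAVING))))
    for i in range(6):
        frames.append((2000 + i * 50, build_frame(FC_DEAUTH, CLIENT, AP, AP, 4000 + i,
                                                  struct.pack("<H", REASON_CLASS3))))
    frames.append((2400, build_frame(FC_DEAUTH, BROADCAST, AP, AP, 4010,
                                     struct.pack("<H", REASON_CLASS3))))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_bursts(sample_capture()):
        print(alert)
```

The single disassociation at 550 ms is ordinary client behaviour and produces no alert; the six deauths inside 250 ms and the broadcast deauth do. On a real capture the raw bytes would come from a monitor-mode interface with the radiotap header stripped, and the alert stream is what a SOC would ingest to get the 802.11 audit trail the article says is missing.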

Now the Station has connected to the Attacker's Rogue AP. At that point, the attacker sends a spoofed AP splash screen (the first screen that the AP delivers for approving the terms or requesting credentials, as frequently used in hotel and airport WiFi) well before the VPN is active again.

Here the attacker has many options, for example injecting malicious code embedded in the spoofed splash screen. By the time the victim's station connects to the internet and starts the VPN, it is contaminated by malicious code that "sees" all content unencrypted.
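The Evil Twin and spoofed splash screen described above (and in the Rogue AP toolkit paragraph earlier) leave two things a client can check before it trusts a network: whether the beacons advertising the expected SSID match the access points it already knows, and whether the first page it is handed is the venue's real portal. The following is an added example, not code from the original page or its authors. It assumes the client keeps a small profile of the legitimate network (SSID, known BSSIDs, expected security mode, expected portal hostname); the SSIDs, BSSIDs, hostnames and signal levels are constructed placeholders, and the HTTPS-plus-hostname portal check is a defender's heuristic, not a protocol feature of captive portals.

```python
"""Added example: evil-twin triage over beacon observations plus a portal-page check."""
from dataclasses import dataclass
from urllib.parse import urlparse

SECURITY_RANK = {"open": 0, "wpa2": 1, "wpa3": 2}   # assumed ordering, weakest first


@dataclass(frozen=True)
class BeaconObs:
    ssid: str
    bssid: str
    channel: int
    security: str      # "open", "wpa2" or "wpa3"
    rssi: int          # dBm, higher (less negative) is stronger


@dataclass(frozen=True)
class NetworkProfile:
    """What the client already knows about the venue's legitimate network."""
    ssid: str
    known_bssids: frozenset
    security: str
    portal_host: str   # hostname the venue's captive portal is expected to use


def assess_beacons(observations, profile):
    """Return (finding, bssid) pairs for beacons that advertise the profile's
    SSID but do not match what is known about the legitimate APs."""
    same_ssid = [o for o in observations if o.ssid == profile.ssid]
    known = [o for o in same_ssid if o.bssid in profile.known_bssids]
    strongest_known = max((o.rssi for o in known), default=None)
    findings = []
    for obs in same_ssid:
        if obs.bssid in profile.known_bssids:
            continue
        findings.append(("unknown_bssid", obs.bssid))
        if SECURITY_RANK[obs.security] < SECURITY_RANK[profile.security]:
            findings.append(("security_downgrade", obs.bssid))   # classic evil-twin trait
        elif obs.security != profile.security:
            findings.append(("security_mismatch", obs.bssid))
        if strongest_known is not None and obs.rssi > strongest_known:
            findings.append(("stronger_than_known_aps", obs.bssid))  # nearby transmitter
    return findings


def should_autojoin(obs, profile):
    """Client-side guard: only reconnect automatically to a BSSID the profile
    already trusts, with the security mode the profile expects."""
    return (obs.ssid == profile.ssid and obs.bssid in profile.known_bssids
            and obs.security == profile.security)


def check_portal_url(url, profile):
    """Check the first page a network hands the client: require HTTPS (so the
    certificate, not the AP, vouches for the host) and the expected hostname.
    Returns None when the page passes, else (finding, detail)."""
    u = urlparse(url)
    if u.scheme != "https":
        return ("portal_not_https", url)
    if u.hostname != profile.portal_host:
        return ("portal_host_mismatch", u.hostname)
    return None


# Constructed data: two legitimate APs, an unrelated network and an evil twin
PROFILE = NetworkProfile("Airport-WiFi",
                         frozenset({"02:00:00:aa:00:01", "02:00:00:aa:00:02"}),
                         "wpa2", "portal.airport-wifi.example")
SCAN = [
    BeaconObs("Airport-WiFi", "02:00:00:aa:00:01", 6, "wpa2", -60),
    BeaconObs("Airport-WiFi", "02:00:00:aa:00:02", 11, "wpa2", -70),
    BeaconObs("Cafe-Guest", "02:00:00:bb:00:01", 1, "open", -50),
    BeaconObs("Airport-WiFi", "02:00:00:ee:00:99", 6, "open", -40),   # evil twin
]

if __name__ == "__main__":
    for finding in assess_beacons(SCAN, PROFILE):
        print(finding)
    print(check_portal_url("http://portal.airport-wifi.example/welcome", PROFILE))
```

The evil twin is reported three times: its BSSID is not one the client knows, it drops the security mode to open, and it is the strongest transmitter for that SSID. `should_autojoin` is the reconnect policy that makes the DeAUTH-then-hijack sequence fail on the client side, and `check_portal_url` rejects the plain-HTTP "welcome" page a spoofed splash screen would normally arrive on.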

Want to read more?

Check our White Paper
