Wireless networks are part of almost every office environment, yet they receive less scrutiny than the wired infrastructure. Organisations that invest in perimeter security, endpoint protection, and network monitoring sometimes treat their wireless environment as an afterthought, configured once during fit-out and rarely reviewed.
The risks are real and consistent. Wireless assessments conducted as part of penetration tests regularly surface misconfigurations that allow external access to internal networks, weak authentication protocols, and rogue access points that have been connected by employees without IT knowledge.
Common Wireless Vulnerabilities
WPA2-Personal networks using pre-shared keys are vulnerable to offline brute force attacks if the handshake can be captured. Any attacker within radio range can capture the four-way handshake when a client connects and attempt to crack the key offline. Weak or reused passphrases are particularly susceptible.
WPA2-Enterprise deployments that do not enforce server certificate validation are vulnerable to evil twin attacks. An attacker sets up a rogue access point advertising the same SSID and captures credentials when devices connect. Without certificate pinning, devices accept the rogue access point’s certificate and hand over credentials.
Guest Network Segmentation Failures
Guest networks that are not properly isolated from the corporate network allow attackers in the guest segment to reach internal resources. This is more common than it should be. A firewall rule that should prevent guest-to-corporate traffic is missing, misconfigured, or has exceptions that were added for convenience and never removed.
The practical implication is that an attacker who connects to the guest wireless network can enumerate and potentially access internal services, file shares, and management interfaces that should be unreachable from outside the organisation.
Rogue Access Points

Employees connect personal wireless routers, travel adapters with Wi-Fi capability, and smart devices without considering the security implications. Any of these can create an unmanaged wireless entry point to the internal network. Rogue access point detection requires either periodic wireless surveys or continuous radio frequency monitoring.
Internal network penetration testing that includes a wireless assessment will identify rogue devices, test the segmentation between guest and corporate networks, and assess the configuration of enterprise wireless authentication. This is often separated as a distinct workstream within a broader engagement.
Physical Exposure
The physical dimension of wireless security is frequently overlooked. Wireless signals do not respect property boundaries. An attacker in a car park, a neighbouring building, or a shared lobby can be within range of corporate wireless networks. The attack surface extends beyond the physical perimeter of the building.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“Wireless security findings are more impactful than clients often expect. A guest network that is not properly segmented from the corporate environment, or a WPA2-Enterprise configuration with weak certificate validation, can give an attacker a foothold that looks no different from a legitimate internal connection. The attack surface is physical as well as digital.”
Strengthening Wireless Security
External network penetration testing that includes wireless coverage identifies which networks are visible from public areas and whether any can be attacked from outside the building.
Upgrading to WPA3 where supported, enforcing server certificate validation in WPA2-Enterprise deployments, conducting periodic rogue device sweeps, and ensuring guest networks are properly isolated are all practical improvements. None require significant investment; each meaningfully reduces the wireless attack surface.
