Next up in the “Attacks” portion of the CompTIA Security+ study guide is: wireless! As with the previous sections, it’s a broad but shallow overview. As before, I’ll be adding some recent examples to each type.
This section talks about wireless attacks. “Wireless” refers to networking technology (standards, protocols, processes, etc.) that allows users to connect to networks via radio signals. Suddenly, there’s no physical barrier to attack: the attacker doesn’t need to be plugged into a port, just within radio range (and with a good antenna, that range is much bigger than you’d expect).
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Wireless Attacks
As with the previous sections, the types of attacks are a mix of very specific and very abstract. I’ll go through them in the order they’re provided.
Replay Attacks
Replay attacks were mentioned in the application attack post, too. Essentially, you record traffic between a device and the wireless access point (you could do this with Bluetooth, RFID, etc. as well), then retransmit those messages later to authenticate, execute a transaction, etc. A replay only works when the message is valid no matter when it’s sent, i.e. it carries no nonce, counter or timestamp that the receiver actually checks. Car manufacturers have been in the press lately for vulnerability to replay attacks using key fob technology. One caveat: a lot of the car cases are really relay attacks (the attacker extends the range of a legitimate fob in real time) rather than replays; a rolling code stops a replay but does nothing against a relay.
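To make the replay concrete, here is an added example (mine, not from the study guide) with two toy key fobs: one sends a fixed “unlock” message and is trivially replayable, the other binds every press to a rolling counter with a MAC, so a captured message is rejected the second time it’s heard. The key, message layout and acceptance window are assumptions for illustration; real fobs use a block cipher rather than HMAC, but the replay check is the same idea.

```python
import hmac
import hashlib

# Added example (not from the study guide). The key, message layout and window
# size are assumptions chosen for the demo.

FOB_KEY = b"per-fob-secret-shared-with-car"   # assumption: provisioned at manufacture
UNLOCK = b"UNLOCK"
COUNTER_LEN, TAG_LEN = 4, 8


# --- fixed-code fob: every press is byte-identical, so a recording is as good as the fob
def static_fob_press() -> bytes:
    return UNLOCK


def static_receiver_accept(msg: bytes) -> bool:
    return msg == UNLOCK


# --- rolling-code fob: press N sends UNLOCK || N || MAC(UNLOCK || N) ----------
class RollingFob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        body = UNLOCK + self.counter.to_bytes(COUNTER_LEN, "big")
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class RollingReceiver:
    WINDOW = 16  # tolerate up to 16 presses made out of radio range, as real fobs do

    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, msg: bytes) -> bool:
        if len(msg) != len(UNLOCK) + COUNTER_LEN + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered
        counter = int.from_bytes(body[len(UNLOCK):], "big")
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False                      # replayed, or implausibly far ahead
        self.last_counter = counter
        return True


def replay_against_static() -> tuple:
    """Capture one press, replay it: (first accepted, replay accepted)."""
    captured = static_fob_press()
    return static_receiver_accept(captured), static_receiver_accept(captured)


def replay_against_rolling() -> tuple:
    """Same capture-and-replay against the rolling-code receiver, then a fresh press."""
    fob, car = RollingFob(FOB_KEY), RollingReceiver(FOB_KEY)
    captured = fob.press()
    first = car.accept(captured)
    replayed = car.accept(captured)
    fresh = car.accept(fob.press())          # the legitimate next press still works
    return first, replayed, fresh


if __name__ == "__main__":
    print("static fob: ", replay_against_static())    # (True, True)
    print("rolling fob:", replay_against_rolling())   # (True, False, True)
```

The window matters: without it, one press made while the car was out of range would lock the owner out forever; with it, an attacker who records a press can only use it if they transmit it before the owner’s next press reaches the car, which is exactly the “jam and replay” trick used against some real fobs.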
IV
Initialization vectors (IV) are used in wireless systems as a “randomization element at the beginning of a connection.” The IV itself is not a secret: in WEP it’s sent in plaintext at the start of every frame, and it’s only 24 bits long. IV attacks, then, don’t so much “find” the IV as exploit how it’s used. WEP builds the per-packet RC4 key by simply prepending the IV to the shared key, so any two frames with the same IV are encrypted with the same keystream, and with only 2^24 (about 16.7 million) possible values a repeat is inevitable on a busy network within a few hours (sooner if the card restarts its IV counter at zero after a reset). XOR two such frames together and the keystream cancels out, leaving the XOR of the two plaintexts; since almost every frame starts with the same predictable LLC/SNAP header, that’s enough to recover keystream and decrypt other traffic. The FMS, KoreK and PTW attacks go further and recover the shared key itself from a large enough sample of captured frames (this is what aircrack-ng automates). A recent Defcon talk discussed issues in home security systems, including IV vulnerabilities. The book notes that the WEP protocol is insecure due to initialization vector issues, and this is why.
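Here is an added example (my code, not the book’s or aircrack-ng’s) of what IV reuse hands an eavesdropper: a toy WEP encryptor, RC4 keyed with IV || shared key, with the per-packet CRC-32 ICV left out for brevity. The key, IV and packet contents are constructed; the only realistic part is that the known plaintext is the LLC/SNAP header every frame carries.

```python
import math

# Added example, not from the study guide. Key, IV and packet contents are
# constructed; the WEP ICV (CRC-32) is omitted to keep the point visible.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key)(plaintext)."""
    assert len(iv) == 3
    return iv + rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_iv_reuse(pkt_known: bytes, known_plaintext: bytes, pkt_target: bytes) -> bytes:
    """Two frames with the same IV share a keystream: C1 ^ P1 = keystream = C2 ^ P2."""
    if pkt_known[:3] != pkt_target[:3]:
        raise ValueError("different IVs, different keystreams; nothing to do")
    keystream = xor(pkt_known[3:], known_plaintext)
    return xor(pkt_target[3:], keystream)      # recovers as many bytes as we know of P1


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound for randomly chosen IVs; sequential IVs wrap after 2**iv_bits frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed demo data. Nearly every 802.11 data frame starts with the same
# LLC/SNAP header (AA AA 03 00 00 00 + EtherType), so the attacker always has
# some known plaintext to work with.
SHARED_KEY = b"\x0b\xad\xc0\xff\xee"            # constructed 40-bit WEP key
IV = b"\x00\x00\x2a"
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
P_KNOWN = LLC_SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01"   # start of an ARP request
P_TARGET = LLC_SNAP_IP + b"secret!!"                           # constructed payload


def demo() -> bytes:
    c_known = wep_encrypt(SHARED_KEY, IV, P_KNOWN)
    c_target = wep_encrypt(SHARED_KEY, IV, P_TARGET)   # same IV: the bug
    return recover_with_iv_reuse(c_known, P_KNOWN, c_target)


if __name__ == "__main__":
    print(demo())                                      # b'\xaa\xaa\x03\x00\x00\x00\x08\x00secret!!'
    print(round(expected_frames_until_iv_repeat()))    # ~5134 frames if IVs were random
```

Note that the attacker never touched the shared key; IV reuse alone leaks plaintext. The birthday estimate is also why “random IVs” would not have saved WEP: a few thousand frames is seconds of traffic.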
Evil Twin
This is a type of wireless attack using substitute hardware: the attacker stands up an access point that broadcasts the same SSID (and often the same BSSID and security settings) as a legitimate one. Devices prefer the AP with the stronger signal, so with higher-gain antennas, or just by being closer to the victim, the evil twin becomes the “better” connection option, and a burst of deauthentication frames against the real AP hurries things along. Clients that remember an open SSID will rejoin it automatically with no prompt at all. From here, man-in-the-middle, captive-portal credential harvesting or denial-of-service attacks can occur.
Rogue AP
A rogue access point is closely related to the evil twin. Strictly, a rogue AP is any access point on (or near) your network that wasn’t authorized, whether that’s an attacker’s device or an employee who plugged a consumer router into a conference-room port; an evil twin is the special case of a rogue AP that impersonates a legitimate one by cloning its SSID, which matches the book’s framing that an evil twin is made to look legitimate. An attacker can use a rogue AP to get users to connect, enter credentials, etc., and from there MitM and other attacks can occur. A recent Hackaday post shows how to use an ESP8266 to hunt for rogue APs.
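Hunting for these comes down to comparing what’s on the air against an inventory, so here is an added example (mine, not the Hackaday sketch or anything from the book) that sorts a beacon log into authorized APs, evil twins and unknown APs. The beacon records, the authorized-BSSID inventory and the managed SSIDs are all constructed.

```python
# Added example, not from the post. All beacon records and the inventory below
# are constructed; a real feed would come from airodump-ng, Kismet or a scanning
# ESP8266.

BEACONS = [
    {"ssid": "CorpWiFi",   "bssid": "aa:bb:cc:00:00:01", "chan": 6,  "rssi": -58, "security": "WPA2"},
    {"ssid": "CorpWiFi",   "bssid": "aa:bb:cc:00:00:02", "chan": 11, "rssi": -64, "security": "WPA2"},
    {"ssid": "Corp-Guest", "bssid": "aa:bb:cc:00:00:03", "chan": 6,  "rssi": -60, "security": "OPEN"},
    {"ssid": "CorpWiFi",   "bssid": "de:ad:be:ef:00:01", "chan": 6,  "rssi": -31, "security": "OPEN"},  # twin
    {"ssid": "Linksys",    "bssid": "c0:ff:ee:12:34:56", "chan": 1,  "rssi": -70, "security": "WPA2"},  # ?
]
AUTHORIZED = {  # bssid -> (ssid, security), as exported from the wireless controller
    "aa:bb:cc:00:00:01": ("CorpWiFi", "WPA2"),
    "aa:bb:cc:00:00:02": ("CorpWiFi", "WPA2"),
    "aa:bb:cc:00:00:03": ("Corp-Guest", "OPEN"),
}


def classify_beacons(beacons, authorized):
    """Return one finding per AP whose BSSID is not in the inventory."""
    managed = {ssid for ssid, _ in authorized.values()}
    legit_security = {ssid: sec for ssid, sec in authorized.values()}

    loudest_legit = {}          # ssid -> strongest RSSI seen from an authorized AP
    for b in beacons:
        if b["bssid"] in authorized:
            loudest_legit[b["ssid"]] = max(loudest_legit.get(b["ssid"], -128), b["rssi"])

    findings = []
    for b in beacons:
        if b["bssid"] in authorized:
            continue
        if b["ssid"] in managed:
            notes = []
            if b["security"] != legit_security[b["ssid"]]:
                notes.append(f"security {legit_security[b['ssid']]}->{b['security']}")
            if b["rssi"] > loudest_legit.get(b["ssid"], -128):
                notes.append("louder than every legitimate AP")
            findings.append({"kind": "evil_twin", "bssid": b["bssid"], "ssid": b["ssid"], "notes": notes})
        else:
            # Could be a neighbour's AP or a rogue plugged into our LAN; only a
            # wired-side check (switch MAC tables, ARP) tells those apart.
            findings.append({"kind": "unknown_ap", "bssid": b["bssid"], "ssid": b["ssid"], "notes": []})
    return findings


if __name__ == "__main__":
    for f in classify_beacons(BEACONS, AUTHORIZED):
        print(f)
```

The obvious gap: an evil twin that also clones the BSSID passes this check, and then you’re down to fingerprinting (beacon interval, supported rates, sequence-number jumps) rather than a simple allowlist.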
Jamming
Jamming refers to blocking wireless or radio signals by transmitting noise over them, causing denial of service. It’s illegal (in the US the FCC prohibits even selling jammers), so don’t do it. It’s become a big issue for the military, both on the offensive side, and the anti-jamming defensive side.
WPS
Wi-Fi Protected Setup (WPS) is a wireless standard meant to make home Wi-Fi configuration easy: instead of typing the passphrase, you enter an 8-digit PIN printed on the router. Unfortunately, the PIN is susceptible to brute force. The eighth digit is just a checksum of the other seven, and worse, the protocol validates the PIN in two halves: the AP’s response to message M4 reveals whether the first four digits were right, and only then is the second half checked. That cuts the search from 10^7 valid PINs to at most 10^4 + 10^3 = 11,000 attempts, which tools like Reaver grind through in hours against an AP that doesn’t rate-limit (the “Pixie Dust” variant recovers the PIN offline from a single exchange on some chipsets). Once an attacker has the PIN, the AP hands over the WPA/WPA2 passphrase and they’re on the network. Android 9 (Pie; “Android P” was its preview name) deprecated the WPS APIs in the past year. Turn WPS off on anything you own.
Bluejacking
Bluetooth is another wireless standard, and exists on most mobile and laptop devices. One Bluetooth-related attack is “bluejacking,” which means sending unauthorized messages to a Bluetooth-enabled device, classically by abusing the contact-card (vCard) exchange so the “message” shows up as the sender’s name. It’s a nuisance rather than a data theft, and seems like the Bluetooth equivalent of Airdropping someone a bunch of photos.
Bluesnarfing
Here, we can see that good naming is not one of infosec’s strong suits. Bluesnarfing is another Bluetooth-related attack that involves stealing information (instead of sending unwanted information): the classic version abused sloppy OBEX implementations on older phones to pull the contact list, calendar and IMEI without ever pairing. It’s popped up in some news stories in conjunction with gas station skimming.
There are other, newer Bluetooth attacks than what the book covers. Two examples are BlueBorne (a set of bugs in Bluetooth stacks across Android, Linux, Windows and iOS that allowed takeover without pairing) and BtleJack (a tool for sniffing, jamming and hijacking Bluetooth Low Energy connections). The latter was a great talk and demo at Defcon 26.
RFID
This stands for radio frequency identification. RFID tags can either be active or passive. Active tags have their own power source, whereas passive tags are powered by (nearby) RF fields. Because RFID is increasingly used for authentication, building access, etc., RFID attacks are a serious issue.
Attacks can happen against RFID tags and readers, as well as against communication between different components of the system (including the backend system). The radio frequencies in use are publicly known, so eavesdropping and replay attacks aren’t that difficult, and many older access cards (125 kHz proximity cards, for instance) just transmit a fixed ID with no cryptography at all, so reading the card once from a few inches away is enough to clone it. A few examples are the Tesla key fob attack linked earlier, and a Mercedes attack.
NFC
Near-field communication, or NFC, is a wireless protocol that lets devices talk over a very short range (up to ~4 inches, usually a lot less in practice). This has become more popular in mobile payment systems (the “tap to pay” thing). The short range is a real obstacle for attackers, though not an absolute one. I haven’t found many recent stories for this, but here’s a 2012 NFC article about Android and Nokia. Last week, Apple expanded NFC functionality and an upcoming conference in Japan will offer $60k to anyone who can exploit iPhone NFC.
Disassociation
Disassociation attacks mean disconnecting (or dissociating) a device from the network. The Wi-Fi standard includes two management frames for this, “disassociation” and “deauthentication,” that an AP can send to a client (or vice versa) to drop it from the network. In networks without 802.11w these frames are neither encrypted nor authenticated, so an attacker only needs the AP’s BSSID and the victim’s MAC address to spoof one, and both are visible in the clear in every frame (no guessing required). This could be a pure denial-of-service attack, and/or they could capture what happens when the client reconnects: the WPA/WPA2 4-way handshake that follows contains what’s needed to brute-force the passphrase offline, and a freshly kicked client is also more likely to land on an evil twin. The fix is 802.11w Protected Management Frames, which authenticates these frames; it’s optional in WPA2 and mandatory in WPA3. While I don’t have an article for it, reportedly there was talk of Defcon 26 badges that would send deauth packets (for fun, I guess).
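Since the whole attack is “send one 26-byte frame,” here is an added example (my code, not from the book) that builds and parses deauthentication/disassociation frames and then runs a rate check over a constructed capture to spot a flood. Addresses, timestamps and the threshold are constructed for the demo; the frame layout is the standard 802.11 management-frame header.

```python
import struct
from collections import defaultdict, deque

# Added example, not from the study guide. Addresses, timestamps and the flood
# threshold are constructed for the demo.

MGMT_DEAUTH, MGMT_DISASSOC = 0xC, 0xA          # management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_NAMES = {1: "unspecified", 3: "sending STA is leaving",
                7: "class 3 frame from non-associated STA"}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype: int, dst: str, src: str, bssid: str, seq: int, reason: int) -> bytes:
    """Frame control (type 0 = management), duration, addr1/2/3, sequence control, reason code."""
    frame_control = bytes([(subtype << 4) | 0x00, 0x00])        # 0xC0 0x00 for a deauth
    duration = struct.pack("<H", 314)
    seq_ctrl = struct.pack("<H", (seq & 0xFFF) << 4)              # fragment number 0
    return (frame_control + duration + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + seq_ctrl + struct.pack("<H", reason))


def parse_mgmt(frame: bytes):
    """Return the fields of a management frame, or None for data/control frames."""
    if len(frame) < 24:
        raise ValueError("short frame")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                                     # type bits
        return None
    info = {
        "subtype": fc0 >> 4,
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
    }
    if info["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_abuse(packets, threshold: int = 10, window: float = 1.0) -> set:
    """packets: iterable of (timestamp, raw frame). Flags a (src, bssid) pair that
    sends more than `threshold` deauth/disassoc frames within `window` seconds,
    and any deauth aimed at the broadcast address (one frame, every client gone)."""
    recent = defaultdict(deque)
    findings = set()
    for ts, frame in packets:
        info = parse_mgmt(frame)
        if not info or info["subtype"] not in (MGMT_DEAUTH, MGMT_DISASSOC):
            continue
        q = recent[(info["src"], info["bssid"])]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            findings.add(("deauth_flood", info["src"]))
        if info["dst"] == BROADCAST:
            findings.add(("broadcast_deauth", info["src"]))
    return findings


# Constructed capture: one legitimate deauth from the AP to a client that is
# leaving, then 40 spoofed deauths "from" the AP to everyone, which is what an
# aireplay-ng deauth burst looks like on the air (reason 7 is its default).
AP, CLIENT = "aa:bb:cc:00:00:01", "12:34:56:78:9a:bc"
CAPTURE = [(0.0, build_mgmt(MGMT_DEAUTH, CLIENT, AP, AP, 1, 3))]
CAPTURE += [(10.0 + i * 0.01, build_mgmt(MGMT_DEAUTH, BROADCAST, AP, AP, 100 + i, 7))
            for i in range(40)]


def demo() -> set:
    return detect_deauth_abuse(CAPTURE)


if __name__ == "__main__":
    print(parse_mgmt(CAPTURE[0][1]))
    print(demo())   # {('deauth_flood', 'aa:bb:cc:00:00:01'), ('broadcast_deauth', 'aa:bb:cc:00:00:01')}
```

The source address is the AP’s in both cases, because the attacker spoofs it; what gives the flood away is the rate, the broadcast destination, and (not checked here) sequence numbers that don’t line up with the real AP’s. With 802.11w enabled, the spoofed frames fail the MIC check and clients simply ignore them.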