What Is Wireless Security? Wi-Fi Protocols and Threats
Wireless security is the set of protocols, controls, and monitoring that protect a wireless network and the data traveling across it from unauthorized access, interception, and disruption.
In October 2017, a researcher at KU Leuven named Mathy Vanhoef published an attack he called KRACK. It did not break a password or guess a key. It abused a flaw in the WPA2 four-way handshake, the exchange every Wi-Fi client and access point run to agree on an encryption key, by replaying one of the handshake messages and forcing the client to reinstall a key it was already using. The result was that an attacker in radio range could decrypt traffic on a network protected by WPA2, the protocol that secured almost every Wi-Fi network on earth at the time. KRACK was tracked under ten separate CVEs, from CVE-2017-13077 through CVE-2017-13088.
KRACK is the lesson wireless security keeps teaching. The network has no cable to tap. The signal is in the air, reachable by anyone with an antenna and the patience to listen, and the only thing standing between an attacker and your traffic is the cryptography of the protocol protecting the link. When that protocol has a flaw, the wire might as well not be encrypted at all. That gap is what wireless security exists to close.
This guide covers what wireless security is, how the Wi-Fi security protocols evolved from WEP to WPA3 and which ones are safe to run today, the attacks that target wireless networks, the difference between Personal and Enterprise Wi-Fi, and the controls that actually reduce risk. It is written for blue teamers: SOC analysts, network defenders, and students prepping for detection-and-response work.
What is wireless security?
Wireless security is the set of protocols, controls, and monitoring that protect a wireless network and the data traveling across it from unauthorized access, interception, and disruption. In practice that usually means Wi-Fi (the IEEE 802.11 family), though the same principles cover Bluetooth, cellular, and other radio links.
The defining problem is the medium. A wired network confines traffic to a physical cable, so an attacker has to gain physical access to tap it. A wireless network broadcasts in every direction, through walls and out into the parking lot, so anyone within radio range can receive the frames. There is no perimeter to stand at. The boundary is wherever the signal reaches.
That changes what the controls have to do. With no physical separation to lean on, wireless security comes down almost entirely to three jobs:
- Encryption. Scramble the traffic so a listener in range captures ciphertext, not data. This is the work the Wi-Fi protocols do.
- Authentication. Prove a device or user is allowed onto the network before it gets a key, so an attacker cannot simply associate and join.
- Integrity and availability. Keep an attacker from forging management frames to knock clients offline or trick them onto a fake network.
Almost everything that follows is one of those three jobs, done well or done badly.
The Wi-Fi security protocols: WEP to WPA3
Wireless security is a history of protocols breaking and being replaced. Knowing which generation a network runs tells you most of what you need to know about whether it is defensible, and it is the first thing any wireless security assessment establishes. The protocols are certified by the Wi-Fi Alliance, the industry body that owns the WPA trademarks.
| Protocol | Year | Encryption | Status today |
|---|---|---|---|
| WEP | 1997 | RC4 stream cipher, 24-bit IV | Broken. Deprecated by IEEE in 2004. Never use. |
| WPA | 2003 | TKIP (still RC4) | Broken. Interim fix only. Never use. |
| WPA2 | 2004 | AES-CCMP | Legacy. Vulnerable to KRACK; acceptable only when patched and with PMF enabled. |
| WPA3 | 2018 | AES, SAE handshake | Current. Mandatory for new certified devices since July 2020. |
WEP (Wired Equivalent Privacy). The original 802.11 security, and a cautionary tale. WEP encrypts with the RC4 stream cipher using a 24-bit initialization vector that is too short and gets reused, which leaks enough information that an attacker can recover the key passively by collecting traffic. The IEEE deprecated WEP in 2004. Tools have cracked it in minutes for two decades. A network still running WEP is effectively open.
WPA (Wi-Fi Protected Access). A stopgap released in 2003 to patch WEP without new hardware. It introduced TKIP, which still rode on RC4 and inherited enough weakness that it too is now considered broken. WPA was always meant as a bridge to WPA2.
WPA2. The long-reigning standard, ratified as IEEE 802.11i in 2004. WPA2 replaced the broken stream cipher with AES in CCMP mode, which has no practical cryptographic break to this day. Its weakness is not the cipher but the handshake: KRACK showed in 2017 that the four-way handshake could be manipulated to reinstall keys. The flaw is patchable, and most current devices are patched, but WPA2 also lacks the built-in protections that WPA3 makes mandatory.
WPA3. The current generation, introduced by the Wi-Fi Alliance in 2018 and required for all newly certified Wi-Fi devices since July 1, 2020. Its central change is replacing the pre-shared-key handshake with SAE, Simultaneous Authentication of Equals, a password-authenticated key exchange. SAE matters for a specific reason: it provides forward secrecy and resists offline dictionary attacks. Under WPA2, an attacker who captures the handshake can take it home and guess the password offline as fast as their hardware allows. Under WPA3-SAE, that captured handshake is useless for offline guessing, because each guess requires a fresh live exchange with the access point. WPA3 also mandates Protected Management Frames, which WPA2 left optional.
The practical takeaway for a defender, and the foundation of any wireless security posture: WEP and WPA are dead, WPA2 is acceptable only fully patched and ideally with PMF enabled, and WPA3 is the target state. Most environments run WPA2/WPA3 transition mode while clients catch up, which is fine as long as the WPA2 side is hardened.
How an attacker breaks Wi-Fi: handshake capture and cracking
The classic attack on a WPA2-Personal network does not attack the cipher. It attacks the password, offline, and it is the wireless security failure mode defenders see most often.
The four-way handshake that a client and access point run when the client joins contains enough material for an attacker to verify a password guess against. An attacker in range captures that handshake passively, or speeds things up by sending a forged deauthentication frame to kick a client off so it reconnects and re-runs the handshake on cue. With the handshake in hand, the attacker walks away and runs an offline brute-force attack against it, testing millions of candidate passwords per second with tools like aircrack-ng and hashcat, either from a wordlist or by exhaustive guessing.
Nothing about this touches the network while the cracking runs, so there is no failed-login alert to fire. The defense is not detection, it is password strength and protocol choice: a long random passphrase makes offline cracking impractical, and WPA3-SAE removes the offline-guessing path entirely by design. This is the single clearest reason to move to WPA3.
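To make the "passphrase length is the whole defense" point concrete, here is an added illustration (not the article's code): the 802.11i passphrase-to-PMK mapping that every offline guess has to pay for once, plus an estimator that turns a passphrase policy into worst-case time-to-exhaust. The guess rate and the policies are assumed figures, and the test vector is the one from IEEE 802.11i Annex H.

```python
"""Why passphrase length decides a WPA2-Personal network's fate against offline cracking.
derive_pmk is the standard 802.11i mapping (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt);
the estimator shows how fast each policy falls at an assumed guess rate. Added example."""
import hashlib
import math


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 32 bytes), as IEEE 802.11i defines it.
    A captured handshake lets an attacker check guesses against this value offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def search_space_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly from charset_size ** length."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of this policy at a fixed PMK rate."""
    return charset_size ** length / guesses_per_second / (365.25 * 24 * 3600)


# Constructed policies. The guess rate is an assumed round number for a GPU rig, not a
# measurement. Under WPA3-SAE this table is moot: each guess needs a live exchange with
# the access point, so an offline rate never applies.
POLICIES = {
    "8 lowercase letters": (26, 8),
    "10 mixed-case alphanumeric": (62, 10),
    "4 random words from a 7776-word list": (7776, 4),
    "20 random printable ASCII": (95, 20),
}
ASSUMED_GUESS_RATE = 1e6  # PMK derivations per second (assumed)


def policy_report(rate: float = ASSUMED_GUESS_RATE) -> dict:
    """Map each policy name to (entropy_bits, years_to_exhaust) at the given rate."""
    return {
        name: (round(search_space_bits(c, n), 1), years_to_exhaust(c, n, rate))
        for name, (c, n) in POLICIES.items()
    }


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for name, (bits, years) in policy_report().items():
        print(f"{name:40s} {bits:6.1f} bits  {years:.3g} years")
```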
Wireless attacks every defender should know
The wireless security threats below give an attacker options a wired network does not, because the attacker does not need to be plugged in. The common ones:
Eavesdropping on open networks. This is the oldest wireless security failure. On an unencrypted network (a coffee-shop SSID with no password), every frame is in the clear. Anyone in range can capture and read the traffic with a wireless adapter in monitor mode. This is why open Wi-Fi should be treated as hostile and why sensitive traffic needs its own encryption on top, such as TLS or a VPN.
Evil twin and rogue access points. An attacker stands up an access point broadcasting the same SSID as a legitimate network, often with a stronger signal, so nearby clients associate with it instead. Once a client connects through the attacker's AP, the attacker sits in the middle of all its traffic, which is a wireless man-in-the-middle attack. A rogue AP can also be one an insider plugs into the corporate LAN, creating an unmanaged door into the network that bypasses the front-door controls entirely.
Deauthentication attacks. The 802.11 standard sends management frames, including deauthentication and disassociation, in the clear on networks without Protected Management Frames. An attacker can forge a deauth frame and knock a target client off the network repeatedly, either as a denial-of-service or to force the handshake re-runs that feed handshake capture. Protected Management Frames (802.11w), which WPA3 mandates, add a check that lets clients reject these forged frames.
WPS PIN brute force. Wi-Fi Protected Setup was meant to make joining a network easy with an eight-digit PIN. In December 2011, Stefan Viehböck disclosed a design flaw (CERT VU#723755): the PIN is validated in two halves and the last digit is a checksum, which collapses the brute-force space from 100 million combinations to roughly 11,000. Tools like Reaver exploit it to recover the PIN, and through it the network password, in hours. WPS PIN should be disabled on every access point.
Downgrade and protocol attacks. When a network runs WPA3 in transition mode to support older clients, an attacker can sometimes force a client down to the weaker WPA2 path and attack that instead. The Dragonblood research by Vanhoef and Ronen in 2019 showed downgrade and side-channel weaknesses in early WPA3-SAE implementations (CVE-2019-9494 and related), most of which were fixed in firmware updates, which is exactly why wireless gear has to be patched.
Capturing handshakes, cracking WPS, and standing up an evil twin are all standard moves in wireless penetration testing, which is the legitimate, authorized version of these same techniques used to find a network's weak points before an attacker does.
Wi-Fi Personal vs Enterprise
Wireless security comes in two authentication models, and the difference matters for any network bigger than a home.
Personal (PSK). Everyone shares one password, the pre-shared key. It is simple, and it is fine for a home or a small office. The drawbacks scale badly: there is no per-user identity, so you cannot tell who is on the network or revoke one person without changing the password for everyone, and a single leaked passphrase exposes the whole network.
Enterprise (802.1X). Each user authenticates with their own credentials or certificate against a central authentication server, using 802.1X with a RADIUS server and an EAP method such as EAP-TLS. There is no shared password to leak. Access is tied to identity, so a defender can see who connected, revoke one account without touching anyone else, and feed those authentication events into monitoring. WPA3-Enterprise adds an optional 192-bit security mode for high-assurance environments.
| | Personal (PSK / SAE) | Enterprise (802.1X) |
|---|---|---|
| Authentication | One shared passphrase | Per-user credential or certificate |
| Identity | None; cannot tell users apart | Per-user, tied to a directory |
| Revocation | Change the password for everyone | Disable one account |
| Infrastructure | Access point only | RADIUS server + EAP |
| Best for | Home, small office | Any organization |
For an organization, Enterprise is the right default and the cornerstone of serious wireless security. Per-user identity is what turns Wi-Fi from an anonymous shared medium into something a SOC can actually monitor and an incident responder can actually attribute.
Wireless security best practices
These are the wireless security controls that move risk, roughly in order of impact.
1. Run WPA3, or hardened WPA2 at minimum. Retire WEP and WPA entirely. If clients still need WPA2, run WPA2/WPA3 transition mode, enable Protected Management Frames, and treat full WPA3 as the destination.
2. Use long, random passphrases (Personal) or 802.1X (Enterprise). On PSK networks, passphrase length is the whole defense against offline cracking. For any organization, move to Enterprise 802.1X so access is tied to identity instead of a shared secret. This connects directly to vulnerability management, since weak wireless credentials and unpatched access points are exactly the exposures such a program is meant to find and fix.
3. Disable WPS PIN. The 2011 flaw never fully went away. Turn off WPS PIN on every access point.
4. Patch access points and clients. KRACK and Dragonblood were both fixed in firmware, so patching is a core part of wireless security, not an afterthought. Wireless infrastructure is a target like any other, and an unpatched access point is an open hole. Inventory and update the gear.
5. Segment wireless from the core. Put guest and untrusted Wi-Fi on a separate VLAN that cannot reach internal systems. Treat the wireless network as untrusted terrain so a compromise on the air does not become a compromise of the LAN. This is where wireless security folds back into broader network security.
6. Hunt for rogue and evil-twin access points. Use wireless intrusion detection or periodic site surveys to find APs broadcasting your SSID that you did not deploy, and rogue APs plugged into your wired network.
7. Encrypt above the link. Assume the wireless layer can fail. Require TLS for applications and a VPN for remote access, so intercepted Wi-Fi traffic is still encrypted at a higher layer.
Getting started with wireless security
If you are building wireless security skills, the work is hands-on and it lives in the radio traffic. Every step below is a piece of wireless security you can practice in a lab you own.
- Learn the 802.11 frame types. Know the difference between management, control, and data frames, and why deauth frames being unencrypted is the root of so many attacks.
- Capture traffic in monitor mode. Put a wireless adapter into monitor mode and capture frames in Wireshark. Watch a four-way handshake happen and learn to recognize it.
- Crack a handshake you captured legally. In a lab you own, capture your own WPA2 handshake and run aircrack-ng or hashcat against it to understand why passphrase length is everything.
- Build a test network. Stand up an access point, run it under WEP, WPA2, and WPA3 in turn, and see how the attacks change against each.
- Tie it to detection. Feed wireless authentication and intrusion events into a SIEM and learn what a rogue AP or a deauth flood looks like from the defender's side. That detection skill is where wireless security work actually pays off in a SOC.
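For the detection side of best practice 6 and the last step above, here is an added example (not the article's code) of the two checks a WIDS or SIEM rule would run over management-frame records: a rate-based deauth-flood detector and an inventory check for unauthorized BSSIDs beaconing the protected SSID. The SSID, BSSIDs and frame records are constructed sample data, not a real capture.

```python
"""Two detections over 802.11 management-frame records: deauth flood and evil twin.
Each record is (timestamp_s, subtype, source_bssid, ssid_or_None), the shape a
monitor-mode capture or WIDS export reduces to. Sample data below is constructed."""
from collections import defaultdict

PROTECTED_SSID = "CorpWiFi"                                     # constructed
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}  # constructed inventory


def build_sample_frames():
    """Constructed sample: two legitimate APs beaconing, one impostor beaconing the same
    SSID, one benign deauth, then a flood of deauths whose source address is forged to
    look like the legitimate AP (which is exactly how a real flood presents)."""
    frames = []
    for i in range(20):
        t = i * 0.1024  # typical ~102.4 ms beacon interval
        frames.append((t, "beacon", "00:11:22:33:44:01", PROTECTED_SSID))
        frames.append((t, "beacon", "00:11:22:33:44:02", PROTECTED_SSID))
        frames.append((t, "beacon", "de:ad:be:ef:00:01", PROTECTED_SSID))  # evil twin
    frames.append((0.5, "deauth", "00:11:22:33:44:01", None))  # one client leaving: benign
    for i in range(40):
        frames.append((1.0 + i * 0.02, "deauth", "00:11:22:33:44:01", None))  # forged flood
    return frames


def detect_deauth_flood(frames, window_s=10.0, threshold=20):
    """Return {source: peak_count} for sources whose deauth/disassoc count inside any
    sliding window of window_s exceeds threshold. Rate is the signal, not the address:
    a forged frame carries whatever source the attacker chose, so a flood that appears
    to come from your own AP is still a flood."""
    by_src = defaultdict(list)
    for t, subtype, src, _ in frames:
        if subtype in ("deauth", "disassoc"):
            by_src[src].append(t)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:  # slide the window's left edge forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def detect_evil_twin(frames, protected_ssid, authorized):
    """Return BSSIDs beaconing protected_ssid that are not in the deployed-AP inventory."""
    return {src for _, subtype, src, ssid in frames
            if subtype == "beacon" and ssid == protected_ssid and src not in authorized}


if __name__ == "__main__":
    sample = build_sample_frames()
    print("deauth flood sources:", detect_deauth_flood(sample))
    print("evil twin BSSIDs:", detect_evil_twin(sample, PROTECTED_SSID, AUTHORIZED_BSSIDS))
```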
Frequently Asked Questions
What is wireless security in simple terms?
Wireless security is the practice of protecting a Wi-Fi or other radio network and its traffic from being intercepted, accessed, or disrupted by anyone in range. Because a wireless signal travels through the air rather than a cable, wireless security relies on encryption to scramble the traffic and authentication to control who is allowed to join. WPA3 is the current standard that provides both.
What is the most secure Wi-Fi security protocol?
For wireless security, WPA3 is the most secure Wi-Fi protocol available and has been required for newly certified Wi-Fi devices since July 2020. It replaces the older pre-shared-key handshake with SAE, which provides forward secrecy and blocks the offline password-guessing attacks that work against WPA2. It also makes Protected Management Frames mandatory, which defends against forged deauthentication frames.
Is WPA2 still safe to use?
WPA2 is acceptable but no longer ideal. Its AES-CCMP cipher has no practical break, but the 2017 KRACK attack exposed a flaw in its handshake, and it leaves Protected Management Frames optional. WPA2 is safe only when devices are fully patched, the passphrase is long and random, and ideally PMF is enabled. WPA3 is the recommended target.
What is an evil twin attack?
An evil twin is a rogue access point that broadcasts the same network name (SSID) as a legitimate Wi-Fi network, often with a stronger signal, to trick nearby devices into connecting to it. Once a victim connects, the attacker sits in the middle of all their traffic and can intercept or alter it. Using a VPN and verifying networks before connecting are the main defenses.
Why is WEP no longer used?
WEP, the original Wi-Fi encryption from 1997, uses the RC4 cipher with a short 24-bit initialization vector that repeats, leaking enough information for an attacker to recover the key passively in minutes. The IEEE deprecated it in 2004, and free tools have cracked it for two decades. A network running WEP should be treated as unencrypted.
What is the difference between WPA3-Personal and WPA3-Enterprise?
WPA3-Personal uses a single shared passphrase with the SAE handshake and suits homes and small offices. WPA3-Enterprise uses 802.1X authentication, where each user logs in with their own credential or certificate against a RADIUS server, so access is tied to individual identity and can be revoked per user. Enterprise also offers an optional 192-bit security mode for high-assurance environments.
The bottom line
Wireless security is the discipline of protecting a network whose boundary is wherever its signal reaches. With the perimeter gone and no cable to tap, everything depends on the cryptography and authentication of the protocol securing the link, and the history of that protocol, from WEP to WPA to WPA2 to WPA3, is a record of each generation breaking and the next one fixing it. KRACK and Dragonblood are reminders that even the current standard has to be patched, not just deployed.
The practical mandate is short: run WPA3 or hardened WPA2, use Enterprise 802.1X where you can, kill WEP and WPS, patch the access points, and segment the wireless network from everything that matters. Past that, the constraint is the same as everywhere else in defense: the analyst who can read 802.11 traffic and tell a rogue AP from the noise.