Wireless Penetration Testing Services
Wireless is inherently insecure and often the launching pad for larger attacks and breaches. With our Wireless Penetration Testing we gather wireless security information, collect data on the wireless network, analyze wireless implementation, and analyze internal wireless security procedures. We also attempt to capture sensitive data, gain unauthorized access, break wireless passwords, etc.
Our Wireless Penetration Test is a combination of a Wireless Penetration Test against the wireless network itself and a Vulnerability Assessment against the access point if we are able to compromise the wireless network. We alter this approach based on the scope of the engagement. The combination of the Wireless Penetration Test and Vulnerability Assessment against the WAP provides you with a clear understanding of the risk introduced by the wireless network and access point.
Our goal with the Wireless Penetration Test is to determine the security posture of the wireless network(s) by scanning wireless traffic associated with each WAP. During this process, we eavesdrop on wireless traffic to capture authentication handshake(s), determine the type of security, and attempt to gain access using this information. Each WAP is assigned a score as part of our Wireless Penetration Test. The score is determined by how well security controls are configured on the WAP. Our scoring is on a scale of 1 to 10, where 1 = No Security and 10 = Highly Secure.
We also scan for rogue access points and evil twins. We have discovered numerous organizations with rogue access points that enabled an attacker to bypass all security controls by allowing them to connect wirelessly to the internal, "trusted" network.
BENEFITS / RETURN ON INVESTMENT (ROI)
Wireless access points are often the easiest way for an attacker to gain access to your network. The unbound nature of wireless signals increases touch points an attacker can use to break into your network. Attackers can now compromise your facility remotely - from a park across the street, a hotel nearby, a parked vehicle, the office next door, etc. Our Wireless Penetration Test provides a report-card type of rating on a scale of 1-10 about the security of your wireless access points. We provide specific recommendations on how to improve your security rating to fall inline with your risk tolerance.
What you Get / Deliverable
The Wireless Penetration Test Report covers the SSIDs we assessed and includes a “report card” rating of how secure the wireless access points are in terms of risk. We also outline tactics we used to gain access and provide recommendations to improve the security rating of each access point assessed. Below is an excerpt from a report that shows a a sample of the items we cover for our rating and assessment.
Interested in testing your wireless security?
Contact Us or use the order form below to schedule your Wireless Penetration Test.
Wireless Penetration Test FAQs
Is the Wireless Security Assessment performed remotely or onsite?
For the Wireless Security Assessment we typically travel to your location and perform this service onsite. To leverage the fact that we will be traveling to your location, we offer to bundle (at a discount) other services that require us to be onsite, such as our Internal Penetration Test, Internal Vulnerability Assessment, and Physical Security Review.
We can also perform the wireless penetration test remotely, by shipping a device to you.
What is a Rogue Access Point?
A rogue access point is an unauthorized access point. Rogue access points typically fall into three categories - malicious, convenience, and accidental. Malicious rogue access points are designed to help an attacker carry out an objective, such as expanding a foothold on your network, stealing passwords, or using your network to attack someone else. Malicious rogue wireless devices can be used to attack any of the following:
Wireless devices, such as keyboards and mice
Other RF technologies, such as RFID
Rogue access points set up for convenience are typically configured by users unhappy with corporate wireless access or Bring Your Own Device (BYOD) policies. Users often bring their own WAP from home and plug the wired portion into the corporate network. This allows the user to connect all their personal wireless devices (cell phone, iPad, etc.) to their access point that is connected to the corporate network.
Rogue access points that are accidental are devices, such as printers, that an organization did not realize had wireless enabled or accessible. On a recent wireless assessment we discovered printers on an enterprise environment that were accessible to anyone over the wireless network. We were able to manage these printers over an ad hoc wireless network without the organization ever noticing.
What is an Evil Twin?
An evil twin is a WAP that with the same "look and feel" as the real WAP. An evil twin is used by an attacker to trick users into connecting to the attacker WAP instead of the real WAP. The attacker then sniffs all of your traffic (passwords, credentials, personally identifiable information (PII), etc.) from your system to the Internet, as the evil twin access point acts as a Man-In-The-Middle (MITM). An example would be an access point called "Starbucks". How do you know you are connected to the real "Starbucks" access point and not an evil twin?