- [ ] Change default SSID and admin credentials
- [ ] Use WPA3 (or WPA2 minimum — never WEP/WPS/legacy WPA)
- [ ] Apply strong passphrase (20+ chars)
- [ ] Disable internet-based administration
- [ ] Disable ICMP from untrusted interfaces
- [ ] Enable MAC filtering (where appropriate)
- [ ] Use captive portal for guest access
- [ ] Segment guest and corporate networks (separate VLANs)

| Protocol | Status | Notes |
|---|---|---|
| WEP | Broken — do not use | Trivially cracked |
| WPA | Compromised — avoid | TKIP weaknesses |
| WPS | Vulnerable — disable | PIN brute-force attack |
| WPA2 (CCMP/AES) | Current standard | Vulnerable to KRACK — patch required |
| WPA3 | Recommended | SAE, CCMP-128 minimum, Enterprise-192 mode |

KRACK (Key Reinstallation Attack) affects WPA2 by replaying cryptographic handshake messages. Vendor patches exist; always keep firmware updated.

| Feature | WPA2 | WPA3 |
|---|---|---|
| Auth method | PSK (Pre-Shared Key) | SAE (Simultaneous Auth of Equals) |
| Encryption | CCMP-128 (AES) | CCMP-128 minimum, GCMP-256 (Enterprise) |
| Forward secrecy | No | Yes |
| Brute-force resistance | Lower | Higher |
| Enterprise mode | RADIUS + 802.1X | RADIUS + 802.1X + 192-bit keys |

| Mode | Description |
|---|---|
| Personal | Pre-shared passphrase (home/small office) |
| Enterprise | RADIUS server + 802.1X — per-user credentials |
| Enterprise 192-bit | WPA3 only — larger cryptographic keys |

| Attack | Description |
|---|---|
| Evil twin / rogue AP | Spoofed AP to intercept traffic |
| KRACK | Replay attack against WPA2 handshake |
| Deauth flood | Forces clients to reconnect (used pre-attack) |
| WPS PIN brute-force | PIN space only 11,000 combos — trivially broken |
| Wardriving | Scanning for open/weak networks while mobile |
| Bluejacking | Unsolicited Bluetooth messages |
| Bluesnarfing | Unauthorized access to Bluetooth device data |