Advanced Persistent Threats and Wireless Local Area Network Security: An In-Depth Exploration of Attack Surfaces and Mitigation Techniques

Abstract

Wireless Local Area Networks (WLANs), particularly Wi-Fi, serve as the backbone of modern connectivity, supporting billions of devices globally and forming a critical component in Internet of Things (IoT) ecosystems. However, the increasing ubiquity of WLANs also presents an expanding attack surface for adversaries—especially Advanced Persistent Threats (APTs), which operate with high levels of sophistication, resources, and long-term strategic objectives. This paper provides a holistic security analysis of WLANs under the lens of APT threat models, categorizing APT actors by capability tiers and examining their ability to compromise WLANs through logical attack surfaces. The study identifies and explores three primary attack surfaces: Radio Access Control interfaces, compromised insider nodes, and ISP gateway-level exposures. A series of empirical experiments—ranging from traffic analysis of ISP-controlled routers to offline password attack modeling—evaluate the current resilience of WLANs and highlight specific vulnerabilities such as credential reuse, firmware-based leakage, and protocol downgrade attacks. Furthermore, the paper demonstrates how APT resources significantly accelerate attacks through formal models of computational scaling. It also incorporates threat modeling frameworks, including STRIDE and MITRE ATT&CK, to contextualize risks and map adversary tactics. Based on these insights, this paper offers practical recommendations for enhancing WLAN resilience through improved authentication mechanisms, network segmentation, AI-based anomaly detection, and open firmware adoption. The findings underscore that while current WLAN implementations offer basic protections, they remain highly susceptible to well-resourced adversaries, necessitating a shift toward more robust, context-aware security architectures.

1. Introduction

Wireless Local Area Networks (WLANs) have become integral to global connectivity. Wi-Fi technology is one of the most prominent ways to facilitate WLANs, enabling seamless communication. The global usage of Wi-Fi is growing rapidly. As of 2024, there are over 50 billion Wi-Fi devices in use worldwide. This number is expected to reach more than 70 billion by 2027 [1]. Wi-Fi is the most popular wireless technology in the world. More than 90% of all Internet traffic is carried out on Wi-Fi networks [2]. Wi-Fi is used in a wide variety of settings, including homes, businesses, schools, and public places. Wi-Fi is essential for many everyday activities, such as browsing the Internet, streaming video, and playing online games. Wi-Fi speeds are increasing all the time.

WLANs play a key role in the widespread adoption of the Internet of Things (IoT), contributing significantly to the connectivity of interconnected devices. As IoT applications continue to proliferate in various domains, from smart homes and healthcare to industrial settings, WLANs serve as a ubiquitous and reliable means of facilitating data exchange between these connected devices. The convenience and versatility offered by Wi-Fi make it an attractive choice for IoT deployments, enabling users to control and monitor devices remotely. However, this increased dependence on Wi-Fi in IoT applications amplifies the importance of Wi-Fi security. With numerous devices exchanging sensitive data over a wireless network, vulnerabilities within Wi-Fi protocols become potential targets for malicious actors.

Protecting Wi-Fi is critical to preventing unauthorized access, which can lead to severe consequences in various scenarios. In residential settings, unauthorized access by a neighbor could result in crimes committed using the victim’s network, potentially incriminating the legitimate user and subjecting them to legal consequences. In a corporate environment, a criminal targeting the WLAN network could exploit vulnerabilities to access high-value items or compromise video surveillance systems, gaining valuable insight into potential thefts or attacks. Furthermore, for companies handling sensitive data, inadequate WLAN security could lead to unauthorized access to personal information, posing a significant risk to privacy and data integrity. Therefore, securing WLANs is essential to protecting individuals and organizations from legal complications, security breaches, and the compromise of sensitive information.

Given the high-value nature of modern Wi-Fi environments, they have become increasingly attractive for Advanced Persistent Threats (APTs), sophisticated, well-resourced adversaries capable of sustained and covert network infiltration [3]. Unlike conventional cybercriminals, APTs typically consist of organized teams with access to custom toolkits, zero-day exploits, and deep technical expertise. Their hallmark traits include persistence, stealth, and the ability to move laterally across systems over extended periods. Common actors include nation-state groups, advanced criminal syndicates, and elite hacktivist collectives. To evaluate WLAN resilience, this study classifies APT capabilities into tiers based on resource availability and operational scope, as shown in

Table 1. APT tier classification based on capabilities and resources.

Tier	Description	Capabilities	Typical Actors
Tier 1	Opportunistic advanced attackers	Moderate computing resources, open-source tools, long-term access via phishing	Hacktivists, cybercrime groups
Tier 2	Coordinated persistent groups	Custom malware, lateral movement, infrastructure control	Organized cybercrime syndicates
Tier 3	Nation-state-level APTs	Zero-days, supply chain attacks, firmware/rootkit access, ISP compromise	Government agencies, military units

. These targeted, long-term attacks, often motivated by espionage or data theft, seek to exploit weaknesses in WLAN infrastructures as entry points to broader network environments.

This research aims to study this aspect and answer the following research questions:

• Q1: To what extent is the current implementation of WLANs effective in resisting APTs?
• Q2: What characteristics make future WLAN implementations resilient and robust in countering APTs?

To answer these research questions, this article extensively investigates the various attack surfaces of WLANs. In addition, several experiments are performed to explore how these surfaces can be exploited with increased resources. The focus of this paper is solely on logical attacks, excluding any consideration of physical attacks where an attacker breaches the environment to perform actions that grant them access to WLANs.

The main contributions of this paper are summarized as follows:

• Conducting an in-depth analysis of the attack surface of WLANs, categorizing it into three primary areas: the radio access network, compromised insider nodes, and the gateway to the Internet service provider.
• Exploring how attacks on these surfaces can be amplified or made more potent through the resources wielded by APTs.
• Evaluating the effectiveness of current WLAN implementations in mitigating APTs involves detailed examination and experimentation.
• Deliberating on future design implementations geared towards bolstering the security of WLANs in the forthcoming years.

This study aims to fill the gap in WLAN security literature by conducting a holistic analysis of attack surfaces, including ISP-layer traffic analysis, resource scalability of APT attacks, and non-intrusive empirical evaluation of packet flows. Although previous studies have provided valuable information on protocol-level vulnerabilities or device-based risks, few have examined ISP-level privacy issues or provided attack scalability models grounded in resource scaling. This study addresses these gaps.

The manuscript is structured as follows: Section 2 discusses various research projects on wireless network security analysis, encompassing both theoretical analysis and practical applications. Moving forward, Section 3 offers a detailed exposition of the various attack surfaces that are pertinent to WLANs. Section 4 builds upon this foundation by providing an in-depth analysis of these attack surfaces. Section 5 summarizes the research findings and outlines security enhancements for WLAN systems. It compares these findings with previous studies and discusses the study’s limitations in dedicated subsections. Finally, Section 6 concludes the paper.

2. Related Work

This section discusses research in the field of network security, with a focus on WLANs and their resilience against APTs. The first paper [4] covers various aspects of wireless network security, including both theoretical analyses and practical applications. This work also focuses on Wi-Fi Fine Timing Measurement (FTM) in applications like geo-fencing and mobile identification, revealing vulnerabilities in distance measurement manipulation. This highlights a crucial gap in current Wi-Fi security protocols.

Another significant study [5] analyzes the development of wireless networks, particularly their use in public LAN and military applications. It emphasizes the security challenges these networks face, such as data integrity and Denial of Service attacks, underscoring the importance of robust security protocols.

In [6], the authors examine wireless communication security in the context of personal devices connected to Wi-Fi networks. The focus is on the evolution of WLAN technologies and the increasing prevalence of wireless attacks, which is crucial to understanding the vulnerabilities of modern wireless networks.

The work in [7] introduces a systematic methodology for analyzing 802.11 WLAN networks using wardriving. The study, conducted in Finland, reveals that while most WLAN networks use WPA2 encryption, a significant number remain unencrypted or use insecure protocols, pointing to widespread security oversights.

The paper [8] addresses the issue of rogue access points in WLAN 802.11 technology, categorizing various wireless attacks and focusing on those using rogue access points. This includes a range of attack methodologies that reveal the extent of potential threats in wireless networks.

An analysis of the open and accessible nature of wireless networks is presented in [9]. The study contrasts the security vulnerabilities of wireless systems with more secure wired networks and outlines the fundamental security requirements of wireless networks, dissecting threats across network protocol layers.

In [10], a comprehensive analysis and solution framework for WLAN security is proposed, focusing on the four-layer network architecture. The SAEW system, consisting of the security assessment (SAW) and security enhancement (SEW) subsystems, employs fuzzy logic for vulnerability analysis and introduces measures for security enhancement.

The paper [11] discusses the growth in the use of wireless network devices and the associated security challenges. It highlights threats such as data theft and unauthorized access, particularly focusing on vulnerabilities in the WPA2 protocol.

In [12], a critical examination of the IEEE 802.11ac standard is provided, evaluating its security and performance. The study finds that 802.11ac, despite its speed advancements, shares the same security vulnerabilities as its predecessors, 802.11n and 802.11g.

The paper [13] investigates the Wi-Fi 802.11 standard’s frames for detecting attacks. The study focuses on tracking attack parameters and exploring frame types for network attack detection. Ref. [14] aims to analyze preventive measures for wireless network security threats, studying network attack behaviors related to Wi-Fi. This paper takes a case study approach to understand the impact of these threats and proposes practical solutions.

More recently, several works have emerged that highlight both the evolution and the remaining limitations of WLAN security frameworks. For example, Ref. [15] provides a comprehensive review of cyberattack trends, including APTs and wireless vulnerabilities, but lacks formal modeling of attack surfaces. The work in [16] introduces WiFly, a hardware-based attack tool that exposes protocol weaknesses but does not analyze attack scalability or APT resource escalation.

On the defensive side, Ref. [17] emphasizes AI-driven approaches for WLAN security but offers limited insight into multi-vector threat alignment. Similarly, Ref. [18] focuses only on Easy Connect vulnerabilities without assessing holistic or layered WLAN threats. Ref. [19] surveys secure Wi-Fi sensing, although its scope is primarily focused on device-level signal inference, omitting insider and ISP-level threats.

Recent experimental research [20,21] addresses consumer and protocol-level security but does not incorporate threat modeling frameworks such as STRIDE or MITRE ATT&CK. These limitations create opportunities for deeper integration of formal models, attack scaling analysis, and layered architectural perspectives.

Although much research has been published in the field, there is a need for a paper that considers adopting a holistic approach, including attack scaling, ISP-side traffic analysis, APT resources, and compromised insider nodes, which this paper presents. More details about these considerations and a comparison of this paper with related works are presented in Section 5.3.

3. Attack Surface Description

To address the research questions, the attack surface is classified into three distinct areas susceptible to attacks within WLANs. The initial surface pertains to Radio Access Control, focusing on the authentication procedures for WLAN network access. This paper specifically focuses on Wi-Fi-based WLANs. The second attack surface involves malicious insiders, examining the potential compromise of already-connected internal devices to the WLAN through malware or other means. The third attack surface, the back-end, investigates the extent of access the Internet Service Provider (ISP) has to the WLAN. These attack surfaces will be explored in detail in the respective subsections.

3.1. Attack Surface Taxonomy and Definition

In the context of WLANs, an attack surface can be defined as the aggregate of all possible points of unauthorized interaction through which an attacker can attempt to extract data, gain access, or disrupt the operation of a network. Formally, let:

$$\mathcal{A}=\bigcup _{i=1}^n{\mathcal{V}}_i$$

(1)

where the following are true:

• $\mathcal{A}$ denotes the total attack surface;
• ${\mathcal{V}}_i$ represents individual vulnerability vectors (e.g., radio interface, insider device, ISP gateway);
• n is the number of distinct attack vectors.

Each vector ${\mathcal{V}}_i$ can be evaluated based on three critical dimensions: exposure risk, ease of exploitation, and potential impact.

We categorize WLAN attack surfaces into three fundamental domains:

• Radio Access Surface (${\mathcal{V}}_1$)—vulnerabilities in wireless protocols and authentication schemes.
• Compromised Insider Nodes (${\mathcal{V}}_2$)—internal network devices acting as intrusion points.
• ISP Gateway Surface (${\mathcal{V}}_3$)—ISP-level routing, DNS control, and firmware-based access mechanisms.

To address the research question, the attack surface is classified into three distinct areas susceptible to attacks within WLANs. The initial surface pertains to Radio Access Control, focusing on the authentication procedures for WLAN network access. This paper specifically focuses on Wi-Fi-based WLANs. The second attack surface involves malicious insiders, examining the potential compromise of already-connected internal devices to the WLAN through malware or other means. The third attack surface, the back-end, investigates the extent of access the Internet Service Provider (ISP) has to the WLAN. These attack surfaces will be explored in detail in the respective subsections.

3.2. Radio Access Control

In WLAN networks, the Radio Access Control attack surface refers to the vulnerabilities and potential points of exploitation related to the mechanisms that control access to the wireless medium. There are several types of protocols, which are discussed in the following.

Protocols

The initial wireless security protocol, Wired Equivalent Privacy (WEP), served as the standard method for wireless network security from the late 1990s to 2004. WEP, utilizing basic encryption (64-/128-bit), presented configuration challenges and used the RC4 cipher algorithm to encrypt data with a pre-shared key length ranging from 64 to 128 bits [22]. Despite its prevalence as a first-generation security solution, WEP faced vulnerabilities due to limitations in key size, initially at 40 bits and later extended to 104 bits, and its absence of replay detection. To address these shortcomings, users often had to supplement WEP with additional security measures such as Virtual Private Networks (VPNs), IEEE 802.1X, or proprietary solutions to meet their security requirements [23]. Given its recognized insecurities, WEP is no longer considered a secure option and is recommended to be replaced by more modern protocols. The method in [24] provides insight into an easily exploitable method to crack WEP authentication. Generally, there are two modes of authentication in Wi-Fi:

• Pre-shared Key Authentication: In this mode, a shared key or passphrase is used for authentication between the client device and the access point.
• Enterprise: In this mode, each user or device has a unique set of credentials. Typically used in business or enterprise environments, it involves a RADIUS (Remote Authentication Dial-In User Service) server for centralized authentication. It requires individual usernames and passwords or digital certificates for each user or device.

There are several protocols that support the above authentication methods. One protocol is WPA (Wi-Fi Protected Access), introduced in 2003, providing enhanced encryption, employing a security protocol known as the Temporal Key Integrity Protocol (TKIP) to achieve stronger (128-/256-bit) security compared to WEP [22]. Alongside WPA2, WPA stands out as one of the most widely utilized protocols today, with the distinction of being compatible with older software, unlike WPA2 [5]. Commonly used in both home and organizational networks, WPA in commercial settings uses 802.1x + EAP for authentication and replaces WEP with TKIP. This mode operates without a pre-shared key, necessitating the use of a RADIUS server for increased security [25].

WPA2, introduced in 2004 as an advanced version of WPA, offers enhanced network security and a simplified configuration utilizing the Advanced Encryption Standard (AES) as its security protocol [22]. This protocol, available in custom versions for individual users and enterprises, is widely regarded as the predominant choice globally. WPA2 uses a 128-bit key size for data encryption, using AES or TKIP [24]. The secure communication established by WPA2 unfolds in four phases. The initial phase involves authentication and pre-authentication, where the access point and the client agree on security policies. Subsequently, a master key is generated in the second phase, followed by the creation of temporal keys in a regular manner during the third phase. The fourth phase utilizes the countermode CBC-MAC Protocol (CCMP) protocol, employing all keys generated in phase three to ensure data integrity and confidentiality.

WPA3, a new iteration that surpasses its predecessors, aims to provide a simplified configuration and enhanced security with encryption capabilities ranging from 192 to 256 to 384 bits [22]. Specifically designed to function seamlessly with the latest Wi-Fi 6 networks, devices equipped with WPA3 benefit from advanced security measures, prohibiting expired asset policies, and mandating the use of protected frames (PMFs). Despite these advancements, in WPA3-TM networks, multiple stations remain susceptible to downgrades. The study [26] demonstrates successful downgrades without the need for special software and with a low inherent difficulty. In particular, Apple iOS and macOS stations automatically connect to a WPA2-only SSID, even if the initial connection was established using simultaneous Authentication of Equals (SAE) at a WPA3-TM-enabled access point, potentially exposing information needed to crack the pre-shared key. However, Windows and Network Manager, which rely on stored Authentication and Key Management (AKM) for connection establishment, remain unaffected if the previous connection was made using WPA3 [27,28].

Enterprise Wi-Fi authentication operates in a more robust and secure manner compared to simpler authentication modes. In an enterprise environment, organizations implement WPA/WPA2-Enterprise or WPA3-Enterprise authentication protocols to enhance the security of their Wi-Fi networks. This method goes beyond the use of pre-shared keys and employs a more sophisticated approach by integrating the 802.1X authentication standard. In WPA/WPA2-Enterprise or WPA3-Enterprise, each user or device that connects to the Wi-Fi network is assigned unique credentials, such as a username and password or digital certificates. The authentication process is centralized and managed by a RADIUS server, which validates the credentials provided by users or devices. This personalized authentication improves security by ensuring that each connection is uniquely identified and authorized. This mode is particularly advantageous in business settings where multiple users with distinct access levels require secure and controlled access to the Wi-Fi network. Additionally, the 802.1X standard facilitates the dynamic assignment of encryption keys for each session, further strengthening the overall security posture of the enterprise Wi-Fi network.

3.3. Compromised Insider Nodes

The threat of compromised insider nodes in WLANs is significant. An attacker can gain unauthorized access to WLANs through compromised devices connected to the network. Devices can be compromised in different ways. Once part of the WLAN, these compromised devices can identify and collect information from other devices in the same network, posing risks such as the extraction of network passwords. This compromise allows attackers to access sensitive credentials, allowing them to connect additional potentially unauthorized devices to the WLAN. This not only jeopardizes network security but also opens avenues for further malicious activities. The compromised device serves as an attack surface, facilitating the reconnaissance of the WLAN environment. Malicious insiders actively scan and discover devices within the network, creating an inventory of potential targets and collecting information about their configurations, vulnerabilities, and network interactions. The extraction of network credentials becomes a crucial tactic, enabling attackers to persist in unauthorized access and extend their influence by connecting new devices to the WLAN. This ability to expand the pool of compromised devices amplifies the scope of potential threats, emphasizing the importance of implementing robust security measures. In the following section, we examine the susceptibility of various device types to compromise, explore the actions possible with a compromised device, and assess the level of danger associated with this vulnerable attack surface.

3.4. Gateway to Internet Service Provider

To be connected to the Internet, almost everyone relies on ISPs. The amount of control an ISP has over the security and privacy policies of users varies from country to country. However, since the connected device sends Domain Name Service (DNS) requests to the default ISP DNS servers, they can monitor the Internet activities that are being performed on the device. ISPs can also track a user through their devices when the user logs into their network [29,30]. The amount of access the ISP has compared to other organizations is much higher as they are the only means of connection to the network between a user and the Internet [31]. When the user connects to the Internet, all their data pass through the ISP architecture before reaching the intended destination.

Most ISPs collect data about users, devices, personal information, Internet activity, and location, which is mentioned in their privacy policy. The ISP collects and stores user personal information through registration forms. They also collect data automatically regarding the MAC address, IP address, number of devices, types of devices, status of connected devices, network traffic data, device configurations, and many other key pieces of information that can be used to learn about a user and their online behavior [32,33,34]. ISPs can also see passwords set by the user if the password is entered in HTTP sites or sites with expired Secure Sockets Layer (SSL) certificates [35].

In many cases, modems and routers are provided by the ISP and cannot be manually configured by the user. The routers need to be configured by ISP applications, which reduces the amount of control the user has over the security settings. The security control of routers is very important as data flow through them when connected to the Internet, and hackers can exploit a router to retrieve crucial personal data for misuse [30].

ISPs can share the collected data for various scenarios. User data can be obtained from the government through the ISP for monitoring. The privacy policies set by the ISP also include a clause that states that user data can be shared with affiliated organizations [32]. These factors can be considered as a breach of privacy as the user has no control over the sharing of their data by the ISP. As the Internet has become a vital part of everyone’s life, data on Internet activity can be used to understand the personality and behavior of users [36], to predict user online behavior [37], and to influence user decision and behavior without them realizing it.

There are two crucial network positions where security issues can arise—one is at the user end and the other is at the ISP architecture. As we want to conduct non-intrusive network probing, we will conduct our study at the user end, which will be further elaborated on in the next section. We will analyze the network traffic going through the router when multiple devices are connected to it via Wi-Fi for security checks both when the devices are browsing the Internet and when the devices are idle.

4. Attack Surface Analysis

In this segment, we analyze potential attack scenarios corresponding to the attack surfaces discussed in the previous section. In addition, we explore the scalability of these attacks. Each attack surface receives individual scrutiny within its respective subsection.

4.1. Radio Access Control

In this subsection, we will analyze the attack surfaces for both pre-shared key and enterprise-based Radio Access Control to Wi-Fi-based WLANs.

4.1.1. Pre-Shared Key Based Systems

PSK authentication is vulnerable to password attacks, including brute-force and dictionary attacks. The subsequent subsections dive into the specifics of these attacks and strategies for scaling them.

Online vs. Offline Attack

This section focuses on attacks targeting wireless network access control, particularly those aimed at authentication mechanisms employing pre-shared keys. Such authentication methods are susceptible to password attacks that can occur offline or online. Online attacks exploit vulnerabilities in the Wi-Fi network while it is actively in use. These attacks often involve intercepting data packets or trying to guess the Wi-Fi password through various combinations. The effectiveness of online attacks is constrained by network traffic and the access point’s capacity to handle authentication requests.

In contrast, offline attacks target password hashes stored on the network or handshake captures obtained from Wi-Fi connections. Unlike online attacks, offline attacks are not bound by current network activity and are generally faster and more efficient. The success of offline attacks depends on factors such as password complexity and the resources available to the attacker. Online attacks typically take longer than offline attacks due to their reliance on live network interactions and authentication request processing. Consequently, online attacks are more detectable and relatively easier to defend against. Our experiments reveal that online attacks typically require between 1 and 10 s to complete the authentication process, with variations based on the device used and the network’s status.

In contrast, offline attacks are typically more straightforward and swifter than online assaults as they operate independently of network activity. Attackers can exploit captured handshakes or password hashes to decipher passwords without arousing suspicion from network administrators. Tools such as Hashcat [38] and John the Ripper [39] are frequently used to conduct offline attacks. One strategy involves transforming online attacks into offline ones, which is achievable because the pace of offline attacks relies solely on the capabilities of the local device, allowing for convenient scalability. A strategy to scale attacks against Radio Access Control is shown in Figure 1. A common method to transition from online to offline attacks involves leveraging a KRACK (Key Reinstallation Attack) [40], which targets the WPA/WPA2 protocols.

KRACK

This attack exploits vulnerabilities in the four-way handshake, a key-exchange process that occurs when a client device attempts to join a protected Wi-Fi network. Here are the cryptographic operations involved in the KRACK:

• Four-Way Handshake: The four-way handshake is used to establish a fresh encryption key between the client device and the access point when a device joins a Wi-Fi network. The four messages exchanged during the handshake are as follows: Message 1 (M1): Initiated by the access point. Message 2 (M2): Response from the client. Message 3 (M3): Initiated by the client. Message 4 (M4): Response from the access point.
• Replay Attack: The attacker captures a previous key exchange and replays it during the attack to force the key reinstallation.
• Key Reinstallation: The vulnerability in WPA2 identified by the KRACK is related to the improper handling of key reinstallations during the four-way handshake. Instead of rejecting already-used keys, the protocol allows for the reuse of a previously used key. The attacker forces the victim to reinstall an already-in-use encryption key by manipulating the four-way handshake process. The attacker intercepts and modifies the key exchange, tricking the client and access point into reinstalling an encryption key that has already been used.
• Data Decryption: Once the attacker has successfully forced the key reinstall, they may be able to decrypt and intercept Wi-Fi traffic between the client and the access point. This allows the attacker to potentially gain unauthorized access to sensitive information transmitted over the compromised Wi-Fi connection.

The four-way handshake captures the exchange of messages between a client and an access point during the process of establishing a secure connection. The cryptographic values involved in this handshake are as follows:

• Anonce: The Anonce is a random number generated by the access point and included in the first message of the four-way handshake. It is used in the computation of the Pairwise Transient Key (PTK).
• Snonce: The Snonce is a random number generated by the client and included in the third message of the four-way handshake. It is also used in the computation of the PTK.
• PMK (Pairwise Master Key): The PMK is derived from the pre-shared key or from an Extensible Authentication Protocol (EAP) exchange. It serves as the foundation for deriving other keys, including the Pairwise Transient Key (PTK).
• PTK (Pairwise Transient Key): The PTK is derived from the PMK and is unique to the specific session between the client and the access point. It consists of multiple subkeys, including the Key Confirmation Key (KCK), Key Encryption Key (KEK), Temporal Key (TK), and Michael MIC Key. The Temporal Key (TK) is particularly important for encrypting and decrypting data during the session.
• EAPOL HMAC (EAPOL-Key HMAC): EAPOL stands for Extensible Authentication Protocol over LAN, and it is used to manage communication during the WPA2 handshake process. The term HMAC (Hash-based Message Authentication Code) refers to a cryptographic technique that combines a hash function with a secret key to ensure data authenticity. In this context, the EAPOL HMAC is a specific type of Message Integrity Code (MIC). It is generated using a cryptographic hash function (such as HMAC-SHA1) and is applied to the contents of the EAPOL frames exchanged during the four-way handshake. Its purpose is to verify the integrity and authenticity of these exchanged messages.

In the pursuit of uncovering the pre-shared key, attackers frequently resort to techniques like offline brute-force attacks or dictionary attacks on the captured four-way handshake. As depicted in Figure 2, the captured values, Anonce, Snonce, and MIC are the pivotal factors in these attacks.

It is important to note that the KRACK exploits not weaknesses in the encryption algorithm itself but rather vulnerabilities in the WPA2 protocol’s implementation of key management. The attack highlights the importance of proper protocol implementation and the need for timely security updates to address such vulnerabilities. WPA3 incorporates robust security mechanisms [41], addressing the issues present in older standards. However, the widespread adoption of WPA3 is expected to take several years. Recognizing the limited security knowledge and skills of the general population, it is unlikely that users will immediately recognize the need to upgrade to WPA3 [28]. Furthermore, upgrading all IoT devices to WPA3 presents a considerable challenge, not only for end users but also for cybersecurity professionals and manufacturers, given that not all devices are currently equipped to support WPA3 [42].

However, a survey involving nearly 400 participants [43] reveals vulnerabilities among users of the WPA2 protocol. The findings indicate that a significant portion, approximately 60%, of the examined users possess Wi-Fi passwords with 12 characters or less, and a notable 61% never change their passwords. This situation poses potential security risks and underscores the need for heightened awareness and proactive measures to address these issues.

Downgrade Attack

In addressing the limitations of WPA/WPA2, WPA3 introduced the Dragonfly handshake, also known as Simultaneous Authentication of Equals (SAE) [44]. This cryptographic protocol improves security by establishing a secure connection between a user device and a Wi-Fi access point. SAE is designed to thwart password-based attacks and man-in-the-middle attacks by using a zero-knowledge proof mechanism. This means that intercepted communication does not yield useful information to compromise the connection. However, a downgrade attack exploits security vulnerabilities by coercing a system to revert to a less secure version of a protocol or encryption standard. In the realm of Wi-Fi security, a downgrade attack targets the transition between WPA3 and older protocols such as WPA2 or WPA. Attackers manipulate communication between a device and an access point to induce the use of an older, less secure protocol, thus exploiting known vulnerabilities to gain unauthorized network access.

4.1.2. Formal Model for Attack Scaling

Attack Scaling Model:

Let us define the Attack Time T for a brute-force password attack as a function of the following:

• Password space size: S;
• Processing rate per node: R (in attempts/second);
• Number of parallel nodes: N.

Then, the attack time T is given by:

$$T={\displaystyle \frac{S}{R·N}}$$

(2)

For dictionary-based attacks, let D be the size of the dictionary. Then, the attack time becomes:

$$T_{\mathrm{dict}}={\displaystyle \frac{D}{R·N}}$$

(3)

Example: If a password dictionary has $5\times {10}^6$ entries, each node attempts $5\times {10}^5$ passwords per second and there are 2 parallel nodes:

$$T_{\mathrm{dict}}={\displaystyle \frac{5\times {10}^6}{5\times {10}^5·2}}=5\mathrm{s}$$

Scalability Insight: As N increases linearly, T decreases inversely. This shows that brute-force and dictionary attacks can be significantly accelerated using parallel computing resources, which APTs often possess.

Pseudocode: Scalable Dictionary Attack

This pseudocode Listing 1 abstracts the concept of attack scaling using multiprocessing logic. It simulates how APTs can distribute brute-force or dictionary attacks across multiple processing nodes or cloud systems for significantly reduced execution time.

Listing 1. Parallelized Dictionary Attack Simulation.

def scalable_dictionary_attack(dictionary, password_hash, nodes): partitioned_dicts = split(dictionary, nodes) parallel_results = [] for i in range(nodes): result = spawn_worker(partitioned_dicts[i], password_hash) parallel_results.append(result) for r in parallel_results: if r.found: return~r.password return None

Transitioning the attack from online to offline improves scalability, particularly with augmented computing capabilities. Although our analysis initially relied on naive brute-force methods to simulate adversarial password attacks, recent developments in password cracking highlight the importance of adopting more advanced models. State-of-the-art tools such as John the Ripper and Hashcat incorporate probabilistic techniques like Markov chains and Probabilistic Context-Free Grammars (PCFGs) to efficiently guess human-chosen passwords. Bonneau’s foundational work [45] revealed that users tend to select highly predictable passwords, making them susceptible to such probabilistic attacks. More recently, machine learning-based guessers like those presented by Pasquini et al. [46] and Ji et al. [47] have demonstrated improved efficiency in prioritizing guesses based on empirical distributions from large password leak datasets. Future versions of our attack simulation will incorporate these optimized models to more accurately reflect the capabilities of resourceful APT actors.

In our study, we evaluated the performance of both brute-force and dictionary attacks, emphasizing the scalability potential of these approaches. One objective is to scrutinize the security disparities between implementing passphrases and using common word passwords, assessing their relative efficiencies against password attacks. All aspects are elaborated below:

• Brute-force Attack: In brute-force attacks, attackers systematically try all possible password combinations until the correct one is discovered. This approach relies heavily on computational power. An experiment was conducted to measure brute-force performance across different computing devices.

  Table 2. Brute-force attack times for password lengths (8–16 characters).

  Password Length	Number of Possible Passwords	Time (i7 CPU) (h)	Time (RTX 3070 GPU) (h)	Time (RTX A6000 GPU) (h)
  8	$2.18\times {10}^{14}$	$1.83\times {10}^6$	$8.07\times {10}^4$	$4.22\times {10}^4$
  9	$1.34\times {10}^{16}$	$1.12\times {10}^8$	$4.96\times {10}^6$	$2.11\times {10}^6$
  10	$8.39\times {10}^{17}$	$7.06\times {10}^9$	$3.10\times {10}^8$	$1.31\times {10}^8$
  11	$5.20\times {10}^{19}$	$4.37\times {10}^{11}$	$1.92\times {10}^{10}$	$8.11\times {10}^9$
  12	$3.22\times {10}^{21}$	$2.71\times {10}^{13}$	$1.19\times {10}^{12}$	$6.23\times {10}^{11}$
  13	$2.00\times {10}^{23}$	$1.68\times {10}^{15}$	$7.41\times {10}^{13}$	$3.87\times {10}^{13}$
  14	$1.24\times {10}^{25}$	$1.04\times {10}^{17}$	$4.59\times {10}^{15}$	$2.40\times {10}^{15}$
  15	$7.68\times {10}^{26}$	$6.46\times {10}^{18}$	$2.84\times {10}^{17}$	$1.48\times {10}^{17}$
  16	$4.67\times {10}^{28}$	$3.93\times {10}^{20}$	$1.72\times {10}^{19}$	$7.41\times {10}^{18}$

  provides a detailed summary of brute-force attack times for passwords of various lengths, ranging from 8 to 16 characters. Each row indicates the password length alongside the corresponding number of possible passwords, calculated as follows.

  $$Numberofpossiblepasswords=n^{62}$$

  (4)

  where n represents the password length. We consider 62 as the number of character types, which includes 26 lowercase letters, 26 uppercase letters, and 10 numbers. Special characters such as (?, ", $, [, ]’) are also included in our calculations. Some special characters are allowed, but they are less common.
  The following table illustrates the estimated time needed for brute-force attacks on passwords using various hardware configurations: an Intel i7 CPU, an NVIDIA GeForce RTX 3070 GPU, and an NVIDIA Quadro RTX A6000 GPU. The data highlight the increasing challenge of brute-force attacks with longer passwords and demonstrate the significant influence of hardware acceleration, particularly evident in the marked reduction in attack times when utilizing powerful GPUs. This insight proves crucial in assessing password resilience against brute-force attacks and emphasizes the importance of implementing robust password security measures. Specifically, tests revealed that the i7 node can attempt approximately 33,000 passwords per second, the RTX 3070 node around 750,000 passwords per second, and the A6000 node approximately 2 million passwords per second.
  As can be seen in the table, employing longer passphrases yields enhanced security. This applies even to a single node. Expanding the attack by adding nodes would not significantly alter the outcome. It is crucial to note that this assessment only considers standard computing units and not specialized hardware tailored for password attack purposes.
• Dictionary attack: Passphrases are generally considered more secure due to the considerable time required by brute-force attacks. However, they often pose a challenge in terms of memorization. Hence, many Wi-Fi networks resort to spoken words or phrases, a method increasingly adopted by access points preconfigured by ISPs. To assess the resilience of such measures against password attacks, various password formats were amalgamated. Although numerous combinations exist, the analyzed configurations provide insight into the requisite duration of the attack. We considered passwords that comprise the 1000 most common English words, 5000 English words, 20,000 English words, and 50,000 English words mixed with numbers. The number of possible combinations was calculated using the following equation:

  $$Numberofpossiblecombinations=I!\prod Mi$$

  (5)

  where I is the number of total elements in the passwords. Mi is the number of possible combinations of each element. Ensuring robust password security is particularly critical when passwords contain common English words. However, the lack of an optimized industry-specific dictionary presents a significant obstacle. In this project, our aim was to develop dictionaries of varying sizes and evaluate their effectiveness against potential attacks. When discussing the breadth of the English language, it is important to note three key figures: there are over a million total words, with approximately 170,000 words currently in use, and a typical individual’s vocabulary comprising 20,000–30,000 words. To assess the vulnerability of passwords to dictionary attacks, we analyzed different word set sizes. The results of these tests are detailed in

  Table 3. Dictionary attack times for passwords with different formats.

  Password Format	1000 Usable Words	5000 Usable Words	20,000 Usable Words	50,000 Usable Words
  1 word and 1 number	0.0001666	0.000833	0.003332	0.00833
  1 word and 2 numbers	0.05	0.25	0.5	2.5
  1 word and 3 numbers	0.2	1	4	10
  2 words and 1 number	0.5	12.5	200	1250
  2 words and 2 numbers	20	500	8000	50,000
  2 words and 3 numbers	1000	25,000	400,000	2,500,000
  3 words and 1 number	2000	250,000	$1.6\times {10}^7$	$2.5\times {10}^8$
  3 words and 2 numbers	100,000	$1.25\times {10}^7$	$8\times {10}^8$	$1.25\times {10}^{10}$
  3 words and 3 numbers	6,000,000	$7.5\times {10}^8$	$4.8\times {10}^{10}$	$7.5\times {10}^{11}$

  .
  The table indicates that employing a format consisting of three words and three numbers yields performance comparable to utilizing a 12-character passphrase. This presents a superior solution, as passwords are easier to recall than passphrases. During our investigations, we evaluated a single GPU node. However, these attacks can escalate considerably with a higher number of nodes. For example, in a system that houses 1000 nodes, the attack speed could potentially decrease by a factor of 1000. Additionally, it is worth noting that in this study, we exclusively employed general-purpose computers. APTs might possess specialized hardware tailored for password attacks.

4.1.3. Attacks on WPA/WPA2 Enterprise

The authentication and key generation process of WPA/WPA2-Enterprise differs significantly from that of WPA/WPA2. Unlike WPA/WPA2, WPA/WPA2-Enterprise employs individual login credentials for each user and verifies them through a RADIUS server [48]. Although this setup is more complex, it improves security by utilizing unique keys for each user, enabling accountability. Consequently, administrators can fine-tune wireless access for individual users, increasing the difficulty for potential attackers to carry out certain exploits, even if the volume of generated traffic is comparable to that of a WPA/WPA2 network. Additionally, since the keys are likely unique for each participant, the traffic generated is indistinguishable from that of distinct access points, even if it originates from the same AP in theory.

Although WPA-Enterprise deviates from WPA/WPA2 primarily in its authentication method and key generation algorithms, it retains theoretical susceptibility to the same attacks as WPA and WPA2. However, its likelihood of compromise is reduced due to its individual access point behavior for each client. However, in addition to conventional attacks targeting WPA and WPA2, WPA-Enterprise networks are vulnerable to Evil Twin attacks [49]. In such an attack, an adversary establishes a fraudulent access point with the same SSID as the genuine network, associating it with a RADIUS server. The attacker then initiates deauthentication probes or passively waits for clients to connect to the counterfeit access point. Despite potential warnings from certificates designed to validate access point authenticity, users often overlook them. Consequently, the attacker acquires the client’s credentials, facilitating further exploitation, such as password cracking and unauthorized access to the corporate wireless network. Open-source tools like hostapd-wpe [50] in Kali Linux provide specific patches to hostapd and FreeRADIUS [51] servers, enabling such attacks. Implementing server certificates can mitigate these attacks by preventing access points from claiming the identity of others.

4.2. Compromised Insider Nodes

In this section, we analyze the attack surface of malicious insiders. Generally, the WLAN device can be categorized into three types of devices, user devices, IoT devices, and network equipment. This is discussed as follows:

4.2.1. User Devices

User devices encompass hardware or electronic devices utilized by individuals to interact with or access digital information, applications, or services. Examples of user devices include computers, mobile phones, tablets, games consoles, and more. When a device is compromised, the risk of network credentials being stolen increases, and ransomware attacks on personal computers are on the rise. Businesses are particularly susceptible to such attacks because sensitive data are often stored on workstations. Malware can infiltrate personal devices through various means, such as downloads from Internet browsing [52] or email attachments [53]. It extends its reach beyond personal computers, affecting gaming consoles [54] and smartphones [54]. The methods through which user devices can be compromised are diverse, and the incidence of malware targeting them is increasing. Factors contributing to this surge include the increasing sophistication of malware attacks, the growing prevalence of mobile devices, and the growing use of cloud-based services [55]. Depending on the access levels, malware can achieve different objectives. In many systems, elevated access rights are required to view stored network passwords [56] and access the network interface [57]. Generally, the plain text of Wi-Fi passwords needs to be stored on the device. For example, for Windows, the Wireless Configuration Manager [58] is stored in a specific file. Within this file structure, each wireless device is represented by a Group User ID (GUID), and its settings are stored in an XML file with a randomly generated GUID name. The process involves utilizing ’Windows Cryptography’ functions employing CryptProtectData [59] functions for encrypting wireless keys and passwords. Decrypting the information is relatively straightforward and involves using CryptUnprotectData. However, it is important to note that this process requires running it with system-level privileges.

4.2.2. IoT Devices

IoT devices face susceptibility to compromise through various channels, presenting considerable security challenges [60]. A prevalent vulnerability arises from default credentials and weak passwords, often preconfigured by manufacturers, which facilitate unauthorized access for potential attackers [61]. Devices are left exposed to known vulnerabilities due to insufficient software updates and patch management practices over time [62]. Additionally, attackers can exploit insecure network communication protocols to intercept or manipulate data exchanged between IoT devices, a critical concern given the limited processing power of these devices and their data-oriented nature [63]. Physical tampering, particularly in unsecured environments, stands as another avenue for compromise [64]. The escalating number of IoT devices has led to a surge in attacks targeting them [65,66,67], establishing them as prime entry points to WLANs. Major IoT operating systems, such as Contiki OS and FreeRTOS, are Linux-based choices that include network functionalities, with the drawback of storing network credentials in plain text [68], rendering them susceptible targets for initiating WLAN infiltration.

4.2.3. Network Equipment

Local Area Networks are particularly vulnerable to cyber attacks targeting network equipment, given their central role in managing communication and data transfer within organizations. Cyber adversaries exploit weaknesses in routers, switches, and similar devices, jeopardizing the integrity and confidentiality of network data. Attack vectors often involve exploiting default credentials [69], known software vulnerabilities, and misconfigurations [70] in network devices. Once breached, attackers can engage in various malicious activities, including intercepting and altering network traffic [71], executing man-in-the-middle attacks, or causing network disruptions. Specific attack scenarios, such as man-in-the-middle attacks [72], exemplify the interception and manipulation of device communication, leading to unauthorized access or eavesdropping. Techniques such as ARP spoofing [73] and DNS Spoofing [74] further illustrate this vulnerability. Furthermore, router spoofing [75] involves impersonating a legitimate router to redirect or intercept network traffic, as seen in BGP hacking [76]. Device misconfigurations, such as relying on default credentials or weak passwords, pose serious risks. DNS Spoofing and Cache Poisoning [77] manipulate the Domain Name System, redirecting network traffic or introducing malicious entries into the DNS cache. Firmware exploits [78] target vulnerabilities in the firmware of the device, granting attackers control, as in Firmware Injection [79]. Logical Attacks on Switches [80] exploit vulnerabilities in switch configurations for traffic manipulation or unauthorized access, as demonstrated by MAC Flooding [81]. Routing Table Poisoning [82] manipulates routing tables to redirect traffic or cause network disruptions, exemplified by Routing Information Protocol (RIP) Poisoning [83]. Consequently, there are numerous attacks that can target network equipment, providing several types of unauthorized access to the network. These attacks may enable eavesdropping, traffic manipulation, or injection attacks.

4.3. Gateway to Internet Service Provider

As discussed in the previous section, the modem and router provided by the ISPs contain firmware that can provide more access to the user’s LAN. This is mentioned in the user agreements. To investigate data collection activities, we used LANProbe for non-intrusive network tapping on two routers—one of which was provided by the ISP, and the other one was a personal router. The personal router used was an R6400 Netgear router. Both the ISP router and the personal router were automatically configured via the mobile application and hence did not provide flexibility in terms of control over router security configuration.

The motivation behind this experiment was to check for security issues on the user end and also determine the type of packets that are being exchanged and how the router impacts the type of packets being exchanged. The routers were observed individually during each session of the experiment. The devices that participated in the experiment were connected to the routers via Wi-Fi. An LANProbe was placed between the router and the ISP’s modem. Using the Wireshark packet analyzer, the data packets that passed through the routers were captured and then analyzed.

The experiment was carried out separately on the routers for the two scenarios. In the first scenario, the user devices performed some Internet activities while connected to a router. The devices used during this session were one Windows laptop, one MacBook, and two cell phones. In the other scenario, the user devices were left idle but connected to the Internet via the router. The user devices used here were one Windows laptop and one MacBook, as it is very hard to limit Internet activity in mobile devices. The findings of the experiment are summarized as follows:

4.3.1. Sessions with Internet Activity

During the experiment, the type and duration of web activities were kept the same on both routers for consistency.

Table 4. Internet activities with durations.

Sl. No.	Activity Details	Duration (min)
1	Search the Internet browser for shoes and visit three individual business websites	0–9
2	Go to an online marketplace and search for a 32” TV	11–13
3	Go to another online marketplace and search for a 32” TV	14–16
4	Stream short videos	17–31
5	Create an account in an online learning platform	33–35
6	Log in to the university student portal	36–38
7	Use personal email to send messages, pictures, and documents	39–49
8	Turn on incognito mode and search for hotels and gaming console deals from online marketplaces	50–58
9	Turn off incognito mode and stream a movie	59–65
10	Sit idle with the browser open	66–70

details the Internet activities, along with their durations, that were performed during the experiment. The total duration of the experiment with Internet activities on each router was 70 min.

Online marketplaces and business websites were visited and certain products were searched to determine the types of data packets exchanged through the router. By analyzing the data packets, we could check if malicious data packets were being exchanged through the router. Malicious data packets refer to not only data packets that could harm the user’s devices but also unauthorized ones that might be used to expose information about user’s devices or networks. Figure 3 shows the overall steps of the experiment with the Internet activity.

Initially, the LANProbe was physically connected between the router and the modem to access the network. This setup allowed for the monitoring of traffic departing from the WLAN to the ISP. In addition, a laptop was connected to the LANProbe to monitor the data packets that flowed through the router using Wireshark. Once the Wireshark session was initiated, the activities described in Table 4 were carried out for their designated durations. Upon completion of all activities, the Wireshark session was saved and subsequently analyzed.

Some of the common packets found on both routers are shown in

Table 5. Data packets found during experiment with Internet activity in both ISP router and personal router.

Protocol	Information	Packet Description
ICMPv6	Neighbor solicitation	Protocol used by devices to discover the link-layer addresses of other devices on the same network.
DHCPv6	Solicit	This was sent by devices for locating DHCPv6 servers on the ISP network.
IGMPv2	Membership report group	Protocol used by a device to inform routers that it wants to receive traffic for a specific multicast group.
SSDP	M-SEARCH * HTTP/1.1	Simple Service Discovery Protocol (SSDP) that is used for discovering plug-and-play devices on a local network. * means broadcast to all.
DHCP	DHCP discover	Protocol used by devices on the network to find the DHCP servers and obtain IP address and other network configuration information.
MDNS	Standard query	Multicast DNS (MDNS) is used for resolving hostnames to IP addresses.
ARP	Who has and tell	Query used to find MAC address that corresponds to the specific IP address and sent to the device specified in tell.

, along with the protocol and its description. Most of them were standard data packets that we expected to find during the Wireshark session.

Table 6. Data packets found during experiment with Internet activity in ISP router.

Protocol	Information	Packet Description
ICMPv6	Router advertisement	Message sent by routers to advertise its presence for helping devices configure IPv6 address.
ICMPv6	Multicast listener report message v2	Multicast Listener Discovery (MLD) protocol used to indicate listening to certain multicast groups.
ICMPv6	Neighbor advertisement	Response to neighbor solicitation by devices to advertise their link-layer address.
ICMPv6	Echo (ping) request id, seq = 0 and 1, hop limit = 1 (multicast)	Ping request used for network diagnostic or control purposes.
IGMPv3	Membership report/leave group	Indicates leaving a multicast group.
IGMPv3	Membership report/join group	Indicates joining a multicast group.
NBNS	Name query	NetBIOS Name Service (NBNS) query for changing a NetBIOS name into the corresponding IP address.
NBNS	Refresh NB USERS	NetBIOS Name Service refresh request for maintaining the registration of NetBIOS name on the network.

illustrates the data packets exclusive to the ISP router. Among these, a notable discovery was the presence of ping request packets, commonly used for network diagnostics to assess device connectivity. The frequency of ping requests averaged about 26 per 1000 s. Furthermore, the remaining unique packets identified were deemed safe, with no indication of suspicious packet exchanges.

Table 7. Data packets found during experiment with Internet activity in personal router.

Protocol	Information	Packet Description
ICMPv6	Multicast listener query	Used by routers for finding interest in devices for joining certain multicast groups.
ICMPv6	Router solicitation	A message is sent by devices to routers for identification, and the router responds with a router advertisement message.
IGMPv2	Membership query, general	Query sent by multicast routers to all devices on the network for identifying which multicast group the devices want to receive data from.
SSDP	NOTIFY * HTTP/1.1	Message sent by a device to other devices on the network to inform them of their availability. * means broadcast to all.
LLTD	Discover	Link-Layer Topology Discovery (LLTD) message that helps map the network’s physical topology.
LLTD	Reset	Message used to reset the topology discovery process.

displays the majority of data packets isolated from the personal router. No signs of suspicious activity were detected. Analysis revealed that the variance in data packets between routers was caused by two primary factors: firmware variations and security protocol configurations. Since the routers were set up automatically, they employed different configurations, primarily for multicasting and router advertising, resulting in the observed diversity in data packets.

After examining the Pcap (packet capture) file that monitors Internet activities, it was found that no suspicious packets that passed between routers were detected. The ISP did not initiate any queries through the router that could pose security risks, nor were they actively gathering data from users’ ends. Most of the observed packets were associated with devices communicating with each other within the network. Hence, it is plausible that the ISP collects user data within their cloud architecture, likely achieved by analyzing specific packets and correlating them with known device types. To explore potential suspicious activities during a device’s idle periods, an experiment was conducted, as outlined in the following section.

Although the experiment revealed that no suspicious packets were actively injected by the ISP or router firmware, it is important to clarify the potential implications of ISP-controlled routers beyond the application layer. Specifically, ISP-provided firmware may expose Layer 2 (MAC address) information, which would otherwise be invisible beyond the router boundary due to standard IP routing constraints. This would enable customer profiling or device fingerprinting by correlating MAC addresses, device types, and browsing behavior. Although this study did not find evidence of this behavior in a single router instance, a broader analysis involving routers from multiple ISPs in geographical regions would be necessary to empirically validate this threat model. Such a study could also investigate whether user agreements with these ISPs allow deep traffic or device-level telemetry, which remains a critical privacy consideration.

4.3.2. Sessions with Zero Internet Activity

This experiment was carried out to inspect the type of data packets that pass through the router when devices are idle. No mobile devices were connected to the router, as it is very hard to limit the Internet activity of such devices. Hence, only two laptops were used. The devices were left idle for 40 min and the web browsers were not opened to make the environment as activity-neutral as possible. The results of the experiment are shown in

Table 8. Unique data packets found during experiment with no Internet activity.

Details	Protocol	Information	Packet Description
Packet found only in ISP router	ARP	Gratuitous ARP (Reply)	Protocol used to update APR caches of hosts present in the network so that they have the correct mapping of the MAC address to the IP address.
Packets found only in personal router	NBNS	Registration NB	Protocol used to register a NetBIOS name with an NBNS server.
	NBNS	Release NB	Protocol used to prevent NetBIOS name conflicts in an environment where devices frequently join and leave the network.
	ARP	ARP announcement	A type of gratuitous ARP where the device announces its IP address for updating the ARP caches of the network devices.

.

Most of the data packets present in Table 5 were also present during this session. Some unique data packets were found on each router, which are shown in Table 8. The ISP router only had an additional data packet, which was for updating the ARP cache of the network devices. The personal router had a different ARP protocol data packet and also had data packets for NetBIOS name registration and deregistration. The unique data packets in each router are also due to the different firmware and configuration of the routers. No suspicious data packets were found to pass through the router.

Overall, the experiments with both Internet activity and no Internet activity on the user end help us to conclude that the ISP is not exchanging any dubious data packets through the router, and hence the data gathering that the ISP conducts is not occurring at the user end. The user data are being collected in the ISP architecture, and therefore it cannot be specified which data the ISP is collecting. There is no non-intrusive method to find which types of data the ISP is gathering and how much information about each user is stored by them.

The purpose of this research is not to verify the current data collected by the ISP but rather to investigate the capability of APTs to access the WLAN. To achieve this, we will explore two scenarios.

The APT Has Access to Both the ISP and the Router, Which Is Equipped with ISP Firmware

This firmware enables the collection of data on devices within the WLAN. As stipulated in the service agreement, this data collection is acknowledged. This situation mirrors the concerns discussed earlier regarding compromised network equipment. Technically, this firmware could be considered a backdoor, through which the APT could transfer data using transmission protocols like HTTP or exploit side channels such as DNS [84].

The APT Has No Access to ISP, or a Personal Router Is Used

If the APT lacks direct access to the ISP or if a personal router is used, it can still accumulate significant data by intercepting HTTP and HTTPS packets within the WLAN. By scrutinizing the destinations of these packets, the APT can discern the types of devices utilized within the network, thereby facilitating the planning of future attacks. Additionally, the APT can execute various Man-in-the-Middle (MitM) attacks [85] to gain access to the WLAN. These attacks may involve injecting malware into network traffic [86] or hijacking sessions [87], presenting serious security risks. Expanding on this, MitM attacks could encompass techniques such as ARP spoofing [88], DNS spoofing [89], or SSL stripping [90], allowing the APT to intercept and manipulate network communications, thus compromising the integrity and confidentiality of the WLAN. By exploiting vulnerabilities in network protocols and devices, the APT can establish unauthorized access to the WLAN environment.

To further support the findings, system-level constraints should be noted. The idle behavior of the device can vary significantly depending on the operating system, power management settings, and background processes. In this study, no outbound traffic indicative of Layer 2 leakage or ISP-level device telemetry was observed during idle periods. However, it remains technically feasible for custom firmware or modified router operating systems to periodically collect and exfiltrate such metadata—independent of client-side activity. Documenting firmware versions and incorporating hardware details such as SoC type and OEM branding would offer better reproducibility and transparency in future experiments. Comparative testing on additional routers, including open-source firmware baselines, would provide a more complete picture of passive data exfiltration capabilities.

4.3.3. Threat Modeling Framework Alignment

To align this work with structured threat modeling practices, we map each identified WLAN attack surface to corresponding MITRE ATT&CK tactics and techniques. This mapping helps us to understand how adversaries may exploit different areas of the WLAN environment.

Table 9. Mapping of WLAN attack surfaces to MITRE ATT&CK techniques.

Attack Surface	Relevant ATT&CK Techniques	Description
Radio Access Control	T1078 (valid accounts), T1557 (man-in-the-middle)	Credential access, Wi-Fi spoofing, rogue access point attacks
Insider compromise	T1566 (phishing), T1203 (exploitation for client execution)	Initial access via malware or phishing; lateral movement from compromised nodes
ISP gateway	T1040 (network sniffing), T1071 (application layer protocol)	Passive monitoring, DNS abuse, and malicious traffic injection

maps WLAN attack surfaces to MITRE ATT&CK techniques.

In addition to MITRE ATT&CK, the STRIDE threat modeling framework offers a complementary lens to analyze potential risks across the WLAN infrastructure. The STRIDE model categorizes threats as follows:

• Spoofing—e.g., impersonation through rogue access points.
• Tampering—e.g., the injection of malicious packets into WLAN traffic.
• Repudiation—e.g., a lack of logging on IoT devices or access points.
• Information Disclosure—e.g., unencrypted communications intercepted via sniffing tools.
• Denial of Service (DoS)—e.g., deauthentication or jamming attacks on Wi-Fi channels.
• Elevation of Privilege—e.g., the exploitation of router firmware to gain administrative access.

By overlaying STRIDE on each WLAN component and combining it with MITRE ATT&CK mappings, defenders can assess, prioritize, and systematically mitigate threats based on observed vulnerabilities and adversary behavior.

4.3.4. Common Wireless Offensive and Defensive Tools

In real-world WLAN security contexts, various tools have been developed to attack and defend Wi-Fi infrastructures. Understanding these tools is crucial for security assessments and the design of resilient networks.

Offensive Tools:

• Airgeddon v11.41: A multi-use bash script for auditing wireless networks. It supports Evil Twin attacks, handshake capture, captive portal phishing, deauthentication, and channel hopping for attack automation.
• Wifite v2.0: A Python-based automated tool targeting WEP, WPA, WPA2 (PSK), and PMKID attacks. It passively scans networks and captures handshakes for offline brute-force or dictionary cracking.
• Fluxion v4.1: It focuses on social engineering attacks through Evil Twin APs and phishing portals to obtain WPA/WPA2 passphrases without the need for brute force.

Defensive Tools:

• Cisco Wireless Intrusion Prevention System (WIPS): It detects and mitigates rogue APs, spoofing, and deauthentication attacks, and it provides real-time wireless traffic analytics.
• Aruba Wireless IDS/IPS: It offers intrusion detection, tracking of rogue devices, and mitigation of threats such as Evil Twin, MAC spoofing, and unauthorized SSID broadcasting.
• Kismet 2023-07-R2: A passive network detector and sniffer capable of identifying hidden SSIDs, rogue devices, and channel-hopping attackers, useful for WLAN security audits.

Tool Coverage Summary:

Table 10. Summary of wireless tools vs. supported attack or defense techniques.

Tool	Handshake Capture	Evil Twin	MitM	Deauth Detection	Rogue AP Detection
Airgeddon	✓	✓	✓	✗	✗
Wifite2	✓	✗	✗	✗	✗
Fluxion	✗	✓	✓	✗	✗
Cisco WIPS	✗	✓	✓	✓	✓
Aruba IDS/IPS	✗	✓	✓	✓	✓
Kismet	✓	✗	✗	✓	✓

summarizes different tools and their capabilities.

5. Discussion

This section provides a summary of the answers to the research questions. Subsequently, it explores potential mitigations to enhance the security of current WLAN systems implementations. In addition, it conducts a comparative analysis between this study and existing research efforts. Finally, this section addresses the limitations inherent in this study, each discussed within its respective subsection.

5.1. Addressing the Research Questions

A discussion of our findings is presented on the research questions below:

• Q1: To what extent is the current implementation of WLAN effective in resisting APTs?

Securing WLANs poses a significant challenge, mainly due to the numerous potential attack pathways they present. Compromising any device connected to a WLAN could potentially compromise the entire network. This paper explored various attack surfaces, including Radio Access Control. It is crucial to implement more robust protocols to improve security. For example, WPA3 is known for its absence of known vulnerabilities, unless it is susceptible to downgrade attacks. In contrast, enterprise-level authentication, which may require username and password signing-ins, is susceptible to social engineering tactics. Therefore, protecting radio network access requires not only the adoption of secure protocols with sufficient key lengths but also the education of users to identify and resist social engineering strategies. Another vulnerable area is the devices within the system. Protecting this surface is particularly challenging due to the wide array of potential attacks, stemming from the diversity of devices, each with different operating systems and software. Moreover, vulnerabilities are dependent not solely on the system but also on the users, whose mistakes can grant unauthorized network access. Hence, social engineering tactics can be highly effective in exploiting such weaknesses.

When analyzing attacks coming from the gateway to the ISP side, the firmware of the default gateway plays a crucial role in potential attacks originating from the ISP side, as it can facilitate greater access to the WLAN. Additionally, sniffing traffic from the ISP side can result in the interception of various data types, allowing attackers to gather information such as the types of devices transmitting traffic within the network. This knowledge not only reveals the device types present but also enables attackers to manipulate traffic sent back into the WLAN. Such manipulation could involve injecting malicious software, thereby potentially exposing more information or gaining unauthorized access to the WLAN. Given the vast array of potential attack surfaces, defending a WLAN against APTs proves highly challenging. An approach involves reducing the attack surface by scaling down the network, often at the expense of functionality. Consequently, WLANs often become attractive targets for APTs looking for initial network access.

• Q2: What characteristics make future WLAN implementations resilient and robust in countering APTs?

This paper explores various potential entry points for APT attacks and suggests multiple countermeasures that future WLAN implementations can adopt. Firstly, the implementation of robust and secure authentication methods is imperative. Using challenge–response authentication, which avoids transmitting keys or derived keys, offers notable advantages. Additionally, augmenting authentication mechanisms with multifactor authentication, certificate-based authentication, and other approaches can significantly enhance security. This is crucial given that current WLAN setups often rely on authentication with either a pre-shared key or username and password, both of which are vulnerable to exploitation. Although this enhancement may pose challenges, particularly in terms of usability, potential solutions include the adoption of zero-interaction authentication techniques, facilitated by smart authentication algorithms that leverage devices users already possess.

Another important consideration is the mitigation of unauthorized access. This can be achieved by preventing or monitoring the activity of devices already connected to the network. Furthermore, the incorporation of machine learning and AI-driven anomaly detection algorithms is essential to continuously analyze network traffic patterns and quickly detect suspicious behavior indicative of Advanced Persistent Threats (APTs). Additionally, leveraging software-defined networking (SDN) principles enables dynamic segmentation and isolation of network resources, thus hindering attackers’ ability to move laterally within the network. In addition, the implementation of zero-trust security models ensures thorough verification for each device and user who attempts to access critical network resources, thus minimizing the attack surface and bolstering overall resilience against APTs.

Another crucial consideration pertains to the distrust of back-end networks and the deployment of devices that restrict access to local networks. This might involve the implementation of tunneling techniques such as VPNs to encrypt traffic to trusted nodes, thereby minimizing ISP access. Encrypting traffic ensures that communications cannot be intercepted by ISPs. In addition, the safe implementation of other protocols such as DNS is important to conceal the nature of traffic. This involves utilizing protocols such as DNS over HTTPS (DoH) [91] and DNS over TLS (DoT) [92].

5.2. Possible Mitigation for Current Systems

In this subsection, we explore measures that can enhance the resilience of WLANs against APT attacks. As previously discussed, vulnerabilities in authentication mechanisms can be exploited, enabling attackers to transition from online to offline attack vectors. Offline attacks utilize high-performance computing to accelerate malicious activities. One essential precautionary step involves thwarting the conversion of online attacks into offline ones. This can be achieved by deploying authentication protocols specifically designed to withstand such attacks, but care must be taken to prevent downgrade attacks. However, this approach poses compatibility challenges, as certain devices may not support enhanced protocols, leaving them susceptible to these attacks. This is particularly evident in smaller devices like IoT devices.

As a result, an alternative approach emerges: segregating networks according to their distinct security requirements. This strategy involves partitioning various network components into separate entities, each tailored to handle specific types of data and devices. For instance, one could establish a dedicated network exclusively for IoT devices, keeping them isolated from networks hosting computing devices or storing sensitive data. By implementing this segregation, the vulnerability to cyber attacks is significantly diminished. This separation can be achieved through different means, ranging from comprehensive hardware segregation to the implementation of sophisticated network management techniques. Full hardware segregation entails physically isolating different network segments, ensuring that each operates independently without any direct connections. Alternatively, network administrators can leverage solutions such as IP subnetting or Virtual LANs (VLANs) to create logical partitions within a shared physical infrastructure.

An important consideration is to avoid using routers provided by Internet service providers, as these devices often include additional features that grant the ISP greater access to the local network. It is crucial to carefully select access points, opting for devices with no documented firmware vulnerabilities. Choosing open-source firmware options such as DD-WRT [93] and OpenWRT [94] can offer a viable alternative, but it is essential to ensure proper implementation to avoid misconfigurations, particularly for less experienced users.

Furthermore, deploying robust firewall configurations can effectively prevent unauthorized access. Firewalls can be specifically configured to restrict the flow of WLAN information through the gateway to the ISP, enhancing network security. Additionally, leveraging tunneling protocols can minimize the amount of information exposed to potential attacks on the gateway, reducing the attack surface and mitigating the risk of man-in-the-middle attacks. These measures collectively contribute to bolstering network security and safeguarding sensitive data from potential threats.

5.3. Comparison with Related Works

In the dynamic field of network security, particularly concerning WLANs and their resilience against APTs, our study stands out for its comprehensive and multifaceted approach. This section contrasts our research with other recent works in the field, highlighting the unique aspects and depth of our analysis.

Our research distinguishes itself by adopting a holistic approach, a criterion noticeably absent in all the discussed works [4,5,6,7,8,9,10,11,12,13,14]. This comprehensive perspective is crucial for understanding the multifaceted nature of WLAN security in the context of APTs. Unlike these studies, we do not isolate individual aspects of WLAN security but consider the entire ecosystem, providing a more thorough understanding of the vulnerabilities and resilience strategies.

Another critical area where our research excels is in considering attack scaling. Studies like [6,9,12,13] touch upon this aspect, but they do not explore it to the extent we have. Understanding how APTs scale their attacks is vital for developing robust defense mechanisms, a gap our research aims to fill.

In the realm of ISP-side traffic analysis, our study is the first among the compared works to delve into this area. This analysis is crucial for identifying and mitigating APTs, as it offers insights into traffic patterns that could indicate a breach or an ongoing attack.

Considering the resources of APTs is another area where our study stands out. All of the studies in the comparison do not take into account the significant resources at the disposal of APTs. Our research fills this gap by analyzing how the resourcefulness of APTs affects the efficacy of current WLAN security measures.

Finally, the consideration of compromised insider nodes sets our study apart. While most studies like [5,6,8,9,10,11,12,13,14] acknowledge this aspect, they do not explore it in depth. Our research not only recognizes the role of insider threats in WLAN security but also provides insights into mitigating such risks.

Table 11. Comparison with the discussed works, where ✓: topic covered and ✗: not covered.

Study	Holistic Approach	Considers Attack Scaling	ISP-Side Traffic Analysis	Considers APT Resources	Considers Compromised Insider Nodes
[4]	✗	✗	✗	✗	✗
[5]	✗	✗	✗	✗	✓
[6]	✗	✓	✗	✗	✓
[7]	✗	✗	✗	✗	✗
[8]	✗	✗	✗	✗	✓
[9]	✗	✓	✗	✗	✓
[10]	✗	✗	✗	✗	✓
[11]	✗	✗	✗	✗	✓
[12]	✗	✓	✗	✗	✓
[13]	✗	✓	✗	✗	✓
[14]	✗	✗	✗	✗	✓
Ours	✓	✓	✓	✓	✓

vividly illustrates our research’s comprehensive and unique approach in the field of WLAN security against APTs.

5.4. Limitations

This study presents certain limitations that should be acknowledged:

• The analysis is confined to publicly known vulnerabilities and exploits. APT groups, however, may possess undisclosed zero-day vulnerabilities or exploits that are not publicly documented, presenting a potential blind spot in the assessment.
• This study focuses exclusively on general-purpose high-performance computers, neglecting the possibility that APT groups might leverage supercomputers designed for specific purposes. These specialized supercomputers could offer enhanced performance capabilities beyond those of general-use high-performance computers.
• Physical attacks are not taken into account in this paper. APT groups may have the resources to execute physical attacks, gaining physical access to WLAN network equipment or devices. This aspect introduces a distinct dimension of risk that was not addressed in the scope of this study.

6. Conclusions

In conclusion, this research provides a comprehensive assessment of WLANS in the face of advanced threats, particularly APTs. By delving into the vulnerabilities and resilience of WLANs and conducting a thorough comparative analysis, this study offers valuable insights into enhancing network defenses against emerging cyber threats. Through the examination of real-world scenarios and leveraging advanced threat intelligence, the efficacy of current WLAN security measures is critically evaluated. Moreover, by proposing countermeasures and mitigation strategies, including the implementation of robust authentication methods, the adoption of AI-driven anomaly detection algorithms, and the consideration of attack scaling and insider threats, this research contributes to advancing the understanding of WLAN security dynamics and offers practical recommendations for bolstering network resilience. Overall, this study serves as a significant resource for organizations seeking to fortify their WLAN infrastructure against the persistent and sophisticated nature of APTs in the ever-evolving landscape of network security.