When most security teams think of wireless threats, their focus stops at Wi-Fi. But in today’s hyper-connected enterprise environments, that’s just the tip of the antenna.
In this episode of Mitiga Mic, we sit down with cybersecurity veteran Joseph Salazar, now with Bastille Networks, to uncover the vast and often invisible world of wireless attack surfaces. From Bluetooth-enabled coffee mugs and smart thermostats to malicious USB cables that launch attacks from parking lots, Joseph walks us through real-world threats that operate outside your firewall and beyond traditional security tools.
You’ll learn why Wi-Fi-only strategies leave organizations blind to many in-air threats, how attackers exploit this oversight, and what you can do to take back control of your wireless airspace, a concept gaining traction in both the private sector and defense communities.
If you’re in SecOps, a CISO, or just curious about the next frontier of enterprise security, this eye-opening conversation is a must-read (or watch).
Mitiga Mic: The Wireless Threat No One’s Watching
Guest: Joseph Salazar, Cybersecurity Professional
Host: Brian Contos, Field CISO, Mitiga
The following transcript has been edited for clarity and flow.
Brian Contos:
Joseph, welcome to Mitiga Mic.
Joseph Salazar:
Hi, thanks for having me.
Brian:
So, Joseph, before we get started, maybe you could give our viewers a little bit of background about who you are, your journey, and what you do today.
Joseph:
Sure. So I am, I guess you can say, a reformed cybersecurity practitioner. I started way back in the ’90s, pre-Y2K. I got into IT and then very quickly transitioned into cybersecurity leading up to Y2K. I was basically an operator for about twenty-some years doing military and civilian.
I was in the Army Reserves. I retired after 22 years as a Major. First, I was a counterintelligence agent, then I got my commission and became a military intelligence officer. The last eight years of my career were in cybersecurity because I had stood up this thing called information operations, and part of that was cybersecurity. Because of my civilian job doing cybersecurity, I shifted over to it.
I did a lot on the private and public sector side. I worked mainly in financial services, financial institutions, several different banks. I also worked for defense contractors, all doing cybersecurity. Then I shifted focus and got recruited out of a SOC to be initially a sales engineer for this company that sold deception technology. Then I shifted over into marketing. For the past eight years, I’ve been doing product marketing for cybersecurity products.
Right now I’m at Bastille Networks doing product marketing for our wireless security products.
Brian:
Awesome, awesome. Well, I want to really dive into the wireless side. In our conversations, you always make it very clear that wireless isn’t just Wi-Fi. And I think a lot of people think, “Oh, it’s just my Wi-Fi access point,” but it’s so, so much more. It’s a big spectrum.
What do organizations usually deploy to cover wireless security? What are some of the ways they approach it?
Joseph:
So, you know, back when Wi-Fi first started becoming really prevalent and started moving into the enterprise, there were different versions of encryption that they would use and authentication. So, you had WEP, you had WPA, WPA2, and now WPA3. Plus, you have all the enterprise-level things that they would use to secure the communication.
So, first of all, they would start with encryption. You’d make sure at least that you’re using the built-in encryption and protection mechanisms for authentication and encryption within the protocol, and whatever your hardware supported is what you had. Unfortunately, a lot of those protocols did have weaknesses.
Like, for example, WPA2 and lower—one of the things you could do for an Evil Twin attack is you could deauthenticate everybody that’s connected to an access point using WPA2 or lower by just broadcasting a mass deauthentication signal. So there were all these little weaknesses.
They started adding other things like WIPS, wireless intrusion prevention systems, and WIDS, wireless intrusion detection systems. The goal there would be to try to detect unauthorized access on wireless and Wi-Fi and then try to detect it and go find it. But in order to find it, you would need a finishing tool. We call it a finishing tool, where you would walk around with things like a Yellowjacket or handheld devices that are essentially RF direction finders until you could find the emanator, the antenna that was transmitting.
You’d also add things like network segmentation or hardening to try to prevent lateral movement, at least over wireless networks. Because again, at some point the wireless network connects with the wired network, and so you’re getting onto a switched network. You can at least limit that lateral movement with proper segmentation and hardening – internal network firewalls and rules on routers.
Then you’d add access controls. Every device that connects to a network has a MAC address of some sort. So you could do a whitelist/blacklist approach with access controls. If something wasn’t authorized, didn’t have the right versions of software, AV, or wasn’t an approved MAC address, you’d send it to a containment area for investigation.
You could also do things like NAC, or switch-level security. But of course, there’s no such thing as a wireless switch. So, switch-level security has limitations, and so does NAC because MAC addresses can be software-defined and constantly change.
So, there are things that they would do, but a lot of those had gaps. You would sort of have to rely on a full zero-trust approach, try to get everything working at the appropriate level to protect your wireless network. Sometimes that approach wasn’t always the greatest, but at least you’d have a level of security you could be comfortable with. Any residual risk you had, you’d have to accept or add to the risk register.
Brian:
So let me ask you: let’s say I’m in SecOps or maybe I’m a CISO with an organization, and I have wireless—everybody does—and I’m concerned about what I should do. What are some things I might be missing? What are some things I should be considering that most people aren’t thinking about right off the bat?
Joseph:
One of the big things is that people, when they hear “wireless,” automatically assume Wi-Fi, and that’s not the case. If you consider what’s in your enterprise environment right now, you’ve got people walking around with smartwatches, wireless earbuds, medical devices that have Bluetooth, like a glucose monitor or insulin pump. You’ve got smart thermostats, IoT devices, badge readers, cameras. Even something as simple as an Ember mug to keep your coffee warm has Bluetooth.
And that’s just one side, because there are two networks in every enterprise: IT and OT. Operational technology. That’s your ICS, your SCADA, your functional devices. Technically not IoT, but still operational infrastructure.
These now come with wireless as well. For example, there are metal fabricating machines that have Wi-Fi and Bluetooth active from the factory. Or chillers for giant data center racks with a Zigbee console built in, so you can access it without the Wi-Fi network.
You can’t just blacklist Bluetooth, because everybody uses it. In government, you might be able to restrict access, but for regular enterprises, you can’t stop Bluetooth. You’re going to have people wearing Bluetooth earpieces. Receptionists use them, smartwatches, smartphones—one smartphone might have four or five antennas: Wi-Fi, Bluetooth, NFC, multiple for cellular. Cellular is a whole other thing. Different bands, different frequencies, all in your enterprise right now.
And we haven’t even talked about microwave antennas or Starlink. All these are in your environment, and if you’re just focusing on Wi-Fi, you’re missing about 80% of the wireless signals around you.
Brian:
We had a conversation before where you told me about some of these cameras. They can be solar powered, no power cable, and they operate on a cellular network. You can put them anywhere, and they record directly to the cloud.
Joseph:
Yeah, and they’re completely separate from your security stack. No firewalls, no IPS, no authentication. They’re out-of-band. That’s called a sideband or out-of-band attack.
And we’ve found these. There was a customer that found bugs in their headquarters when they first deployed us. Audio and video bugs. There are concerns in government agencies, executive boardrooms, and conference rooms. Someone could accidentally leave an AirPod behind with the mic on. People leave AirPods all the time.
The problem is, those operate completely outside your standard network security. And then you’ve got things like cables that look like phone chargers: OMG cables or Ninja cables. They’ve got a Bluetooth or Wi-Fi antenna built in and preloaded payloads. Plug it in, and someone can remotely connect and launch BadUSB scripts: data exfiltration, commands, watering hole websites that open and close in a flash.
Unless you’re watching the screen, you’d never know. Some operate over Bluetooth and Bluetooth Low Energy. Original spec was 100 meters. Current spec, Bluetooth 5, is 1,000 meters under ideal conditions.
Imagine a parking lot. Someone 500 meters away could connect to a cable plugged into your machine, launch BadUSB scripts, exfiltrate data. I don’t even need to do traditional exfiltration. I can copy data to a URL on your own web server. Your server is supposed to give data, so you’d never notice.
Brian:
And you were saying those OMG cables, you can’t tell the difference between one of those and a normal cable.
Joseph:
No. The original design came from the NSA. They were sold for $20,000. Now you can buy them for under $200. You could fill a backpack with them. There’s a device called a Wi-Fi Ducky. It’s like a Rubber Ducky but with a built-in Wi-Fi antenna. You plug it in, connect remotely, and run your payloads. Sold for $75.
Why attack the front door when you can just use one of these?
Brian:
So what can organizations do to mitigate this and close these gaps?
Joseph:
There are a few things. You can take lessons from government. They do RF shielding. Set up special secure areas, executive conference rooms, SCIFs, painted with RF-shielding paint that has metallic flecks. It interrupts signals and reduces transmission range. Movie theaters and concert halls use it to block cell service.
You can use wire mesh, foil-backed insulation, basically creating Faraday cages. But those are limited.
There’s a new category called wireless airspace defense. Gartner released a paper in early 2024 about it. They said traditional controls don’t address RF risks adequately. Wireless airspace defense monitors the whole spectrum, not just Wi-Fi, but Bluetooth, cellular, Zigbee.
The inspiration comes from SIGINT and EW. Signals intelligence and electronic warfare. Now they’re bringing that to enterprise security. You want visibility. You want to be able to find transmitters and analyze that data without needing a PhD in RF.
Ideally, tie it into your SIEM, SOAR, video surveillance, make your security stack aware of wireless threats. Detect, alert, respond.
You can even do assessments. Are there any wireless access points with no security or authentication?
All of this falls under wireless airspace defense. There are basic physical solutions, Faraday bags, shielding, mesh, and there are full-scale deployments that cover millions of square feet. We’re up to 4 million square feet of wireless airspace coverage now.
It’s an understudied, underprotected area. And attackers are counting on that.
Brian:
And it’s not theoretical. There was an attack you told me about over Thanksgiving?
Joseph:
Yeah. Thanksgiving 2024, reported by Velocity Security. A wireless attack was initiated from 6,000 miles away. An APT group broke into an organization by leveraging neighboring Wi-Fi networks, two of them, to access the target. It’s called the nearest neighbor attack.
There are over 60 billion wireless devices now. The number of IoT devices that are wireless is expected to triple in less than 10 years. We’re talking from about 13 billion to about 40 billion.
Brian:
Wireless airspace defense, everybody, check it out. Joseph, you painted a very grim picture, but thank you so much for being part of Mitiga Mic.
Joseph:
Thanks for having me.