“Any Wi-Fi Attack Can Now Be a Remote Attack”

By the AirEye Research Team
Inspired by Mathy Vanhoef’s insights

1. Objective

Wireless threats are no longer bound to physical proximity. Pre-auth vulnerabilities, beacon spoofing, and rogue access points can now be exploited remotely — even globally — thanks to cloud relays, malicious proxies, and antenna-for-hire models. This blog post outlines a 2025-ready threat model to help organizations secure their wireless airspace against this evolving threat.

2. Assumptions

• Enterprise networks use WPA2/WPA3, 802.1X, and RADIUS for wireless access.
• Attackers have access to remote infrastructure (proxies, relays, cloud VMs).
• IoT, OT, and medical devices with Wi-Fi interfaces are present in the network.

3. Evolving Threat Landscape

Here’s how today’s threats manifest, including references to recent AirEye research:

4. Real-World Attack Scenarios

• Remote Rogue AP Injection: Cloud-hosted relay enables auto-connect to malicious AP via compromised IoT device
• SSID Stripping: Spoofed network names trick users into connecting
• Antenna-for-Hire: Nearby devices (cameras, routers) broadcast attacker payloads

5. Mitigation Strategies

• Use WDR (Wireless Detection and Response – formerly know as NACP) solutions to monitor wireless airspace anomalies, risks, threats and attacks.
• Patch Wi-Fi firmware and drivers across all endpoints
• Disable auto-join for unknown SSIDs
• Zero-trust onboarding for all IoT/OT/IOMT devices
• Audit microsegmentation assumptions — isolation doesn’t block airspace-level threats (Why not)

6. The Bottom Line

Any Wi-Fi attack can now be a remote attack.
— Mathy Vanhoef

The wireless airspace must be treated as a critical part of your attack surface — one that attackers can now reach without ever being nearby. Are you watching your airspace?

→ Need visibility? Talk to us at AirEye