Attacking WiFi with traffic injection

This presentation aims at showing WiFi trafic injection applications in order to practically demonstrate weaknesses of commonly deployed WiFi environments, aka WEP or open networks such as hotspots, for network itself and also for stations connected to it. A practical point of vue is adopted instead of giving another "WiFi is insecure" theorical brief.

The first part will briefly present 802.11 basics so everyone can understand the whole stuff (management vs. data, how injection works, consequences of injection, etc.) and is ready to understand consequences and thus applications. WiFi adapters, drivers (e.g. hostap) and tools will also be shortly introduced.

The second part will develop practical injection cases, with references to existing tools. The very last topic (WiFi stations attacks) will be developped to show how one can just compromise a random host on a WiFi network without even being associated.

  • DoS using management traffic (disassoc, beacons)
  • WEP cracking methods
  • Captive Portal (commercial hotspots) breakthrough
  • WiFi station attacks

The third part will focus on how recent protection schemes, aka WPA and WPA2/802.11i, can prevent or mitigate such kind of attacks and give a conclusion to the presentation.


Cedric has spent the last 4 years working in network and Unix systems security field, performing audits and penetration testing. In 2004, he joined EADS Corporate Research Center to perform R&D within the network security field, including wireless technologies. He is an active member of Rstack team and French Honeynet Project with studies on honeynet containment, honeypot farms and network traffic analysis. He also has delivered technical presentations (Eurosec, SSTIC, Cansecwest, etc.) and articles (MISC, SSTIC, etc.) about network security.