Wi-Fi monitoring
Guardian Air passively monitors Wi-Fi traffic to discover access points, client devices, and wireless networks, and to detect Wi-Fi-based attacks.
Overview
Guardian Air uses a Realtek 8821CU Wi-Fi adapter to capture 802.11 management frames. The sensor hops channels across the 2.4 GHz and 5 GHz frequency bands so that, over time, it covers every active Wi-Fi channel. Because a single adapter listens on one channel at a time, a short burst of frames on another channel can be missed while the sensor is hopping. Guardian Air synchronizes the captured data to Vantage for analysis and alert generation.
What Guardian Air discovers
During Wi-Fi monitoring, Guardian Air collects the following information for each detected network and device.
| Data point | Description |
|---|---|
| service set identifier (SSID) | The network name broadcast in beacon and probe response frames. |
| basic service set identifier (BSSID) | The media access control (MAC) address of the access point. |
| Channel | The operating channel of the network. |
| Frequency band | 2.4 GHz or 5 GHz. |
| Security protocol | The security protocol in use: open, Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), or Wi-Fi Protected Access 3 (WPA3). |
| Cipher suite | The cipher suites supported by the network, as advertised in the access point's information elements. |
| management frame protection (MFP) | Whether MFP is enabled on the network. |
| pairwise master key identifier (PMKID) | Presence of a PMKID in an RSN information element of the network's traffic (normally the first EAPOL frame of the 4-way handshake or an association request). On WPA/WPA2-Personal networks a captured PMKID allows an offline dictionary attack against the pre-shared key without any connected client, depending on network configuration. |
| Remote Authentication Dial-In User Service (RADIUS) authentication | Whether the network uses 802.1X RADIUS-based authentication (WPA-Enterprise). |
| Client devices | MAC addresses and probe requests from devices associated with or searching for Wi-Fi networks. |
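The fields above come straight out of beacon frames: the SSID, DS parameter (channel), and RSN information element are tagged parameters after the fixed fields, and MFP is a pair of bits in the RSN capabilities. The following is an added example (not Guardian Air's code) that parses a raw beacon into those fields; the frames and RSN elements are constructed sample input, and the `classify` mapping of AKM suites to protocol names is a simplification (it does not separate WPA3-Enterprise from WPA2-Enterprise).

```python
"""Parse a captured 802.11 beacon into the fields the discovery table lists."""
import struct

SUITE_OUI = b"\x00\x0f\xac"   # IEEE suite selector OUI used in the RSN IE
WPA1_OUI = b"\x00\x50\xf2"    # Microsoft OUI: legacy WPA (v1) vendor IE, type 1
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}


def _suite_list(buf, off, names):
    """Read a 2-byte count followed by 4-byte suite selectors; return (names, new_off)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    out = []
    for _ in range(count):
        oui, typ = buf[off:off + 3], buf[off + 3]
        out.append(names.get(typ, f"type:{typ}") if oui == SUITE_OUI
                   else f"vendor:{oui.hex()}:{typ}")
        off += 4
    return out, off


def parse_rsn(ie):
    """Decode an RSN information element (element ID 48).

    The same layout appears in association requests and in EAPOL message 1,
    which is where a non-zero PMKID count (and the PMKID itself) normally shows up.
    """
    version = struct.unpack_from("<H", ie, 0)[0]
    group = CIPHERS.get(ie[5], f"type:{ie[5]}") if ie[2:5] == SUITE_OUI else "vendor"
    pairwise, off = _suite_list(ie, 6, CIPHERS)
    akms, off = _suite_list(ie, off, AKMS)
    caps = struct.unpack_from("<H", ie, off)[0] if len(ie) >= off + 2 else 0
    pmkid_count = struct.unpack_from("<H", ie, off + 2)[0] if len(ie) >= off + 4 else 0
    return {"version": version, "group_cipher": group, "pairwise_ciphers": pairwise,
            "akm_suites": akms,
            "mfp_capable": bool(caps & 0x0080),   # RSN capabilities bit 7 (MFPC)
            "mfp_required": bool(caps & 0x0040),  # RSN capabilities bit 6 (MFPR)
            "pmkid_count": pmkid_count}


def classify(privacy, rsn, wpa1):
    """Map the privacy capability bit plus RSN/WPA IEs to a protocol label (simplified)."""
    if rsn:
        akms = set(rsn["akm_suites"])
        if akms & {"SAE", "FT-SAE"}:
            # PSK next to SAE is WPA3 transition mode: clients can still be downgraded to WPA2.
            return "WPA3-Personal (transition)" if akms & {"PSK", "PSK-SHA256"} else "WPA3-Personal"
        if "OWE" in akms:
            return "OWE (Enhanced Open)"
        if akms & {"802.1X", "FT-802.1X", "802.1X-SHA256"}:
            return "WPA2-Enterprise (802.1X/RADIUS)"
        return "WPA2-Personal"
    if wpa1:
        return "WPA"
    return "WEP" if privacy else "open"   # privacy bit without an RSN/WPA IE means WEP


def _ies(body):
    """Yield (element_id, payload) for each tagged parameter; tolerate a truncated tail."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        yield eid, body[off + 2:off + 2 + length]
        off += 2 + length


def parse_beacon(frame):
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x0C) != 0 or ((fc >> 4) & 0x0F) != 8:   # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    capability = struct.unpack_from("<H", frame, 34)[0]  # 24-byte header + 8 timestamp + 2 interval
    info = {"bssid": frame[16:22].hex(":"), "ssid": None, "channel": None, "rsn": None}
    wpa1 = False
    for eid, val in _ies(frame[36:]):
        if eid == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 3 and val:
            info["channel"] = val[0]
        elif eid == 48:
            info["rsn"] = parse_rsn(val)
        elif eid == 221 and val[:4] == WPA1_OUI + b"\x01":
            wpa1 = True
    info["security"] = classify(bool(capability & 0x0010), info["rsn"], wpa1)
    return info


def beacon(ssid, channel, rsn_ie=None, privacy=True):
    """Build a minimal beacon frame (constructed sample input, not a real capture)."""
    header = bytes.fromhex("8000" "0000" "ffffffffffff" "021122334455" "021122334455" "0000")
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0011 if privacy else 0x0001)  # ESS (+Privacy)
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    if rsn_ie:
        ies += bytes([48, len(rsn_ie)]) + rsn_ie
    return header + fixed + ies


# Constructed RSN IEs, hex laid out field by field: version, group, pairwise, AKM, capabilities.
RSN_WPA2_PSK = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "8000")
RSN_WPA3_TRANSITION = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "8000")
RSN_ENTERPRISE_MFPR = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "c000")

if __name__ == "__main__":
    for f in (beacon("CorpNet", 6, RSN_WPA2_PSK), beacon("CorpNet", 36, RSN_WPA3_TRANSITION),
              beacon("CorpNet-Ent", 44, RSN_ENTERPRISE_MFPR), beacon("Guest", 1, privacy=False)):
        print(parse_beacon(f))
```

The MFP flags matter for the deauthentication verdicts in the next section: an access point that only advertises MFP capable (bit 7) still accepts clients that negotiate no protection, so only MFP required (bit 6) guarantees that unprotected deauthentication frames are discarded.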
Attack detection
Guardian Air includes a Wi-Fi detection engine that identifies the following attack patterns.
| Attack type | Description |
|---|---|
| Beacon flood | A high volume of beacon frames broadcast to overwhelm client device scanning and degrade Wi-Fi usability. |
| Random beacon flood | A beacon flood using randomized SSIDs to evade simple signature-based filters. |
| Probe request flood | A flood of probe request frames sent to discover networks or disrupt client scanning. |
| Flipper Zero beacon flood | A signature-based detection of beacon floods using recognizable SSID sequences associated with Flipper Zero and similar devices. |
| Deauthentication attack | Multiple deauthentication frames detected in a short period, aimed at disconnecting clients from access points. Guardian Air reports a Deauth Attack Attempt when MFP is enabled on the network (clients discard unprotected deauthentication frames), or a Deauth Attack Success when MFP is not enabled. |
| Packet injection | Wireless injection detected through traffic heuristics, such as high-frequency packet anomalies or replay activity. |
| SSID cross-site scripting (XSS) injection | An SSID in a captured packet contains script markup, indicating an XSS injection attempt against a management interface that renders SSIDs, or a malformed field. |
| Region/country mismatch | A device uses a frequency that is only authorized in a different regulatory region than where the sensor is deployed. |
| Repeated connection attempts | A device has failed to connect to an access point multiple times, typically due to an incorrect password. |
| Malicious device (Pwnagotchi) | Detection of a Pwnagotchi device or its attack engine becoming active, including changes to deauthentication or association attack settings. |
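The deauthentication and beacon-flood entries are rate detections over a sliding window, with the deauthentication verdict depending on the target network's MFP status. The following is an added example (not Guardian Air's detection engine) showing that logic over a constructed stream of frame records: a burst of deauthentication frames against an MFP-enabled and an MFP-less access point, then a random-SSID beacon flood and a same-SSID beacon flood. The window length, thresholds and the distinct-SSID ratio are assumptions for illustration, not documented product values.

```python
"""Sliding-window detection of deauthentication and beacon-flood patterns."""
from collections import defaultdict, deque

WINDOW = 1.0              # seconds of history kept per key (assumed)
DEAUTH_THRESHOLD = 10     # deauth frames per BSSID per window (assumed)
NEW_BSSID_THRESHOLD = 40  # never-seen BSSIDs per window that count as a flood (assumed)
RANDOM_SSID_RATIO = 0.9   # share of distinct SSIDs that marks a random flood (assumed)


class WifiDetector:
    def __init__(self, mfp_by_bssid):
        # MFP status per BSSID, as learned from the RSN capabilities in beacons.
        self.mfp = mfp_by_bssid
        self.deauth = defaultdict(deque)   # bssid -> (ts,) of recent deauth frames
        self.known_bssids = set()
        self.new_bssids = deque()          # (ts, bssid, ssid) of first-seen BSSIDs
        self.last_alert = {}               # (kind, key) -> ts, for de-duplication
        self.alerts = []                   # (ts, kind, key)

    @staticmethod
    def _trim(dq, now):
        while dq and now - dq[0][0] > WINDOW:
            dq.popleft()

    def _raise(self, ts, kind, key):
        # One alert per kind/key per window, so a 5 s flood does not emit 500 alerts.
        last = self.last_alert.get((kind, key))
        if last is None or ts - last > WINDOW:
            self.last_alert[(kind, key)] = ts
            self.alerts.append((ts, kind, key))

    def feed(self, ts, subtype, bssid, ssid=None):
        """Consume one frame record (timestamp, management subtype, BSSID, SSID)."""
        if subtype == "deauth":
            dq = self.deauth[bssid]
            dq.append((ts,))
            self._trim(dq, ts)
            if len(dq) >= DEAUTH_THRESHOLD:
                # With MFP (802.11w) enabled, clients discard unprotected deauth
                # frames, so the burst is only an attempt; without MFP it succeeds.
                kind = "Deauth Attack Attempt" if self.mfp.get(bssid) else "Deauth Attack Success"
                self._raise(ts, kind, bssid)
        elif subtype == "beacon":
            if bssid not in self.known_bssids:
                self.known_bssids.add(bssid)
                self.new_bssids.append((ts, bssid, ssid))
            self._trim(self.new_bssids, ts)
            if len(self.new_bssids) >= NEW_BSSID_THRESHOLD:
                ssids = [s for _, _, s in self.new_bssids]
                distinct = len(set(ssids)) / len(ssids)
                kind = "Random beacon flood" if distinct >= RANDOM_SSID_RATIO else "Beacon flood"
                self._raise(ts, kind, "flood")
        return self.alerts


def run_sample():
    """Replay a constructed frame stream and return the (kind, key) alerts in order."""
    mfp = {"aa:bb:cc:00:00:01": True, "aa:bb:cc:00:00:02": False}
    det = WifiDetector(mfp)
    # Normal traffic: two known APs beaconing at 10 beacons/s for one second.
    for i in range(10):
        det.feed(i / 10, "beacon", "aa:bb:cc:00:00:01", "CorpNet")
        det.feed(i / 10, "beacon", "aa:bb:cc:00:00:02", "Guest")
    # 12 deauth frames in 60 ms against the MFP-enabled AP, then the same against the other.
    for i in range(12):
        det.feed(1.0 + i * 0.005, "deauth", "aa:bb:cc:00:00:01")
    for i in range(12):
        det.feed(2.0 + i * 0.005, "deauth", "aa:bb:cc:00:00:02")
    # 60 beacons from 60 fresh BSSIDs with unique SSIDs in 0.3 s (random flood).
    for i in range(60):
        det.feed(3.0 + i * 0.005, "beacon", f"02:00:00:00:00:{i:02x}", f"net-{i:04x}")
    # 60 fresh BSSIDs all advertising one SSID (plain beacon flood / evil-twin noise).
    for i in range(60):
        det.feed(6.0 + i * 0.005, "beacon", f"02:00:00:01:00:{i:02x}", "CorpNet")
    return [(kind, key) for _, kind, key in det.alerts]


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

Keying the flood detector on never-before-seen BSSIDs rather than on beacon count keeps a dense office with dozens of legitimate access points below threshold, since those BSSIDs are learned once. The distinct-SSID ratio is a crude stand-in for the randomness check; a production engine would also look at SSID entropy and at the Flipper Zero style fixed SSID sequences the table mentions.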
Hardware
Wi-Fi monitoring uses the Realtek 8821CU universal serial bus (USB) Wi-Fi adapter (interface wlan0). The adapter supports the 2.4 GHz and 5 GHz frequency bands. Guardian Air operates the adapter in monitor mode to capture all 802.11 frames without associating to any network.