Proximity wireless exploitation
Attacks against a target's WiFi and Bluetooth devices from within radio range — no network credentials needed. Exploits the long, continuing CVE history in consumer wireless protocols (WPA2/WPA3, Bluetooth Classic and LE, vendor chipset firmware) plus the protocol-level weaknesses (evil-twin, deauth) that work as designed, even on patched, well-defended networks. Range is measured in meters, not network hops.
The consumer wireless stack — WiFi and Bluetooth, the radios in almost every phone, laptop, watch, speaker, and IoT device sold in the last two decades — has a long, continuing record of published vulnerabilities. The relevant property for targeting operations is that almost all of them require proximity rather than network credentials. An actor in the same building, the parking lot, or a vehicle on the street has working techniques to choose from.
Protocol-level weaknesses are the foundation. The 802.11 standard permits deauthentication frames that any radio in range can send to any client, kicking it off its network — used historically as the first step in evil-twin captures. The standard also permits any access point to advertise any SSID; client devices that remember a previously-joined network will preferentially join the rogue AP if its signal is stronger. WPA2 and WPA3 have both had high-impact protocol-level CVEs (KRACK, Dragonblood, FragAttacks) that bypass the encryption guarantees on which the entire WiFi security model rests. Many devices that received patches for these in client OS updates run on chipsets whose firmware was never patched.
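Both behaviours described above, deauthentication frames and one SSID beaconed by more than one BSSID, are visible in a monitor-mode capture. As an added example that is not code from the original page, here is a small Python detector for them; the frame layout follows the standard 802.11 management header, while the sample frames, MAC addresses, SSID and flood threshold are constructed assumptions.

```python
# Added example, not from the original page: flag a deauthentication flood and
# an SSID advertised by several BSSIDs (possible evil twin) in raw 802.11 frames.
import struct
from collections import Counter, defaultdict
DEAUTH, DISASSOC, BEACON = 0xC, 0xA, 0x8  # 802.11 management-frame subtypes
HDR = "<HH6s6s6sH"  # frame control, duration, addr1..3, sequence control

def parse_frame(frame: bytes) -> dict:
    """Decode an 802.11 header (no radiotap): type, subtype, addresses, body."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from(HDR, frame, 0)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "dst": a1.hex(":"), "src": a2.hex(":"), "bssid": a3.hex(":"),
            "body": frame[24:]}

def beacon_ssid(body: bytes) -> str:
    """Return the SSID (tag id 0) from a beacon body, or "" if absent."""
    pos = 12  # skip fixed fields: timestamp(8), interval(2), capability(2)
    while pos + 2 <= len(body):
        eid, ln = body[pos], body[pos + 1]
        if eid == 0:
            return body[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
        pos += 2 + ln
    return ""

def analyze(frames, deauth_threshold=10):
    """Alerts: deauth/disassoc bursts per sender, and SSIDs seen on >1 BSSID."""
    deauth_by_src, bssids_by_ssid = Counter(), defaultdict(set)
    for f in map(parse_frame, frames):
        if f["type"] != 0:  # only management frames are of interest here
            continue
        if f["subtype"] in (DEAUTH, DISASSOC):
            deauth_by_src[f["src"]] += 1
        elif f["subtype"] == BEACON:
            bssids_by_ssid[beacon_ssid(f["body"])].add(f["bssid"])
    alerts = [f"deauth flood from {s} ({n} frames)"
              for s, n in deauth_by_src.items() if n >= deauth_threshold]
    alerts += [f"ssid {ssid!r} advertised by {len(b)} BSSIDs"
               for ssid, b in bssids_by_ssid.items() if len(b) > 1]
    return alerts

def mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed management frame for testing, not a captured packet."""
    return struct.pack(HDR, subtype << 4, 0, dst, src, bssid, 0) + body

# Constructed sample: 12 deauths carrying the real AP's address, then the real
# AP and a second BSSID both beaconing "HomeNet". Real monitors window by time.
AP, ROGUE, CLIENT = (bytes.fromhex(h) for h in ("0211223344aa", "02deadbeef01", "0299887766bb"))
BCAST, BODY = b"\xff" * 6, bytes(12) + b"\x00\x07HomeNet"
SAMPLE = [mgmt_frame(DEAUTH, CLIENT, AP, AP)] * 12 + [
    mgmt_frame(BEACON, BCAST, AP, AP, BODY), mgmt_frame(BEACON, BCAST, ROGUE, ROGUE, BODY)]
```

Running `analyze(SAMPLE)` yields one flood alert for the AP's address and one alert for "HomeNet" on two BSSIDs; a live deployment would feed frames from a monitor-mode interface and count per time window rather than per capture.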
Bluetooth-side weaknesses are similar but worse, because Bluetooth's threat model historically assumed proximity and trust, neither of which holds in adversarial environments. BlueBorne (2017) was a chain of CVEs that allowed remote code execution against billions of Bluetooth-enabled devices with no user interaction; subsequent disclosures (BleedingTooth, BrakTooth, BlueFrag) continued the pattern. Bluetooth Low Energy (BLE), used by most modern consumer devices, broadcasts MAC addresses that consumer devices often fail to randomize properly despite vendor claims — enabling device fingerprinting and cross-space tracking.
Implementation and chipset CVEs sit underneath both. The radio chipset is a small computer with its own firmware, often closed-source, often unpatched for the lifetime of the consumer device. Vulnerabilities in the chipset itself — Broadcom, MediaTek, Qualcomm, Apple — can be exploited via crafted radio frames the host OS never sees, because the chipset handles the radio before the host stack does. The host can be fully patched and the chipset still vulnerable.
The attacker advantages:
- No credentials needed. Most protocol-level attacks (evil-twin, deauth, KRACK-class, BleedingTooth) work without the attacker ever having the network password.
- Proximity is cheap. Same building, adjacent parking, vehicle on the street, drive-by from a phone. The historical "wardriving" infrastructure is a footnote — modern equivalents fit in a backpack.
- Always-on victims. Phones and laptops keep radios active for background sync, push notifications, location services, and proximity features. The radios are listening even when the user thinks the device is idle.
- The sleeping target is most exposed. Eight hours of unattended radio activity per night, during the window the target cannot monitor.
- Plausibly deniable. A failed pairing attempt, a phone that "lost WiFi briefly," a Bluetooth device that "needed to be re-paired" — every observable artifact of an attack has an innocent explanation.
The defensive practice is operational, not technological. Patching helps against published CVEs after the patch ships; it does not help against unpublished ones, against unpatched chipsets, or against the protocol-level attacks (deauth, evil-twin) that work as-designed. The only reliable defense is to reduce the attacker's radio access — ethernet wherever possible, radios off when not actively in use, fewer wireless devices in the environment. The technique entry on No wireless details the migration path.
This tactic pairs with WiFi sensing — the passive-observation counterpart to active exploitation. Both work from within radio range; both are dramatically more effective when the target operates radios from inside their own environment.
Where this appeared in the storm