Security Audit - Checklist for IT pros

Wireless Security Auditing: A Checklist for IT Professionals

Most corporate wireless audits are either too surface-level ("we have a password on it") or too expensive (hiring an external firm for a full wireless pentest). There is a practical middle ground: a structured internal review using a clear checklist and some low-cost tools. This article is that checklist.

It is written for IT professionals at small to medium businesses who want to verify their wireless posture without a specialized wireless security background. Each item covers what to check, why it matters, and how to verify it. Where the BLEShark Nano is a practical tool for the check, that is noted.

Before you start: scope and documentation

A wireless audit without documentation is just poking around. Before any testing:

  • Get written authorization from whoever owns or manages the network. Even if that is you. Written authorization matters for legal protection.
  • Document every SSID and BSSID (AP MAC address) that belongs to your organization. You cannot detect rogue APs without knowing which APs are legitimate.
  • List every physical AP location and model. Firmware versions matter for known vulnerabilities.
  • Note whether any testing involves deauth or active probing - these need to be scheduled during low-traffic periods or when you have confirmed it will not disrupt operations.

In the EU: the deauth feature on devices like the BLEShark Nano is disabled by firmware to comply with the Radio Equipment Directive (RED). In the EU, passive listening and scanning are unrestricted, but intentionally sending deauth frames is regulated. Check your local regulations before any active testing.

Encryption and authentication

Check: What encryption protocol is in use on each SSID?

The hierarchy from most to least secure: WPA3 > WPA2 > WPA (WPA1) > WEP > Open. WEP is cryptographically broken and should be treated as equivalent to no encryption. WPA1/TKIP is deprecated and nearly as bad. WPA2 with AES/CCMP is the current acceptable minimum. WPA3 with SAE (Simultaneous Authentication of Equals) is the target state.

How to check: Most enterprise wireless management systems (Cisco Meraki, Ubiquiti UniFi, Aruba) show the security mode per SSID in the management console. You can also verify from a client device - on Android, connecting to a network shows the security type; on iOS, Wi-Fi settings show "Security" under the connected network. For a passive outside-in view, a WiFi scanner will show the security type advertised in beacon frames.

The BLEShark Nano's WiFi scanner shows detected APs with their SSID, BSSID, channel, signal strength, and security type. Running a quick scan of your environment shows exactly what your wireless looks like from the outside - including any SSIDs you might not have known were active.

Remediation: Any SSID using WEP or WPA1 should be updated or disabled immediately. WPA2 is acceptable with AES - if TKIP is configured, change it to CCMP. WPA3 migration should be planned for networks where the AP hardware supports it.

Protected management frames

Check: Is PMF (Protected Management Frames / 802.11w) enabled?

PMF protects deauthentication and disassociation frames from spoofing. Without PMF, any device can send a deauth frame claiming to be your AP and kick clients off the network. With PMF enforced, these management frames carry a cryptographic integrity check derived from the client's session keys, so forged (unauthenticated) ones are ignored.

PMF has three states: Disabled (no protection), Optional (clients can use it if they support it), and Required (only PMF-capable clients can associate). "Required" is the strongest setting but may exclude older clients.

How to check: In your wireless management console, look for "Management Frame Protection," "802.11w," or "Protected Management Frames" in the SSID security settings. Verify what state each SSID is in.

To test whether PMF is actually working as configured: with PMF set to "Required," a deauth attack should have no effect on connected clients. The BLEShark Nano's deauth feature can be used to send test deauth frames (against your own network, with authorization) and verify that PMF-protected clients stay connected. If they disconnect, PMF is not functioning as expected. This is the most reliable way to verify the setting works rather than just assuming the checkbox does something.

Remediation: Set PMF to "Required" on WPA3 networks (it is mandatory in the WPA3 spec). On WPA2 networks, set to "Optional" minimum, "Required" if all clients support it. Verify with an active deauth test.

graph TD
    subgraph PHASE1["Phase 1: Inventory and Scope"]
        A1["Document all authorized APs<br/>MAC, SSID, location, firmware"]
        A2["Map physical coverage areas"]
        A3["Identify client device types<br/>corporate, BYOD, IoT"]
        A4["Define compliance requirements<br/>PCI-DSS, HIPAA, SOC2"]
        A1 --> A2 --> A3 --> A4
    end
    subgraph PHASE2["Phase 2: Encryption and Auth"]
        B1["Verify WPA3 or WPA2-Enterprise<br/>on all corporate SSIDs"]
        B2["Check for WPA2-Personal<br/>or WEP (flag as critical)"]
        B3["Validate 802.1X RADIUS config<br/>certificate validation enforced?"]
        B4["Test PSK complexity<br/>dictionary attack resistance"]
        B1 --> B2 --> B3 --> B4
    end
    subgraph PHASE3["Phase 3: Rogue Detection"]
        C1["Scan for unauthorized APs<br/>from multiple vantage points"]
        C2["Check for evil twin SSIDs<br/>matching corporate names"]
        C3["Verify WIDS/WIPS alerts<br/>functional and monitored"]
        C4["Test deauth resilience<br/>(802.11w PMF enabled?)"]
        C1 --> C2 --> C3 --> C4
    end
    subgraph PHASE4["Phase 4: Network Segmentation"]
        D1["Verify guest isolation<br/>from corporate VLANs"]
        D2["Test IoT device segregation"]
        D3["Validate captive portal security"]
        D4["Check inter-SSID routing rules"]
        D1 --> D2 --> D3 --> D4
    end
    subgraph PHASE5["Phase 5: Reporting"]
        E1["Categorize findings by severity"]
        E2["Map to compliance frameworks"]
        E3["Provide remediation timeline"]
        E4["Schedule re-test date"]
        E1 --> E2 --> E3 --> E4
    end
    PHASE1 --> PHASE2 --> PHASE3 --> PHASE4 --> PHASE5

Five-phase wireless security audit workflow - from inventory and scoping through encryption validation, rogue detection, segmentation testing, and final reporting with remediation priorities.

WPS status

Check: Is WPS (Wi-Fi Protected Setup) enabled on any AP?

WPS PIN authentication has a well-documented flaw (Viehböck, 2011): the 8-digit PIN is validated in two 4-digit halves, reducing the brute-force search space from 100 million to roughly 11,000 combinations. The Pixie-Dust attack makes WPS PIN cracking faster still on certain chipsets. WPS should be disabled everywhere.

How to check: Log into each AP's management interface and look for WPS settings. Many APs have a hardware WPS button - having the button does not mean WPS is software-enabled, but it is worth verifying. Some older AP firmware had a bug where WPS remained enabled in software even when the admin configured it as disabled.

Remediation: Disable WPS on every AP. If the AP firmware has the re-enable bug, update to the latest firmware first, then disable. Verify by checking whether a WPS-capable client can still find a WPS network on that SSID.

SSID configuration

Check: Do any SSIDs reveal sensitive information?

SSIDs are broadcast publicly in beacon frames. Anyone with a WiFi scanner can see every SSID in your environment. Using your company name, office address, or internal system names as an SSID tells attackers more than they need to know. "CompanyName-Corporate" or "Floor3-Servers" gives an attacker useful reconnaissance data at zero cost.

How to check: Run a passive scan of your environment from outside your building (or from the parking lot). What does your wireless look like to someone who should not know anything about your network? The BLEShark Nano's WiFi scanner shows exactly what is broadcasting and visible from that physical position.

Also check: Are there any SSIDs you do not recognize? Unknown SSIDs from your own AP hardware could indicate unauthorized SSID configuration. SSIDs from unknown BSSIDs could be rogue APs.

Check: Is SSID hiding in use?

SSID hiding ("hidden network") is not a security control. The SSID is still transmitted in probe responses and association frames - it just does not appear in passive beacon scans. It adds inconvenience for legitimate users and essentially no security against any attacker with a scanner. Do not rely on it as a control, but also do not spend effort removing it if it is already configured and someone depends on it.

graph TD
    START["Wireless Audit<br/>Finding"] --> ENC{"Encryption<br/>check?"}
    ENC -->|"WEP or Open"| CRIT_ENC["CRITICAL<br/>Immediate remediation<br/>Upgrade to WPA3/WPA2-Enterprise"]
    ENC -->|"WPA2-PSK"| MED_ENC["MEDIUM<br/>Migrate to 802.1X<br/>or ensure complex PSK"]
    ENC -->|"WPA2/WPA3 Enterprise"| OK_ENC["PASS<br/>Verify cert validation"]
    START --> ROGUE{"Rogue AP<br/>detected?"}
    ROGUE -->|"Yes - corporate SSID"| CRIT_ROGUE["CRITICAL<br/>Evil twin - immediate<br/>removal + investigation"]
    ROGUE -->|"Yes - unknown SSID"| HIGH_ROGUE["HIGH<br/>Unauthorized AP<br/>locate and remove"]
    ROGUE -->|"No rogues found"| OK_ROGUE["PASS"]
    START --> PMF{"802.11w PMF<br/>enabled?"}
    PMF -->|"No"| HIGH_PMF["HIGH<br/>Vulnerable to deauth<br/>Enable PMF required mode"]
    PMF -->|"Optional"| MED_PMF["MEDIUM<br/>Set to required<br/>not optional"]
    PMF -->|"Required"| OK_PMF["PASS"]
    START --> GUEST{"Guest network<br/>isolated?"}
    GUEST -->|"No isolation"| CRIT_GUEST["CRITICAL<br/>Guest can reach<br/>corporate resources"]
    GUEST -->|"Partial"| MED_GUEST["MEDIUM<br/>Review firewall rules"]
    GUEST -->|"Full VLAN isolation"| OK_GUEST["PASS"]
    style CRIT_ENC fill:#3a1a1a,stroke:#ff4444,color:#ff6666
    style CRIT_ROGUE fill:#3a1a1a,stroke:#ff4444,color:#ff6666
    style CRIT_GUEST fill:#3a1a1a,stroke:#ff4444,color:#ff6666
    style HIGH_ROGUE fill:#3a2a1a,stroke:#ff8844,color:#ffaa66
    style HIGH_PMF fill:#3a2a1a,stroke:#ff8844,color:#ffaa66
    style OK_ENC fill:#1a3a1a,stroke:#44ff44,color:#66ff66
    style OK_ROGUE fill:#1a3a1a,stroke:#44ff44,color:#66ff66
    style OK_PMF fill:#1a3a1a,stroke:#44ff44,color:#66ff66
    style OK_GUEST fill:#1a3a1a,stroke:#44ff44,color:#66ff66

Wireless audit finding severity classification - color-coded decision tree for common vulnerabilities found during wireless security assessments, from critical (red) to pass (green).

Rogue AP detection

Check: Are there APs broadcasting your SSID that should not exist?

A rogue AP is any AP operating on your network without authorization. This includes an employee who plugged in a cheap router "to get better coverage," an attacker who set up a device to mimic your SSID for an evil portal attack, or an AP that was set up and forgotten.

How to check: Compare your documented list of legitimate BSSIDs (AP MAC addresses) against what a scanner sees broadcasting your SSIDs. Any BSSID broadcasting your company SSID that is not in your list is a rogue. More sophisticated WIDS (Wireless Intrusion Detection Systems) do this continuously - for a manual audit, a periodic scan serves the same purpose.

The BLEShark Nano's WiFi scanner shows BSSID per detected network. Cross-referencing against your documented AP inventory is a quick way to spot unauthorized devices.

Also check: Are there APs broadcasting SSIDs that are slight variations of your company SSID? "CompanyName-Guest" when your actual guest SSID is "CompanyGuest" is a classic evil twin setup. These are harder to catch and require paying attention to BSSID - if the BSSID does not match any AP in your inventory, it is not yours.

Remediation: Any confirmed rogue AP should be physically located and removed. For ongoing monitoring, consider AP-based WIDS that uses your existing infrastructure as sensors. For SMBs, periodic manual scanning is a reasonable substitute.
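The inventory cross-check described above, together with the encryption and PMF checks from the earlier sections and the severity levels of the decision tree, as an added example that is not part of the original article: it reads a scanner export (the CSV field names, BSSIDs and SSIDs are constructed here, so map the columns to whatever your scanner actually emits) and flags corporate SSIDs from unknown BSSIDs, lookalike names, and weak settings on your own APs.

```python
import csv, difflib, io
from collections import namedtuple
# Constructed scanner export; the field names are assumed, so map them to what your scanner emits.
SCAN_EXPORT = """ssid,bssid,channel,rssi,security,pmf
CompanyName-Corp,00:11:22:aa:bb:01,6,-48,WPA2-Enterprise,required
CompanyName-Corp,00:11:22:aa:bb:02,11,-55,WPA2-Enterprise,required
CompanyName-Corp,de:ad:be:ef:00:01,6,-70,WPA2-PSK,disabled
CompanyGuest,00:11:22:aa:bb:03,1,-50,WPA2-PSK,optional
CompanyName-Guest,de:ad:be:ef:00:02,1,-62,Open,disabled
Floor3-Printers,00:11:22:aa:bb:04,6,-45,WEP,disabled
CoffeeShop-Free,aa:bb:cc:11:22:33,11,-80,Open,disabled
"""
# Constructed AP inventory: authorized BSSID -> the SSID it is supposed to broadcast.
INVENTORY = {"00:11:22:aa:bb:01": "CompanyName-Corp", "00:11:22:aa:bb:02": "CompanyName-Corp",
             "00:11:22:aa:bb:03": "CompanyGuest", "00:11:22:aa:bb:04": "CompanyName-Corp"}
CORPORATE_SSIDS = frozenset(INVENTORY.values())
PMF_SEVERITY = {"disabled": "HIGH", "optional": "MEDIUM"}  # "required" passes
ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "REVIEW": 3, "LOW": 4}
Finding = namedtuple("Finding", "severity ssid bssid reason")

def _norm(s): return "".join(c for c in s.lower() if c.isalnum())

def lookalike(ssid, corporate=CORPORATE_SSIDS, threshold=0.8):
    # Near-match on normalised names catches e.g. CompanyName-Guest vs CompanyGuest
    return any(difflib.SequenceMatcher(None, _norm(ssid), _norm(c)).ratio() >= threshold
               for c in corporate)

def encryption_severity(security):
    s = security.upper()
    if ("WPA2" not in s and "WPA3" not in s) or "TKIP" in s:
        return "CRITICAL"  # Open, WEP, WPA1, or TKIP still enabled
    if "ENTERPRISE" in s or "802.1X" in s:
        return None        # WPA2/WPA3-Enterprise passes
    return "MEDIUM"        # Personal/PSK: migrate to 802.1X or ensure a strong passphrase

def audit(scan_text=SCAN_EXPORT, inventory=INVENTORY, corporate=CORPORATE_SSIDS):
    findings = []
    for row in csv.DictReader(io.StringIO(scan_text)):
        ssid, bssid = row["ssid"], row["bssid"].lower()
        if bssid in inventory:  # our hardware: check what it broadcasts and how
            if ssid != inventory[bssid]:
                findings.append(Finding("REVIEW", ssid, bssid, "unexpected SSID on an authorized AP"))
            enc = encryption_severity(row["security"])
            if enc:
                findings.append(Finding(enc, ssid, bssid, f"weak security mode: {row['security']}"))
            if enc != "CRITICAL" and PMF_SEVERITY.get(row["pmf"].lower()):
                findings.append(Finding(PMF_SEVERITY[row["pmf"].lower()], ssid, bssid, f"PMF {row['pmf']}"))
        elif ssid in corporate:  # our SSID from a BSSID we do not own
            findings.append(Finding("CRITICAL", ssid, bssid, "evil twin: corporate SSID from unknown BSSID"))
        elif lookalike(ssid, corporate):
            findings.append(Finding("HIGH", ssid, bssid, "SSID resembles a corporate name"))
        else:
            findings.append(Finding("LOW", ssid, bssid, "unrecognised network; confirm it is not on your LAN"))
    return sorted(findings, key=lambda f: ORDER[f.severity])  # stable: scan order kept within a level
```

Encryption and PMF are only judged for BSSIDs in your inventory; a neighbour's open network is not your finding, but a neighbour broadcasting your SSID is.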

Guest network isolation

Check: Is the guest network properly isolated from the corporate network?

Most organizations run a separate guest SSID for visitors. The security value of this depends entirely on whether it is actually isolated. A guest network that can reach your internal file servers or printers is not isolated - it is just a second entry point.

How to verify: Connect a test device to the guest SSID. Try to ping internal IP ranges. Try to access the corporate printer, an internal web server, a network share. Any successful connection indicates insufficient isolation. The guest network should only have internet access - nothing internal.

Also check: Can guest network devices see each other? "Client isolation" (also called "AP isolation") prevents devices on the same SSID from communicating directly. This is important on guest networks where you do not control the connected devices.

Check: Does the guest network have a sensible bandwidth cap? An unlimited guest SSID is a resource that can be abused for outbound attacks or data exfiltration.

Remediation: Guest network isolation is a firewall/router configuration issue. Verify that VLAN tagging is configured correctly and that the firewall rules between the guest VLAN and corporate VLAN are explicit deny-by-default, not implicit. Enable client isolation on the guest SSID.
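The reachability test from "How to verify" above, as an added example that is not part of the original article: run from a test device joined to the guest SSID, it tries a TCP connection to each internal resource and reports any that answer. The target hosts and ports are constructed placeholders to replace with your own file server, printer, intranet host and management addresses; the self-check exists because an empty result only means something if the probe is known to detect an open port.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed list of internal resources that must NOT answer from the guest SSID.
# Placeholders: substitute your own file server, printer, intranet and management IPs.
INTERNAL_TARGETS = [
    ("10.10.1.5", 445),    # file server (SMB share)
    ("10.10.1.20", 9100),  # network printer (raw print port)
    ("10.10.1.10", 443),   # internal web server
    ("10.10.0.1", 22),     # core switch management
]

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes; refused, filtered and timed-out all count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_isolation(targets=INTERNAL_TARGETS, timeout=2.0):
    """Probe each internal target from the guest network; return the ones that answered.
    An empty list is the expected result for a correctly isolated (deny-by-default) guest VLAN."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        hits = pool.map(lambda t: (t, tcp_reachable(*t, timeout=timeout)), targets)
        return [t for t, ok in hits if ok]

def probe_self_check():
    """Positive control: open a listener on the test device itself, confirm the probe sees it,
    then confirm it is reported blocked once closed. Do not trust an empty audit result otherwise."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        seen_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    seen_closed = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return seen_open and not seen_closed

if __name__ == "__main__":
    assert probe_self_check(), "probe cannot detect an open port; do not trust its results"
    reachable = check_isolation()
    print("guest isolation:", "FAIL" if reachable else "PASS", reachable)
```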

802.1X for internal networks

Check: Are corporate internal SSIDs using 802.1X (WPA2/3 Enterprise)?

WPA2 Personal (PSK) uses a shared password. Anyone who knows the password can connect - and in most organizations, that password is written on a whiteboard and known by everyone who has ever worked there, including former employees. WPA2/3 Enterprise using 802.1X authenticates individual users against a RADIUS server, typically using Active Directory credentials or certificates. Each user has their own credentials, which can be revoked individually.

For corporate internal networks with any sensitive data, 802.1X should be the minimum standard. PSK is acceptable for IoT device networks or constrained environments where certificate deployment is impractical, but not for general corporate access.

How to check: Your wireless management console shows the authentication method per SSID. "WPA2-Enterprise" or "802.1X" indicates RADIUS-based authentication. "WPA2-Personal" or "WPA2-PSK" indicates a shared password.

Remediation: Migrating from PSK to 802.1X requires a RADIUS server (Windows Server's NPS, FreeRADIUS, or a cloud RADIUS service), certificate infrastructure or credential integration, and supplicant configuration on all client devices. It is a meaningful project but is the correct solution for any internal network where you need per-user accountability.

Bluetooth and BLE exposure

Check: What Bluetooth devices are broadcasting in your environment?

This is a less common audit item but increasingly relevant as BLE-enabled devices proliferate. Bluetooth headsets, smart locks, asset trackers, employee wearables, and office equipment all broadcast BLE advertisements. Some of those advertisements contain device identifiers, manufacturer data, or service UUIDs that reveal what the device is and potentially how to interact with it.

How to check: A BLE scanner shows everything advertising within range. The BLEShark Nano's BLE scanner includes OUI lookup - it identifies the manufacturer from the MAC address prefix, which helps categorize what you are seeing. Running a BLE scan of your environment gives you an inventory of BLE-active devices that you can cross-reference against what should be there.

Points of concern: BLE devices advertising with a static MAC address are trackable. Smart locks with open GATT services and no authentication represent physical security risks. BLE printers or office equipment with accessible characteristics can sometimes be interacted with by anyone in range.

Remediation: Most BLE device security is configured in the device itself, not at the network level. Review manufacturer documentation for each critical BLE device to understand pairing requirements, authentication methods, and whether firmware updates are available. Devices using "Just Works" pairing with no passkey or out-of-band confirmation have weak authentication and should be reviewed carefully.

Physical access to wireless infrastructure

Check: Are APs in physically accessible locations?

An AP in a public hallway or accessible ceiling tile can be physically tampered with. Console ports on some AP models allow local configuration bypass. Rogue devices can be plugged into the same switch port. Physical security of network infrastructure is a wireless audit item.

How to check: Walk the physical AP locations. Verify each AP is mounted where someone cannot easily reach it, disconnect cables, or attach devices to nearby ports. For high-security environments, verify that AP console ports are disabled in firmware and that access to the network closet feeding each AP is locked.

Remediation: Mount APs out of easy reach. Enable 802.1X on the switch port serving each AP where feasible, or at minimum note which switch port each AP connects to for monitoring. Document and lock physical access to network closets.

Remediation priority

If your audit turns up multiple issues, prioritize in this order:

  1. Critical (fix immediately): WEP or open authentication on any corporate SSID; confirmed rogue APs; WPS enabled on APs accessible from outside the building.
  2. High (fix within 30 days): PMF disabled on WPA3 networks; guest network not isolated from corporate; PSK on internal corporate SSID with more than one department's access.
  3. Medium (fix within 90 days): WPA2 still in use where WPA3 is available; SSID naming reveals internal structure; WPS enabled but only on internal APs.
  4. Low (track and plan): Informational BLE device inventory findings; SSID hiding in use (not a risk, just not helpful); client isolation not enabled on a low-risk guest network.

The BLEShark Nano at $36.99 is a cost-effective tool for SMBs running this kind of audit. It replaces the need for a laptop with a WiFi adapter in monitor mode for basic scanning tasks, and it provides BLE scanning that many standalone tools do not cover. For a periodic quarterly wireless audit, it is a practical addition to the IT toolkit.

A wireless audit is not a one-time event. Networks change - new APs get installed, configurations drift, new devices come online. Running through this checklist quarterly gives you a baseline and lets you catch configuration drift before it becomes a vulnerability.
