PRIVATE -- NOT FOR DISTRIBUTION

WiFi Attack Mitigation & Defense Guide

CTS Office Network -- Peplink B-ONE -- SSID: CTS-A (5 GHz)
Companion to Kali Forensic Capture Guide. This page: DEFENSE and REMEDIATION. Last updated: March 22, 2026.
1 Situation Summary ACTIVE THREAT
Active Attack -- Device Still Operating

A physical device has been planted in or near the building broadcasting attacks on channel 157. It has been running autonomously since at least Friday, March 20, 2026.

Target AP:           Peplink B-ONE -- SSID: CTS-A (5 GHz), WPA2-Personal
Attack Channel:      Channel 157 (5 GHz) -- currently avoided
Safe Channel:        Channel 149 (current AP channel)
PMF Status:          Enabled on both CTS-A (5 GHz) and CTS-2G (2.4 GHz)
Security Mode:       WPA2/WPA3 transition mode (PMF optional)
Leading Theories:    CSA (Channel Switch Announcement) injection or Evil Twin
Attack First Seen:   March 20, 2026 at ~16:18 (client) / ~16:23 (AP log)
Mitigation Applied:  PMF enabled at 19:11, channel changed 157 → 149

Why We're Not Fully Protected Yet

WPA2/WPA3 transition mode still processes unprotected management frames for WPA2 backwards compatibility. Until all clients support WPA3, the AP cannot enforce PMF on all connections. The attacker device on channel 157 is still broadcasting and could change channels at any time.

2 Immediate Actions (Tonight) DO NOW

2.1 Lock Channel 149 DONE ~2 min

Disable auto-channel selection so the AP never roams back to channel 157.

  1. Log into Peplink admin panel
  2. Navigate to Network > SSID > Radio Settings > Channel Selection
  3. Set to Manual
  4. Select Channel 149 (or another clean channel -- NOT 157)
  5. Remove channel 157 from the allowed channel list entirely
  6. Save and apply
Completed

Channel was changed to 149 during initial mitigation on March 20. Verify auto-select is disabled.

2.2 Upgrade SIP Phones to WPA3 TONIGHT ~5 min per phone

Yealink SIP-T54W phones need firmware 96.86.0.100+ for WPA3 support. Three phones to update:

MAC Address         | Phone ID     | Action
44:DB:D2:D6:7F:62   | SIP Phone 1  | Update firmware + set WPA3
80:5E:0C:F0:0C:90   | SIP Phone 2  | Update firmware + set WPA3
80:5E:0C:E4:67:05   | SIP Phone 3  | Update firmware + set WPA3

For each phone:

1 Find the phone's IP address

On the phone: Menu > Status > Network -- note the IPv4 address.

2 Access the web interface

Open a browser and go to http://[phone_ip]

Log in with the default credentials: admin / admin

3 Update firmware (if needed)

Navigate to Settings > Upgrade > Check for Update

Firmware must be 96.86.0.100 or newer for WPA3 support.

4 Set WPA3 security

Navigate to Settings > Network > WiFi > Security Mode

Change from WPA2-Personal to WPA3-Personal. Enter the network password. Save.

Change Default Password!

While you're in the web interface, change the admin password from admin to something secure. An attacker on the network could access phone configuration with default creds.

2.3 Consider WPA3-Only Mode EVALUATE ~10 min

Currently running WPA2/WPA3 transition mode -- WPA2 clients are still vulnerable to deauthentication because their management frames are unprotected.

WPA3-only mode eliminates ALL unprotected management frame processing. This is the strongest defense available.

Risk Assessment -- What Might Break
  • Vivint SmartHub (84:EB:3E) -- likely WPA2-only, will disconnect
  • Canon printers (50:03:CF) -- connected as WPA3 in today's log, should be OK
  • SIP phones -- upgrade firmware first (section 2.2 above)
  • Scanner (38:1A:52) -- connected as WPA3 today, should be OK

Test approach:

  1. Switch to WPA3-only on the Peplink
  2. Monitor what disconnects over the next 10 minutes
  3. If any critical device can't connect, fall back to transition mode
  4. Consider a separate SSID/VLAN for WPA2-only IoT devices (see section 7)

Peplink setting: Network > SSID > Security > change from WPA2/WPA3 to WPA3-Personal only

2.4 BSSID Pinning on Windows Desktops TONIGHT ~3 min per machine

Prevents clients from connecting to evil twin APs by locking the WiFi profile to the Peplink's specific BSSID (hardware MAC address).

Critical desktops to pin: Jonathan's, both Heather desktops, Dustin's, Ashley's.

Find Your AP's BSSID First

From Peplink admin panel: Status > AP > Wireless Info -- note the BSSID for CTS-A (5 GHz). Or from airodump-ng output: it's the BSSID associated with CTS-A on channel 149.

Step 1: Export the current WiFi profile (run PowerShell as Admin):

PS> netsh wlan export profile name="CTS-A" folder=C:\temp

Step 2: Open the exported XML file in Notepad. Find the <MSM> section and add a <BSSIDList> block inside its <connectivity> element (create <connectivity> inside <MSM> if the export does not have one). The block goes after the <mode> and <autoSwitch> elements if those are present:

<!-- Add this block inside <WLANProfile> > <MSM> > <connectivity> -->
<!-- AFTER the <mode> and <autoSwitch> elements -->

<BSSIDList>
  <BSSID>[AP_BSSID]</BSSID>
</BSSIDList>

<!-- Replace [AP_BSSID] with the actual Peplink BSSID -->
<!-- Format: AA:BB:CC:DD:EE:FF (colon-separated, uppercase) -->
<!-- Example: <BSSID>E8:1D:A8:5F:23:C0</BSSID> -->

Step 3: Delete the old profile and import the modified one:

# Delete the old profile
PS> netsh wlan delete profile name="CTS-A"

# Import the BSSID-pinned profile
PS> netsh wlan add profile filename="C:\temp\Wi-Fi-CTS-A.xml"

# Reconnect
PS> netsh wlan connect name="CTS-A"

Step 4: Verify the pin is active:

PS> netsh wlan show profile name="CTS-A"
# Look for BSSID in the output

2.5 Remove Unnecessary WiFi Profiles TONIGHT ~2 min per machine

Remove saved WiFi profiles that aren't CTS-A. Leftover profiles (hotel WiFi, phone hotspots, etc.) can be exploited by evil twin attacks.

# List all saved WiFi profiles
PS> netsh wlan show profiles

# Delete each unwanted profile
PS> netsh wlan delete profile name="[unwanted_profile_name]"

# Bulk delete ALL profiles (nuclear option -- re-add CTS-A after)
PS> netsh wlan delete profile name=* i=*

Keep Only CTS-A

After cleaning, the only saved profile should be CTS-A (with BSSID pinning from step 2.4). Any other profile is an attack surface.

3 Attack-Specific Mitigations DO SOON

3.1 Classic Deauthentication Attack

What It Does:     Forged deauthentication frames impersonating the AP, forcing clients to disconnect and reassociate
PMF Stops It?     Yes -- but only in WPA3-only mode. In transition mode, WPA2 clients are still vulnerable
AP Setting:       Network > SSID > Security > PMF: Required
Key Distinction:  "Required" means clients MUST support PMF or they can't connect. "Optional" means PMF is negotiated -- WPA2 clients skip it.

Why Transition Mode Doesn't Fully Protect

In WPA2/WPA3 transition mode, the AP still accepts WPA2 associations. WPA2 clients send unprotected management frames. The AP must process these to maintain backwards compatibility. An attacker can target WPA2 clients -- or forge frames that the AP processes before determining the client's security level.

3.2 CSA (Channel Switch Announcement) Injection

What It Does:        Injects fake beacon frames containing a Channel Switch Announcement, telling clients to move to a different (attacker-controlled) channel
PMF Stops It?        No. Beacons are broadcast, unsigned, and processed before any security association is established.
Why It's Dangerous:  Even with WPA3 + PMF Required, clients process CSA from beacons at the driver level before authentication

Client-side mitigation on Windows:

No Configurable Defense on Windows

Windows processes CSA at the driver level with no user-accessible override. The WiFi driver follows the CSA instruction before the OS even sees it. There is no registry key, group policy, or driver setting to disable CSA processing on Windows.

Client-side mitigation on Linux (Kali monitoring station):

# Option 1: Ignore CSA via iw (per-interface, not persistent)
$ sudo iw dev wlan0 set csa_count 0

# Option 2: In wpa_supplicant.conf (if supported by driver)
$ echo "disable_csa=1" | sudo tee -a /etc/wpa_supplicant/wpa_supplicant.conf

AP-side mitigation:

  • Some enterprise APs can validate CSA origin (Peplink B-ONE likely cannot)
  • Best current defense: avoid the attack channel (already on 149) + find and remove the device
  • If Peplink supports it, deploy WIDS (Wireless Intrusion Detection System) -- check firmware release notes

3.3 Evil Twin / Rogue AP

What It Does:         Broadcasts the same SSID (CTS-A) with a stronger signal. Clients roam to the rogue AP, fail authentication, and cycle between the real and fake AP
Best Client Defense:  BSSID pinning (section 2.4) -- clients will only connect to the real AP's MAC address
Detection:            airodump-ng shows multiple BSSIDs broadcasting the same SSID
Ultimate Fix:         Physically find and remove the rogue AP

# Detection: look for multiple BSSIDs on the same SSID
$ sudo airodump-ng wlan0mon --essid CTS-A
# If you see more than one BSSID row, there's a rogue AP

3.4 Authentication Flood

What It Does:     Overwhelms the AP with fake authentication requests, exhausting its client table and preventing legitimate clients from connecting
AP-Side Defense:  Set a max client limit and auth rate limiting in Peplink admin
Peplink Setting:  Check the admin panel for client connection limits and rate limiting options
Likelihood Here:  Low -- doesn't match the selective targeting pattern observed in the attack

3.5 Beacon Flood

What It Does:    Thousands of fake beacon frames create SSID confusion -- the client's WiFi scanner fills with garbage SSIDs
Client Defense:  BSSID pinning (section 2.4) -- client ignores all beacons except from the pinned BSSID
Detection:       airodump-ng screen fills with dozens/hundreds of fake AP entries
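To make the airodump-ng checks from 3.3 (second BSSID on CTS-A) and 3.5 (implausible BSSID count) repeatable from the monitoring station's CSV output, here is an added example script; it is not from this guide or from aircrack-ng. It parses the AP table that `airodump-ng --output-format csv` writes; the known-good BSSID, the flood threshold and the CSV sample are constructed placeholders.

```python
"""Evil-twin and beacon-flood check over an airodump-ng CSV (added example).

Assumes the file written by `airodump-ng ... --output-format csv`: an AP
table headed 'BSSID, ...', a blank line, then the station table.
"""
import csv
import io

# Constructed placeholder: take the real value from Peplink Status > AP > Wireless Info
KNOWN_CTS_A_BSSIDS = {"E8:1D:A8:5F:23:C0"}
TARGET_ESSID = "CTS-A"
BEACON_FLOOD_THRESHOLD = 50   # distinct BSSIDs on one 5 GHz channel; tune for the site


def parse_ap_table(csv_text):
    """Return the AP rows as dicts keyed by the header names (whitespace stripped)."""
    aps, header = [], None
    for raw in io.StringIO(csv_text):
        line = raw.strip()
        if not line:
            if header is not None:
                break                      # blank line ends the AP table
            continue
        cells = [c.strip() for c in next(csv.reader([line]))]
        if header is None:
            if cells[0] == "BSSID":
                header = cells
            continue
        aps.append(dict(zip(header, cells)))
    return aps


def find_rogue_bssids(aps, essid=TARGET_ESSID, known=KNOWN_CTS_A_BSSIDS):
    """Section 3.3: (bssid, channel) for every AP advertising our SSID that is not ours."""
    return sorted((ap["BSSID"].upper(), ap["channel"]) for ap in aps
                  if ap["ESSID"] == essid and ap["BSSID"].upper() not in known)


def is_beacon_flood(aps, threshold=BEACON_FLOOD_THRESHOLD):
    """Section 3.5: a flood shows up as an implausible number of distinct BSSIDs."""
    return len({ap["BSSID"] for ap in aps}) >= threshold


def analyse(csv_text):
    aps = parse_ap_table(csv_text)
    return {"ap_count": len(aps),
            "rogue": find_rogue_bssids(aps),
            "beacon_flood": is_beacon_flood(aps)}


# Constructed sample: the real AP on 149 plus a second CTS-A BSSID on the attack channel
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
E8:1D:A8:5F:23:C0, 2026-03-20 16:18:01, 2026-03-20 16:40:12, 149, 866, WPA3 WPA2, CCMP, SAE PSK, -41, 1210, 0, 0. 0. 0. 0, 5, CTS-A,
02:11:22:33:44:55, 2026-03-20 16:18:05, 2026-03-20 16:40:12, 157, 866, WPA2, CCMP, PSK, -29, 4021, 0, 0. 0. 0. 0, 5, CTS-A,
E8:1D:A8:5F:23:C1, 2026-03-20 16:18:01, 2026-03-20 16:40:12, 6, 195, WPA3 WPA2, CCMP, SAE PSK, -44, 1190, 0, 0. 0. 0. 0, 6, CTS-2G,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
44:DB:D2:D6:7F:62, 2026-03-20 16:18:10, 2026-03-20 16:40:10, -55, 310, E8:1D:A8:5F:23:C0, CTS-A
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_CSV))   # rogue -> [('02:11:22:33:44:55', '157')]
```

Point it at the `capture_<date>-01.csv` the monitoring service writes (section 6); any rogue entry is the 3.3 signal, and the channel column tells you where the rogue is sitting.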

3.6 RF Jamming

What It Does:    Raw noise on the 5 GHz frequency -- brute force interference, no specific management frames
Key Difference:  Not MAC-targetable -- affects everything on the channel, not just specific clients
Legal Status:    Illegal under FCC 47 U.S.C. § 333 -- intentional interference with licensed radio communications
Mitigation:      Channel change (already done). Ultimate fix: locate the source.
Detection:       Abnormally high noise floor in airodump-ng. No management frames visible -- just raw noise.

If RF Jamming Is Suspected

Document everything. Contact the FCC if necessary (FCC interference complaint). Physical location of the jamming device is the only real solution.

5 Windows Client Hardening DO SOON

Apply to each critical Windows desktop: Jonathan's (CTRS-JONATHAN-DESK), Heather P's (CTS-DESK-HEATHER), Heather T's (DISPATCH-DESK-2), Dustin's (CTRS-Dustin-Belshe), Ashley's (CTS-ASHLEY).

5.1 Remove Unnecessary WiFi Profiles ~2 min

See section 2.5 above. Remove all saved profiles except CTS-A.

# List all profiles
PS> netsh wlan show profiles

# Delete specific profile
PS> netsh wlan delete profile name="SomeOldNetwork"

5.2 BSSID Pinning (Detailed) ~3 min

Full walkthrough in section 2.4 above. The key is adding <BSSIDList> to the exported XML profile.

Complete profile XML structure with BSSID pinning highlighted:

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CTS-A</name>
  <SSIDConfig>
    <SSID>
      <name>CTS-A</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA3SAE</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
    </security>
    <!-- ADD THIS BLOCK FOR BSSID PINNING -->
    <connectivity>
      <BSSIDList>
        <BSSID>[AP_BSSID_HERE]</BSSID>
      </BSSIDList>
    </connectivity>
  </MSM>
</WLANProfile>

Verify It Worked

After importing the modified profile, run netsh wlan show profile name="CTS-A" and verify the BSSID list appears in the output. Then reconnect: netsh wlan connect name="CTS-A"
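To apply the pin without hand-editing each export, here is an added Python script (not from this guide, Microsoft or Peplink) that inserts the <BSSIDList> element where sections 2.4 and 5.2 place it (<MSM> > <connectivity>), normalises the BSSID to the colon-separated uppercase form the guide calls for, and can be re-run without duplicating the list. The sample profile and the BSSID value are constructed placeholders.

```python
"""Pin a Windows WLAN profile to one BSSID (added example, sections 2.4 / 5.2).

Edits the XML that `netsh wlan export profile` produces, inserting
<MSM><connectivity><BSSIDList><BSSID>...</BSSID></BSSIDList></connectivity>
as the guide describes. Sample profile and BSSID below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ET.register_namespace("", NS)            # write the default namespace back without a prefix
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalise_bssid(bssid):
    """Accept aa-bb-cc-dd-ee-ff or aa:bb:... and return AA:BB:CC:DD:EE:FF, or raise."""
    norm = bssid.strip().upper().replace("-", ":")
    if not MAC_RE.match(norm):
        raise ValueError(f"BSSID must look like AA:BB:CC:DD:EE:FF, got {bssid!r}")
    return norm


def pin_profile(profile_xml, bssid):
    """Return the profile XML with exactly one <BSSIDList> holding `bssid`."""
    bssid = normalise_bssid(bssid)
    root = ET.fromstring(profile_xml)
    msm = root.find(f"{{{NS}}}MSM")
    if msm is None:
        raise ValueError("not a WLAN profile: no <MSM> element")
    conn = msm.find(f"{{{NS}}}connectivity")
    if conn is None:                      # create <connectivity> if the export lacks it
        conn = ET.SubElement(msm, f"{{{NS}}}connectivity")
    for old in conn.findall(f"{{{NS}}}BSSIDList"):   # re-runnable: replace, don't append
        conn.remove(old)
    lst = ET.SubElement(conn, f"{{{NS}}}BSSIDList")
    ET.SubElement(lst, f"{{{NS}}}BSSID").text = bssid
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def pinned_bssids(profile_xml):
    """BSSIDs currently pinned in a profile (empty list if none)."""
    return [e.text for e in ET.fromstring(profile_xml).iter(f"{{{NS}}}BSSID")]


# Constructed sample in the shape of a netsh export (keyMaterial omitted)
SAMPLE_PROFILE = f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS}">
  <name>CTS-A</name>
  <SSIDConfig><SSID><name>CTS-A</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA3SAE</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
    </security>
  </MSM>
</WLANProfile>
"""

if __name__ == "__main__":
    import sys
    # usage: python pin_profile.py C:\temp\Wi-Fi-CTS-A.xml E8:1D:A8:5F:23:C0 > pinned.xml
    with open(sys.argv[1], encoding="utf-8-sig") as fh:   # utf-8-sig tolerates a BOM
        sys.stdout.write(pin_profile(fh.read(), sys.argv[2]))
```

Feed the output to the delete/add/connect sequence from section 2.4 and confirm with `netsh wlan show profile name="CTS-A"` as described above.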

5.3 Disable WiFi Sense / Auto-Connect to Open Networks ~1 min

Windows can auto-connect to suggested open hotspots and share WiFi passwords with contacts. Disable this.

# Disable auto-connect to suggested hotspots (Registry)
PS> Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" -Name "AutoConnectAllowedOEM" -Value 0 -Type DWord

# Also check: Settings > Network & Internet > Wi-Fi
# Turn OFF "Connect to suggested open hotspots"
# Turn OFF "Connect to networks shared by contacts"

5.4 Disable 802.11r Fast Roaming ~2 min

802.11r (Fast BSS Transition) is designed for multi-AP roaming. In a single-AP environment it's unnecessary and can be exploited.

# Check if fast roaming is enabled on the WiFi adapter
PS> Get-NetAdapterAdvancedProperty -Name "Wi-Fi" | Where-Object {$_.DisplayName -match "roam|802\.11r|bss"}

# Disable if present (property name varies by driver)
PS> Set-NetAdapterAdvancedProperty -Name "Wi-Fi" -DisplayName "802.11r" -DisplayValue "Disabled"

# Alternative: open Device Manager > Network Adapters >
# [WiFi adapter] > Properties > Advanced tab
# Look for "Roaming Aggressiveness" -- set to Lowest

5.5 Update WiFi Drivers ~5 min per machine

Intel AX201, AX211, and BE201 are common WiFi adapters in modern desktops/laptops. Updated drivers may include security fixes and better WPA3 support.

# Check current WiFi driver version
PS> Get-NetAdapter -Name "Wi-Fi" | Select-Object Name, DriverVersion, DriverDate

# Check for Intel driver updates
# Download Intel Driver & Support Assistant from:
# https://www.intel.com/content/www/us/en/support/detect.html
# Or update via Device Manager > Network Adapters > Update Driver

5.6 Enable Windows Firewall Rules for WiFi ~3 min

Ensure the Windows Firewall classifies the WiFi network as "Private" (not Public) and that inbound rules are appropriate.

# Check current network profile
PS> Get-NetConnectionProfile

# Set to Private if it shows "Public"
PS> Set-NetConnectionProfile -InterfaceAlias "Wi-Fi" -NetworkCategory Private

# Verify firewall is enabled for all profiles
PS> Get-NetFirewallProfile | Select-Object Name, Enabled

# Block all inbound by default (allow exceptions)
PS> Set-NetFirewallProfile -Profile Private -DefaultInboundAction Block -DefaultOutboundAction Allow

5.7 Group Policy: Restrict New WiFi Connections ~5 min

Prevent users from connecting to new WiFi networks without admin approval. Requires Windows Pro/Enterprise.

# Open Local Group Policy Editor
PS> gpedit.msc

# Navigate to:
# Computer Configuration > Administrative Templates >
# Network > Windows Connection Manager
#
# Enable: "Prohibit connection to non-domain networks
#          when connected to domain authenticated network"
#
# Also check:
# Computer Configuration > Administrative Templates >
# Network > Network Connections
# Enable: "Prohibit access to properties of a LAN connection"
#   (prevents users from changing network settings)

Windows Home Limitation

If any desktops run Windows Home, Group Policy Editor (gpedit.msc) is not available. Use registry edits instead, or consider upgrading to Pro.

6 Remote Monitoring Station (Phase 2) PHASE 2
Phase 2 -- Setup After Initial Field Investigation

This section outlines the plan for a persistent monitoring station. Do the field investigation first (Kali Forensic Guide), then set this up for ongoing surveillance.

Hardware Setup

Base Machine:     DESKTOP-CTS-ROBERT -- repurposed as monitoring station
Boot OS:          Kali Linux from SSK SSD (boot from USB/external drive)
Internal NIC:     Connects to CTS-A for network/internet access
Monitor Adapter:  ALFA AWUS036AXM in monitor mode on channel 157 (or attack channel)
Placement:        USB extension cable routes adapter to hidden/discreet location

Remote Access -- ZoHo Assist

# Download ZoHo Assist unattended agent for Linux
$ wget https://assist.zoho.com/install/zohoassist-unattended-agent.deb

# Install
$ sudo dpkg -i zohoassist-unattended-agent.deb

# Configure unattended access with Robert's ZoHo account
# Follow the on-screen prompts to link to your account

# Enable auto-start on boot
$ sudo systemctl enable zohoassist
$ sudo systemctl start zohoassist

VPN -- ProtonVPN

# Install ProtonVPN CLI
$ sudo apt install -y protonvpn-cli

# Login and connect
$ protonvpn-cli login
$ protonvpn-cli connect --fastest

# Auto-connect on boot
$ protonvpn-cli config --autoconnect enable

Physical Security

  • Screen lock: Configure auto-lock after 1 minute of inactivity
  • Strong password on the Kali user account
  • BIOS password to prevent USB boot tampering
  • Disable boot from other USB in BIOS (only allow the SSK SSD)

# Set screen lock timeout (XFCE)
$ xfconf-query -c xfce4-screensaver -p /lock/enabled -s true
$ xfconf-query -c xfce4-screensaver -p /lock/saver-activation/delay -s 1

# Set strong user password
$ passwd

Auto-Start Monitoring Service

Create a systemd service that starts monitor mode and airodump capture on boot.

# Create the monitoring script
$ sudo tee /opt/wifi-monitor.sh <<'SCRIPT'
#!/bin/bash
# WiFi monitoring auto-start script
IFACE="wlan1"
CHANNEL="157"
CAPTURE_DIR="/opt/captures"
DATE=$(date +%Y-%m-%d_%H%M)

mkdir -p "$CAPTURE_DIR"

# Enable monitor mode; airmon-ng normally names the new interface ${IFACE}mon
airmon-ng start "$IFACE"
MON_IFACE="${IFACE}mon"
if ! ip link show "$MON_IFACE" >/dev/null 2>&1; then
  echo "monitor interface $MON_IFACE not found; check airmon-ng output" >&2
  exit 1
fi

# Start capture. --write-interval 30 refreshes the CSV every 30 s; airodump-ng
# does not rotate or size-cap its own files, so old captures are pruned by the
# cron job under "Capture Rotation (Prevent Disk Fill)" below. Files are written
# as capture_<date>-01.cap and .csv. exec makes airodump-ng the service's main
# process so systemd can restart it on failure.
exec airodump-ng "$MON_IFACE" \
  --channel "$CHANNEL" \
  --write "$CAPTURE_DIR/capture_${DATE}" \
  --write-interval 30 \
  --output-format pcap,csv
SCRIPT

$ sudo chmod +x /opt/wifi-monitor.sh

# Create systemd service
$ sudo tee /etc/systemd/system/wifi-monitor.service <<'SERVICE'
[Unit]
Description=WiFi Channel Monitor
After=network.target

[Service]
Type=simple
ExecStart=/opt/wifi-monitor.sh
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
SERVICE

# Enable and start
$ sudo systemctl daemon-reload
$ sudo systemctl enable wifi-monitor.service
$ sudo systemctl start wifi-monitor.service

Capture Rotation (Prevent Disk Fill)

# Add a root cron job to delete captures older than 7 days.
# airodump-ng names its files capture_<date>-NN.cap and .csv (not .pcap), so match both.
# "crontab -" replaces root's whole crontab; if root already has entries, add the line with "sudo crontab -e" instead.
$ echo "0 3 * * * find /opt/captures \( -name '*.cap' -o -name '*.csv' \) -mtime +7 -delete" | sudo crontab -

# Check disk usage periodically
$ df -h /opt/captures
Benefits of This Setup

  • 24/7 monitoring without being physically present
  • Can detect if attacker changes channels
  • Captures evidence in real-time
  • Hidden in plain sight as Robert's normal desktop
  • Remote access via ZoHo Assist from anywhere

7 IoT & Peripheral Device Security DO SOON

Device                      | WPA3 Status            | Action
Canon Printers (50:03:CF)   | Connected as WPA3      | Update firmware for latest security patches
Vivint SmartHub (84:EB:3E)  | Likely WPA2-only       | Move to separate SSID/VLAN if possible
SIP Phones (3x)             | Needs firmware update  | See section 2.2 -- firmware + WPA3 config
Scanner (38:1A:52)          | Connected as WPA3      | Verify firmware is current

Recommendation: Separate IoT SSID

If the Peplink B-ONE supports multiple SSIDs (check admin panel), create a dedicated IoT network:

  • SSID: CTS-IOT (or similar)
  • Security: WPA2-Personal (for devices that can't do WPA3)
  • Channel: Different from CTS-A if possible
  • VLAN: Isolated from the main network -- IoT devices can reach the internet but not internal resources
  • Client isolation: Enabled (IoT devices don't need to talk to each other)

This lets you run CTS-A as WPA3-only while IoT devices stay connected on the separate network.

Canon Printer Firmware

Access the Canon printer web interface at http://[printer_ip] and check for firmware updates. Canon's WiFi implementation has had known vulnerabilities in older firmware versions.

8 Incident Response Checklist REFERENCE

Step-by-step if the attack resumes, changes channels, or a new attack vector appears.

Critical: Do NOT Power Cycle the AP

Power cycling erases the AP event log. The log is evidence. Change channels, change settings, but do not reboot unless absolutely necessary.

  1. Check current channel -- Peplink admin panel > Status > Wireless
  2. If attack is on current channel -- change channel immediately to any clean channel (not 157)
  3. Start airodump-ng on the attack channel to capture evidence
  4. Note timestamp, channel, affected devices -- write it down or screenshot
  5. Screenshot everything -- AP admin panel, airodump output, client error messages
  6. Check for rogue APs -- airodump-ng: multiple BSSIDs for CTS-A = evil twin
  7. If you find the physical device:
    • Photograph it in place before touching it
    • Note the exact location, any connections (power, ethernet, antenna)
    • Note make/model/serial if visible
    • THEN retrieve it
  8. Preserve all .pcap files -- these are forensic evidence
  9. Document chain of custody -- who found it, when, who has it now
  10. Do NOT reconnect the device to power or network -- preserve its state

Evidence Preservation Priority

Order of importance: AP event log > pcap captures > screenshots > photographs of device > device itself. The digital evidence is more valuable than the hardware.

9 Quick Reference Card FIELD USE

Immediate Actions -- Priority Order

For use on tablet in the field. Each action is self-contained.

#  | Action                                      | Time   | Status
1  | Lock AP to channel 149, remove 157          | 2 min  | DONE
2  | Enable PMF Required on Peplink              | 1 min  | DONE
3  | Update SIP phone firmware + set WPA3        | 15 min | TODO
4  | BSSID pin CTS-A on all Windows desktops     | 15 min | TODO
5  | Remove extra WiFi profiles on all desktops  | 10 min | TODO
6  | Disable WPS on Peplink                      | 1 min  | TODO
7  | Change Peplink admin password               | 1 min  | TODO
8  | Evaluate WPA3-only mode                     | 10 min | EVALUATE
9  | Update WiFi drivers on all desktops         | 25 min | SOON
10 | Set up monitoring station (Phase 2)         | 1+ hr  | PHASE 2

Emergency Commands

If attack resumes -- change channel immediately:

# Peplink admin > Network > SSID > Radio Settings > Channel
# Pick any channel NOT 157. Save and apply.

Start monitoring the attack channel:

$ sudo airmon-ng start wlan1
$ sudo airodump-ng wlan1mon --channel 157 --essid CTS-A -w /tmp/evidence

Quick BSSID pin (PowerShell as Admin):

PS> netsh wlan export profile name="CTS-A" folder=C:\temp
# Edit XML: add <BSSIDList><BSSID>[AP_MAC]</BSSID></BSSIDList>
PS> netsh wlan delete profile name="CTS-A"
PS> netsh wlan add profile filename="C:\temp\Wi-Fi-CTS-A.xml"
PS> netsh wlan connect name="CTS-A"