Wireless penetration test Switzerland

Wireless pentest in Switzerland: WPA, Bluetooth, IoT wireless

Wireless networks are often the weakest link in the corporate perimeter. Swiss companies typically maintain three to five parallel wireless domains: corporate WiFi, guest WiFi, IoT WiFi, Bluetooth peripherals and increasingly 5G private networks. We deliver CREST-certified wireless penetration tests on-site at your Swiss location.

What is a wireless penetration test?

A wireless penetration test assesses the security of wireless networks and devices for vulnerabilities an attacker within radio range could exploit. The test typically covers four domains: corporate WiFi (WPA2 / WPA3 Enterprise with 802.1X), guest and event WiFi (often WPA2 PSK or captive portal), IoT wireless (Zigbee, Z-Wave, BLE, LoRaWAN) and Bluetooth peripherals (keyboards, headsets, asset trackers). Attack vectors include Evil Twin attacks, KRACK against WPA2, downgrade attacks against WPA3, weak PSKs, missing client isolation and insecure captive portal implementations. The output is a report with CVSS-rated findings, range mapping and prioritised remediation.

Attack vectors we assess

01

Evil Twin and rogue AP

Deploying a malicious access point with an identical SSID. Employee devices connect automatically and credentials are captured. We check whether 802.1X server validation is correctly implemented and whether WPA3 Enterprise with server certificate validation is enforced.
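One way to check client profiles for the server-validation gap described above, as an added example that is not part of the original page or the vendor's tooling: a small Python auditor for wpa_supplicant network blocks. The sample configuration, SSIDs, file path and the function name audit_8021x are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf content (not from the page).
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.ch"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="guest"
    key_mgmt=WPA-PSK
    psk="constructed-sample-passphrase"
}
'''

# Simplification: assumes no "}" inside quoted values.
BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
# Commented-out lines ("#ca_cert=...") do not match and count as unset.
KV_RE = re.compile(r"^[ \t]*([A-Za-z0-9_]+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")

def audit_8021x(conf_text):
    """Return {ssid: [issues]} for every 802.1X (EAP) network block."""
    findings = {}
    for body in BLOCK_RE.findall(conf_text):
        kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        key_mgmt = kv.get("key_mgmt", "")
        if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
            continue  # PSK/SAE/open networks are out of scope here
        issues = []
        if not (kv.get("ca_cert") or kv.get("ca_path")):
            issues.append("no trust anchor: any RADIUS certificate is accepted")
        if not any(kv.get(k) for k in NAME_CHECKS):
            issues.append("no server name check: any cert from a trusted CA passes")
        findings[kv.get("ssid", "<unnamed>")] = issues
    return findings
```

A profile with an empty issue list pins both the CA and the expected RADIUS server name; either check missing leaves the client willing to authenticate to a look-alike access point.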

02

KRACK and downgrade attacks

Key Reinstallation Attacks against WPA2 (CVE-2017-13077 and following), WPA3 SAE downgrade to WPA2, Dragonblood attacks against WPA3 Personal. We test the patch level of access points and client devices.

03

Weak PSKs and WPS

Offline cracking against a capturable WPA2 PSK handshake (4-way handshake or PMKID). Brute force against enabled WPS PINs. Tests against typical Swiss SME setups with "CompanyName123!" PSKs.

04

Bluetooth and BLE attacks

BlueBorne, KNOB attack against Bluetooth Classic, pairing weaknesses against BLE devices, sniffing of Bluetooth keyboards, asset tracker spoofing. Relevant for pharma and logistics environments.

05

IoT wireless

Zigbee sniffing in smart-building setups, Z-Wave replay attacks, LoRaWAN join-request hijacking, unprotected ESP32 devices. Particularly relevant for industrial IoT and smart buildings.

06

Captive portal and guest WiFi

MAC spoofing to bypass authentication, missing client isolation between guests, weak TLS configuration on captive portal pages, session hijacking after authentication.

Methodology and execution

01

Reconnaissance

Passive capture of all visible wireless networks (2.4 GHz, 5 GHz, 6 GHz for WiFi 6E), Bluetooth devices (Classic + BLE), Zigbee, Z-Wave and LoRaWAN on relevant frequencies. Range mapping with heat map.

02

Active testing

Testing of identified vectors: Evil Twin setup, handshake capture, KRACK probing, BLE pairing tests, MAC spoofing against captive portals. All active tests are coordinated with your IT team and reception staff in advance.

03

Lateral movement

If access is gained: mapping of internal networks from the wireless vantage point, testing of WiFi-to-LAN segmentation, pivoting to production systems, with documented remediation recommendations.

04

Reporting

CVSS-rated findings, heat map of attackable areas, specific configuration recommendations per access point model, roadmap for migration to WPA3 Enterprise or Zero Trust Network Access as a long-term solution.

Frequently asked questions about wireless pentests

Answers to the questions IT and security leaders most often raise about wireless tests during scoping.

How much does a wireless pentest cost in Switzerland?

A wireless pentest in Switzerland costs between CHF 8,000 and CHF 14,000 for one corporate building (typically 5 days on-site). Multi-site tests or additional in-depth IoT wireless testing run from CHF 14,000 to CHF 22,000. Travel and accommodation in Switzerland are included in the package price.

Do the tests really need to be performed on-site?

Yes. Wireless tests require physical presence within radio range of the target networks. We recommend at least 2 days on-site to fully map radio coverage. Pure remote wireless tests make no technical sense and we do not offer them.

How do you ensure no employee devices are damaged?

Active tests are run with employee notification (anonymised) and in coordinated time windows. We use only non-destructive test tools and avoid denial-of-service attacks against production wireless networks. If a connection drop occurs accidentally, self-reconnect without data loss is guaranteed.

Do you also test 5G private networks?

Yes, with limitations. Swiss 5G private networks (for example Swisscom Campus Network or Sunrise) are tested in coordination with the carrier. Tests cover network slicing isolation, eSIM authentication and air interface security. Written test authorisation from the carrier is a prerequisite.

Which frequency bands can you test?

2.4 GHz and 5 GHz (WiFi 4/5/6), 6 GHz (WiFi 6E, approved for use in Switzerland since 2022), 868 MHz (Z-Wave EU, LoRaWAN EU868), 2.4 GHz (Bluetooth, Zigbee), 433 MHz (industrial transmitters). 60 GHz (WiGig / WiFi 7 802.11be) on request.

What are common findings in Swiss SMEs?

Top three findings: weak WPA2 PSKs on guest or IoT networks (often "CompanyXY2024" or similar), missing 802.1X server certificate validation on corporate WiFi, missing client isolation on guest networks. We see these three findings in over 60 % of SME engagements.

You don't know what attackers see in your network. We do.

30 minutes. A CREST-certified offensive expert shows you where your greatest risk lies. Free of charge. No obligation. Just facts.

No sales pitch, only insights you can put into practice tomorrow

30-minute video call with a CREST-certified offensive expert

Analysis based on your actual infrastructure, not a generic template
