Ijraset Journal For Research in Applied Science and Engineering Technology
Authors: K. Vani, M. Thanushhri
DOI Link: https://doi.org/10.22214/ijraset.2026.83072
Wireless networks remain a cornerstone of modern embedded, medical, industrial, and Internet of Things (IoT) systems, valued for their flexibility, scalability, and ease of deployment. Although WPA3 has emerged as the latest security standard, Wi-Fi Protected Access II (WPA2) continues to dominate in legacy and resource-constrained devices due to hardware compatibility constraints and migration costs. However, WPA2 is vulnerable to multiple security threats, including deauthentication attacks, management frame spoofing, weak authentication schemes, and exploits such as the Key Reinstallation Attack (KRACK). These vulnerabilities undermine the reliability and confidentiality of wireless communications, particularly in embedded systems supporting critical applications. This research introduces a practical framework to enhance WPA2 security in embedded wireless systems without requiring hardware replacement. The approach integrates WPA3-inspired protections such as IEEE 802.11w Protected Management Frames (PMF), enforced AES-CCMP encryption, secure firmware and driver configurations, and strengthened authentication practices. Implementation is carried out on an embedded Linux platform using the ATWILC3000 Wi-Fi module with an i.MX6ULL processor running Linux Kernel 4.1.15. Configuration and validation employ hostapd, wpa_supplicant, cfg80211, and Wireshark-based packet analysis. Experimental results show that enabling PMF significantly improves resistance to spoofed deauthentication and disassociation attacks while preserving WPA2 compatibility. Enhanced encryption policies and secure configuration practices further bolster network resilience. These findings demonstrate that substantial security gains can be achieved in legacy WPA2 deployments through software-level modifications and protocol hardening, thereby extending the secure operational lifespan of embedded wireless systems.
This work offers a cost-effective, practical methodology for strengthening WPA2 in embedded environments where full migration to WPA3 is not yet feasible.
Wireless communication using Wi-Fi (IEEE 802.11) is widely used, with WPA2 being the most common security protocol. WPA2 provides encryption and authentication using AES-CCMP, but it still has major security weaknesses. Over time, many attacks have been identified, including deauthentication/disassociation attacks, KRACK, dictionary and brute-force attacks, PMKID attacks, Evil Twin attacks, and FragAttacks. A key issue is that WPA2 does not properly protect management frames, allowing attackers to disconnect users or impersonate networks. Weak passwords, legacy encryption (TKIP), and outdated firmware in embedded and IoT devices further increase vulnerability.
WPA3 was introduced to improve security with stronger encryption, forward secrecy, and mandatory protection of management frames. However, many embedded systems cannot easily upgrade to WPA3 due to hardware, cost, and compatibility limitations. As a result, improving WPA2 security through software-level solutions is an important research focus.
This study proposes enhancing WPA2 security in embedded Linux systems using WPA3-inspired features such as Protected Management Frames (IEEE 802.11w), enforced AES-CCMP encryption, and improved firmware and authentication configurations. The work is implemented on an embedded platform using the ATWILC3000 Wi-Fi module with an i.MX6ULL processor running Linux. Packet analysis tools like Wireshark are used to evaluate security improvements.
The literature review shows that while WPA2 improved earlier standards, it remains vulnerable in practice, especially in embedded and IoT systems with limited updates and resources. Existing solutions like intrusion detection systems and machine learning help, but a practical, cost-effective upgrade path for WPA2 is still needed. The proposed framework aims to strengthen WPA2 security without replacing existing hardware, improving resistance to spoofing, handshake attacks, and management frame exploits in real-world embedded environments.
Wireless communication technologies have become an essential part of modern digital infrastructure due to their flexibility, mobility, and ease of deployment. Wi-Fi is the most frequently used means of communicating data wirelessly in a fixed location [1]. The IEEE 802.11 standard defines communication among networks at the MAC layer through the exchange of three frame types: control frames, data frames, and management frames [2]. Among the various wireless security protocols developed for protecting Wi-Fi communications, Wi-Fi Protected Access II (WPA2) has remained one of the most extensively deployed standards for securing wireless local area networks (WLANs). WPA2 provides confidentiality, integrity, and authentication through the implementation of the IEEE 802.11i standard and the use of Advanced Encryption Standard Counter Mode Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). WPA2 supports two modes of security, “Home User” and “Corporate User”. A pre-shared passphrase or passkey is used in Home User mode, and access points are manually configured for authentication [3]. Despite its widespread adoption, WPA2 suffers from several security limitations and vulnerabilities that can compromise wireless communications. Over the years, researchers and security analysts have demonstrated multiple attacks against WPA2 networks, including deauthentication attacks, disassociation attacks, dictionary-based password cracking, Evil Twin attacks, PMKID attacks, and the Key Reinstallation Attack (KRACK). One of the major weaknesses of traditional WPA2 implementations is the lack of mandatory protection for management frames, allowing attackers to spoof deauthentication or disassociation frames and force wireless clients to disconnect from legitimate networks.
Such attacks can significantly affect the reliability and availability of wireless communication systems, especially in embedded and mission-critical environments such as medical devices and industrial control systems. To address the growing security concerns in wireless networks, the Wi-Fi Alliance introduced WPA3 which addresses the inherent vulnerabilities of previous protocols by implementing more robust cryptographic algorithms and enhanced authentication protocols, thereby mitigating risks such as dictionary attacks and ensuring forward secrecy. [4] However, the migration from WPA2 to WPA3 is challenging for many embedded and legacy systems due to hardware limitations, firmware compatibility issues, computational constraints, and increased deployment costs. As a result, a large number of embedded wireless devices continue to operate using WPA2-based infrastructure. In many real-world applications, especially in embedded Linux systems, replacing wireless hardware to support WPA3 is not economically or technically feasible. Therefore, improving the security of existing WPA2 deployments through software-level enhancements and protocol hardening techniques has become an important area of research. This research focuses on enhancing WPA2 security in embedded wireless systems by incorporating selected WPA3-inspired security mechanisms without requiring major hardware modifications. The proposed approach includes the implementation of Protected Management Frames (PMF) based on IEEE 802.11w, enforcement of AES-CCMP encryption, secure firmware and driver configuration, and strengthened wireless authentication practices. The implementation and analysis presented in this research are performed using the ATWILC3000 Wi-Fi module integrated with the i.MX6ULL processor running Linux Kernel 4.1.15. 
The Linux wireless stack components, including cfg80211, hostapd, and wpa_supplicant, are configured and analysed to study the feasibility of implementing enhanced security mechanisms in resource-constrained embedded systems. Wireshark-based packet analysis is used to validate the behaviour of management frame protection and to observe the differences between standard WPA2 communication and enhanced WPA2 security configurations. The primary objective of this research is to develop a practical and cost-effective framework for improving WPA2 security in embedded wireless environments while maintaining compatibility with existing hardware platforms. By implementing PMF and strengthening wireless security configurations, this work aims to reduce the susceptibility of WPA2 networks to spoofing and management frame attacks. The study also evaluates the effectiveness of these enhancements in improving the resilience, reliability, and overall security posture of embedded wireless systems.
II. BACKGROUND AND LITERATURE REVIEW
Wireless communication technologies based on the IEEE 802.11 standards have become the foundation of modern wireless networking systems. As wireless communication became more common, securing wireless transmissions against unauthorized access and attacks became a major research concern. Wireless network security is conventionally achieved through cryptographic protocols at multiple layers in the network stack, including IP Security, Wi-Fi Protected Access, and Secure Sockets Layer [5]. The development of wireless security protocols evolved from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access (WPA) and eventually to Wi-Fi Protected Access II (WPA2), which became the industry standard for wireless security after the ratification of IEEE 802.11i in 2004. WPA2 introduced major improvements over WEP and WPA by implementing stronger authentication and encryption mechanisms.
The protocol primarily relies on the IEEE 802.11i security framework and uses AES-CCMP encryption to ensure confidentiality, integrity, and authentication of wireless traffic. WPA2 operates in two modes: WPA2-Personal, which uses a Pre-Shared Key (PSK), and WPA2-Enterprise, which uses IEEE 802.1X authentication with authentication servers. Although WPA2 significantly improved wireless security compared to earlier standards, several vulnerabilities and implementation weaknesses were discovered over time. One of the most significant WPA2 vulnerabilities is the Key Reinstallation Attack (KRACK), discovered by Mathy Vanhoef in 2017. KRACK exploits weaknesses in the WPA2 four-way handshake procedure by manipulating retransmitted handshake messages, causing cryptographic key reinstallation and nonce reuse. This allows attackers to replay, decrypt, and in some cases forge packets within wireless communications. The vulnerability affected millions of Wi-Fi devices, particularly embedded and IoT systems that lacked timely firmware and software updates. Apart from KRACK, wireless networks remain vulnerable to several management frame attacks such as deauthentication and disassociation attacks. Traditional WPA2 implementations do not protect management frames, allowing attackers to spoof deauthentication packets and force legitimate users to disconnect from wireless networks. These attacks are widely used in denial-of-service scenarios and in advanced attacks such as Evil Twin attacks and Multi-Channel Man-in-the-Middle attacks. Recent studies have shown that such attacks continue to affect both WPA2 and WPA3 environments under certain conditions. Rogue access points are another vulnerability. A rogue access point broadcasts the legitimate SSID, so a legitimate device may connect to the fake access point using the legitimate Pre-Shared Key [2]. Once the key is obtained, anyone could enter the network.
To address management frame vulnerabilities, IEEE introduced the IEEE 802.11w amendment, commonly known as Protected Management Frames (PMF) or Management Frame Protection (MFP). PMF provides integrity and authentication protection for selected management frames, thereby reducing the effectiveness of spoofed deauthentication and disassociation attacks. Research studies have shown that PMF significantly improves wireless network resilience, particularly in embedded and IoT environments where denial-of-service attacks can critically affect system reliability. However, several studies also indicate that PMF alone is not sufficient to eliminate all wireless security threats. Researchers have identified weaknesses in management frame handling and demonstrated attacks capable of bypassing certain PMF protections under specific implementation conditions. Studies on WPA2 and WPA3 management frame vulnerabilities have revealed that improper implementation of PMF can still expose wireless systems to denial-of-service attacks. Another major concern in WPA2 deployments is the continued use of legacy encryption protocols such as TKIP. Although WPA2 supports AES-CCMP, many legacy systems still maintain backward compatibility with TKIP for older devices. Security researchers and industry organizations strongly discourage the use of TKIP because of its known cryptographic weaknesses and susceptibility to replay and packet injection attacks. Modern wireless security recommendations encourage exclusive use of AES-CCMP in WPA2 deployments. Embedded systems and IoT devices face unique security challenges that set them apart from traditional computing platforms. Many of these devices run on older operating system kernels and outdated firmware, and they often have limited processing power and memory. Because of these constraints, they can go for long periods without receiving critical security updates. 
This makes them appealing targets for attackers, especially those using wireless exploits. Research into IoT wireless security shows that delays in firmware updates and incomplete adoption of Protected Management Frames (PMF) leave many devices vulnerable to well-known threats such as KRACK, FragAttacks, and multi-channel man-in-the-middle attacks. Several recent research efforts have focused on improving wireless security through intrusion detection systems, machine learning techniques, and enhanced wireless monitoring. Wireless intrusion detection systems have been proposed to detect attacks such as deauthentication flooding, beacon flooding, and rogue access point behavior in WPA2 and WPA3 networks. Zhang et al. [6] proposed using the MAC filtering mechanism where a smart client can differentiate between legitimate and non-legitimate frames. Machine learning approaches are also being explored for adaptive wireless security monitoring and anomaly detection in IEEE 802.11 networks. While WPA3 offers stronger protections—such as Simultaneous Authentication of Equals (SAE), mandatory PMF, and forward secrecy—many embedded systems struggle to adopt it fully due to hardware and firmware limitations. As a result, improving the security of existing WPA2-based systems has become a practical and cost-effective focus for many organizations. Current best practices include enabling PMF wherever possible, enforcing AES-CCMP encryption, patching known vulnerabilities in wireless supplicant software, and ensuring firmware integrity. Together, these measures can significantly improve the security posture of legacy devices without requiring expensive hardware replacements. The present research builds upon these findings by focusing on the implementation of WPA3-inspired security mechanisms within WPA2-based embedded Linux systems. 
The proposed framework specifically targets embedded hardware platforms using the ATWILC3000 Wi-Fi module integrated with the i.MX6ULL processor running Linux Kernel 4.1.15. By implementing PMF, secure wireless configuration practices, and enhanced driver and firmware security mechanisms, this work aims to provide a practical and cost-effective approach for improving WPA2 security without requiring complete hardware replacement.
III. VULNERABILITIES AND SECURITY CHALLENGES IN WPA2 NETWORKS
Wi-Fi Protected Access II (WPA2) was introduced as a major improvement over previous wireless security mechanisms such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WPA2 enhanced wireless security through the use of IEEE 802.11i standards, AES-CCMP encryption, and improved authentication mechanisms. Despite these advancements, WPA2 networks remain vulnerable to multiple security threats and implementation weaknesses that continue to affect embedded systems, enterprise networks, IoT devices, and wireless communication infrastructures. Over time, researchers and cybersecurity analysts have identified several attack vectors capable of compromising the confidentiality, integrity, and availability of WPA2-protected networks.
One of the most common vulnerabilities in WPA2 networks is the deauthentication attack. In traditional IEEE 802.11 networks, management frames such as deauthentication and disassociation frames are transmitted without cryptographic protection. As a result, attackers can spoof these management frames and force legitimate wireless clients to disconnect from an access point. Deauthentication attacks are widely used in denial-of-service attacks and are frequently combined with credential-harvesting attacks such as Evil Twin attacks [7]. Since WPA2 does not mandate protection of management frames, these attacks remain highly effective in networks where Protected Management Frames (PMF) are not enabled.
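The following is an added example, not code from the paper: the header-level check a capture review applies when validating PMF, sorting deauthentication and disassociation frames into CCMP-protected unicast, BIP-protected group-addressed (MMIE present), or unprotected. The frames and MAC addresses are constructed samples, the input is assumed to be raw 802.11 MAC frames without a radiotap header, and all function names belong to this example.

```python
"""Classify 802.11 deauthentication/disassociation frames by 802.11w protection."""
import struct
from collections import Counter

SUBTYPES = {0x0A: "disassoc", 0x0C: "deauth"}   # management frame subtypes
PROTECTED_FLAG = 0x40   # "Protected Frame" bit in the Frame Control flags byte
MMIE_ID = 76            # Management MIC element that BIP appends to group frames
MAC_HDR_LEN = 24        # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _has_mmie(body):
    """Walk the elements that follow the 2-byte reason code, looking for an MMIE."""
    i = 2
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            return False                      # truncated element: treat as absent
        if eid == MMIE_ID and elen in (16, 24):
            return True
        i += 2 + elen
    return False


def classify(frame):
    """Return None for other frames, else kind, addresses and protection state.

    This inspects headers only: a sniffer without the session keys cannot
    verify the CCMP or BIP MIC, and the transmitter address is only claimed.
    """
    if len(frame) < MAC_HDR_LEN + 2:
        return None
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    ra, ta = frame[4:10], frame[10:16]
    group = bool(ra[0] & 0x01)                # group bit of the receiver address
    if not group and flags & PROTECTED_FLAG:
        state = "protected-unicast"
    elif group and _has_mmie(frame[MAC_HDR_LEN:]):
        state = "protected-group"
    else:
        state = "unprotected"                 # what a spoofed frame looks like
    return {"kind": SUBTYPES[subtype], "ra": _mac(ra), "ta": _mac(ta), "state": state}


def unprotected_by_sender(frames):
    """Count unprotected deauth/disassoc frames per claimed transmitter."""
    counts = Counter()
    for frame in frames:
        info = classify(frame)
        if info and info["state"] == "unprotected":
            counts[info["ta"]] += 1
    return counts


def _sample(subtype, flags, ra, ta, body):
    """Build a constructed management frame (type 0) for the demo below."""
    return bytes([subtype << 4, flags]) + b"\x00\x00" + ra + ta + ta + b"\x00\x00" + body


AP = bytes.fromhex("020000000001")            # constructed, locally administered
STA = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
REASON = struct.pack("<H", 7)
SAMPLES = [
    _sample(0x0C, 0x00, STA, AP, REASON),                                  # plain unicast deauth
    _sample(0x0C, 0x40, STA, AP, bytes(8) + bytes(10)),                    # CCMP header + ciphertext
    _sample(0x0C, 0x00, BCAST, AP, REASON + bytes([MMIE_ID, 16]) + bytes(16)),  # BIP MMIE
    _sample(0x0A, 0x00, BCAST, AP, REASON),                                # plain broadcast disassoc
    _sample(0x08, 0x00, BCAST, AP, bytes(12)),                             # beacon, ignored
]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(classify(frame))
    print(dict(unprotected_by_sender(SAMPLES)))
```

On an association that negotiated PMF, frames in the "unprotected" class are the ones the receiver is expected to discard; on a network without PMF they are accepted as sent.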
Another major WPA2 vulnerability is the Key Reinstallation Attack (KRACK), discovered by Mathy Vanhoef in 2017. KRACK exploits weaknesses in the WPA2 four-way handshake process by forcing victims to reinstall previously used encryption keys. During retransmission of handshake messages, attackers manipulate nonce values and replay packets, resulting in nonce reuse and weakened encryption security. For a KRACK attack to succeed, the hacker needs to be close to the target. The proximity is necessary because the target and the hacker have to share the same Wi-Fi network. [8] This vulnerability allows attackers to decrypt network traffic, replay packets, and potentially inject malicious data into wireless communications. WPA2 networks are also vulnerable to dictionary and brute-force attacks due to weak Pre-Shared Keys (PSKs). In WPA2-Personal mode, network security heavily depends on the strength of user-defined passwords. Attackers can capture the WPA2 four-way handshake and perform offline dictionary attacks to recover weak passwords. Since the handshake process itself is not encrypted, attackers can repeatedly attempt password combinations without directly interacting with the access point. Weak passwords and poor credential management practices therefore remain one of the primary causes of WPA2 compromise.[9] PMKID attacks represent another significant weakness in WPA2 networks. In these attacks, attackers capture the Pairwise Master Key Identifier (PMKID) directly from the access point without requiring a connected client. The captured PMKID can then be used for offline password cracking attacks. PMKID attacks simplify wireless credential attacks because attackers no longer need to wait for a legitimate client to reconnect or perform a deauthentication attack to capture handshake data. [10] This method became increasingly popular after tools such as Hashcat and hcxdumptool introduced automated PMKID capture and cracking capabilities. 
Another serious security threat is the Evil Twin attack. In this attack, attackers create a rogue access point that imitates a legitimate wireless network by copying the same SSID, channel configuration, and security settings. Victims unknowingly connect to the rogue access point, allowing attackers to intercept traffic, steal credentials, or launch further attacks.[11] Evil Twin attacks are commonly combined with deauthentication attacks to force users away from legitimate networks. Embedded and IoT systems are particularly vulnerable because many devices automatically reconnect to previously known networks without validating the authenticity of the access point. Management frame vulnerabilities are further exploited through beacon flooding and association flooding attacks. In beacon flooding attacks, attackers transmit large numbers of fake beacon frames to overwhelm wireless clients and confuse network discovery mechanisms. Association flooding attacks attempt to exhaust access point resources by continuously sending association requests. These attacks reduce network availability and can significantly degrade wireless performance in embedded and industrial environments. Since many low-resource embedded devices lack advanced intrusion detection capabilities, they are especially susceptible to such attacks. [12] The continued use of legacy encryption mechanisms such as TKIP also contributes to WPA2 insecurity. Although WPA2 supports AES-CCMP encryption, many devices retain TKIP compatibility for backward support with older hardware. TKIP relies on outdated cryptographic mechanisms and is vulnerable to replay attacks, packet injection, and key recovery attacks. Modern wireless security guidelines strongly discourage the use of TKIP and recommend exclusive use of AES-CCMP. WPA3 completely removes TKIP support because of these security weaknesses. 
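As an added example (not the paper's configuration or code), the sketch below audits hostapd.conf text for the settings this section argues against: legacy WPA, TKIP as an accepted cipher, and disabled or optional PMF. Both configuration samples are constructed, and the finding names and the passphrase-length threshold are assumptions of this example.

```python
"""Audit hostapd.conf text for the WPA2 hardening settings discussed above."""

MIN_PASSPHRASE_LEN = 20  # assumed local policy threshold, not a value from the paper

MESSAGES = {
    "no-wpa": "wpa=0 or unset: the BSS is not using WPA2 at all",
    "wpa1-enabled": "wpa has bit 0 set: legacy WPA (v1) is still offered",
    "tkip-enabled": "TKIP is an accepted pairwise cipher; allow CCMP only",
    "pmf-disabled": "ieee80211w=0: deauth/disassoc frames are not authenticated",
    "pmf-optional": "ieee80211w=1: clients that skip PMF remain spoofable",
    "short-passphrase": f"wpa_passphrase is shorter than {MIN_PASSPHRASE_LEN} characters",
}

# Constructed sample: mixed WPA/WPA2, TKIP allowed, PMF left at its default (0).
WEAK_CONF = """\
interface=wlan0
ssid=example-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=changeme123
"""

# Constructed sample: WPA2 only, CCMP only, PMF required.
HARDENED_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=constructed-sample-passphrase-only
"""


def parse_conf(text):
    """hostapd.conf holds one key=value per line; '#' starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def _int(conf, key):
    try:
        return int(conf.get(key, "0"))
    except ValueError:
        return 0


def audit(text):
    """Return the list of finding ids (keys of MESSAGES) for one configuration."""
    conf = parse_conf(text)
    wpa = _int(conf, "wpa")               # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    if wpa == 0:
        return ["no-wpa"]
    findings = []
    if wpa & 1:
        findings.append("wpa1-enabled")
    # hostapd.conf documents wpa_pairwise as defaulting to TKIP and
    # rsn_pairwise as defaulting to the wpa_pairwise value.
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP")
    ciphers = set()
    if wpa & 1:
        ciphers |= set(wpa_pairwise.split())
    if wpa & 2:
        ciphers |= set(conf.get("rsn_pairwise", wpa_pairwise).split())
    if "TKIP" in ciphers:
        findings.append("tkip-enabled")
    pmf = _int(conf, "ieee80211w")        # 0 = disabled, 1 = optional, 2 = required
    if pmf == 0:
        findings.append("pmf-disabled")
    elif pmf == 1:
        findings.append("pmf-optional")
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("short-passphrase")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, [MESSAGES[f] for f in audit(text)] or "no findings")
```

Setting ieee80211w=2 refuses clients that cannot negotiate PMF, so a deployment that must keep such clients connected will show the "pmf-optional" finding by design.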
Embedded wireless systems face additional challenges because they often operate with outdated Linux kernels, unpatched firmware, and limited processing capabilities. Resource-constrained devices frequently prioritize low power consumption and cost reduction over security implementation. As a result, many embedded systems continue to operate with vulnerable drivers, incomplete PMF support, and outdated supplicant implementations. [13] Furthermore, firmware updates in embedded environments are often infrequent or entirely absent, increasing long-term exposure to wireless attacks. Another emerging concern is the rise of FragAttacks (Fragmentation and Aggregation Attacks), which exploit weaknesses in Wi-Fi frame fragmentation and aggregation mechanisms. FragAttacks affect multiple Wi-Fi security protocols, including WPA2 and WPA3, and can allow attackers to inject malicious packets into wireless networks under certain conditions. Although firmware patches can mitigate these attacks, many embedded systems remain vulnerable because of delayed firmware update cycles. [14] Wireless attacks are getting more complicated these days, and it feels like sticking with the usual WPA2 setup just doesn’t cut it for keeping modern embedded systems safe. Those vulnerabilities we talked about earlier really point out how we need something extra to build up resilience in wireless connections, but without having to jump straight to WPA3 all at once. I think things like Protected Management Frames or PMF could make a difference, along with making sure AES-CCMP encryption is enforced properly, and then there’s strengthening the firmware to avoid tampering. Improving how authentication works on wireless networks seems
[1] https://www.lifewire.com/what-is-wi-fi-2377430
[2] Taskin, M. (2008) WEP Post Processing Algorithm for Robust 802.11 WLAN Implementation. Science Direct: Computer Communication Journal 31, 3405-3409.
[3] Najar, Z. and Mir, R. (2021) Wi-Fi: WPA2 Security Vulnerability and Solutions. Wireless Engineering and Technology, 12, 15-22. doi: 10.4236/wet.2021.122002.
[4] Vidhan Dilip Gambhire, Sushant Ramchandra Gade, Sandhya Kaprawan, Aniket Gupta, University Department of Information & Technology (MSc. Cybersecurity), University of Mumbai. Wireless Wi-Fi Access Point Security: An Analysis of WPA, WPA2, WPS, and WPA3.
[5] A. S. Abrar, N. Patwari, and S. K. Kasera, “Quantifying Interference-Assisted Signal Strength Surveillance of Sound Vibrations,” IEEE Transactions on Information Forensics and Security, vol. 16, p. 2018, Dec. 2020, doi: 10.1109/tifs.2020.3045316
[6] Zhang, Y. and Sampalli, S. (2010) Client-based Intrusion Prevention System for 802.11 Wireless LANs, WiMob2010. Proceedings of the 6th International Conference IEEE 2010 on Wireless and Mobile Computing, Networking and Communication, Niagara Falls, 11-13 October 2010, 100-107.
[7] Lounis, K., Ding, S.H.H., Zulkernine, M. (2022). Cut It: Deauthentication Attacks on Protected Management Frames in WPA2 and WPA3. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_16
[8] What is a Krack Attack? | Fortinet
[9] Alfaro, J.G., Cuppens, F., Cuppens-Boulahia, N. (2007). Management of Exceptions on Access Control Policies. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_9
[10] Distributed WPA PSK strength auditor
[11] Shufeng Li, Mingyu Cai, Robert Edwards, Yao Sun, Libiao Jin, Research on encoding and decoding of non-binary polar codes over GF(2m), Digital Communications and Networks, Volume 8, Issue 3, 2022
[12] "[Front cover]," 2021 8th International Conference on Electrical and Electronics Engineering (ICEEE), Antalya, Turkey, 2021, pp. c1-c4, doi: 10.1109/ICEEE52452.2021.9415962.
[13] Manesh Thankappan, Helena Rifà-Pous, Carles Garrigues, Multi-Channel Man-in-the-Middle attacks against protected Wi-Fi networks: A state of the art review, Expert Systems with Applications, Volume 210, 2022
[14] FragAttacks: Security flaws in all Wi-Fi devices
[15] How to Build a Real-Time Intrusion Detection System with Python and Open-Source Libraries
Copyright © 2026 K. Vani, M. Thanushhri. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Paper Id : IJRASET83072
Publish Date : 2026-05-25
ISSN : 2321-9653
Publisher Name : IJRASET
