
Wireless is the Last Mile of Attack


Secure facilities continue to face wireless activity that operates beyond the reach of traditional physical and cybersecurity tools.

Recent findings—from wireless exploitation incidents at the UN, to the global impact of Pegasus, to the emergence of the Nearest Neighbor Attack—illustrate how small devices can create outsized risks in controlled spaces.

Modern portable electronics broadcast constantly, even when users believe they are off. These emissions can expose sensitive movement patterns, enable device-to-device compromise, or open pathways into areas not designed to tolerate wireless activity. Understanding these signals is essential for maintaining control within restricted environments.

What You’ll Learn

This briefing provides practical insight into escalating RF-driven risks, including:

  • How the Nearest Neighbor Attack leverages proximity-based wireless behavior
  • What recent UN wireless threat events reveal about vulnerabilities in sensitive facilities
  • Lessons from Pegasus and similar surveillance tooling
  • How unauthorized RF devices enter restricted areas unnoticed
  • What wireless activity patterns indicate about insider behavior
  • Gaps in traditional security frameworks when RF is not monitored
  • Approaches for identifying, assessing, and responding to unauthorized wireless presence

Who Should Attend

This session is designed for professionals responsible for protecting sensitive or controlled spaces, including:

  • Military and government security leadership
  • SCIF and restricted-area managers
  • Counterintelligence and insider threat teams
  • Cybersecurity and physical security personnel
  • Facility and operations leaders overseeing high-security environments

Speakers

  • Justin Fry: CMO, Bastille
  • Dr. Brett Walkenhorst: CTO, Bastille
  • Rodney Alto: Security Advisor (Ex-CIA/ODNI)

Video Transcript

Introduction

Justin Fry: Thank you so much for your interest in our webinar, Wireless is the Last Mile of Attack. My name is Justin Fry. I’m the CMO here at Bastille.

Our speakers today: Dr. Brett Walkenhorst is the Bastille CTO. Brett is the former director of the Software-Defined Radio Lab at Georgia Tech and works closely with all our government and enterprise customers.

Rodney Alto brings decades of leadership as a former senior intelligence executive at the Central Intelligence Agency and at the Office of the Director of National Intelligence. Rodney currently serves as a public sector strategy and security advisor for companies including Goldman Sachs, Google, and Bastille.

Thank you so much for your interest in the event today. Now over to Brett.

Story 1: The Nearest Neighbor Attack

Dr. Brett Walkenhorst: Good. Thanks, Justin. And thanks to Rodney for being with us today. We’ve got some interesting topics to discuss. These are all relevant to the “last mile”—how attackers can project power from a distance, including wireless elements of an attack.

We’ve got two major stories to talk about today. The first is the Nearest Neighbor Attack. I’ll go through the details of that, and Rodney and I will discuss a little bit as we go along. Then, Rodney is going to head up the discussion of wireless threats at the UN with a recent story of a SIM farm. We’ll wrap that up with a discussion of Pegasus and some questions and answers.

So, I’ll get us started with the Nearest Neighbor Attack. Overall, there’s been a long timeline of the development of wireless attacks since the early 20th century, when Marconi, the father of radio, was subjected to a hack by a contemporary. Today, we have AI-powered attacks, COTS (Commercial Off-The-Shelf) hardware, and widely available software that enables teenagers in their mothers’ basements to conduct wireless attacks very efficiently.

Let’s start off with how the Nearest Neighbor Attack works.

In late 2024, a Russian APT (Advanced Persistent Threat) was conducting an attack against a target in the US. From across the ocean, they were attempting to penetrate this target’s network. Their initial efforts were over public-facing services on the internet. They were attempting to obtain credentials from which they could infiltrate the network, compromise data, take control, and achieve whatever objectives they had.

They were successful in that initial attempt in harvesting credentials using a password-spraying attack. However, they weren’t able to go further because the defenders had Multi-Factor Authentication (MFA) implemented on those ports.

So, they got creative. They began to look through open-source information to determine what organizations were nearby the target they were trying to penetrate. As you can imagine, that’s not too hard to do; you can go on Google Maps and find what the next-door organization is.

They then pursued these adjacent organizations—next door, across the street, two streets down. Having successfully penetrated some of these neighboring organizations, whose networks were presumably less secure, they moved laterally. They found multiple dual-homed devices that they could leverage the wireless NIC (Network Interface Controller) on.

Imagine a laptop connected to Ethernet that also has a wireless card. They could appropriate that card and use it as a client to connect to the Wi-Fi network of the primary target.

In this case, it wasn’t really much of an attack. They had the credentials from the first step. All they had to do was grab something close enough that could connect to the Wi-Fi network of their target using those same credentials. As is common, the Wi-Fi was not protected with MFA, so the attackers were able to penetrate at that point.

The Redefinition of Proximity

One of the main points of interest here is that the idea of proximity has been redefined. We’ve often thought that you need to have physical proximity to conduct a wireless attack. But proximity is defined by network reach, not just by physical distance. All I need is connectivity to some device that is physically close enough to my target for me to appropriate that device.

Therefore, your perimeter probably incorporates your neighbors. Your perimeter is bigger than you think.

Defending Against Nearest Neighbor

The first step is bringing visibility to the attack surface. We do that through a system like Bastille’s Airspace Defense solution. We use a multi-channel, high-bandwidth sensor array that scans the RF spectrum to look for wireless packets, extract metadata, and localize every device emitting wirelessly in that area.

With this view, you can identify when wireless devices are behaving in a way that is concerning. For example, when we locate a Wi-Fi client that is outside of the physical perimeter of the facility connecting to the network for the first time, that’s a big red flag.

Other defensive strategies include:

  • Inventory Management: Maintaining an up-to-date inventory of all wireless devices.
  • Network Access Control (NAC): Limiting access until authentication is established.
  • MFA for Wireless: While it increases friction, it would have worked in this scenario.

Rodney Alto: I’d offer a couple of comments. Our adversaries’ tradecraft is persistently evolving and is only constrained by their creativity. The perimeter of the network has dramatically expanded. Visibility is the key to defense. Much like you actively monitor your perimeter fence around a data center, you need to actively monitor the wireless domain.

Story 2: Wireless Threats at the UN (SIM Farms)

Rodney Alto: Let’s jump in. We’re going to talk about the SIM Farm threat that occurred in the New York City area in September, coincident with the UN General Assembly.

The Threat

The US Secret Service identified a SIM farm of approximately 300 SIM servers with 100,000 active SIM cards. Think of those SIM cards working with a server as functionally representing a cell phone. These devices were intentionally placed into electronic “safe houses”—abandoned apartments or commercial spaces in New Jersey, Connecticut, and New York City.

They were all within 35 miles of the UN and had the capacity to generate up to 30 million text messages per minute.

To put that in context: they could have theoretically messaged every person in the United States within a 10 to 15-minute window.

The Opportunity for Attack

If they were to truly turn that on, we would have created a Denial-of-Service (DoS) attack for the entire telecommunications network in the New York area. I am talking about all phone calls, 911 emergency response, and police response. Our infrastructure would have been overwhelmed in minutes, similar to what we observed on 9/11.

It also enabled:

  • Covert communication for nefarious actors/terrorists.
  • Criminal activities that didn’t want to be traced.
  • Eavesdropping and remote operations targeting diplomatic communications at the UN.

Discovery and Takedown

The US Secret Service has a newly formed Advanced Threat Interdiction Unit. As part of an advance for the President or senior officials, they pre-deploy and baseline the area. Through inter-agency coordination, they identified this event. They saw things particularly associated with “swatting” events of key government officials and were able to build a signature profile that led them to this infrastructure.

Who Was Behind It?

This was a well-planned, well-coordinated event. All indications are that this is a nation-state actor, a foreign government, or a criminal organization of significant magnitude. This wasn’t some kid in a basement.

Fortunately, the US Secret Service, working with partners, disabled this infrastructure before the adversary could activate it. However, we have seen similar events happen more recently in Europe. The technology is not new; it is simply server farms and SIM cards brought together in a creative way.

The Invisible Spectrum

This brings us back to the wireless spectrum. There are over 50 different RF protocols likely operating in your facility today. Our adversaries know this. We have great camera systems, locks, and guards, but we are simply not doing enough with RF visibility and real-time monitoring.

Dr. Brett Walkenhorst: Thanks, Rodney. You mentioned scaling. With 100,000 SIMs, you have legitimate access to a network with global reach. Whether you use that resource to disrupt communications, commit fraud, or conduct “smishing” (SMS phishing) campaigns, the impact is massive.

This attack surface is invisible, but it doesn’t have to stay that way. We just have to have the right tools in place.

Future Threats: Data Centers & Pegasus

Dr. Brett Walkenhorst: Briefly, looking at what’s coming next. We see a significant build-out of AI-focused data centers. These are often “dark data centers,” fully automated with minimal human interaction. That automation relies on wireless capabilities, expanding the attack surface.

There was an example of an attack we came across at Bastille where we saw a hotspot routinely coming into a data center and connecting to a client in a rack. They would connect and talk for about 60 minutes. Meanwhile, this cell phone, which powers this mobile hotspot, has cellular connectivity to the cloud.

This is an example where something simple can bypass all the security infrastructure of a sophisticated organization simply by configuring a device within a rack to connect to a hotspot.

Pegasus Spyware

There is also a concern about spyware software, such as the Pegasus toolkit. This is a “zero-click” attack tool—it can be installed on a device with zero user interaction. Once the payload is installed, the attacker has access to everything: hardware, software, firmware, camera, microphone, and positions.

Recently, capabilities from Pegasus were discovered in the hands of a Russian APT targeting a Mongolian government website. This implies these capabilities are propagating beyond just nation-states and becoming more widely available.

Q&A

Justin Fry: Thank you, Rodney and Brett. Fascinating presentation. We have time for a few questions.

Q: How hard do you think the Nearest Neighbor attack is to replicate?

Dr. Brett Walkenhorst: I think each step of the chain wasn’t that hard. The recipe is out there now. It’s inevitable that we’re going to see similar styles of attacks. You don’t have to be a nation-state to conduct that attack; it is within the realm of the possible for a sophisticated hacker.

Rodney Alto: I would agree. The entry costs to conduct these operations have come down dramatically.

Q: What lessons from Pegasus are applicable to safeguarding sensitive AI training environments?

Dr. Brett Walkenhorst: The biggest lesson is that smartphones are not as secure as we’d like to think. For highly sensitive applications like AI data centers, we should be very concerned about what devices are allowed to come into those spaces.

Rodney Alto: We have to be intentional about where we allow cell phones. You likely need to make decisions on not allowing cellular devices inside certain locations. The key to that is an active monitoring posture to confirm no unauthorized devices are present.

Justin Fry: Thank you both so much. To learn more, please visit bastille.net. We’ll be sending out a recording later this week. Thank you, Rodney. Thank you, Brett.
