Security problems with two active network interfaces
You may have already wondered: if common laptops have both Wi-Fi and Ethernet network interfaces present, does this create a security risk in a business environment?
The risk in question is this use case: you are connected to the company LAN via a cable and at the same time you are connected to the Wi-Fi of the coffee shop nearby (because it is very close to you and you are used to going there and using its Wi-Fi).
Maybe you have also heard someone say that the Ethernet interface always has priority over Wi-Fi, so as soon as you connect to Ethernet, the Wi-Fi connection goes down.
Is it really so, and what is the danger, if any?
While the priority part may be true, because the OS typically prefers the fastest route (based on the network service order), it does not mean that Wi-Fi gets disconnected automatically.
It certainly does not happen unless it is taken care of manually or automatically, e.g. using an Active Directory GPO configuration. The default setting both for an MS Windows 11 desktop and for AD is "allow both to coexist".
The right security question is not "which interface wins" but what happens when both are active, and whether that creates an automatic bridge between a trusted LAN and an untrusted network.
The problem lies in possible internal routing between the Ethernet and Wi-Fi interfaces.
Two active network interfaces become a real security hole only if:
- the OS or the user creates a bridge (e.g. Windows "Network Bridge", macOS Internet Sharing),
- malware installs a soft AP, proxy, or forwarding service, turning the laptop into a gateway,
- the corporate LAN trusts the endpoint too much (no segmentation, no real access control to systems on the LAN),
- the endpoint is compromised and can exfiltrate data over the second interface (e.g. LAN in, Wi-Fi out); the MS Windows firewall with default rules will not prevent outbound traffic and will not stop the exfiltration (its main task is to block inbound traffic).
So without bridging or forwarding, the two networks remain logically isolated.
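The conditions listed above can be checked on a Windows 11 endpoint. The following read-only audit script is an added example, not part of the original article: it lists the physical interfaces that are up, looks for a Network Bridge adapter, enabled IP forwarding, the Internet Connection Sharing service and an active Wi-Fi Direct (Mobile Hotspot) adapter, shows the firewall profiles' default outbound action, and reads the registry values behind the two Windows Connection Manager group policies. It assumes the built-in NetAdapter, NetTCPIP and NetSecurity modules (shipped with Windows) and that the registry value names fMinimizeConnections and fBlockNonDomain are the backing of those policies on your build; the heuristics are labelled as such in the comments.

```powershell
# Added audit script (not from the original article). Read-only: it reports and changes nothing.
# Run in an elevated PowerShell on Windows 10/11. Assumptions: built-in NetAdapter, NetTCPIP and
# NetSecurity modules are present; the registry value names below back the two WCM group policies.

function Get-ActiveInterfaces {
    # Physical adapters that are actually up; PhysicalMediaType tells wired (802.3) from Wi-Fi (Native 802.11).
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and -not $_.Virtual } |
        Select-Object Name, InterfaceDescription, PhysicalMediaType, ifIndex
}

function Find-BridgeOrSharing {
    $findings = @()

    # 1. Windows "Network Bridge": an adapter named "Network Bridge" backed by the Microsoft Network
    #    Adapter Multiplexor driver (NIC teaming uses the same driver, so both conditions are reported).
    $bridge = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Network Bridge' -or $_.InterfaceDescription -like '*Multiplexor*' }
    if ($bridge) { $findings += "Network Bridge / multiplexor adapter present: $($bridge.Name -join ', ')" }

    # 2. IP forwarding enabled on any interface turns the host into a router between its networks.
    $fwd = Get-NetIPInterface | Where-Object { $_.Forwarding -eq 'Enabled' }
    foreach ($i in $fwd) { $findings += "IP forwarding enabled on ifIndex $($i.ifIndex) ($($i.AddressFamily))" }

    # 3. Internet Connection Sharing (service name SharedAccess) is what ICS and Mobile Hotspot rely on.
    $ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    if ($ics -and $ics.Status -eq 'Running') { $findings += 'Internet Connection Sharing service is running' }

    # 4. Heuristic: a Wi-Fi Direct virtual adapter that is Up usually means Mobile Hotspot (a soft AP) is on.
    $softap = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -like '*Wi-Fi Direct Virtual Adapter*' -and $_.Status -eq 'Up' }
    if ($softap) { $findings += 'Wi-Fi Direct virtual adapter is Up (possible Mobile Hotspot / soft AP)' }

    return $findings
}

function Get-OutboundFirewallPosture {
    # Default profiles block inbound but allow outbound, so exfiltration over the second interface
    # is only stopped by the firewall when DefaultOutboundAction is Block (plus explicit allow rules).
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Get-WcmPolicy {
    # Registry backing (assumed value names) of the GPO settings under
    # Computer Configuration > Administrative Templates > Network > Windows Connection Manager:
    #   fMinimizeConnections: "Minimize the number of simultaneous connections to the Internet or a Windows Domain"
    #   fBlockNonDomain:      "Prohibit connection to non-domain networks when connected to domain authenticated network"
    # A missing value means the policy is "not configured" and the OS default applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MinimizeConnections = if ($null -ne $p.fMinimizeConnections) { $p.fMinimizeConnections } else { 'not configured' }
        BlockNonDomain      = if ($null -ne $p.fBlockNonDomain)      { $p.fBlockNonDomain }      else { 'not configured' }
    }
}

# --- report ---
$active = Get-ActiveInterfaces
'Active physical interfaces:'; $active | Format-Table -AutoSize
if (($active | Measure-Object).Count -gt 1) {
    'WARNING: more than one physical interface is up (e.g. LAN + Wi-Fi); checking for a bridge or forwarding...'
}
$problems = Find-BridgeOrSharing
if ($problems) { $problems | ForEach-Object { "FINDING: $_" } }
else { 'No bridge, forwarding or sharing detected; the networks stay logically isolated.' }
'Firewall profiles (note DefaultOutboundAction):'; Get-OutboundFirewallPosture | Format-Table -AutoSize
'Windows Connection Manager policy:'; Get-WcmPolicy | Format-List
```

The script is only a point-in-time check; in a managed environment the same values are better collected centrally (e.g. through the endpoint management or EDR inventory) and the two WCM policies enforced by GPO rather than relied on as defaults.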
Could it still be dangerous?
Not really, because our line of defense is not at the network level anymore; truly separating the internal and external environments is not possible today.
The endpoint device must by default be considered untrusted ("zero trust" doctrine) and therefore must be managed with enforceable policies, subnets/VLANs, limited privileges, anti-malware and central monitoring.
If we do not apply zero trust principles in general, then we have bigger problems than two active network interfaces on an endpoint device.
