I Wardrove Game On Expo 2026. Here’s What the RF Said.
I went to Game On Expo 2026 in Phoenix with one goal: see what a gaming convention’s RF environment actually looks like from the ground. One Samsung S21, WiGLE running in my pocket, and a few hours of walking the floor.
I came home with 28,355 records. This is what they said.
| Record Type | Count |
|---|---|
| Total records | 28,355 |
| WiFi APs | 12,249 |
| BLE devices | 16,006 |
| BT Classic devices | 100 |
Before I get into what I found: I wasn’t connected to any network that wasn’t mine. I wasn’t exploiting anything I didn’t own. This is passive observation — the wireless equivalent of watching what radio stations are playing as you drive through a neighborhood. WiGLE logs what your phone hears. That’s it.
What my phone heard was alarming in a few specific ways.
The WiFi Landscape
The venue infrastructure was professionally managed. The core event networks — WM2026, SCN WiFi — used fast roaming (802.11r FT/PSK), which tells you a real network team deployed this. The corporate backbone (CORP, Exact-Corp, CHL-CORP, esw-corp) ran WPA2-Enterprise with 802.1X, the right choice for a multi-tenant facility.
Then there’s everything else.
The Operational Networks That Shouldn’t Be This Visible
This is the part that would keep a security team up at night. Running alongside the well-architected core were a set of clearly operational networks broadcast loudly across the entire floor:
| SSID | What It Is | Auth | Risk |
|---|---|---|---|
aramarkpos |
Aramark point-of-sale network (food / concessions) | WPA2-PSK | High |
Etix |
Ticketing system network | WPA2-PSK | High |
SCANNERS / Exact-Scanners |
Badge and entry scanning infrastructure | WPA2-PSK | High |
GS Admin |
Admin network — strongest signal captured (-44 dBm) | WPA2-PSK | High |
DrMC Streaming / DrMC Scorekeeping |
Live production and scorekeeping backup networks | WPA2-PSK | Medium |
CK_MGR / COS-MGMT |
Manager and management tier networks | WPA2-PSK | Medium |
NCAA Show |
Main show network, massive AP density across all channels | WPA2-PSK | Medium |
The pattern here is the same one I see in enterprise audits: the security investment went into the corporate backbone, and the operational tier got whatever was convenient. PSK on a POS network isn’t just a configuration choice — it means one compromised credential opens the entire payment processing segment to anyone in the building.
aramarkpos appeared on over 30 different channels across the venue floor. That’s not a network confined to the concession stands — that’s blanket coverage of the entire facility. A flat POS network with PSK authentication, broadcast at walking-through-a-crowd signal strength, is a textbook target for a real engagement.
The 13 WEP Networks
WEP was deprecated in 2004. It is trivially crackable with freely available tooling, typically in under a minute with a packet capture file. In 2026, at a professionally staffed event, there are 13 WEP-encrypted networks in the venue. All had hidden SSIDs — someone made a deliberate choice to conceal them but kept WEP enabled. That’s legacy hardware that hasn’t been touched in years, still running.
The Open Networks (1,086 APs)
Open guest networks are expected at a convention center — CoxWiFi, Exhibitor Internet, Complimentary. These are the standard venue pass-through deployments. What’s notable is the scale: over 1,000 AP records from open networks, meaning anyone who connected to a guest network had their traffic completely visible to anyone else on the same segment. At an event full of exhibitors demoing products, that assumption gets tested constantly.
The Good News: WPA3 Adoption
1,564 networks were running WPA3/SAE — more than I expected. GEC-Staff had both SAE and Management Frame Protection (MFPR/MFPC) enabled, which is the right configuration. That’s a vendor who did their homework.
The BLE Layer: A Gaming Expo in Data
The BLE scan tells you exactly what kind of event this was before you read a single sign. 16,006 BLE advertisement records, with the following top named devices:
| Device | Appearances | Notes |
|---|---|---|
| Quest 3S | 159 | Meta VR headsets in active use across the floor |
| Pokémon GO Plus / GO Plus+ | 52 | Expected at a gaming event |
| Tile | 49 | Asset trackers on exhibitor gear |
| JBL PartyBox Club 120 | 30 | Booth audio gear in BLE pairing mode |
| Seos | 12 | HID access control credentials — venue staff or exhibitors |
| YamahaAV | 12 | AV receiver in active BLE pairing state |
| LEDDMX-00-027F | 6 | DMX lighting controller in BLE discovery mode |
The Quest 3S count of 159 is the standout. That’s not 159 unique units — WiGLE logs each advertisement event, so a device moving through your scan range appears multiple times. But sustained visibility at that count means a significant cluster of headsets in close proximity for a meaningful period. Gaming expo confirmed.
A few findings worth flagging beyond the obvious gaming gear:
Seos (12 appearances): Seos is HID’s access control credential platform — the same standard used in corporate badge readers and hotel door locks. Someone was carrying Seos-enabled credentials in that room, almost certainly venue staff or a corporate exhibitor. Harmless in isolation, but notable that HID access control technology was passively detectable from the show floor.
LEDDMX-00-027F: A DMX lighting controller with BLE sitting in discovery mode. Production and stage lighting gear often has minimal authentication — this is exactly the kind of device that gets overlooked in venue security reviews.
Apple manufacturer ID (0x004c): 9,678 records. By an enormous margin, the most common BLE manufacturer in the entire scan was Apple. iPhones, AirPods, AirTags. That’s the modern crowd baseline — not a security concern, but useful for understanding attendee density and device distribution across the floor.
BT Classic: The Interesting 100
Classic Bluetooth is more revealing than BLE because discoverable devices broadcast their actual device names. 100 BT Classic records showed up, including:
- Samsung QMR / QBR / QMB Series (commercial signage displays): 11 records total. These are the large-format panels used for booth signage throughout the venue. Commercial Samsung displays have BT enabled by default and accept connections without a PIN on older firmware. Most vendors don’t update firmware on signage hardware.
- LG webOS TV QNED80TUC: 4 records. Commercial display, BT on, probably never touched since unboxing.
DESKTOP-01AK9OJandTHEATERKE-ACER: Windows machines broadcasting their hostnames over BT. Default naming conventions on deployed machines suggest they weren’t hardened before deployment. In a more aggressive engagement, these would be your first lateral pivot candidates.- OsmoPocket3-C049: A DJI camera in BT discovery mode. Press or content creation crew on the floor.
The Channel Distribution
For anyone managing wireless at a dense event, the top channels by AP count:
| Channel | AP Count | Band |
|---|---|---|
| 157 | 1,115 | 5 GHz |
| 6 | 1,021 | 2.4 GHz |
| 44 | 1,018 | 5 GHz |
| 1 | 947 | 2.4 GHz |
| 36 | 945 | 5 GHz |
| 11 | 677 | 2.4 GHz |
The 5 GHz distribution is healthy — most of the density is up in the band where there’s more spectrum to work with. The 2.4 GHz channels follow the standard 1/6/11 non-overlapping split. The venue’s network team deployed a proper managed wireless system with reasonable channel planning. The security posture just doesn’t match the deployment quality.
What This Actually Means
A passive wardriving pass with a consumer phone isn’t a security audit. I want to be precise about that. I’m seeing what’s broadcasted, not what’s accessible. PSK on aramarkpos is only a problem if someone has the passphrase — maybe they’re rotating it per event with a complex key. I don’t know that.
What I do know: the information available from the floor of Game On Expo 2026, without connecting to anything, without any specialized hardware — just a phone and a free app — includes the complete map of operational network segmentation, the hostnames of deployed Windows machines, the access control credential standard in use by venue staff, the production AV and lighting infrastructure, and the specific ticketing and POS vendors handling financial transactions on the floor.
That’s a reconnaissance profile. A real attacker uses exactly this data to plan a targeted engagement: which networks are high value, which run legacy authentication, which devices have discoverable identities.
Segment operationally sensitive networks. Rotate PSKs per event. Consider whether those SSIDs need to be broadcast at all. And get someone to audit your signage hardware firmware — it’s almost certainly been forgotten.
The Toolchain
For anyone wanting to replicate this kind of passive survey: WiGLE WiFi Wardriving on Android is free and captures exactly this dataset. The exported CSV includes MAC, SSID, auth type, channel, frequency, RSSI, GPS coordinates, altitude, and timestamps — everything needed to reconstruct a complete RF picture of an environment.
All analysis in this post was done in Python with nothing more than the standard csv module and collections.Counter. The data does the work. You don’t need specialized tooling to get actionable signal from a wardriving export.
Need a wireless security assessment?
I help teams understand their RF attack surface before someone else does. From event venues to enterprise campuses, passive surveying reveals what your network diagrams don’t.