Domain 4: Security Operations Module 28 of 61

Wireless and Mobile Device Security


What the Exam Is Really Testing

In most organizations, employees walk out the door every day carrying devices that have full access to corporate email, file shares, and internal applications. Some of those devices belong to the company. Many do not. They connect to coffee shop Wi-Fi, hotel networks, and cellular hotspots — all outside IT's control.

Wireless and mobile devices extend the network perimeter beyond your physical control — and every unmanaged device is a potential breach vector.

The exam wants you to know which wireless protocols are secure, which are broken, how enterprise authentication keeps individual users accountable, and how organizations maintain control over devices they may not even own.


Wireless Security Protocols

Wireless encryption has evolved through several generations. The exam expects you to know what is current, what is deprecated, and why.

WEP (Wired Equivalent Privacy)

WEP is broken. Completely. It uses RC4 encryption with static keys and a 24-bit initialization vector (IV) that repeats frequently. An attacker with freely available tools can crack WEP in minutes.

If you see WEP on the exam, the answer is always: replace it.
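The two defects named above, a small IV space and a stream cipher keyed per frame by IV plus static key, can be shown directly. This is an added example written for this page (not from the study guide); the root key and messages are constructed values.

```python
# Added example (not from the study guide): why WEP's 24-bit IV breaks RC4.
# Part 1 estimates how soon an IV value repeats (birthday bound).
# Part 2 is a textbook RC4 showing that a repeated (IV, key) pair reuses the
# keystream, so XOR of two ciphertexts equals XOR of the two plaintexts.
import math

IV_SPACE = 2 ** 24  # WEP initialization vector is 24 bits


def iv_reuse_probability(frames: int, space: int = IV_SPACE) -> float:
    """P(at least one IV repeats) among `frames` random IVs (birthday approximation)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_reuse_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which iv_reuse_probability reaches p."""
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * space * math.log(1.0 - p)))


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, root_key: bytes, plaintext: bytes) -> bytes:
    """WEP's per-frame RC4 key is IV || root key; the IV travels in the clear."""
    return xor_bytes(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def keystream_reuse_leaks_xor(iv: bytes, key: bytes, m1: bytes, m2: bytes) -> bool:
    """True when two frames sent under the same IV satisfy C1 ^ C2 == M1 ^ M2,
    which an observer can compute without knowing the key."""
    c1, c2 = wep_encrypt(iv, key, m1), wep_encrypt(iv, key, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)
```

With 2^24 possible IVs, the 50% reuse point is under 5,000 frames, which a busy access point reaches in seconds; that is the arithmetic behind "repeats frequently".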

WPA (Wi-Fi Protected Access)

WPA was a stopgap improvement over WEP. It introduced TKIP (Temporal Key Integrity Protocol), which dynamically changes keys per packet. Better than WEP, but TKIP itself has known vulnerabilities.

WPA with TKIP is considered deprecated.

WPA2

WPA2 uses AES-CCMP encryption and is the baseline for secure wireless in most environments. Two modes exist:

  • WPA2-Personal (PSK) — Uses a pre-shared key. Suitable for home and small office. Vulnerable if the passphrase is weak.
  • WPA2-Enterprise — Uses 802.1X authentication with a RADIUS server. Each user has unique credentials. The enterprise standard.

WPA3

WPA3 is the current standard and addresses key weaknesses in WPA2:

  • SAE (Simultaneous Authentication of Equals) — Replaces the PSK four-way handshake, making offline dictionary attacks impractical
  • Forward secrecy — Even if a key is compromised, past sessions cannot be decrypted
  • Protected Management Frames — Required, preventing deauthentication attacks
  • 192-bit security suite — Available in WPA3-Enterprise for high-security environments

Enterprise Wireless Authentication

802.1X Framework

802.1X is the IEEE standard for port-based network access control. In a wireless deployment it involves three roles:

  1. Supplicant — The client device requesting access
  2. Authenticator — The wireless access point (does not make the decision)
  3. Authentication server — The RADIUS server that validates credentials

The access point passes authentication requests to RADIUS. It does not store or validate credentials itself.

EAP (Extensible Authentication Protocol)

EAP is the framework that defines how authentication happens within 802.1X. Common EAP methods include:

  • EAP-TLS — Uses certificates on both client and server. Most secure. Requires a PKI to issue and manage client certificates.
  • PEAP — Creates a TLS tunnel, then authenticates with username/password inside the tunnel. Most common in enterprises.
  • EAP-TTLS — Similar to PEAP but supports more inner authentication methods.
  • EAP-FAST — Cisco proprietary, uses Protected Access Credentials (PACs).

For the exam: EAP-TLS with mutual certificate authentication is the strongest. PEAP is the most commonly deployed in enterprise environments.
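Server certificate validation is what stops a supplicant from authenticating to an impostor RADIUS server, and it is a client-side setting. As an added example (not from the study guide or any vendor's documentation), here are wpa_supplicant network blocks for one corporate SSID with the weak configuration beside the hardened ones; the SSID, file paths, server name and credentials are assumed values.

```conf
# Added example, not from the study guide: wpa_supplicant network blocks for
# the same corporate SSID. Assumed values: SSID "corp-wifi", the CA file
# path, the RADIUS server's certificate name and the client credentials.

# WEAK: PEAP with no ca_cert and no domain_match. The supplicant will build
# its TLS tunnel to whatever server the access point hands it, so an evil
# twin running its own RADIUS server is indistinguishable from the real one.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="constructed-placeholder"
    phase2="auth=MSCHAPV2"
}

# HARDENED PEAP: trust only the corporate CA, check the server certificate
# name, and require Protected Management Frames (802.11w) so forged
# deauthentication frames are rejected.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=PEAP
    identity="alice@example.com"
    password="constructed-placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example.com"
}

# STRONGEST (the exam answer): EAP-TLS, both sides present certificates and
# no password is ever sent. For WPA3-Enterprise 192-bit mode, use
# key_mgmt=WPA-EAP-SUITE-B-192 in place of WPA-EAP.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
```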


Wireless Attacks and Defenses

  • Evil twin — A rogue access point mimicking a legitimate SSID. Defense: 802.1X with server certificate validation, wireless intrusion detection.
  • Deauthentication attack — Sending forged deauth frames to disconnect clients. Defense: WPA3 with Protected Management Frames, or 802.11w.
  • Rogue access point — An unauthorized AP connected to the corporate network. Defense: Wireless intrusion prevention systems (WIPS), NAC.
  • War driving — Scanning for wireless networks from a vehicle. Defense: Strong encryption, hidden SSIDs (minimal value), proper authentication.
  • Jamming — Flooding the RF spectrum to deny service. Defense: Spectrum analysis, frequency hopping, physical security of the RF environment.
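The evil twin and deauthentication entries above both name detection as the defense. The following added example (written for this page, not part of the study guide) shows the two checks a wireless IDS performs, run over a constructed AP inventory and constructed frame captures.

```python
# Added example, not from the study guide: two wireless-IDS detections, run
# over constructed scan and frame samples.
#   1. Evil twin / rogue AP: a BSSID advertising a corporate SSID that is
#      absent from the authorized access-point inventory.
#   2. Deauthentication flood: far more deauth frames from one transmitter
#      in a short window than a legitimate AP would send.
from collections import defaultdict, deque

# Constructed inventory: SSID -> authorized BSSIDs (AP radio MAC addresses).
AUTHORIZED = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corp-guest": {"00:11:22:33:44:03"},
}

# Constructed beacon observations from a sensor: (ssid, bssid, channel, rssi_dbm).
BEACONS = [
    ("corp-wifi", "00:11:22:33:44:01", 36, -48),
    ("corp-wifi", "00:11:22:33:44:02", 44, -55),
    ("corp-wifi", "de:ad:be:ef:00:01", 6, -62),       # corporate SSID, unknown BSSID
    ("corp-guest", "00:11:22:33:44:03", 1, -50),
    ("FreeCoffeeWiFi", "66:77:88:99:aa:bb", 11, -70),  # not our SSID, out of scope
]


def find_evil_twins(beacons, authorized=AUTHORIZED):
    """Beacons that advertise one of our SSIDs from a BSSID we do not own."""
    return [b for b in beacons if b[0] in authorized and b[1] not in authorized[b[0]]]


# Constructed management frames, sorted by time: (timestamp_s, subtype, transmitter, receiver).
FRAMES = (
    [(10.0 + i * 0.01, "deauth", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff") for i in range(40)]
    + [(10.50, "deauth", "00:11:22:33:44:01", "aa:bb:cc:dd:ee:01"),   # one legitimate deauth
       (10.60, "beacon", "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff")]
)


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Transmitters sending more than `threshold` deauth frames within any
    `window_s` span; returns {transmitter: peak count}. Frames must be time-sorted."""
    recent, peaks = defaultdict(deque), {}
    for ts, subtype, tx, _rx in frames:
        if subtype != "deauth":
            continue
        q = recent[tx]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[tx] = max(peaks.get(tx, 0), len(q))
    return peaks
```

A legitimate AP sends an occasional deauth when a client times out; forty broadcast deauths in under half a second from a BSSID that is also spoofing the corporate SSID is the pattern WIPS alerts on, and with PMF enforced those forged frames are dropped by clients anyway.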

Mobile Device Management

Mobile devices create unique security challenges because they leave the building, connect to untrusted networks, and often belong to the employee rather than the company.

Deployment Models

  • BYOD (Bring Your Own Device) — Employee-owned. Highest flexibility, highest risk. Requires strong policy and containerization.
  • COPE (Corporate-Owned, Personally Enabled) — Company owns the device but allows personal use. Better control than BYOD.
  • CYOD (Choose Your Own Device) — Employee chooses from a list of approved devices. Company owns and manages.
  • Corporate-owned — Full company ownership and control. Most restrictive, most secure.

MDM, MAM, and UEM

  • MDM (Mobile Device Management) — Controls the entire device: enforces encryption, passwords, remote wipe, app restrictions, GPS tracking.
  • MAM (Mobile Application Management) — Controls only corporate applications and data, not the entire device. Better for BYOD where employees resist full device control.
  • UEM (Unified Endpoint Management) — Manages all endpoint types (mobile, desktop, IoT) from a single platform. The convergence of MDM, MAM, and traditional endpoint management.

Mobile Security Controls

  • Containerization — Creates a separate encrypted space on the device for corporate data. Personal and corporate data never mix. If the employee leaves, only the container is wiped.
  • Remote wipe — Erases the device remotely if lost or stolen. Full wipe or selective wipe (container only).
  • Geofencing — Defines geographic boundaries. Devices can be restricted or trigger alerts when they leave approved areas.
  • Screen lock enforcement — Requires PIN, password, or biometric authentication. Configures auto-lock timeout.
  • Application allow lists and block lists (formerly called whitelisting and blacklisting) — Control which apps can be installed on managed devices.
  • Push notification for updates — Ensures devices stay current with OS and application patches.
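Two of these controls are decisions a management platform computes per device, and the remote-wipe decision is where the ownership model matters. The following added example (written for this page, not taken from the study guide or any MDM product) applies a geofence check and the wipe-scope rule to a constructed device record; the site coordinates and the "revoke access" fallback for a container-less BYOD device are assumptions.

```python
# Added example, not from the study guide: two controls from the list above as
# an MDM/MAM policy engine might apply them to a constructed device record:
# geofencing (great-circle distance from an approved site) and the remote-wipe
# scope, which depends on the deployment model.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0


@dataclass
class Device:
    device_id: str
    ownership: str               # "BYOD", "COPE", "CYOD" or "CORPORATE"
    has_container: bool          # corporate data isolated in an encrypted container
    lat: Optional[float] = None  # last reported GPS fix; None if none available
    lon: Optional[float] = None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geofence_status(dev: Device, site_lat: float, site_lon: float, radius_km: float) -> str:
    """'inside', 'outside' (raise an alert) or 'unknown' when there is no fix.
    A missing fix must not be treated as compliant."""
    if dev.lat is None or dev.lon is None:
        return "unknown"
    distance = haversine_km(dev.lat, dev.lon, site_lat, site_lon)
    return "inside" if distance <= radius_km else "outside"


def lost_device_action(dev: Device) -> str:
    """Remote-wipe scope for a lost or stolen device.
    BYOD: wipe only the corporate container, never personal data; with no
    container there is nothing to wipe selectively, so revoke corporate access
    instead (assumed fallback). Company-owned models allow a full wipe."""
    if dev.ownership == "BYOD":
        return "selective_wipe" if dev.has_container else "revoke_corporate_access"
    if dev.ownership in ("COPE", "CYOD", "CORPORATE"):
        return "full_wipe"
    raise ValueError(f"unknown ownership model: {dev.ownership}")
```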

Pattern Recognition

When you see wireless or mobile questions, look for these patterns:

  • WEP or WPA with TKIP in a scenario = the vulnerability is the protocol itself
  • Enterprise wireless = 802.1X + RADIUS + EAP method
  • BYOD concerns = containerization and MAM, not full device control
  • Lost/stolen device = remote wipe capability through MDM
  • Strongest wireless authentication = EAP-TLS with mutual certificates
  • WPA3 advantage over WPA2 = SAE prevents offline dictionary attacks

Trap Patterns

Watch for these distractors:

  • "Hide the SSID" — SSID hiding provides negligible security. It is trivially discovered by sniffing probe requests.
  • "MAC filtering" — MAC addresses are easily spoofed. This is not a meaningful security control.
  • "Stronger passphrase for PSK" — When the scenario describes an enterprise, the answer is 802.1X, not a better password.
  • "Install antivirus on mobile devices" — While useful, this does not address the core management challenge of mobile security.

Scenario Practice


Question 1

A company discovers that employees are connecting to a wireless network with the same SSID as the corporate network, but the access point is located in a coffee shop across the street.

What type of attack is this?

A. Rogue access point
B. Evil twin
C. Jamming
D. Bluesnarfing

Answer & reasoning

Correct: B

An evil twin is a malicious access point that mimics a legitimate network's SSID to trick users into connecting. The attacker can then intercept all traffic.

A rogue AP is an unauthorized device on the corporate network. Jamming denies service. Bluesnarfing targets Bluetooth, not Wi-Fi.


Question 2

An organization implements BYOD and needs to protect corporate email and documents without controlling employees' personal photos and apps.

What is the BEST approach?

A. Require full MDM enrollment with remote wipe capability
B. Deploy MAM with containerization for corporate data
C. Prohibit all personal devices and issue corporate phones
D. Require employees to install antivirus on personal devices

Answer & reasoning

Correct: B

MAM with containerization protects corporate data in an isolated container without controlling personal content. This balances security with employee privacy in a BYOD environment.

Full MDM is too invasive for BYOD. Prohibiting personal devices eliminates BYOD entirely. Antivirus alone does not protect corporate data.


Question 3

A security administrator needs to implement the strongest possible wireless authentication for a government facility.

Which solution should be recommended?

A. WPA2-Personal with a 20-character passphrase
B. WPA3-Enterprise with EAP-TLS and mutual certificate authentication
C. WPA2-Enterprise with PEAP and username/password
D. WPA3-Personal with SAE

Answer & reasoning

Correct: B

WPA3-Enterprise with EAP-TLS provides the strongest combination: WPA3's enhanced encryption with mutual certificate-based authentication eliminates password-based vulnerabilities entirely.

PSK modes (even with long passphrases) lack individual accountability. PEAP with passwords is strong but not the strongest option. WPA3-Personal is residential-grade.


Key Takeaway

The bottom line:

Wireless security is about the authentication method, not just the encryption protocol. Mobile security is about managing data, not just managing devices.

Before answering wireless and mobile questions, ask:

  • Is the encryption protocol current or deprecated?
  • Is authentication individual (802.1X) or shared (PSK)?
  • Who owns the device, and what level of control is appropriate?
  • Is the solution protecting corporate data without overreaching into personal use?

The right answer matches the security control to the ownership model and the risk.
