Chapter 13 - Wireless and Mobile Security

Question 1

Cellular

Answer 1

Cellular networks provide connectivity for mobile devices like cell phones by dividing geographic areas into “cells” with tower coverage allowing wireless communications between devices and towers or cell sites.

Question 2

Bluetooth

Answer 2

Bluetooth, which operates in the 2.4 GHz range, is primarily used for low-power, short-range (typically 5-30 meters) connections that do not have very high bandwidth needs.

Question 3

Radio Frequency Identification (RFID)

Answer 3

RFID is a relatively short-range wireless technology that uses a tag and a receiver to exchange information. RFID may be deployed using active tags, which have their own power source and always send signals to be read by a reader; semi-active tags, which have a battery to power their circuits but are activated by the reader; or passive tags, which are entirely powered by the reader.

Question 3

Geolocation

Answer 3

Geolocation uses GPS to determine where a device is located. Geolocation is used for location-aware authentication, geofencing, and many other functions.

Question 4

Evil Twin

Answer 4

An Evil Twin is a malicious illegitimate access point that is set up to appear to be a legitimate trusted network. Once a client connects to the Evil Twin, the attacker will typically provide Internet connectivity so that the victim does not realize that something has gone wrong.

Question 5

Rogue Access Point

Answer 5

Rogue Access Points are APs added to your network either intentionally or unintentionally. Once they are connected to your network, they can offer a point of entry to attackers or other unwanted users.

Question 6

Bluejacking

Answer 6

Bluejacking attacks send unsolicited messages to Bluetooth-enabled devices.

Question 7

Bluesnarfing

Answer 7

Bluesnarfing is unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details the device contains.

Question 8

Disassociation

Answer 8

Disassociation describes what happens when a device disconnects from an access point. Many wireless attacks work better if the target system can be forced to disassociate from the access point that it is using when the attack starts. That will cause the system to attempt to reconnect, providing an attacker with a window of opportunity to set up a more powerful evil twin or to capture information as the system tries to reconnect.

Question 9

Jamming

Answer 9

Jamming will block all the traffic in the range or frequency it is conducted against. Since Jamming is essentially wireless interference, Jamming may not always be intentional.

Question 10

Sideloading

Answer 10

Sideloading is the process of transferring files to a mobile device, typically via a USB connection, a MicroSD card, or via Bluetooth in order to install applications outside of the official application store.

Question 11

Jailbreaking

Answer 11

Jailbreaking takes advantage of vulnerabilities or other weaknesses in a mobile device’s operating system to conduct a privilege escalation attack and root the system, providing the user with more access than is typically allowed.

Question 12

Site Survey

Answer 12

Site Surveys involve moving throughout the entire facility or space to determine what existing networks are in place and to look at the physical structure for the location options for your access points.

Question 13

Heatmap

Answer 13

A Heatmap shows where wireless signal is, how strong it is, and what channel or channels each access point or device is using.

Question 14

WPA2- Personal

Answer 14

WPA2- Personal, also called WPA2-PSK, uses a pre-shared key and allows clients to authenticate without an authentication server infrastructure.

Question 15

WPA2-Enterprise

Answer 15

WPA2-Enterprise relies on a RADIUS authentication server as part of an 802.1X implementation for authentication. Users can thus have unique credentials and be individually identified.

Question 16

WPA3-Personal

Answer 16

WPA3-Personal provides additional protection for password-based authentication, using a process known as simultaneous authentication of equals (SAE). SAE replaces the pre-shared keys used in WPA2 and requires interaction between both the client and the network to validate both sides. WPA3-Personal also implements perfect forward secrecy, meaning that the traffic sent between the client and network is secure even if the client’s password has been compromised (this works because of constantly changing encryption keys).

Question 17

WPA3-Enterprise

Answer 17

WPA3-Enterprise continues to use RADIUS but improves the encryption and key management features built into the protocol, and provides greater protection for wireless frames.

Question 18

Extensible Authentication Protocol (EAP)

Answer 18

EAP is used by 802.1X as part of an authentication process when devices are authenticating to a RADIUS server. There are many EAP variants because EAP was designed to be extended.

Question 19

What are some of the most common/important EAP variants?

Answer 19

1. Protected EAP (PEAP): Authenticates servers using a certificate and wraps EAP using a TLS tunnel to keep it secure. Devices on the network use unique encryption keys, and TKIP is implemented to replace keys on a regular basis.
2. EAP-Flexible Authentication via Secure Tunneling (EAP-FAST): Cisco-developed protocol that improved on vulnerabilities in the LEAP protocol. EAP-FAST is focused on providing faster reauthentication while devices are roaming. EAP-FAST works around the public key exchanges that slow down PEAP and EAP-TLS by using a shared secret key for reauthentication.
3. EAP-Transport Layer Security (EAP-TLS): Implements certificate-based authentication as well as mutual authentication of the device and network. It uses certificates on both client and network devices to generate keys that are then used for communication.
4. EAP-Tunneled Transport Layer Security (EAP-TTLS): Extends EAP-TLS, and unlike EAP-TLS, it does not require that client devices have a certificate to create a secure session. This removes the overhead and management effort that EAP-TLS requires to distribute and manage endpoint certificates while still providing TLS support for devices.

Question 20

BYOD

Answer 20

BYOD places the control in the hands of the end user since they select and manage their own device. In some BYOD models, the organization may use limited management capabilities, such as the ability to remotely wipe email or specific applications.

Question 21

CYOD

Answer 21

In CYOD models, the organization pays for the device and typically for the cellular plan or other connectivity. The user selects the device, sometimes from a list of preferred options, rather than bringing whatever they would like to use.

Question 22

COPE (Corporate Owned, Personally Enabled)

Answer 22

In a COPE model, the device is company-owned and managed. COPE recognizes that users are unlikely to want to carry two phones and thus allows reasonable personal use on corporate devices.