Exercises: Wireless Security
These exercises move from protocol recall to wireless design judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises. Try every problem before you read one.
Work in your own notebook, lab, or a private repository. Where an exercise asks you to "score," "audit," or "design," the reasoning matters more than landing on one official answer. Use documentation values only (meridianbank.example, RFC1918/TEST-NET addresses); never test against a network you do not own or are not authorized to assess.
Part A — Protocol recall and comparison ⭐
1.† In one sentence each, state the defining cipher/handshake and the verdict (use, avoid, or remove) for WEP, WPA, WPA2, and WPA3.
2. Why does the length of a WEP passphrase have essentially no effect on how quickly the key can be recovered? Name the specific protocol weakness responsible.
3.† A small Meridian branch runs WPA2-Personal with the passphrase MeridianBank. Explain the exact attack that threatens this network, where it happens (on the network or offline), and the two preventive controls available, noting which is far stronger.
4. Define SSID. Is it a secret? State one reason "hiding" the SSID (disabling broadcast) is a weak control, and one practical problem it can cause.
5. What single property of WPA3-Personal's SAE handshake makes it resistant to offline dictionary attacks, and what additional protection (also found in Chapter 5's TLS material) does SAE provide?
6.† Match each term to its definition: (a) pre-shared key; (b) EAP; (c) 802.1X; (d) RADIUS; (e) Enhanced Open. Definitions: (i) a port-based access-control standard with three roles; (ii) the protocol an authenticator uses to ask a central server to verify a user; (iii) one passphrase shared by all devices on a network; (iv) an extensible container that can carry many authentication methods; (v) encryption for password-free ("open") networks.
Part B — Enterprise wireless and EAP ⭐⭐
7. Name the three roles in the 802.1X model and, in one phrase each, what each does during an authentication. Which role makes the actual accept/reject decision?
8.† Meridian deploys WPA2-Enterprise with PEAP, reusing employees' Active Directory passwords. Six months later, an attacker in a branch parking lot harvests several employees' AD passwords over WiFi. (a) What client misconfiguration almost certainly enabled this? (b) Why is the impact worse than "they got onto our WiFi"? (c) Give the single strongest fix and one acceptable fallback.
9. Compare EAP-TLS and PEAP for Meridian's staff WiFi: for each, state what the user presents, what the server presents, the main deployment cost, and the main risk. Which would you recommend as the default, and why?
10.† Explain, with reference to the shared-passphrase problems, three concrete operational advantages Meridian gains by moving its staff WiFi from WPA2-Personal to WPA2-Enterprise. For each advantage, name a specific bad outcome under PSK that Enterprise prevents.
Part C — Rogue APs, evil twins, and deauth (analyze this) ⭐⭐
11. Distinguish a rogue access point from an evil twin by what defines each. Give one realistic example of each at a Meridian branch, and state which is typically the higher-impact finding and why.
12.† Your WIDS produces the following (illustrative) alert summary for a Meridian branch. All BSSIDs are example values; the authorized AP for Meridian-Staff is AP-00:11:22.
time      ssid            bssid                        signal   note
09:14:02  Meridian-Staff  AP-00:11:22                  -41 dBm  (authorized)
09:31:50  Meridian-Staff  XX-AB:CD:EF                  -38 dBm  (unknown radio)
09:31:51  <deauth flood>  src=AP-00:11:22 (spoofed?)   847 frames in 10s
09:32:30  Meridian-Staff  XX-AB:CD:EF                  -37 dBm  (unknown radio, clients associating)
(a) Name the two distinct attacks visible here and the relationship between them. (b) Which single line is the highest-fidelity evil-twin indicator, and what rule fired it? (c) What control, had it been enabled, would have neutralized the 09:31:51 line? (d) Recommend the first containment step.
13. A deauthentication flood, by itself, only knocks devices offline. Explain the two reasons an attacker sends one anyway, and name the standard (and the WPA generation that mandates it) that defeats the technique.
14.† A well-meaning teller, frustrated by a WiFi dead spot, brings a consumer access point from home and plugs it into a wall jack in the break room so their corner gets signal. (a) Classify what they have created and rate its risk (likelihood × impact, 1–5) with justification. (b) List the specific dangers this introduces. (c) Name two controls — one detective, one preventive — that address it, and tie each to a chapter concept.
15. Write a short detection rule in pseudocode (or Sigma-style prose) that fires when a beacon advertises a known-corporate SSID from a BSSID not on the authorized allowlist. State what telemetry it needs and one reason it might false-positive (and how you'd tune that out).
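The following is an added reference implementation of the allowlist check behind exercises 12 and 15, not code from the chapter or its answer appendix: it parses a constructed copy of the exercise 12 alert lines, fires an evil-twin finding when a corporate SSID is beaconed by a BSSID missing from that SSID's allowlist, fires a deauth-flood finding above a frame-rate threshold, and marks deauth frames whose source address belongs to an authorized AP as likely spoofed. The alert-line layout, the allowlist contents, and the threshold value are assumptions; a real WIDS exports its own format, and the allowlist would come from the WLAN controller.

```python
"""Evil-twin and deauth-flood detection over WIDS alert lines.

Added worked example for exercises 12 and 15; not code from the chapter.
The alert lines are a constructed copy of the exercise 12 summary, and the
field layout, allowlist and thresholds are assumptions, not a real WIDS format.
"""
import re

# Constructed sample WIDS output (same illustrative values as exercise 12).
SAMPLE_WIDS = """\
09:14:02 Meridian-Staff AP-00:11:22 -41 dBm (authorized)
09:31:50 Meridian-Staff XX-AB:CD:EF -38 dBm (unknown radio)
09:31:51 <deauth flood> src=AP-00:11:22 (spoofed?) 847 frames in 10s
09:32:30 Meridian-Staff XX-AB:CD:EF -37 dBm (unknown radio, clients associating)
"""

# Assumed allowlist: corporate SSIDs and the BSSIDs permitted to beacon each one.
# In practice this is exported from the WLAN controller; together with the scan
# feed it is the telemetry the rule needs.
AUTHORIZED_BSSIDS = {"Meridian-Staff": {"AP-00:11:22"}}
DEAUTH_RATE_THRESHOLD = 20.0  # frames per second; tuning knob (assumed value)

BEACON_RE = re.compile(r"^(\S+) (\S+) (\S+) (-?\d+) dBm")
DEAUTH_RE = re.compile(r"^(\S+) <deauth flood> src=(\S+) .*?(\d+) frames in (\d+)s")


def parse(line):
    """Turn one alert line into a dict, or None for lines we don't understand."""
    m = DEAUTH_RE.match(line)
    if m:
        return {"type": "deauth", "time": m.group(1), "src": m.group(2),
                "frames": int(m.group(3)), "window_s": int(m.group(4))}
    m = BEACON_RE.match(line)
    if m:
        return {"type": "beacon", "time": m.group(1), "ssid": m.group(2),
                "bssid": m.group(3), "rssi_dbm": int(m.group(4))}
    return None


def evaluate(text, authorized=AUTHORIZED_BSSIDS, deauth_rate=DEAUTH_RATE_THRESHOLD):
    """Return a list of (rule, time, detail) findings.

    evil_twin    : a corporate SSID beaconed by a BSSID not on that SSID's allowlist.
    deauth_flood : deauth frames at or above the rate threshold; 'spoofed_src' is
                   True when the source address belongs to an authorized AP, the
                   usual sign of forged management frames rather than a real AP.
    """
    corporate = set(authorized)
    all_authorized = set().union(*authorized.values())
    findings = []
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["type"] == "beacon":
            if ev["ssid"] in corporate and ev["bssid"] not in authorized[ev["ssid"]]:
                findings.append(("evil_twin", ev["time"],
                                 {"ssid": ev["ssid"], "bssid": ev["bssid"],
                                  "rssi_dbm": ev["rssi_dbm"]}))
        else:
            rate = ev["frames"] / ev["window_s"]
            if rate >= deauth_rate:
                findings.append(("deauth_flood", ev["time"],
                                 {"src": ev["src"], "frames_per_s": round(rate, 1),
                                  "spoofed_src": ev["src"] in all_authorized}))
    return findings


def rogue_bssids(findings):
    """Distinct BSSIDs behind evil_twin findings, i.e. what to locate and contain first."""
    return sorted({d["bssid"] for rule, _, d in findings if rule == "evil_twin"})


if __name__ == "__main__":
    results = evaluate(SAMPLE_WIDS)
    for rule, when, detail in results:
        print(when, rule, detail)
    print("rogue BSSIDs:", rogue_bssids(results))
```

The one legitimate false positive this rule produces is a newly installed corporate AP that has not yet been added to the allowlist; passing an updated `authorized` mapping is the tuning step, and the deauth-rate threshold is the other knob (a few deauth frames per second during normal roaming should not trip it).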
Part D — Bluetooth and NFC ⭐⭐
16. Why is Bluetooth risk usually rated lower than WiFi risk for the same organization? Name the single most important factor, and the 2017 vulnerability class that proves "lower" is not "zero."
17.† Meridian's branches use Bluetooth-capable card readers in the cardholder-data path. List three proportionate controls for these devices and explain why a compromised Bluetooth card reader is specifically a PCI-DSS concern, not just an IT one.
18. A customer worries that someone could "steal their credit card by walking past with a phone" (NFC skimming). Write a two-to-three-sentence response that is honest about both why the direct risk is low and where a real NFC cloning risk does exist.
Part E — Write the policy / design the architecture ⭐⭐–⭐⭐⭐
19.† Write the policy. Draft a five-to-eight-bullet wireless security policy snippet for Meridian that an auditor could check against. Cover, at minimum: permitted/prohibited protocols, staff authentication, guest isolation, IoT/operational segmentation, management-frame protection, and rogue-AP handling.
20. ⭐⭐⭐ Design it. Design the branch wireless for a different organization: a 40-bed community hospital. It needs staff clinical devices, guest/patient WiFi, and biomedical IoT (infusion pumps, monitors) that cannot be patched often. Produce a labeled diagram (SSIDs → segments), specify the protocol and authentication for each, and state the single most important firewall rule between segments. How does the hospital's risk weighting differ from Meridian's? (Connect to the CIA re-weighting idea.)
21. Harden it. Below is a (constructed) branch wireless configuration with several problems. List every finding with a severity, then write the corrected configuration.
SSID: Meridian-Staff     security: WPA2-Personal  psk: "branch2021"  vlan: shared-with-guest
SSID: Meridian-Guest     security: WEP            psk: "guestguest"  vlan: shared-with-guest
SSID: Meridian-Printers  security: open           psk: --            vlan: shared-with-guest
PMF (802.11w): disabled  WIDS: none
22.† Design the segmentation. Meridian wants guest WiFi in branch lobbies. In words or a simple diagram, specify the complete set of firewall rules for the guest segment (what it may and may not reach), and explain why "internet only, deny all internal" is the entire security of guest WiFi.
Part F — CTF-style challenge ⭐⭐⭐
23.† The parking-lot mystery. Over three days, a Meridian branch reports: (Day 1) several staff tablets "randomly disconnecting" from WiFi in the afternoon; (Day 2) one teller says a WiFi login page "looked different" and asked for her password again, which she entered; (Day 3) the SOC sees that teller's account used from an unrecognized location. Reconstruct the most likely attack chain in order, naming the technique at each step, the wireless control that should have stopped each step, and the one control that — even if everything else failed — would have limited the damage. Then state what telemetry would have caught the attack earliest.
Part G — Interleaved & forward-looking ⭐⭐
24. (Interleaved with Ch. 6.) Meridian's wireless design relies on putting each SSID on its own VLAN with default-deny between segments. Explain how this is the same control as the network segmentation from Chapter 6, and why a wireless network makes "everything inside the branch is trusted" an especially dangerous assumption.
25. (Interleaved with Ch. 4.) EAP-TLS replaces a wireless password with mutual X.509 certificate authentication. Using the cryptography vocabulary from Chapter 4, explain why "there is no password to phish or crack" is true for EAP-TLS, and what an attacker would instead need to steal to impersonate a user.
26. (Interleaved with Ch. 1.) Recall the risk equation $\text{Risk}=\text{Likelihood}\times \text{Impact}$. Score these three Meridian wireless findings (1–5 each) and rank them: (a) a branch still running WEP on a barcode scanner segment; (b) guest WiFi shares a VLAN with teller workstations; (c) Bluetooth left discoverable on a conference-room speakerphone. Justify each rating in a phrase.
27. ⭐⭐⭐ (Forward-looking.) This chapter prefers WPA3 partly for forward secrecy and offline-attack resistance. Chapter 35 will discuss "harvest-now, decrypt-later" threats to cryptography. Write two sentences predicting why forward secrecy in a wireless protocol is relevant to that future threat, and what it protects that a non-forward-secret protocol would not.
Part H — Conceptual & calculation ⭐–⭐⭐
28. A WPA2-Personal network uses a truly random 8-character passphrase from a 95-character set. Roughly how many possibilities is that (order of magnitude), and is the security here in the protocol or the passphrase? Contrast with the same length under WEP.
29.† Explain why a defender can neither prevent nor reliably detect an attacker passively capturing a WPA2-Personal four-way handshake, and why this pushes the defender entirely toward prevention (passphrase strength, or abandoning PSK). Which recurring theme from Chapter 1 does this illustrate?
30. True or false, with one sentence of justification each: (a) "Disabling SSID broadcast makes a network secure against a determined attacker." (b) "WPA3 makes segmentation unnecessary." (c) "A rogue AP is only a problem if it is malicious." (d) "Protected Management Frames stop the classic deauthentication attack." (e) "Contactless payment skimming yields a reusable card number."
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group, your instructor, or your home lab.