AP Cybersecurity 4.1: Device Vulnerabilities & Attacks
Topic 4.1: Device Vulnerabilities & Attacks
Four device types, eight malware categories, seven exploitation vectors, and the High/Moderate/Low risk framework applied to devices — everything you need to identify, classify, and assess device-level threats on the AP exam.
• Classify the four CED device types (server, personal computer, handheld/mobile, embedded/IoT) and explain why embedded devices are uniquely difficult to defend
• Identify all eight malware types by mechanism: virus (user activation), worm (self-spreading), Trojan/RAT (disguised), ransomware (encryption + payment demand), spyware (tracks actions), keylogger (logs keystrokes), logic bomb (conditional trigger), rootkit (OS-level invisibility)
• Explain the seven CED device exploitation vectors and which vulnerability each targets (unpatched software, weak auth, no BIOS/UEFI protection, autorun, open ports, no firewall, no anti-malware)
• Apply the High/Moderate/Low risk framework to device vulnerabilities using the CED illustrative examples
• Distinguish fileless malware from file-based malware: fileless lives in RAM and uses legitimate programs already on the device
Topic 4.1 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 4.1.A.1 | Server computers: provide services to other computers (DNS, DHCP, FTP); more processing power and storage than personal computers in enterprise environments | Section 2 — Device Types |
| 4.1.A.2 | Personal computers: designed for one person (work or recreation); includes desktops, laptops, notebooks | Section 2 — Device Types |
| 4.1.A.3 | Handheld/mobile computers: smaller than PCs, battery-powered; includes tablets, smartphones, smartwatches | Section 2 — Device Types |
| 4.1.A.4–A.5 | Embedded computers: part of a machine; specific instruction sets; slower, cheaper, minimal storage. IoT devices are everyday embedded computers (cars, circuit breakers, IV pumps, washing machines) | Section 2 — Device Types |
| 4.1.B.1–B.2 | Malware: malicious software that damages/destroys devices or grants adversary access. Used as a tool within a larger attack plan. Eight types: virus, worm, Trojan/RAT, ransomware, spyware, keylogger, logic bomb, rootkit | Section 3 — Malware Types |
| 4.1.B.3 | Fileless malware: lives in RAM; uses legitimate programs already on the device; does not exist as a file → harder to detect with file-based scanning | Section 3 — Fileless Malware |
| 4.1.C.1 | Unpatched software: adversaries exploit known vulnerabilities → crash system, view user actions, enable/disable services/components (webcam, microphone), take control, steal/destroy data | Section 4 — Exploitation Vectors |
| 4.1.C.2 | Weak authentication: adversaries guess or social-engineer passwords | Section 4 — Exploitation Vectors |
| 4.1.C.3 | No BIOS/UEFI protection: adversary boots into recovery mode for elevated privileges; loads own OS from external drive; alters/creates user profiles; changes passwords | Section 4 — Exploitation Vectors |
| 4.1.C.4 | Autorun enabled: adversary loads malware onto external drive → device runs malware automatically when drive is inserted | Section 4 — Exploitation Vectors |
| 4.1.C.5 | Open ports: adversaries can connect to a device through open ports | Section 4 — Exploitation Vectors |
| 4.1.C.6 | No firewall or misconfigured firewall: adversaries send malicious data to disrupt or take control of devices | Section 4 — Exploitation Vectors |
| 4.1.C.7 | No anti-malware software: devices more vulnerable to malware installation attempts | Section 4 — Exploitation Vectors |
| 4.1.D.1 | Device risk comes from unauthorized access or malware enabling: impersonation, remote control, ransomware encryption, or data wiping. Risk level depends on criticality of device/services/data. | Section 5 — Risk Assessment |
| 4.1.D.2 | High risk: potentially compromising sensitive data or critical operations. Example: email server with unpatched critical vulnerability | Section 5 — Risk Levels |
| 4.1.D.3 | Moderate risk: weak authentication or less-likely-to-be-exploited vulnerabilities. Example: water treatment IoT pumps with username/password but no MFA | Section 5 — Risk Levels |
| 4.1.D.4 | Low risk: vulnerabilities that, if exploited, would have little impact. Example: employee laptop with Telnet port 23 open | Section 5 — Risk Levels |
Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 1.C Evaluate likelihood/impact • 1.D Document risks
Answer independently. No notes.
- A hospital has pacemakers embedded in patients, IV pumps on the ward, and MRI scanners in radiology. What device type are these, and why does the CED identify embedded devices as a unique security challenge compared to personal computers?
- Ransomware encrypts a device’s files and demands payment. A worm spreads from device to device without human interaction. Both are malware. What is the key behavioral difference between them, and which CIA property does each primarily violate?
- A water treatment plant’s IoT pump controllers can be accessed remotely with username and password, but do not require MFA. Rate this High, Moderate, or Low risk per the CED, and identify which CED illustrative example matches this scenario exactly.
Answers: (1) Embedded computers (4.1.A.4–A.5) — they have specific instruction sets, minimal storage, are slower and cheaper, and often can’t run security software; many can’t be patched without operational disruption. (2) Ransomware = single-device, encrypts files, violates Availability; Worm = self-spreads to other devices, violates Availability across multiple systems. (3) Moderate risk (CED 4.1.D.3) — this is the exact CED illustrative example: water treatment plant IoT pumps with username/password but no MFA.
- 4.1.1 — Learning Objectives (3 min)
- 4.1.2 — Four Device Types (8 min)
- 4.1.3 — Eight Malware Types (12 min)
- 4.1.4 — Seven Exploitation Vectors (10 min)
- 4.1.5 — Device Risk Assessment (8 min)
- 4.1.6 — Worked Scenarios & CFUs (10 min)
- 4.1.7 — Common Mistakes (3 min)
- 4.1.8 — Key Terms & FAQ (4 min)
14.1.1 — Learning Objectives
- Identify and classify the four CED device types: server, personal computer, handheld/mobile, and embedded/IoT (4.1.A)
- Identify all eight malware types by name and mechanism, including fileless malware (4.1.B)
- Explain the seven device exploitation vectors and which vulnerability each adversary technique targets (4.1.C)
- Apply the High/Moderate/Low risk framework to device vulnerabilities using CED criteria and illustrative examples (4.1.D)
- Explain why embedded/IoT devices present unique security challenges compared to general-purpose computers
24.1.2 — Four Device Types (LO 4.1.A)
The CED classifies computing devices into four categories. Device type affects attack surface, patching capability, and what defenses are feasible.
The CED dedicates extra attention to embedded devices because they connect digital security failures to real-world physical consequences. Exam scenarios often feature IoT devices in critical infrastructure (water treatment, power grid, medical equipment) where the impact of a compromise goes far beyond data theft. Key characteristics to remember: specific instruction sets, minimal storage, cannot easily run detection tools, often can’t be patched without operational disruption.
A security analyst states: “Embedded devices in critical infrastructure are the lowest priority for patching because they are slow, cheap, and handle simple tasks.” Which statement correctly identifies the error?
34.1.3 — Eight Malware Types (LO 4.1.B)
Malware is malicious software that damages or destroys a device or network, or allows an adversary access to a device and its data. The CED identifies eight types — each with a distinct mechanism and typical use in an adversary’s attack plan.
| Malware Type | Mechanism | Key CED Fact | CIA Violated |
|---|---|---|---|
| Virus | Must be activated by a user executing or opening a file | Requires human action to trigger — it does not spread on its own | Varies by payload |
| Worm | Spreads from computer to computer without human interaction | Self-replicating — no user action required after initial infection | Availability (spreads, consumes resources) |
| Trojan / RAT | Malware embedded in apparently harmless software. RAT (Remote Access Trojan) provides adversary remote access to the target system | Disguised as something legitimate — user installs it voluntarily | Confidentiality + control |
| Ransomware | Encrypts device files, presents payment demand with promise of decryption key | Typically has a fixed payment window — pay or lose files permanently | Availability (can’t access files) |
| Spyware | Tracks user actions and sends information back to adversary | Passive surveillance — operates silently in background | Confidentiality |
| Keylogger | Logs keystrokes (can be software or hardware) and sends data to adversary | Usernames and passwords are commonly extracted from keylogger data | Confidentiality |
| Logic Bomb | Triggers only when specific conditions are met (time/date, OS version, character set, etc.) | Lies dormant until conditions are satisfied — may be planted by insiders | Varies by payload (often Availability) |
| Rootkit | Gets into the operating system itself; controls nearly every aspect of the system including making itself invisible to detection | Most sophisticated type — OS-level persistence makes detection and removal extremely difficult | All three CIA (total compromise) |
Which of the following statements about malware are TRUE according to the AP CED?
I. A virus requires a user to execute or open a file to activate it, while a worm spreads from computer to computer without human interaction.
II. Fileless malware stores its code in files that are hidden from the operating system, making them invisible to anti-malware scans.
III. A rootkit gets into the target computer’s operating system and can make itself invisible to detection.
Match each scenario to the malware type it describes.
44.1.4 — Seven Exploitation Vectors (LO 4.1.C)
The CED identifies seven specific ways adversaries exploit device vulnerabilities. Each maps to a specific weakness and a specific defense (covered in Topic 4.3).
A security instructor states: “Installing anti-malware software on all devices eliminates the risk from all malware types, because anti-malware software detects and removes all malicious code on a device.” Which statement correctly identifies the error?
54.1.5 — Device Risk Assessment (LO 4.1.D)
The CED applies the same High/Moderate/Low framework from Units 2 and 3 to device vulnerabilities, but introduces three specific illustrative examples you should know exactly.
| Risk Level | CED Definition | CED Illustrative Example | Why That Level |
|---|---|---|---|
| High (4.1.D.2) | Potentially compromising sensitive data or critical operations | Email server with unpatched critical vulnerability | Email server = critical service + sensitive data; unpatched critical vuln = easy, high-impact exploit; all users exposed |
| Moderate (4.1.D.3) | Weak authentication or vulnerabilities less likely to be exploited | Water treatment IoT pump controllers with username/password but no MFA | Critical infrastructure but requires valid credentials to reach; authentication exists; MFA gap reduces but doesn’t eliminate risk |
| Low (4.1.D.4) | Vulnerabilities that, if exploited, would have little impact | Employee laptop with Telnet port 23 open | Single non-critical device; Telnet requires network access to exploit; impact is limited to one laptop |
The water treatment plant example (Moderate) surprises students who expect it to be High. The key: it has authentication (username/password), so exploitation requires valid or guessed credentials. The vulnerability is the absence of MFA, not complete lack of authentication. Contrast with the email server (High): a known critical vulnerability with a patch available means exploitation requires only skill, not valid credentials. On the AP exam, always identify both the vulnerability and the authentication/access requirements when rating risk.
A hospital’s network-connected MRI scanner runs firmware from 2019 that the vendor no longer supports with security patches. The scanner processes patient imaging data and connects to the internal medical records network. Using CED 4.1.D criteria, what is the risk level and primary justification?
64.1.6 — Worked Scenarios
An adversary gains physical access to an unattended laptop in a conference room. The laptop has no BIOS password. The adversary inserts a USB drive and boots the laptop into recovery mode. Which exploitation vector from CED 4.1.C does this represent, and what can the adversary accomplish that they could NOT do if a BIOS password was set?
Fill in the correct term for each blank.
1. An adversary plants malware that will only activate when the date is January 1, 2027. This is a .
2. Malware that gets into the operating system itself and can make itself invisible to antivirus scans is a .
3. An adversary uses malware that captures every character a user types and sends those characters to a remote server, enabling extraction of passwords. This is a .
4. Malware that lives only in RAM and uses legitimate programs already on the device is called malware.
5. Malware that silently monitors a user’s actions on a computer and sends information back to an adversary — without encrypting files or granting remote control — is .
Which of the following statements about device exploitation vectors are TRUE per the CED?
I. An adversary with physical access to a device that has no BIOS password can boot into recovery mode, load their own OS from an external drive, and change or create user accounts without knowing existing passwords.
II. Autorun must be explicitly enabled by the manufacturer and cannot be disabled by users or administrators.
III. Adversaries can leverage open ports to connect to a device, making firewall configuration that closes unused ports an important device-level defense.
A security textbook states: “The Telnet port (port 23) open on an employee’s laptop represents a High risk because Telnet transmits credentials in plaintext, allowing adversaries to intercept passwords.” How does the CED framework classify this specific scenario, and what error does the textbook make?
Ranking these from highest to lowest risk using CED 4.1.D criteria, which ordering is correct?
!Common AP Exam Mistakes — Topic 4.1
| Mistake | Why It’s Wrong | What to Do Instead |
|---|---|---|
| Rating embedded/IoT devices as low priority because they are “simple” | Embedded devices in critical infrastructure (pacemakers, water treatment, power grid) have catastrophic failure impacts. Simplicity does not mean low risk. | Risk = criticality + data + services. Simple device + critical function = potentially High risk. |
| Confusing spyware with keyloggers | Spyware tracks and sends user actions broadly. A keylogger specifically logs keystrokes to extract credentials. Keylogger is a subset of spyware in common usage, but the CED treats them as distinct types. | Spyware = broad behavioral monitoring. Keylogger = specifically captures keystrokes for credential theft. |
| Thinking anti-malware detects fileless malware | Anti-malware scans files for signatures (CED 4.3.B.2). Fileless malware lives in RAM and has no files to scan — traditional file scanning cannot detect it. | Fileless malware = RAM-based, uses legitimate programs. File-scanning tools cannot detect it. |
| Rating “Telnet port open on an employee laptop” as High risk | The CED (4.1.D.4) uses this exact scenario as its Low risk illustrative example. Protocol insecurity (Telnet = plaintext) ≠ High risk. Impact on one non-critical laptop = limited. | Always apply CED criteria: vulnerability + likelihood + impact. Single non-critical endpoint = Low despite protocol weakness. |
| Assuming BIOS password attacks require knowing the existing OS password | A BIOS/UEFI attack (4.1.C.3) bypasses the OS entirely. The adversary boots their own OS from external media — the Windows login password is irrelevant. | No BIOS protection = OS-level passwords provide zero protection against physical access attacks. |
84.1.8 — Key Terms & FAQ
| Term | Definition | AP Exam Note |
|---|---|---|
| Malware | Malicious software that damages/destroys a device or allows adversary access | A tool within a larger attack plan, not the end goal itself |
| Virus | Malware requiring user activation (executing or opening a file) | Contrast with worm: virus needs a human, worm does not |
| Worm | Malware that spreads without human interaction | Self-propagating; can infect entire networks rapidly |
| Ransomware | Encrypts device files; presents payment demand with promise of decryption key | Availability violation; typically time-limited payment window |
| RAT | Remote Access Trojan — Trojan that gives adversary remote control of target system | Disguised as legitimate software (Trojan); provides ongoing access (RAT) |
| Rootkit | Sophisticated malware embedded in OS; can control the system including making itself invisible | Most difficult to detect and remove; OS-level persistence |
| Logic Bomb | Malware that triggers only when specific conditions are met (time, date, OS version, etc.) | Lies dormant; often planted by insiders; hard to detect before trigger |
| Fileless Malware | Malicious code in RAM that uses legitimate programs; has no file form | Cannot be detected by file-based anti-malware scanning |
| IoT Device | Everyday embedded computer (transportation, medical, infrastructure, appliances) | Often cannot run security software; minimal storage; hard to patch |
| BIOS / UEFI | Basic Input/Output System / Unified Extensible Firmware Interface — firmware that initializes hardware at boot | No password = adversary can boot own OS from external drive, bypassing all OS security |
-
Can a worm also be ransomware?
Yes — malware types are not mutually exclusive. Real-world malware often combines characteristics. WannaCry (2017) was ransomware that spread like a worm. However, on AP exam questions, each scenario description will make one type clearly primary. If a malware description says “spreads from computer to computer without human interaction,” the answer is worm regardless of what payload it delivers. If it says “encrypts files and demands payment,” the answer is ransomware. Focus on the mechanism described.
-
Why is the water treatment plant Moderate risk instead of High given the physical danger?
The CED (4.1.D.3) applies its framework based on what the vulnerability is, not just what the target is. The IoT pumps require valid credentials (username/password) to access — an adversary must first obtain or guess those credentials. The vulnerability is the absence of MFA, which makes this harder to exploit than an unpatched server with a known exploit. High risk (4.1.D.2) involves potentially compromising sensitive data or critical operations with fewer barriers to exploitation. Moderate risk acknowledges the critical nature but recognizes that authentication is present.
-
What is the difference between a keylogger and spyware?
Spyware (4.1.B.2) broadly tracks a user’s actions on a computer and sends information to an adversary — it can capture browsing history, application usage, file access, screenshots, and more. A keylogger (4.1.B.2) is specifically focused on logging keystrokes and sending that data to the adversary; its primary value is extracting usernames and passwords. The CED treats these as distinct malware types. In a scenario, look for: tracks actions generally = spyware; captures keystrokes specifically = keylogger.
Students submit before leaving.
- Name all four CED device types. For embedded/IoT devices specifically, explain two reasons why they are more difficult to secure than personal computers. (AP Skill: Analyze Risk)
- A bank employee downloads what appears to be a legitimate PDF viewer. The installer silently installs software that lets an adversary remotely access and control the employee’s computer at any time. Name the malware type(s) involved and explain the mechanism. (AP Skill: Analyze Risk)
- List all seven CED device exploitation vectors (4.1.C.1–C.7). For each, state in one phrase what the adversary takes advantage of. (AP Skill: Analyze Risk)
- Why can’t traditional anti-malware software detect fileless malware? Be specific about how anti-malware works and what makes fileless malware different. (AP Skill: Analyze Risk)
- Apply the CED risk framework to each scenario and justify: (a) A hospital’s DNS server has a known unpatched vulnerability. (b) Smart thermostats in an office building can be accessed remotely via default username/password. (c) A developer’s laptop has FTP port 21 open but the developer rarely uses FTP. (AP Skill: Analyze Risk)
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.
+Continue Learning
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]