AP Cybersecurity 1.3: Best Practices for Public Networks
Topic 1.3: Best Practices for Public Networks
Adversary skill levels and motivations, evil twin attacks, jamming, war driving — and the three specific individual protections every user needs when connecting to public Wi-Fi.
• Classify adversaries as low-skilled or high-skilled based on tool origin and vulnerability type — not based on damage caused
• Identify evil twin, jamming, and war driving by mechanism, CIA property violated, and attack phase
• Apply the three individual protections (verify SSID, avoid open networks, VPN) to scenario questions
• Explain why no individual-level protection can stop a jamming attack
• Recognize homoglyph substitution in SSID names as the evil twin detection technique
Topic 1.3 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 1.3.A.1 | Low-skilled adversaries rely on tools created by others; exploit known vulnerabilities. High-skilled adversaries create/modify tools; can discover zero-day vulnerabilities. | Section 2 |
| 1.3.A.2 | Adversary motivations include: greed, recognition, dedication to a cause, revenge, politics, beliefs | Section 2 |
| 1.3.B.1 | Evil twin: adversary sets up WAP with SSID similar/identical to target network; victims unknowingly connect; adversary captures traffic | Section 3 |
| 1.3.B.2 | Jamming: adversary floods area with EM signal in wireless frequency range; prevents legitimate traffic = DoS attack | Section 3 |
| 1.3.B.3 | War driving: adversary detects wireless beacons while mobile to map networks and find signal leakage outside buildings | Section 3 |
| 1.3.C.1 | Verify the wireless network name matches exactly the network you intend to join | Section 5 |
| 1.3.C.2 | Avoid joining unprotected wireless networks (no password/authentication required) | Section 5 |
| 1.3.C.3 | Consider using a VPN, which encrypts all traffic so intercepted data is not immediately readable | Section 5 |
Source: AP Cybersecurity CED, Effective Fall 2026. AP Skills: 1.A Identify threats/attacks • 2.A Identify security controls
Answer independently before the lesson. No notes.
- At a coffee shop, you see two networks: “CafeWifi” (requires password) and “CafeWifi_Free” (open). Which is more likely to be an evil twin, and what is the one thing you should do before connecting to either?
- An adversary uses a $30 device and freely available software to set up a rogue access point at an airport. A nation-state hacker writes custom zero-day exploit code. Which is low-skilled and which is high-skilled? What distinguishes them?
- Your laptop’s Wi-Fi is suddenly unable to connect anywhere in a building, even though other devices connected before you arrived. Name the attack type and explain why this is classified as a DoS attack.
Answers: (1) CafeWifi_Free is more suspicious; ask staff for the exact network name. (2) Rogue AP operator = low-skilled (uses tools created by others); nation-state = high-skilled (creates own tools, discovers zero-days). (3) Jamming — it makes the wireless resource unavailable to authorized users = DoS.
- 1.3.1 — Learning Objectives (3 min)
- 1.3.2 — Adversary Classification (8 min)
- 1.3.3 — Three Wireless Attack Types (10 min)
- 1.3.4 — Evil Twin Attacks in Depth (8 min)
- 1.3.5 — Individual Protections (8 min)
- 1.3.6 — Defense Coverage Matrix (5 min)
- 1.3.7 — Worked Scenarios & CFU (6 min)
- 1.3.8 — Key Terms & FAQ (4 min)
11.3.1 — Learning Objectives
- Identify adversary types by skill level (low-skilled vs. high-skilled) and explain how skill level affects risk assessment (1.3.A)
- Identify and distinguish evil twin, jamming, and war driving attacks — including mechanism, CIA impact, and classification (1.3.B)
- Apply the three CED individual protections (verify SSID, avoid open networks, use VPN) to wireless threat scenarios (1.3.C)
- Match each protection to the attack type(s) it addresses and explain why no individual protection stops jamming
- Analyze a wireless attack scenario and select the correct defense using the CED framework
21.3.2 — Adversary Classification: Skill Levels and Motivations
Before examining specific attacks, you need to understand who conducts them. The CED classifies adversaries along two dimensions: skill level and motivation. Both affect the types of attacks they attempt and the defenses that can stop them.
Skill level is determined by tool origin and vulnerability type, not by the damage caused or the target chosen. A low-skilled adversary deploying a sophisticated tool built by others can cause massive harm. A question describing significant damage does not imply a high-skilled adversary.
Adversary Motivations
The CED (1.3.A.2) identifies six motivations adversaries may have: greed (financial gain), recognition (status, proving skill), dedication to a cause (ideological, political, social), revenge (personal or professional), politics, and beliefs. Understanding motivation helps predict which targets are at risk and how persistent an adversary will be.
A security instructor states: “An adversary who caused a $2 million ransomware attack must be high-skilled because of the magnitude of damage they caused.” Which statement correctly identifies the error?
31.3.3 — Three Wireless Attack Types
Wireless networks transmit data via radio waves that extend beyond physical walls — creating attack opportunities that don’t exist on wired networks. The CED identifies three attacks you must know precisely.
A student writes: “A jamming attack is when an adversary creates a fake wireless access point to flood a network with traffic, causing a denial of service.” Which part contains an error?
Which of the following statements about wireless attacks are TRUE?
I. An evil twin attack allows an adversary to capture a victim’s network traffic by setting up a WAP with a similar or identical SSID.
II. A jamming attack prevents legitimate wireless communication by flooding an area with EM signals in the wireless frequency range.
III. War driving allows an adversary to modify data on a wireless network by intercepting packets in transit.
Match each scenario to the wireless attack type it describes.
41.3.4 — Evil Twin Attacks in Depth
The evil twin is the most dangerous wireless attack for individual users because it enables credential theft at scale with minimal skill. Understanding the step-by-step anatomy makes it concrete and memorable.
Setup
The adversary configures a device — often a laptop or cheap portable router — to broadcast a WAP with an SSID matching or resembling a legitimate network. In the CED scenario, the adversary named it “Sunshine Wi-Fi” when the real network was “Guest Wi-Fi.”
Lure
Victims see the evil twin in their available network list. If the SSID matches one they’ve joined before, their device may auto-connect without user action. If it’s slightly different but plausible, users may select it manually without scrutinizing the name.
Interception
All traffic flowing through the evil twin passes through the adversary’s device. Packet capture tools record everything: web requests, login forms, session tokens, chat messages. Any data transmitted without encryption is visible in plaintext.
Exploitation
The adversary extracts credentials from captured traffic. In the CED scenario: the adversary logs in as the victim, changes the streaming service password, and locks the victim out. The attack is complete.
Evil twin networks are almost always open (no password) by design — the adversary wants frictionless connections. This is why the CED warns against joining unprotected networks: no password means no assurance about who is operating it. Homoglyph substitution (replacing “l” with “I”, “0” with “O”) makes SSID spoofing visually convincing at a glance.
Sort the following steps of an evil twin attack into the correct chronological order. Click a card to select it, then click the bucket where it belongs.
51.3.5 — Individual Protections (CED 1.3.C)
The CED identifies three specific actions individuals can take to protect themselves from wireless attacks. These are personal-level defenses, not enterprise controls. AP exam questions about wireless defense in Unit 1 focus on these three.
Place the correct term from the bank into each blank.
1. Before connecting to any wireless network, verify that its exactly matches the name of the network you intend to join.
2. Avoid joining wireless networks that require no password or authentication.
3. Using a encrypts all traffic so that intercepted data is not immediately readable.
4. A vulnerability undocumented by the vendor — meaning the vendor has had zero days to prepare a fix — is called a .
5. A jamming attack is classified as a attack because it makes the wireless network unavailable to authorized users.
A user at an airport connects to an open public Wi-Fi network and logs into their bank account. An adversary on the same network captures the user’s banking credentials. Which control would have been most effective at preventing the credential theft?
61.3.6 — Defense Coverage Matrix
The three individual protections address different attack types. Understanding which protection works against which attack is a high-frequency AP exam pattern.
| Protection | Evil Twin | Jamming | War Driving |
|---|---|---|---|
| Verify SSID exactly (1.3.C.1) | ✓ Yes — prevents connecting to impersonating network | ✗ No — EM interference affects all networks | ✗ No — war driving is passive; doesn’t connect to your device |
| Avoid open networks (1.3.C.2) | ✓ Yes — most evil twins are open by design | ✗ No — jamming affects protected and open networks equally | ✗ No — war driving detects all networks regardless of protection |
| Use a VPN (1.3.C.3) | ✓ Yes — encrypts data even if connected to an evil twin | ✗ No — if the connection is jammed, there’s no traffic to encrypt | ✗ No — VPN doesn’t prevent beacon detection |
All three individual protections address evil twin most effectively. No individual action can stop a jamming attack — it operates at the physical radio layer and requires organizational responses (signal shielding, frequency hopping, wired backup). If an exam question asks what an individual can do to stop jamming, the correct answer is: nothing at the individual level. If the answer choices include a VPN or SSID verification, they are all wrong for jamming.
Which of the following statements about defending against wireless attacks are TRUE?
I. Verifying the exact network name before connecting can prevent a user from joining an evil twin network.
II. Using a VPN prevents a jamming attack from disrupting the user’s wireless connection.
III. Avoiding open (unprotected) wireless networks reduces the risk of an adversary capturing unencrypted traffic.
71.3.7 — Worked Scenarios
A cybersecurity blog states: “War driving is particularly dangerous because it allows adversaries to intercept private data being transmitted over a wireless network in real time.” What is wrong with this claim?
1. “HotelGrand_Lobby” — requires password 🔒
2. “Hotel Grand Free WiFi” — open 🔓
3. “HoteIGrand_Lobby” — requires password 🔒
Mariana asks the front desk, confirms the real network is “HotelGrand_Lobby,” connects to it, and activates her VPN before browsing.
Which network is most likely the evil twin, and which statement best explains why Mariana’s actions demonstrate all three CED individual protections?
!Common AP Exam Mistakes — Topic 1.3
| Mistake | Why It’s Wrong | What to Do Instead |
|---|---|---|
| Classifying adversaries by damage caused | “The attack caused $2M in damage, so they must be high-skilled.” Damage magnitude tells you nothing about skill level. | Look for tool origin (created vs. borrowed) and vulnerability type (known vs. zero-day). |
| Claiming war driving intercepts data | War driving is passive beacon scanning — no data in transit is captured or modified. | Classify war driving as Reconnaissance only. Any answer attributing data theft to war driving is wrong. |
| Saying VPN stops jamming | A VPN encrypts traffic, but jamming cuts the wireless connection entirely. No connection = no VPN tunnel to encrypt anything. | No individual-level action stops jamming. Never select a VPN or SSID check as a jamming defense. |
| Assuming HTTPS alone makes public Wi-Fi safe | HTTPS encrypts the content of web traffic but doesn’t prevent an evil twin from capturing metadata, redirecting to lookalike pages, or exploiting non-HTTPS traffic. | HTTPS is necessary but not sufficient on public Wi-Fi. Layer with VPN and SSID verification. |
| Confusing jamming mechanism with evil twin | Students write “jamming creates a fake access point” — that’s an evil twin. Jamming floods a frequency with EM signals. | Jamming = EM interference. Evil twin = fake WAP with spoofed SSID. These are completely different mechanisms. |
81.3.8 — Key Terms & FAQ
| Term | Definition | AP Exam Note |
|---|---|---|
| Evil Twin | Rogue WAP with SSID matching a legitimate network, used to intercept victim traffic | Adversary captures traffic; victims may auto-connect |
| Jamming | EM signal flood in wireless frequency range preventing legitimate communication = DoS | No individual-level defense exists |
| War Driving | Passive scanning for wireless beacons while mobile to map networks and find signal leakage | Does NOT intercept data; belongs to Reconnaissance phase |
| SSID | Service Set Identifier — the name of a wireless network | Verify it exactly matches; watch for homoglyphs |
| VPN | Virtual Private Network — encrypts all traffic between device and remote server | Makes intercepted data “not immediately readable” (CED phrasing) |
| Zero Day | Undocumented vulnerability; vendor has had zero days to prepare a patch | Exploited by high-skilled adversaries |
| Low-Skilled | Uses tools created by others; exploits known vulnerabilities | Damage caused does NOT determine skill level |
| High-Skilled | Creates or modifies tools; discovers zero-day vulnerabilities | Can bypass patched systems with novel techniques |
| Unprotected Network | Wireless network requiring no password or authentication to join | Evil twins are almost always open by design |
-
Can a VPN stop an evil twin attack entirely?
Not entirely, but it removes most of the danger. If you connect to an evil twin while using a VPN, the adversary can see that traffic is flowing through their access point, but the contents of that traffic are encrypted inside the VPN tunnel. They cannot read your credentials or session data. The CED uses the phrase “not immediately readable” — meaning decryption is impractical for most adversaries, not theoretically impossible. Verifying the SSID first is still important because connecting to an evil twin even with a VPN may expose your device to other risks.
-
Why is war driving in the Reconnaissance phase rather than a direct attack?
War driving collects information without taking action against any system. The adversary is building a map: which networks exist, where their signals reach, what encryption they use, whether any are open. This information is then used to plan a targeted attack later — identifying which building has an unencrypted access point reachable from the parking lot, for example. War driving itself does not compromise any CIA property, which is why it belongs to Reconnaissance rather than the Initial Access or Taking Action phases.
-
Is there anything an individual can do about jamming?
At the individual level, no. Jamming operates at the physical radio frequency layer — it is a hardware-level attack that software on your device cannot counter. Individual protections (verify SSID, avoid open networks, VPN) all assume a working wireless connection exists. When jamming cuts the connection, none of these protections can help. Organizational responses exist — frequency hopping (FHSS), wired backup connections, signal monitoring — but these are enterprise controls, not individual actions. On the AP exam, never select an individual protection as a defense against jamming.
Students submit before leaving. Target 70%+ on Q1–3.
- An adversary uses a $30 router and free software to set up an evil twin at an airport. A separate adversary writes custom zero-day exploit code targeting airport networks. Classify each by skill level and explain the single factor that distinguishes them. (AP Skill: Analyze Risk)
- Name all three wireless attack types the CED requires, classify each by CIA property violated, and identify which one belongs to the Reconnaissance phase of a cyberattack. (AP Skill: Analyze Risk)
- A user at a library sees two available networks: “LibraryPublic” (open) and “LibraryPubllc” (requires password). Which is likely the evil twin and why? What should the user do before connecting to either? (AP Skill: Analyze Risk)
- A student claims: “Using a VPN on public Wi-Fi protects you from jamming attacks.” Is this true or false? Explain why using the CED framework. (AP Skill: Mitigate Risk)
- Apply all three CED individual protections to this scenario: you need to use Wi-Fi at a coffee shop to access your bank account. Explain exactly what you would do and which protection each action represents. (AP Skill: Mitigate Risk)
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.
+Continue Learning
Practice what you learned, then move to the next topic in Unit 1:
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]