Three wireless attack scenarios. One compromised organization. Your job: identify the attack, trace the failure, and prescribe the defense.
30 pts total · ~45 min · 3 stations · No hints
Scenario Brief
Ridgeline Financial Group — Three Wireless Incidents
Real-World Anchor: Multiple incidents, 2022–2024
Evil twin attacks at corporate hotels have compromised executive laptops at financial firms. KRACK-style WPA2 vulnerabilities allowed MITM interception of internal communications on improperly patched networks. Bluetooth sniffing at industry conferences has harvested credentials and session tokens from unaware attendees. All three techniques were used in documented incidents against financial services organizations.
You are the security analyst at Ridgeline Financial Group. Over a three-week period, three separate wireless incidents were reported. Each involves a different attack vector. Analyze the evidence, identify the attack type, determine the failed control, and recommend the correct defense. The three stations are independent — they are not a coordinated campaign.
Lab Protocol: No hints available. You have completed Exercise 1 (wireless threat classification) and Exercise 2 (wireless security advisor). Apply that knowledge independently here.
Station 1 of 3
Evil Twin Attack — 10 pts
The Airport Lounge Compromise
A Ridgeline VP returned from a business trip with her laptop exhibiting anomalous behavior. The following IT ticket and network logs were filed.
IT Helpdesk Ticket #2024-0892
DATE: November 4, 2024 09:15 EST
REPORTER: Karen Voss, VP Institutional Sales
SUMMARY: Laptop acting strangely after travel. Browser saving odd credentials.
DESCRIPTION:
Connected to "Ridgeline-Corp-WiFi" at JFK airport lounge on Nov 2.
Network appeared identical to office network. Connected without issue.
Accessed internal CRM and email for ~90 minutes.
On return, IT noticed browser credential cache contained entries for
internal.ridgeline.com with username/password in plaintext.
VPN was NOT active during connection.
Network Forensics Log
SSID captured: Ridgeline-Corp-WiFi
BSSID at office: AA:BB:CC:11:22:33
BSSID at airport: F4:E2:C6:99:12:AB (UNKNOWN DEVICE)
Signal at airport: -42 dBm (unusually strong)
Auth type: Open (no WPA2 handshake)
Traffic observed: HTTP credential capture to 185.220.101.47
VPN status: DISCONNECTED throughout session
S1-Q1 — What type of wireless attack does this evidence describe? 2 pts
A. A KRACK (Key Reinstallation Attack) exploiting a WPA2 handshake vulnerability to decrypt encrypted traffic.
B. An evil twin attack — a rogue access point broadcasting the same SSID as a legitimate network to intercept unencrypted traffic from users who connect to it.
C. A deauthentication (deauth) flood that forced the user off the real network, followed by credential harvesting from a cached session.
D. A Bluetooth MITM attack that intercepted keyboard input while the VP used her laptop at the airport lounge.
S1-Q2 — What was the PRIMARY failed control that allowed this attack to succeed? 2 pts
A. The laptop did not have endpoint detection and response (EDR) software installed to flag unusual network behavior.
B. The corporate CRM used HTTP rather than HTTPS, allowing credentials to be transmitted in plaintext over the network.
C. The VPN was not active — all traffic was unencrypted and unprotected, allowing the evil twin to intercept credentials in transit.
D. The airport lounge network did not have a firewall capable of detecting rogue access points on its infrastructure.
S1-Q3 — Which remediation would MOST directly prevent this attack from succeeding in the future? 3 pts
A. Deploy wireless intrusion detection (WIDS) in all offices to detect rogue access points broadcasting corporate SSIDs.
B. Enforce a mandatory always-on VPN policy that activates automatically on any non-corporate network, encrypting all traffic regardless of which access point the device connects to.
C. Require employees to use cellular hotspots instead of public Wi-Fi when traveling, eliminating exposure to untrusted access points entirely.
D. Train employees to verify the BSSID of any Wi-Fi network they connect to before entering credentials.
S1-Q4 — The attacker used an open (non-WPA2) network. Why is this significant from a detection standpoint? 3 pts
A. Open networks are illegal in most jurisdictions, so the attacker was taking a significant legal risk that would have been flagged by airport security systems.
B. Open networks are easier to detect using wireless scanning tools because they lack the WPA2 handshake signature — a security-aware device or network monitor would flag an SSID broadcasting without encryption as anomalous.
C. Open networks force the laptop to use a different DNS resolver, which would have triggered an alert in the corporate SIEM even without VPN enforcement.
D. Open networks are indistinguishable from WPA2 networks to end users, which is why this attack bypassed all corporate security controls.
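The forensics log for this station lists the indicators a defender can check automatically rather than by eye: an unfamiliar BSSID for a corporate SSID, an open network where WPA2 is expected, an unusually strong signal, and a VPN that was inactive while the device was associated. The script below is an added example, not part of the lab page, that scores an association record against a constructed authorized-AP inventory; the inventory, the -50 dBm threshold, and the record field names are assumptions, while the SSID, BSSIDs, signal level and auth type are taken from the log above.

```python
"""Evil-twin indicator check over Wi-Fi association records (added example).

Not part of the lab page. The authorized-AP inventory and the two records
below are constructed from the values in the Station 1 forensics log; the
signal threshold and the field names are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed inventory: corporate SSID -> authorized BSSIDs and expected auth type.
AUTHORIZED_APS = {
    "Ridgeline-Corp-WiFi": {"bssids": {"AA:BB:CC:11:22:33"}, "auth": "WPA2"},
}

# Assumption: a corporate AP is rarely heard this strongly by a client;
# a very strong signal suggests a transmitter placed close to the victim.
STRONG_SIGNAL_DBM = -50


@dataclass
class Association:
    ssid: str
    bssid: str
    signal_dbm: int
    auth: str         # "Open", "WPA2", "WPA3", ...
    vpn_active: bool  # client VPN state while associated


def assess(assoc: Association, inventory=AUTHORIZED_APS) -> list[str]:
    """Return the evil-twin indicators present in one association record."""
    profile = inventory.get(assoc.ssid)
    if profile is None:
        return []  # not a corporate SSID; outside the scope of this check
    findings = []
    if assoc.bssid.upper() not in profile["bssids"]:
        findings.append(f"BSSID mismatch: {assoc.bssid} is not an authorized AP for {assoc.ssid}")
    if assoc.auth != profile["auth"]:
        findings.append(f"auth downgrade: expected {profile['auth']}, observed {assoc.auth}")
    if assoc.signal_dbm > STRONG_SIGNAL_DBM:
        findings.append(f"unusually strong signal: {assoc.signal_dbm} dBm")
    if findings and not assoc.vpn_active:
        findings.append("VPN inactive on a suspect AP: traffic was exposed in transit")
    return findings


def verdict(findings: list[str]) -> str:
    """Collapse the indicator list into a single triage label."""
    if any(f.startswith("BSSID mismatch") for f in findings):
        return "EVIL TWIN SUSPECTED"
    return "SUSPICIOUS" if findings else "OK"


# Constructed records: the airport association from the ticket and a normal office one.
AIRPORT = Association("Ridgeline-Corp-WiFi", "F4:E2:C6:99:12:AB", -42, "Open", False)
OFFICE = Association("Ridgeline-Corp-WiFi", "AA:BB:CC:11:22:33", -65, "WPA2", True)

if __name__ == "__main__":
    for rec in (AIRPORT, OFFICE):
        found = assess(rec)
        print(rec.bssid, verdict(found))
        for line in found:
            print("  -", line)
```

The BSSID mismatch alone is enough for the "evil twin suspected" verdict; the auth downgrade and signal checks are corroborating signals, and the VPN line records why the exposure mattered rather than whether the AP was rogue. A WIDS would run the BSSID check at the office; an endpoint agent is what can run it at an airport.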
Station 2 of 3
WPA2 Vulnerability — 10 pts
The Conference Room MITM
Two weeks later, the security team detected anomalous traffic patterns on the internal wireless network during a board meeting. The following SIEM alert and packet analysis were captured.
SIEM Alert #2024-1047
ALERT: WPA2 4-way handshake replay detected
LOCATION: Conference Room B, Floor 12
TIME: November 14, 2024 14:22–14:58 EST
AFFECTED: 3 devices (board member laptops)
AP FIRMWARE: v2.1.4 (Last updated: March 2022)
PATCH STATUS: CVE-2017-13077 NOT patched (KRACK)
Packet Analysis Summary
TECHNIQUE: Key Reinstallation Attack (KRACK)
METHOD: Replayed message 3 of 4-way handshake to reset session key to zero/known value
RESULT: Session encryption effectively broken for 36 minutes
DATA EXPOSED: Board presentation (PDF), internal VoIP audio fragments
ATTACKER POS: Estimated within 15 meters (physical proximity required)
S2-Q1 — KRACK works by replaying handshake messages. What does this allow the attacker to do? 2 pts
A. Guess the WPA2 pre-shared key (password) through repeated handshake attempts until a match is found.
B. Force the client device to reinstall an already-used encryption key, resetting the nonce and allowing the attacker to decrypt, replay, or forge packets within the session.
C. Inject malicious firmware into the wireless access point by exploiting a buffer overflow in the 4-way handshake protocol.
D. Block legitimate users from completing the WPA2 handshake, forcing them to fall back to WEP encryption which the attacker can then crack.
S2-Q2 — The AP firmware had not been updated since March 2022. CVE-2017-13077 (KRACK) was patched by all major vendors by late 2017. What does this tell you about Ridgeline's patch management program? 3 pts
A. The patch management program is functioning correctly — KRACK was a low-severity CVE and deferring the patch for five years was within acceptable risk tolerance.
B. Network infrastructure (APs, switches, routers) is excluded from the patch management scope, which is standard practice since firmware updates risk causing outages.
C. The patch management program has a critical gap — network infrastructure is being treated as set-and-forget hardware rather than software-managed systems requiring regular security updates.
D. The 2022 update was the most recent available from the vendor, indicating the AP model has reached end-of-life and no further patches are possible.
S2-Q3 — Even if KRACK decrypts the WPA2 session, what additional control could have protected the board presentation data? 2 pts
A. Using WPA3 instead of WPA2, which uses a different handshake protocol (SAE) that is not vulnerable to KRACK-style key reinstallation.
B. Application-layer encryption — HTTPS for web-based document sharing, TLS for email, and end-to-end encrypted VoIP — so that even if the wireless layer is decrypted, the application data remains encrypted.
C. Requiring physical token-based authentication before any wireless device can join the corporate network.
D. Disabling wireless entirely in the board room and using only wired Ethernet connections for sensitive meetings.
S2-Q4 — The attacker had to be within 15 meters. Why does physical proximity matter for this attack, and what does it imply about the threat model? 3 pts
A. Physical proximity is required to overpower the legitimate AP's signal strength — the attacker needs a stronger signal to ensure client devices prefer the rogue AP over the real one.
B. KRACK requires the attacker to intercept and replay specific WPA2 handshake frames in real time, which requires being within wireless range of the target. This means the attacker must be physically present — inside the building, in an adjacent space, or in a vehicle outside — narrowing the threat model to insider threats or targeted physical access scenarios.
C. Physical proximity is required because WPA2 handshake packets are directionally beamed between the client and AP — only devices physically between them can intercept the specific frames needed for the replay.
D. Physical proximity is required to prevent the attack from being detected — at longer ranges, the replay timing degrades and the SIEM is more likely to flag the anomalous handshake behavior.
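The SIEM alert for this station fired on a replayed 4-way handshake. The detector below is an added example, not the lab's own code or any vendor's detection rule, showing one heuristic a wireless monitor can apply to EAPOL frames it observes: a message 3 that arrives after the client has already answered with message 4 (so the client has installed its key and a further message 3 would make it reinstall), or more message-3 retransmissions than a lossy link would explain. The EapolFrame record layout, the client MACs, the timestamps and the retry threshold are constructed assumptions.

```python
"""Heuristic detector for replayed message 3 of the WPA2 4-way handshake (added example).

Not part of the lab page. The frame records mirror the Station 2 alert but are
constructed; the field names and the "message 3 after message 4" heuristic are
assumptions for illustration, not a vendor's rule.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class EapolFrame:
    ts: float            # seconds since capture start
    client: str          # client (supplicant) MAC
    msg: int             # 1..4, position in the 4-way handshake
    replay_counter: int  # EAPOL-Key replay counter carried by the frame


def detect_key_reinstall(frames, max_msg3_retries=1):
    """Return a list of (client, reason) alerts.

    A fresh message 1 resets the per-client state, so a legitimate
    rekey starts a new handshake rather than raising an alert.
    """
    alerts = []
    state = defaultdict(lambda: {"msg3_seen": 0, "msg4_seen": False})
    for f in sorted(frames, key=lambda x: x.ts):
        s = state[f.client]
        if f.msg == 1:
            s["msg3_seen"], s["msg4_seen"] = 0, False
        elif f.msg == 3:
            s["msg3_seen"] += 1
            if s["msg4_seen"]:
                alerts.append((f.client,
                               f"message 3 (ctr={f.replay_counter}) after key install at t={f.ts}"))
            elif s["msg3_seen"] > max_msg3_retries + 1:
                alerts.append((f.client,
                               f"excessive message 3 retransmissions ({s['msg3_seen']})"))
        elif f.msg == 4:
            s["msg4_seen"] = True
    return alerts


# Constructed capture: three clients, one of them matching the alert pattern.
CLEAN_CLIENT = "02:00:00:00:00:A1"
LOSSY_CLIENT = "02:00:00:00:00:C2"
BOARD_LAPTOP = "02:00:00:00:00:B1"
SAMPLE_FRAMES = [
    # normal handshake
    EapolFrame(0.0, CLEAN_CLIENT, 1, 1), EapolFrame(0.1, CLEAN_CLIENT, 2, 1),
    EapolFrame(0.2, CLEAN_CLIENT, 3, 2), EapolFrame(0.3, CLEAN_CLIENT, 4, 2),
    # lossy link: one message 3 retransmission before message 4 (tolerated)
    EapolFrame(5.0, LOSSY_CLIENT, 1, 1), EapolFrame(5.1, LOSSY_CLIENT, 2, 1),
    EapolFrame(5.2, LOSSY_CLIENT, 3, 2), EapolFrame(6.2, LOSSY_CLIENT, 3, 3),
    EapolFrame(6.3, LOSSY_CLIENT, 4, 3),
    # board laptop: handshake completes, then message 3 arrives twice more
    EapolFrame(10.0, BOARD_LAPTOP, 1, 1), EapolFrame(10.1, BOARD_LAPTOP, 2, 1),
    EapolFrame(10.2, BOARD_LAPTOP, 3, 2), EapolFrame(10.3, BOARD_LAPTOP, 4, 2),
    EapolFrame(12.0, BOARD_LAPTOP, 3, 3), EapolFrame(14.0, BOARD_LAPTOP, 3, 4),
]

if __name__ == "__main__":
    for client, reason in detect_key_reinstall(SAMPLE_FRAMES):
        print(f"ALERT {client}: {reason}")
```

The retry allowance matters: access points do retransmit message 3 when message 4 is lost, so a rule that alerts on any duplicate would be noisy. The post-message-4 signal is the stronger one, and it is also the reason patching matters: a patched client ignores the late message 3 and the alert becomes an attempted rather than a successful key reinstallation.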
Station 3 of 3
Bluetooth Attack — 10 pts
The Conference Badge Compromise
A Ridgeline analyst attended an industry conference. Three days later, a credential stuffing attempt was detected against the internal VPN portal using the analyst's credentials. The following forensic timeline was reconstructed.
Forensic Timeline
Nov 19, 09:00: Analyst arrives at FinTech Summit, pairs Bluetooth headset
Nov 19, 10:15: Unknown BT device (MAC: 7C:49:EB:AA:FF:01) scans analyst device
Nov 19, 11:40: BT OBEX file push attempt (declined by device)
Nov 19, 13:30: Successful BT MITM session initiated (bluejacking vector)
Nov 19, 13:30–14:20: 50 min session: keyboard input captured via BT HID spoofing
Nov 19, 14:22: Analyst types VPN credentials while checking remote access
Nov 22, 03:14: Credential stuffing attempt on VPN portal from 91.108.4.0/24
S3-Q1 — The attacker used Bluetooth HID spoofing to capture keyboard input. What does HID stand for and why is it particularly useful for credential theft? 2 pts
A. High-Intensity Detection — a Bluetooth security mode that increases signal strength for better range, which the attacker exploited to extend the capture distance beyond the normal 10-meter limit.
B. Human Interface Device — the Bluetooth profile used by keyboards and mice. Spoofing an HID device allows an attacker's device to receive keystrokes as if it were the paired keyboard, capturing everything the target types including passwords.
C. Host Intrusion Detection — a security agent that runs on the endpoint. The attacker compromised the HID agent to disable monitoring during the credential capture window.
D. Hardware ID — a unique device identifier that the attacker cloned to impersonate the analyst's laptop and intercept Bluetooth pairing requests from corporate authentication servers.
S3-Q2 — The analyst's Bluetooth was in discoverable mode at the conference. What is the specific risk of leaving a device in discoverable mode in a crowded public environment? 3 pts
A. Discoverable mode increases battery consumption significantly, which could have caused the device to shut down and lose session data.
B. Discoverable mode broadcasts the device name and MAC address to all nearby Bluetooth scanners, enabling attackers to identify the device model, enumerate supported profiles, and attempt pairing or profile-specific exploits without the user's knowledge.
C. Discoverable mode automatically accepts incoming file transfers (OBEX push), which is why the attacker was able to deliver a malicious file to the analyst's device at 11:40.
D. Discoverable mode transmits the device's current GPS coordinates to nearby devices, which the attacker used to track the analyst's movements during the conference.
S3-Q3 — Which control would have had the greatest impact on preventing this specific attack? 2 pts
A. Require multi-factor authentication (MFA) on the VPN portal, so the stolen credentials alone would not grant access.
B. Disable Bluetooth or set it to non-discoverable mode when attending public events or in any environment outside the corporate office.
C. Deploy a mobile device management (MDM) solution to remotely wipe the analyst's device after the credential theft was detected.
D. Use a Bluetooth signal jammer in the conference area to prevent any Bluetooth communications during sensitive events.
S3-Q4 — The credential stuffing attempt came from IP range 91.108.4.0/24 three days after the conference. What does this timeline suggest about the attacker's operation? 3 pts
A. The three-day delay indicates the attacker was a script kiddie who needed time to look up how to use the stolen credentials against a VPN portal.
B. The attacker likely sold the captured credentials on a dark web marketplace, and a separate buyer conducted the credential stuffing attempt three days later from a different infrastructure.
C. The three-day gap reflects deliberate operational security (OPSEC) — the attacker waited for the conference attendees to return to their offices and resume normal access patterns before attempting to blend in with legitimate VPN traffic.
D. The delay was caused by the credential data needing to be decrypted from the Bluetooth capture format before it could be used in the stuffing attack.
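The forensic timeline for this station is the kind of record an analyst triages with a small script before writing the incident report. The one below is an added example, not part of the lab page, that parses timeline lines in the format shown above, lists Bluetooth MACs that are not in a paired-device allowlist, and measures the gap between the credential entry and the stuffing attempt. The year (the timeline gives none), the allowlist and its headset MAC, and the keyword matching are assumptions; the event text and the attacker MAC come from the timeline itself.

```python
"""Bluetooth forensic timeline triage (added example).

Not part of the lab page. SAMPLE_TIMELINE reproduces the Station 3 timeline
as constructed text; the year, the paired-device allowlist and the keyword
matching are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

TIMELINE_YEAR = 2024  # assumption: the timeline lines carry no year

# Assumption: MDM inventory of Bluetooth devices the analyst is allowed to pair
# (constructed headset MAC; the real inventory would come from the MDM).
KNOWN_BT_MACS = {"A0:11:22:33:44:55"}

SAMPLE_TIMELINE = """\
Nov 19, 09:00: Analyst arrives at FinTech Summit, pairs Bluetooth headset
Nov 19, 10:15: Unknown BT device (MAC: 7C:49:EB:AA:FF:01) scans analyst device
Nov 19, 11:40: BT OBEX file push attempt (declined by device)
Nov 19, 13:30: Successful BT MITM session initiated (bluejacking vector)
Nov 19, 13:30-14:20: 50 min session: keyboard input captured via BT HID spoofing
Nov 19, 14:22: Analyst types VPN credentials while checking remote access
Nov 22, 03:14: Credential stuffing attempt on VPN portal from 91.108.4.0/24
"""

# "Mon DD, HH:MM: text" with an optional "-HH:MM" range end (hyphen, en or em dash)
LINE_RE = re.compile(r"^(\w{3} \d{1,2}), (\d{2}:\d{2})(?:[-\u2013\u2014]\d{2}:\d{2})?: (.*)$")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")


@dataclass
class Event:
    when: datetime
    text: str
    macs: list[str]


def parse_timeline(text: str) -> list[Event]:
    """Parse timeline lines into Events; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, clock, desc = m.groups()
        when = datetime.strptime(f"{day} {TIMELINE_YEAR} {clock}", "%b %d %Y %H:%M")
        events.append(Event(when, desc, [x.upper() for x in MAC_RE.findall(desc)]))
    return sorted(events, key=lambda e: e.when)


def unknown_device_macs(events, allowlist=KNOWN_BT_MACS) -> list[str]:
    """Bluetooth MACs in the timeline that are not in the paired-device allowlist."""
    seen = []
    for e in events:
        for mac in e.macs:
            if mac not in allowlist and mac not in seen:
                seen.append(mac)
    return seen


def gap_between(events, start_kw: str, end_kw: str) -> timedelta:
    """Elapsed time from the first event matching start_kw to the next matching end_kw."""
    start = next(e for e in events if start_kw.lower() in e.text.lower())
    end = next(e for e in events
               if end_kw.lower() in e.text.lower() and e.when >= start.when)
    return end.when - start.when


if __name__ == "__main__":
    evs = parse_timeline(SAMPLE_TIMELINE)
    print("unknown devices:", unknown_device_macs(evs))
    print("capture to stuffing:", gap_between(evs, "VPN credentials", "Credential stuffing"))
```

The unknown-MAC list is what an MDM-side detection would alert on at 10:15, well before any credentials were typed; the measured gap (2 days, 12 h 52 min) is the figure the S3-Q4 discussion turns on, and the same function can measure any other pair of events in the record.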
AP Exam Tip: Wireless security questions on the AP Cybersecurity exam test three things: attack identification from evidence (BSSID mismatch = evil twin; handshake replay = KRACK; BT discoverable = sniffing target), matching attacks to the correct defense layer (VPN for evil twin; patch management for KRACK; non-discoverable mode for Bluetooth), and defense-in-depth reasoning (what protects data EVEN IF the first control fails). Expect scenario-based MCQs that require all three reasoning steps.
Extension Challenge: Write a one-page Wireless Security Policy for Ridgeline Financial Group that addresses all three attack vectors from this lab. Your policy should include: (1) a mobile device section covering Bluetooth and public Wi-Fi rules, (2) a network infrastructure section covering patch management and AP monitoring, and (3) a remote access section covering VPN requirements. Each section should reference the specific attack it mitigates and the control that addresses it.