Chapter 78 Β· Examples
Securing Wireless and Mobile β Worked Examples
A rogue AP discovered by site survey, a BYOD data breach at device trade-in, a spectrum analyzer finding the hidden interference source, a deauthentication DoS at a conference, and a complete BYOD vs. COPE decision for a healthcare organization.
Example 1: Site Survey Discovers a Rogue Access Point
An organization's IT team is investigating reports of slow wireless performance in the east wing of their office building. They launch a site survey using a third-party wireless survey tool, walking through the affected areas with a laptop.
What the Survey Finds
The survey tool reveals 14 visible wireless access points. Twelve are the organization's own managed access points. Two are unknown. One of the unknowns is clearly from the neighboring tenant on the same floor β its signal is weak and its SSID is the neighboring company's name. The other unknown is different: strong signal, located within the east wing, SSID named "Corp_Guest_Ext," and appearing to be on the same channel as two of the organization's primary access points.
The heat map shows severe performance degradation in exactly the area where this unknown access point has strong signal. The channel conflict is directly causing the performance issues.
Investigation and Response
The IT team uses the BSSID (the AP's MAC address) captured by the survey tool to trace the physical location. They find a consumer-grade wireless router plugged into a network jack under a desk in the east wing. An employee had brought it from home because their work area had weak signal. The employee had no malicious intent β but the router created an unmanaged, unsecured network access point on the organizational network with no authentication, no encryption enforcement, and no firewall.
The rogue AP is removed. The legitimate coverage issue it was attempting to solve is addressed by repositioning a managed access point and increasing its transmit power slightly. The channel conflict is resolved. Performance in the east wing improves immediately. IT adds rogue AP detection to their quarterly site survey checklist.
Site surveys detect rogue access points that bypass organizational security controls. A well-intentioned employee's fix for poor coverage created an unmanaged network entry point. Regular surveys catch these issues before they become persistent security gaps.
Example 2: BYOD Data Exposure at Device Trade-In
A mid-size consulting firm implements a BYOD policy. Employees enroll their personal phones with the MDM platform, which installs a work profile containing corporate email, documents, and the client portal application. The MDM manages the work profile; personal data is outside organizational control.
The Incident
An analyst upgrades to a new phone. They do the trade-in at a carrier store on a Saturday, handing over their old phone after doing a factory reset through the phone's settings menu. They don't notify IT or go through any offboarding procedure. The work profile β which contained client contracts, financial projections, and confidential engagement data β was on the old phone. The factory reset wiped the personal partition but the MDM work profile data behavior depended on the MDM enrollment. Because enrollment was terminated when the phone reset, and the MDM remote wipe was never triggered, the client data may have persisted in the work profile container before the reset, and without MDM confirmation the wipe is unverifiable.
What Should Have Happened
The firm's BYOD policy should have required employees to notify IT before disposing of or trading in an enrolled device. The offboarding procedure: (1) IT triggers a remote wipe of the work profile from the MDM console, confirmed as successful; (2) the employee receives confirmation that corporate data has been removed; (3) the device is then safe for disposal or trade-in.
Without this procedure, the firm has no way to confirm that client data was actually removed from hundreds of employee-owned devices as employees upgrade phones over time. The MDM remote wipe capability is the control; the procedure is what ensures it is used.
BYOD data protection requires explicit offboarding procedures for device disposal and trade-in. The MDM remote wipe capability is worthless if it is never triggered. Policy must define when and how the wipe is initiated, confirmed, and documented.
Example 3: Spectrum Analyzer Finds the Hidden Interference Source
A law firm's conference room experiences persistent wireless connectivity problems during video calls. The IT team uses a third-party wireless survey tool and finds no channel conflicts, no neighboring networks on conflicting channels, and adequate signal strength throughout the room. All access points appear normal. The problem persists.
Switching to a Spectrum Analyzer
A technician brings a spectrum analyzer into the conference room during a typical business morning. The analyzer shows a large burst of interference in the 2.4 GHz band approximately every 30β45 seconds, lasting about 3 seconds each time. The interference pattern does not match any 802.11 Wi-Fi transmission β it is broadband noise, not structured Wi-Fi frames.
The technician identifies the pattern as consistent with a microwave oven operating nearby. Investigation finds a staff kitchen on the other side of the conference room wall. The microwave is heavily used during the workday for reheating lunches. Its magnetron generates broadband interference in the 2.4 GHz band whenever it runs, and the interference is strong enough to disrupt Wi-Fi connections in the adjacent conference room.
Resolution
The access point serving the conference room is reconfigured to operate exclusively on 5 GHz channels. The microwave's interference is only in the 2.4 GHz band; 5 GHz operation is unaffected. The problem is resolved. A standard wireless survey tool could never have identified this because it only shows 802.11 devices β the microwave is invisible to it. Only the spectrum analyzer revealed the actual RF noise source.
When standard wireless survey tools show no problems but interference persists, a spectrum analyzer is the right next step. It reveals non-Wi-Fi interference sources β microwaves, baby monitors, cordless phones, Bluetooth β that are invisible to tools that only analyze 802.11 traffic.
Example 4: Deauthentication Attack at a Corporate Conference
A technology company holds its annual sales kickoff at a conference venue. 200 sales staff are connected to the venue's Wi-Fi for presentations, live demos, and CRM access. An hour into the event, devices across the room begin repeatedly disconnecting from Wi-Fi. Every few seconds, phones, laptops, and tablets drop their connections. The presentations stall. The demos fail. The IT team at the venue can see the access points are functioning normally β signal is good, the network is up β but clients keep disconnecting.
The Attack
A disgruntled former employee is sitting in the hotel lobby with a laptop running a wireless deauthentication attack tool. The tool broadcasts forged IEEE 802.11 deauthentication frames addressed to every connected client, continuously. The frames are accepted as legitimate by clients (because the 802.11 management frame specification, before 802.11w, did not require authentication of these frames). Every client receives a "you have been disconnected" message from what appears to be the legitimate access point and drops its connection. The attacker does not need to be authenticated on the network β sending deauthentication frames requires only that the attacker be within Wi-Fi range.
Defense and Lesson
The venue's access points do not support 802.11w (Management Frame Protection). The attack cannot be stopped until the attacker leaves or is physically located and removed.
The lesson: 802.11w, supported by WPA3 and optionally configurable on WPA2, authenticates management frames including deauthentication frames. A forged deauthentication frame from an attacker fails the authentication check and is ignored by clients. Organizations hosting or attending events at venues should check whether the wireless infrastructure supports management frame protection, and should consider their own mobile hotspot or 5G connectivity as backup for critical presentations.
Wi-Fi deauthentication attacks require no authentication and can disrupt all connected clients from a distance using freely available tools. Defense requires 802.11w (management frame protection) β available in WPA3 and configurable in WPA2-capable access points.
Example 5: BYOD vs. COPE β A Healthcare Organization's Decision
A regional hospital network is evaluating mobile device policy for its 800 nurses and clinical staff who use mobile devices for patient documentation, medication administration scanning, and communication. The IT and compliance teams analyze BYOD vs. COPE.
BYOD Analysis
Appeal: No hardware cost for the hospital; staff already have phones they know how to use; convenient.
Problems in a healthcare context:
β Patient data (PHI) on employee-owned devices creates HIPAA compliance complexity β what happens when the employee leaves? When they sell their phone?
β MDM can manage the work profile, but staff may resist invasive MDM enrollment on their personal phones
β If an employee resigns abruptly, the hospital must trigger a remote wipe before corporate data is misused β but on a personal device, the employee may unenroll before that happens
β Minimum OS version requirements may exclude staff with older personal phones
COPE Decision
The hospital chooses COPE. The organization purchases a standardized device for each clinical staff member β a model chosen for compatibility with their clinical software suite and known for strong security update support. Staff may use the device for personal purposes, but the hospital retains full ownership and control.
Benefits realized:
β All devices are on the current OS version (the hospital controls the fleet)
β MDM enforces full-device encryption, automatic screen lock after 30 seconds (critical for devices left at nursing stations), and remote wipe
β When staff leave, IT simply retrieves the device β no negotiation about personal data on a personally-owned phone
β HIPAA compliance is cleaner: the hospital owns and controls every device that ever touches PHI
The hardware cost is offset by the compliance certainty and the elimination of BYOD data protection risk.
In regulated environments like healthcare where device control and data protection have compliance and legal implications, COPE's full organizational ownership often justifies the hardware cost. BYOD's privacy tensions and limited control over personal devices create risk that is difficult to fully manage with MDM alone.