---
title: "AP Cybersecurity 1.3: Public Network Best Practices"
description: "Learn evil twin, jamming, and war driving attacks for AP Cybersecurity 1.3. Understand adversary types, VPNs, and how to protect data on public Wi-Fi."
canonical: "https://fiveable.me/ap-cybersecurity/unit-1/best-practices-for-public-networks/study-guide/nli0fCFfA8OIiMHEGsBP"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Unit 1 – Introduction to Security"
lastUpdated: "2026-06-18"
---

# AP Cybersecurity 1.3: Public Network Best Practices

## TLDR
[Public Wi-Fi](/ap-cybersecurity/key-terms/public-wi-fi "fv-autolink") at places like coffee shops, airports, and hotels is convenient but easy for attackers to exploit. This topic covers who the attackers are (sorted by skill and motivation), the main wireless attacks (evil twin, jamming, and [war driving](/ap-cybersecurity/key-terms/war-driving "fv-autolink")), and the practical steps you can take, like verifying network names, relying on encryption, and using a VPN, to protect your data on networks you do not fully control.

## Why This Matters for the AP Cybersecurity Exam

This topic builds your ability to think like a defender, which is exactly what [AP Cybersecurity](/ap-cybersecurity "fv-autolink") asks of you. You need to identify the type of [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") behind an attack, recognize specific wireless attacks from a description, and recommend protective actions for someone using public Wi-Fi. Questions may present a scenario and ask you to name the attack, classify the adversary, or choose the best mitigation. Being able to match the threat to the right defense, and to explain the limits of each defense, is the core skill here.

## Key Takeaways

- [Adversaries](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97 "fv-autolink") are classified by skill: low-skilled attackers use tools others made that exploit known vulnerabilities, while high-skilled attackers build or modify tools and can find zero days.
- Common motivations include greed, desire for recognition, dedication to a cause, revenge, and politics or beliefs.
- Three wireless attacks to know: evil twin (fake access point with a copycat [SSID](/ap-cybersecurity/key-terms/ssid "fv-autolink")), jamming (a [denial of service](/ap-cybersecurity/key-terms/denial-of-service) that floods the frequency), and war driving (scanning an area for wireless networks).
- An evil twin cannot read traffic protected by an encrypted [protocol](/ap-cybersecurity/key-terms/protocol "fv-autolink") like [HTTPS](/ap-cybersecurity/key-terms/https "fv-autolink").
- Verifying that the network name exactly matches the one you intend to join defeats most evil twin attempts.
- A VPN encrypts your traffic to the VPN provider, but the VPN provider can still see that traffic.

## Classifying Adversaries by Skill Level

In cybersecurity, adversaries (the people or groups carrying out attacks) get grouped by how skilled they are, and that matters because it changes what they are capable of doing to you.

### Low-Skilled Adversaries

Low-skilled adversaries do not write their own attack tools. They buy or download tools that other people made, often from online marketplaces or forums. These tools target known vulnerabilities, meaning security flaws that have already been discovered and documented (and usually already patched, if the victim bothered to [update](/ap-cybersecurity/key-terms/update "fv-autolink")).

Picture someone downloading a ready-made Wi-Fi cracking app and pointing it at a router. They do not really understand how it works under the hood. They just press buttons. These attackers still cause real damage because their tools are cheap and easy to use.

### High-Skilled Adversaries

High-skilled adversaries are a different threat. They can:

- Build new attack tools from scratch
- Modify existing tools to adapt to new defensive techniques and tools
- Discover zero days, which are [vulnerabilities](/ap-cybersecurity/key-terms/vulnerability "fv-autolink") that nobody else knows about yet, not even the company that made the [software](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn "fv-autolink")

A [zero day](/ap-cybersecurity/key-terms/zero-day "fv-autolink") is especially dangerous because there is no [patch](/ap-cybersecurity/key-terms/patch "fv-autolink") available. Defenders literally have "zero days" to prepare.

## Why Adversaries Attack

Skill level tells you what an attacker can do. Motivation tells you why they are doing it. Common motivations include:

- **Greed:** Stealing money, credit card numbers, or cryptocurrency
- **Desire for recognition:** Hacking something flashy to brag about it
- **Dedication to a cause:** Sometimes called "hacktivism," like attacking an organization the attacker thinks is acting unethically
- **Revenge:** A fired employee going after their old company
- **Politics or beliefs:** Targeting governments, election systems, or ideological opponents

A single attack can mix motivations. Someone might attack a company for both money and political reasons. Knowing the motive helps defenders predict who is likely to be targeted and what the attacker is after.

## Types of Wireless Cyberattacks

Wireless networks have specific weaknesses that wired networks do not. Three attacks are essential to know: evil twin, jamming, and war driving.

### Evil Twin Attacks

In an [evil twin attack](/ap-cybersecurity/key-terms/evil-twin-attack), the attacker sets up their own [wireless access point](/ap-cybersecurity/key-terms/wireless-access-point) (WAP), which is the device that broadcasts a Wi-Fi signal. They give it a [service set identifier](/ap-cybersecurity/key-terms/service-set-identifier) (SSID), the network name you see in your Wi-Fi list, that looks identical or nearly identical to a real network. The attacker's network is the "evil twin."

Say you are at a coffee shop where the real network is `Coffee WiFi`. An attacker sets up a network called `Coffee WiFi` (same name) or `Coffee_Free_WiFi` (close enough to fool you). You connect, thinking it is legitimate, and now your traffic flows through the attacker's device, letting them capture what you send.

There is one big limit on this attack: encrypted protocols still protect your data. If you are browsing a site using HTTPS (the lock icon in your browser), the attacker can see that you are connecting to that site but cannot read the actual content. That is a key reason HTTPS matters so much on public Wi-Fi.

### Jamming Attacks

A [jamming attack](/ap-cybersecurity/key-terms/jamming-attack "fv-autolink") is the brute-force option. The attacker floods an area with a strong electromagnetic (EM) signal in the same frequency range the wireless network uses. This drowns out the legitimate traffic between the access point and the users, so nobody can connect.

Jamming is an example of a [denial of service](/ap-cybersecurity/key-terms/denial-of-service "fv-autolink") (DoS) attack. DoS attacks do not steal your data; they block you from using a resource. Picture someone holding an air horn next to two people trying to have a conversation.

Because jamming can knock people off a network, an adversary might use it to push you off a secure network and toward an evil twin set up nearby.

### War Driving

War driving is more about reconnaissance than a direct attack. An adversary drives or walks around an area scanning for wireless network beacons (the signals access points broadcast to announce themselves). When they detect a signal, they can gather:

- The type of wireless network in use
- How far the signal reaches, especially if it leaks outside the building it is supposed to serve

Why does this matter? If a company's Wi-Fi signal reaches into the parking lot, an attacker can sit nearby and try to break in without ever stepping inside. War driving builds a map of targets the attacker can return to later.

## Protecting Your Data on Public Wi-Fi

Knowing the attacks is half the battle. The other half is what you actually do when you are about to connect to free Wi-Fi.

### Verify the Network Name Exactly

This is the simplest and most ignored step. Before joining a Wi-Fi network, confirm the SSID exactly matches the network you intend to join. If the official network is `LAX-FreeWiFi`, do not connect to `LAX_Free_WiFi` just because it shows up in your list.

How do you check? Ask an employee, look for posted signage, or check the official website. This single habit defeats most evil twin attacks because the attacker is counting on you not paying attention.
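The name check above can be made mechanical. The following is an added example, not part of the original guide: it compares each network name in a constructed scan list against the name confirmed from signage or staff and flags near-matches. The function names, the two-typo threshold, and the scan lists are assumptions made for illustration.

```python
import re
import unicodedata

def _fold(ssid):
    # NFKC maps compatibility forms (e.g. full-width letters) to plain ones.
    return unicodedata.normalize("NFKC", ssid).casefold()

def squash(ssid):
    """Drop case, spacing and punctuation so cosmetic variants compare equal."""
    return "".join(ch for ch in _fold(ssid) if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, kept to one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(seen, official, max_typos=2):
    """Return 'exact', 'look-alike' or 'unrelated' for one advertised name."""
    if seen == official:
        # Necessary, not sufficient: a twin can advertise the identical name.
        return "exact"
    s, o = squash(seen), squash(official)
    words = re.findall(r"[^\W_]+", _fold(official))
    padded = bool(words) and all(w in s for w in words)  # extra words inserted
    if s == o or padded or edit_distance(s, o) <= max_typos:
        return "look-alike"
    return "unrelated"

def review_scan(scan, official):
    """Map every advertised name in a scan to its verdict."""
    return {ssid: classify(ssid, official) for ssid in scan}

# Constructed scan results; the official names are the ones used in this guide.
AIRPORT_SCAN = ["LAX-FreeWiFi", "LAX_Free_WiFi", "LAX-FreeWiFl",
                "\uff2cAX-FreeWiFi", "Gate B12 Lounge"]
CAFE_SCAN = ["Coffee WiFi", "Coffee_Free_WiFi", "coffee wifi"]

if __name__ == "__main__":
    for scan, official in ((AIRPORT_SCAN, "LAX-FreeWiFi"), (CAFE_SCAN, "Coffee WiFi")):
        for ssid, verdict in review_scan(scan, official).items():
            print(f"{official!r:16} {ssid!r:22} {verdict}")
```

A "look-alike" verdict next to the official name in the same list is the signal to stop and ask; an "exact" verdict only means the name matches, which is why the other defenses in this guide still apply.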

### Think About What Data You Are Exposing

Most modern internet protocols are encrypted by default, so even on an unencrypted Wi-Fi network (one without a [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") or with weak security), much of your traffic is protected.

But not everything is encrypted. DNS queries are a good example. Every time your device looks up a website's [IP address](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink"), that query is often sent in plaintext. Someone watching the network may be able to see which sites you are visiting, even if they cannot read what you do there.

So the practical question becomes: how sensitive is what I am about to do? Checking the weather on open Wi-Fi is probably fine. For something more sensitive, you may want to wait for a network you trust or add extra protection.
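To see why a plaintext DNS query reveals the site name, the added example below (not part of the original guide) decodes the bytes of one query the way any device on the path could. The payload is constructed for illustration, and the function and constant names are assumptions.

```python
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA"}

# Constructed UDP payload of a standard DNS query (not captured traffic).
SAMPLE_QUERY = bytes.fromhex(
    "1a2b 0100 0001 0000 0000 0000"             # header: id, flags (RD), 1 question
    "03 777777 07 6578616d706c65 03 636f6d 00"  # length-prefixed name labels
    "0001 0001"                                 # QTYPE=A, QCLASS=IN
)

def read_question(payload):
    """Recover the queried hostname from an unencrypted DNS query payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    query_id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("name runs past end of payload")
        length = payload[pos]
        pos += 1
        if length == 0:          # zero-length label ends the name
            break
        if length > 63:          # top bits set: not a plain label
            raise ValueError("unexpected label encoding in a query")
        if pos + length > len(payload):
            raise ValueError("label runs past end of payload")
        # No key is needed here: the label bytes are the hostname itself.
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": query_id, "name": ".".join(labels),
            "type": QTYPE_NAMES.get(qtype, str(qtype))}

if __name__ == "__main__":
    print(read_question(SAMPLE_QUERY))
```

Nothing in the decoding step involves a secret, which is the difference from HTTPS content: the hostname is readable, the page you load from it is not.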

### Use a VPN

A virtual private network (VPN) encrypts all of your device's traffic and routes it through the VPN provider's system before it goes out to the internet. From the perspective of anyone watching the local Wi-Fi (an evil twin attacker, the venue, or your service provider), the traffic looks like encrypted gibberish heading to the VPN.

This is strong protection on public Wi-Fi. The local attacker cannot see your DNS queries, cannot see which sites you visit, and cannot capture data from unencrypted apps you are using.

There is a catch, though: the VPN provider can see your traffic. You are not making your traffic invisible; you are shifting trust from the local network to the VPN company. A reputable VPN provider matters, because a sketchy one could end up being worse than the network you were trying to avoid.

### Quick Comparison of Defenses

| Defense | Protects against | Limit |
|---|---|---|
| Verifying SSID | Evil twin attacks | Doesn't help if you mistype or rush |
| Relying on HTTPS/encryption | Traffic capture on open networks | Doesn't protect DNS queries or unencrypted apps |
| Using a VPN | Most local network snooping | VPN provider sees your traffic |

None of these defenses is perfect on its own. The strongest approach is layering them: verify the network name, stick to encrypted protocols, and use a trusted VPN for anything sensitive. That combination makes you a much harder target.

## How to Use This on the AP Cybersecurity Exam

### Identifying the Attack

When a question describes a scenario, look for the signature clue:

- A copycat or identical network name that captures traffic points to an evil twin.
- A flood of signal that blocks all access and prevents connection points to jamming, which is a type of denial of service.
- Scanning or detecting networks while moving around an area points to [war driving](/ap-cybersecurity/key-terms/war-driving).

### Classifying the Adversary

Match the description to skill level. Buying or downloading existing tools that exploit known flaws means a [low-skilled adversary](/ap-cybersecurity/key-terms/low-skilled-adversary). Building or modifying tools, or finding undocumented zero days, means a [high-skilled adversary](/ap-cybersecurity/key-terms/high-skilled-adversary). If the question gives a reason for the attack, connect it to a motivation like greed, recognition, a cause, revenge, or politics.

### Recommending Mitigations

When asked how a person can protect their data, tie the defense to the threat:

- Verify the network name to avoid evil twins.
- Consider the sensitivity of your data before joining an unencrypted network, especially because DNS queries may be exposed.
- Use a VPN to [encrypt](/ap-cybersecurity/unit-5/asymmetric-cryptography/study-guide/VwtcdE1OgUXoQu0fiDG2 "fv-autolink") traffic, but remember the VPN provider can still see it.

### Common Trap

Watch for questions that test the limits of a defense. An evil twin cannot read HTTPS-protected content, and a VPN does not hide your traffic from the VPN provider. The right answer often acknowledges what a defense does not do.

## Common Misconceptions

- **A VPN makes your traffic invisible to everyone.** It does not. A VPN shifts trust to the provider, and the VPN provider can still see your traffic.
- **An evil twin can read everything you do.** It cannot read traffic protected by an encrypted protocol like HTTPS, though it can see that you are connecting to a site.
- **Jamming steals data.** Jamming is a denial of service attack. It blocks access rather than capturing information.
- **Open or unencrypted Wi-Fi means all your data is exposed.** Most modern protocols are still encrypted, so much of your traffic stays protected, but unencrypted pieces like DNS queries can be visible.
- **Low-skilled adversaries are harmless.** They rely on tools made by others, but those tools exploit known vulnerabilities and can still cause serious damage.
- **War driving is the attack itself.** War driving is mainly reconnaissance, gathering information about wireless networks that can be used to plan a later attack.

## Vocabulary

- **DNS queries**: Requests sent to resolve domain names into IP addresses, which can reveal the websites a user is visiting.
- **HTTPS**: A secure communication protocol that encrypts data transmitted between a user and a web server, protecting it from being read by unauthorized parties.
- **adversary**: An individual or entity that attempts to exploit vulnerabilities in systems, applications, or data to cause harm, steal information, or disrupt operations.
- **cyberattack**: A coordinated attempt by adversaries to disrupt, harm, steal, or destroy devices, networks, or data, typically executed through multiple phases.
- **denial of service**: A type of cyberattack that prevents legitimate users from accessing network resources or services.
- **encrypted**: Data that has been converted into a coded format to prevent unauthorized access or viewing.
- **evil twin attack**: A wireless cyberattack in which an adversary creates a fraudulent wireless access point with an SSID identical or similar to a legitimate network to trick users into connecting and capture their network traffic.
- **high-skilled adversaries**: Attackers with the capacity to create new malicious tools, modify existing ones, and discover undocumented vulnerabilities.
- **jamming attack**: A wireless cyberattack in which an adversary floods an area with a strong electromagnetic signal on the same frequency as a wireless network to prevent legitimate communication between the access point and users.
- **known vulnerabilities**: Security weaknesses in systems or software that have been identified and documented.
- **low-skilled adversaries**: Attackers who rely on existing malicious cyber tools purchased online to exploit known vulnerabilities.
- **malicious cyber tools**: Software or programs designed to compromise, damage, or gain unauthorized access to computer systems and networks.
- **network traffic**: The flow of data packets between devices on a network, including both inbound and outbound communications.
- **sensitive data**: Information that requires protection from unauthorized access, such as personal credentials, financial information, or private communications.
- **service set identifier**: The name of a wireless network that is broadcast by an access point to identify the network to potential users.
- **unencrypted Wi-Fi networks**: Wireless networks that do not use encryption to protect data transmitted between devices and the network.
- **virtual private network**: A service that encrypts all internet traffic from a user's device through a secure tunnel to the VPN provider's system.
- **war driving attack**: A wireless cyberattack in which adversaries detect wireless network beacons while driving or walking to gather information about networks and identify areas where wireless signals extend beyond physical buildings.
- **wireless access point**: A networking device that allows wireless devices to connect to a wired network and transmit data wirelessly.
- **wireless network**: A network that uses radio waves to connect devices without physical cables, allowing internet access through Wi-Fi.
- **wireless network beacon**: A signal broadcast by a wireless access point to advertise its presence and allow devices to discover and connect to the network.
- **zero days**: Undocumented or previously unknown vulnerabilities in software or systems that have not yet been patched or disclosed.

## FAQs

### What is an evil twin attack in AP Cybersecurity?

An evil twin attack is when an adversary sets up a fake wireless access point with an SSID that looks identical or very similar to a legitimate network, tricking users into connecting to it so the attacker can capture their traffic. However, the attacker cannot read traffic that is protected by an encrypted protocol like HTTPS.

### What is the difference between a jamming attack and a denial of service attack?

A jamming attack is a type of denial of service (DoS) attack in which an adversary floods an area with a strong electromagnetic signal in the same frequency range as a wireless network, preventing users from connecting to the access point. Rather than stealing data, jamming simply blocks access to the network.

### Does a VPN fully protect your data on public Wi-Fi?

A VPN encrypts all of your traffic and routes it through the VPN provider's system, which prevents a local attacker or service provider from viewing your data. However, the VPN provider itself can still see your traffic, so you are shifting trust to that provider rather than eliminating all risk.

### What is war driving in cybersecurity?

War driving is when an adversary drives or walks around an area scanning for wireless network beacons to detect available networks. If a signal is found, the attacker can gather information about the network type and identify areas where the signal extends beyond the physical building, which can be used to plan a later attack.

### What is the difference between low-skilled and high-skilled adversaries in AP Cybersecurity?

Low-skilled adversaries rely on attack tools created by others that exploit known vulnerabilities, while high-skilled adversaries can build or modify their own tools and discover zero days, which are previously undocumented vulnerabilities. Both types can cause real damage, but high-skilled adversaries pose a greater threat because their attacks can bypass existing defenses.

