Threat Vectors and Attack Surfaces
Vector vs. attack surface, and the technical vectors
A threat vector is the route of one intrusion (one email, one open port, one rogue USB drive) while the attack surface is the aggregate of every such point an attacker could touch, and keeping that one/aggregate line straight is what objective 2.2 keeps testing. SY0-701 asks you to explain common threat vectors and attack surfaces, and CompTIA's own objective summary names the families in one breath: "message-based, unsecure networks, social engineering, file-based, voice call, supply chain, and vulnerable software vectors"[1]. Objective 2.2 sits in Domain 2, Threats, Vulnerabilities, and Mitigations, which is 22% of the scored exam[1], the second-heaviest domain, so this content is worth real study time. The overview drew the core line; this section makes it operational and walks every technical vector cell by cell.
The two terms are not interchangeable
A threat vector (attack vector) is the route of a single intrusion, one email, one open port, one rogue USB drive. The attack surface is the aggregate: every point an attacker could touch. NIST defines an attack surface as "the set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from"[2] it. The exam's recurring framing follows from that definition: a vector is the how/where of one attack; the attack surface is the total exposure you are trying to shrink. Attack surface reduction is therefore not a single control but a discipline, close unused service ports, change default credentials, decommission unsupported software, disable unused Bluetooth/wireless radios, segment networks, and minimize accounts, and each removal eliminates whole vectors before they can be used. (The final section reuses this list as the exam-correct answer to a "BEST way to reduce the attack surface" item.) The figure below groups the vector families, technical, human, and supply-chain, modeled on CompTIA's own Objective 2.2 vector list.
Message, file, image, and voice vectors
These are delivery vectors, they carry a payload or a lure to a human or an application.
| Vector | What it is | Typical control |
|---|---|---|
| Message-based | Email, SMS, and instant messaging that deliver a link, attachment, or lure | Secure email gateway, link rewriting, anti-spam/anti-phishing filtering, user training |
| File-based | Malicious code inside a document, script, archive, or executable the user opens | Attachment sandboxing/detonation, application allowlisting, macro disablement |
| Image-based | Malicious payloads hidden in image files (steganography, malformed parsers) | Content disarm and reconstruction, file-type validation, patched image libraries |
| Voice call | Live or automated phone calls (the channel for vishing, voice phishing, defined under Human vectors below) | Caller-ID scrutiny, call-back verification, awareness training |
| Removable device | USB drives, external media used to introduce malware or exfiltrate data | Device-control/USB blocking policy, disabling autorun, port lockdown |
Note the exam pairing: a phishing email is a message-based vector even though the harm comes from a file-based attachment it carries, CompTIA may classify by the delivery channel or by the payload container depending on the stem's emphasis.
Network, software, and credential exposure vectors
These expand the attack surface by leaving something reachable that should not be.
- Unsecure networks: open or weakly secured wireless (no/weak encryption, rogue APs), flat wired LANs with no segmentation, and discoverable Bluetooth radios. The control is encryption plus segmentation plus disabling unneeded radios.
- Open service ports: every listening port is a potential entry point. NIST's Technical Guide to Information Security Testing and Assessment (SP 800-115)[3] frames network port and service identification as a core discovery technique precisely because exposed listening services are where attackers start; the mitigation is to inventory listening ports and firewall or close anything not required (never leave RDP/3389, SMB/445, or admin panels internet-facing).
- Default credentials: factory usernames/passwords left on routers, IoT, databases, and admin consoles are a one-step compromise. The control is to change every default before deployment.
- Vulnerable and unsupported software: software with a known, patchable flaw is a vector until you update it; unsupported (end-of-life) software is a standing vector because the vendor ships no patches at all, so a known CVE stays exploitable indefinitely. Replace it, or isolate and compensate with segmentation and virtual patching.
Human vectors: social engineering by channel and tell
Social engineering attacks the person, not the software flaw. It exploits trust, urgency, authority, fear, and helpfulness to make a human take an action that bypasses technical controls. Because the exploit is the user, the primary controls are security awareness training plus process controls such as out-of-band verification of any payment or credential change, not a patch. SY0-701 expects you to name each technique by its channel and its tell-tale sign, so master the discriminators below rather than memorizing definitions in isolation. The figure below groups the techniques the same way this section does: by channel (which medium carried the lure), by the story the attacker tells, and by the site or content abused.
Channel-specific lures: phishing, vishing, smishing
The three are the same deception delivered over different channels, and the exam tests the channel word:
- Phishing: fraudulent email, usually bulk, with a spoofed sender and an urgent link to a fake login or a malicious attachment.
- Spear phishing: targeted phishing aimed at a named individual using researched personal detail (more convincing, lower volume). Whaling is spear phishing aimed at a high-value executive.
- Vishing: voice phishing over a phone call; the caller manufactures urgency or authority to extract data or trigger an action.
- Smishing: SMS/text phishing; a short link or a callback number in an unsolicited message.
The single distinguishing fact is the medium: email = phishing, voice = vishing, SMS = smishing. A question that says "received a text message" is smishing even if the lure content looks identical to a phishing email.
Pretext, impersonation, BEC, and brand impersonation
These describe the story the attacker tells, independent of channel:
- Pretexting: inventing a fabricated backstory or scenario ("I'm from IT and need to verify your password to fix your mailbox") that justifies the unusual request. Pretexting is the underlying technique many of the others ride on.
- Impersonation: posing as a specific trusted person (a colleague, a help-desk agent, an executive) to lower the target's suspicion.
- Brand impersonation: posing as a trusted company (spoofed logos, look-alike sites, fake support) rather than a specific person.
- Business email compromise (BEC): the high-payoff variant: an attacker spoofs or hijacks an executive or vendor email account and requests a wire transfer or a change to payment/banking details. The tell is a money-movement or invoice-change request that appears to come from leadership or a known supplier. The exam-correct control is out-of-band verification (call a known number) before acting, not a reply to the email.
Watering hole, typosquatting, and information manipulation
- Watering-hole attack: instead of attacking the target directly, the attacker compromises a legitimate third-party website the target group routinely visits, so the victims infect themselves when they browse a site they already trust. The tell is that a normally-trusted site begins serving malware.
- Typosquatting: registering look-alike domains (misspellings or homoglyphs of a real brand, e.g. a swapped or doubled letter) to catch users who mistype a URL, then serving a phishing page or malware. It is a form of URL hijacking and overlaps with brand impersonation.
- Misinformation and disinformation: manipulating decisions by spreading false content. Misinformation is false information spread without intent to deceive; disinformation is deliberately false content spread to mislead (an influence campaign). On SY0-701 the discriminator is intent: deliberate = disinformation. Both are recognized threat vectors because they shape human decisions and erode trust, and the control is awareness, source verification, and authoritative communication channels.
Supply chain and exam-pattern recognition
The last family in Objective 2.2 extends your attack surface beyond your own perimeter, and the section closes with the question shapes the exam actually uses so you can answer on recognition.
The supply chain is part of your attack surface
Every third party you trust, managed service providers (MSPs), hardware vendors, software suppliers, and open-source dependencies, is reachable as a vector because a compromise of any of them arrives through a trusted channel and installs with full trust. NIST's Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1)[4] frames this exactly: products and services can carry malicious functionality or vulnerabilities from poor development and manufacturing practices, and the risk must be managed across the whole supply chain.
- MSP: an MSP with broad remote access is a single point through which many of its customers can be breached at once; scope it into the attack surface with least-privilege access and monitoring.
- Vendor / supplier: a tampered hardware component or a malicious update pushed through a legitimate software supplier (a software-supply-chain attack) installs with trust the user never questions.
- Controls: vendor due-diligence and security attestations, contractual security requirements, least-privilege access for third parties, code signing and integrity verification of updates, and a software bill of materials (SBOM) so you know which dependencies you actually run.
Exam-pattern recognition for Objective 2.2
Vector questions cluster into a few repeatable shapes. Name the pattern and the answer follows.
Pattern 1: "Which social-engineering technique is this?" The stem describes a scenario and the options are technique names. Decide by the channel and the story: a phone call = vishing; a text = smishing; an email = phishing (targeted/personalized = spear phishing); a money/invoice-change request from a spoofed exec = BEC; a fabricated justification story = pretexting; a compromised trusted site = watering hole; a misspelled look-alike domain = typosquatting. The classic trap is choosing "phishing" for a voice or SMS scenario: match the medium word in the stem.
Pattern 2: "Which is the threat vector here?" The options mix a vector with an actor, a payload, or a control. Pick the route in. Remember the boundaries: the actor and motive (nation-state, hacktivist, insider) belong to Threat Actors and Motivations; the payload behavior after entry (ransomware, worm, trojan, rootkit) belongs to Malware and Malicious Activity; a flaw classification (buffer overflow, misconfiguration, race condition) belongs to Vulnerability Types; and the defensive control (segmentation, patching, hardening) belongs to Mitigation Techniques. A phishing email is the vector; the trojan it drops is malware, distinct exam topics.
Pattern 3: "BEST way to reduce the attack surface." The goal is fewer entry points, so the right answer is one of the attack-surface-reduction moves introduced in the opening section, closing ports, changing defaults, retiring unsupported software, disabling unused radios, segmenting, or minimizing accounts, each of which removes a vector. The discriminator the exam tests is removal versus detection: the wrong answer typically adds a detective layer (more logging), which is useful but does not shrink the surface because nothing is eliminated. NIST's Technical Guide to Information Security Testing and Assessment (SP 800-115)[3] underscores why inventorying and closing listening services is the highest-leverage move: those exposed ports are precisely where assessment (and attack) begins.
Pattern 4: third-party / supply-chain scenario. A stem says a breach reached the company through an MSP, a vendor update, or an open-source dependency. The correct framing is that the third party is part of your attack surface, and the exam-right controls are due diligence, least-privilege vendor access, signed/verified updates, and an SBOM, aligned with NIST SP 800-161 Rev. 1[4]. The wrong answer treats the vendor as out of scope because "we didn't run the vulnerable code ourselves."
Social-engineering techniques: channel and tell-tale sign
| Technique | Channel / medium | Tell-tale sign |
|---|---|---|
| Phishing | Email (bulk) | Generic lure, spoofed sender, urgent link to fake login |
| Spear phishing | Email (targeted) | Personalized to a named individual using researched detail |
| Vishing | Voice call | Caller invents urgency/authority to extract data or action |
| Smishing | SMS / text | Short link or callback number in an unsolicited text |
| Business email compromise (BEC) | Email (spoofed/hijacked exec or vendor) | Wire-transfer or invoice change request from 'leadership' |
| Pretexting | Any (phone, email, in person) | Fabricated backstory that justifies an unusual request |
| Impersonation / brand impersonation | Any; often web/email | Poses as a trusted person or company to lower suspicion |
| Watering hole | Compromised trusted website | A site the target group routinely uses now serves malware |
| Typosquatting | Look-alike domain / URL | Misspelled or homoglyph domain mimicking a real brand |
| Misinformation / disinformation | Social media, web, messaging | False (or deliberately deceptive) content shaping a decision |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- A vector is one route; the attack surface is every route summed
A threat vector (attack vector) is the specific route of a single intrusion: one phishing email, one open port, one rogue USB. The attack surface is the aggregate of every reachable entry point: each interface, port, service, account, device, and human. So the vector answers how this one attack got in, while the attack surface is the total exposure you work to shrink. The two terms are not interchangeable on the stem.
Trap Treating "attack vector" and "attack surface" as synonyms: the vector is one path, the surface is the sum of all of them.
- Classify a delivery vector by its channel or its payload container
Message-based vectors deliver lures or payloads over a messaging channel: email, SMS, or instant messaging; file-based vectors hide malicious code inside a document, script, archive, or executable the user opens; image-based vectors conceal payloads within image files via steganography or a malformed parser. The categories overlap deliberately: a phishing email (message-based) can carry a weaponized attachment (file-based), so classify by whichever the stem emphasizes: the delivery channel or the payload's container.
Trap Forcing a phishing email with a malicious attachment into one bucket, when it is both message-based delivery and a file-based payload; classify by what the stem emphasizes.
- Voice-call vectors enable vishing; removable media carries malware in or data out
A voice-call vector is the phone channel exploited for vishing. A removable-device vector (USB sticks and external media) both introduces malware and exfiltrates data, and is countered by device-control/USB-blocking policy, disabling autorun, and physically locking down ports. The removable-media risk is two-directional: it is as much a covert exfiltration path as an infection path.
Trap Treating a USB drive as only an inbound malware-infection risk, overlooking that the same removable media is a covert outbound data-exfiltration path.
- Unsecure-network vectors are fixed by encryption and segmentation, not just logging
Unsecure-network vectors include open or weakly encrypted wireless (including rogue APs and evil-twin APs), flat unsegmented wired LANs that let one foothold reach everything, and discoverable Bluetooth radios. Mitigate by closing the exposure itself: strong encryption (WPA2/WPA3), network segmentation, and disabling unneeded radios. Adding more logging is detective only: it watches the weakness without removing it.
Trap Answering "increase logging/monitoring" to reduce an unsecure-network vector: detection observes the exposure but does not shrink it.
- Every listening port is an entry point: inventory and close what isn't needed
An open (listening) service port is a potential entry point and the first place attackers and assessors probe during discovery. Inventory listening ports and firewall or close anything not required; never leave high-value services such as RDP (3389), SMB (445), or admin consoles directly internet-facing, since those are top targets for brute-force and worm propagation.
- Default credentials are a one-step compromise: change them before deployment
Factory-default usernames and passwords left on routers, IoT devices, databases, and admin consoles let an attacker in with a single publicly known value, and automated malware (e.g. Mirai) scans the internet for exactly these. The control is to change every default credential before the device goes into production: leaving a known default on a reachable device is a major, widely exploited risk.
- Patchable software is a temporary vector; unsupported software is a standing one
Vulnerable software with an available patch is a vector only until you update it. Unsupported (end-of-life) software is a standing vector: the vendor ships no patches at all, so a known CVE stays exploitable indefinitely, which is why the exam-correct treatment for EOL is replacement. When you can't replace it yet, isolate and compensate with segmentation and virtual patching.
Trap Answering "keep patching" for end-of-life software: the vendor issues no patches, so the fix is replacement (or isolation), not a patch that doesn't exist.
- Phishing, vishing, and smishing are the same con over different channels
The three differ only by delivery channel: phishing = fraudulent email, vishing = voice/phone call, smishing = SMS/text. The exam tests the medium word, so a text-message scenario is smishing even when the lure reads exactly like a phishing email. Match the term to the channel named in the stem, not to the content of the message.
Trap Calling a text-message scam "phishing" because the lure sounds email-like: the SMS channel makes it smishing.
5 questions test this
- An employee's corporate mobile phone receives a text message stating: 'ALERT: Your company VPN token expires today. Tap here to renew:…
- An attacker uses a VoIP service to place automated phone calls to hundreds of bank customers. The caller ID is spoofed to display the…
- An employee's corporate mobile phone receives a text message claiming to be from the IT help desk. The message warns that the employee's…
- An employee receives a text message on their corporate phone stating their benefits enrollment expires in one hour and providing a…
- An employee receives a text message on their personal mobile phone stating their corporate account has been compromised and they must…
- Spear phishing is targeted; whaling targets the executive
Spear phishing is phishing aimed at a named individual using researched personal detail, trading volume for higher conviction. Whaling is spear phishing specifically directed at a high-value executive (CEO, CFO). Bulk, generic, untargeted email is plain phishing: the discriminator is how specific and senior the target is.
Trap Labeling a targeted lure aimed at the CFO "spear phishing" when the senior-executive target makes it whaling.
3 questions test this
- A security analyst discovers that several highly personalized emails referencing upcoming board meeting topics were sent exclusively to the…
- A company's chief financial officer receives a personalized email appearing to come from the CEO, urgently requesting a wire transfer to…
- A company's chief financial officer receives an email that appears to be from the CEO. The message references a confidential acquisition…
- Pretexting supplies the fabricated backstory other attacks ride on
Pretexting invents a scenario or backstory that justifies an unusual request, for example posing as IT to "verify" a password. It is channel-agnostic and functions as a building block beneath many other social-engineering attacks rather than only as a standalone technique, so a stem that hinges on the believable cover story (not the delivery channel) is pointing at pretexting.
Trap Classifying an attack by its delivery channel when the stem turns on the fabricated cover story itself, which is what marks it as pretexting.
- Impersonation borrows a person's trust; brand impersonation borrows a company's
Impersonation poses as a specific trusted person (a colleague, the help desk, an executive) while brand impersonation poses as a trusted company using spoofed logos, look-alike sites, or fake support pages. Both work by borrowing existing trust to lower the target's suspicion; the discriminator is whether the disguise is an individual or an organization.
Trap Picking plain impersonation for a spoofed-logo fake support page, when posing as the company rather than a specific person makes it brand impersonation.
- BEC moves money via a spoofed exec or vendor: verify out-of-band
Business email compromise (BEC) spoofs or hijacks an executive or vendor email account to request a wire transfer or a change to payment/banking details. The tell is a money-movement or invoice/banking-change request appearing to come from leadership or a supplier; the exam-correct control is out-of-band verification (call a known number) never a reply to the email itself, which may be attacker-controlled.
Trap Replying to the suspicious email to confirm the wire request: if the account is hijacked, you are confirming with the attacker; verify on a separately known channel.
- A watering-hole attack poisons a site the targets already trust
A watering-hole attack compromises a legitimate third-party website the target group routinely visits, so victims infect themselves while browsing a site they already trust and the attacker never contacts them directly. Because the malware is served from a legitimate, hard-to-blacklist site, the tell is a normally-trusted site suddenly serving malware to a specific population.
Trap Reading a watering-hole attack as direct phishing, when the attacker never contacts victims and instead poisons a trusted site they choose to visit.
5 questions test this
- A threat intelligence team discovers that a professional association website frequently visited by defense industry employees has been…
- A security analyst discovers that a popular industry trade association website has been injected with malicious code. The code targets…
- A threat intelligence team discovers that attackers identified a niche industry conference website regularly visited by employees at a…
- A nation-state threat actor identifies that engineers at a defense contractor frequently visit a specific industry conference website. The…
- A threat intelligence team discovers that a niche technical forum frequently visited by employees of a specific energy company has been…
- Typosquatting registers look-alike domains to catch mistyped URLs
Typosquatting (a form of URL hijacking) registers misspelled or homoglyph domains that mimic a real brand to capture users who mistype an address, then serves a phishing page or drive-by malware. It overlaps with brand impersonation, so the discriminator is the deceptive domain name itself: a look-alike URL rather than a spoofed message or logo alone.
Trap Labeling a mistyped-URL look-alike domain as brand impersonation, when the deceptive domain name itself is the defining feature of typosquatting.
- Misinformation vs. disinformation turns entirely on intent
Misinformation is false information spread without intent to deceive (an honest error passed along); disinformation is deliberately false content spread to mislead, as in a coordinated influence campaign. On SY0-701 the single discriminator is intent: deliberate falsehood is disinformation. Both are recognized threat vectors because they steer human decisions, and the controls are awareness, source verification, and authoritative channels.
Trap Calling deliberately planted false content "misinformation": intentional deception makes it disinformation.
- Social engineering is countered by people and process, not a patch
Social engineering exploits the human (trust, urgency, authority, fear) rather than a software flaw, so the primary controls are security-awareness training plus process controls such as out-of-band verification of payment or credential changes. A technical fix like patching addresses a different problem; on a social-engineering stem the right answer is almost always training and verification procedure.
Trap Choosing "apply a patch" against social engineering: there is no software bug to patch; the exposure is human, so the answer is training and process.
- Supply chain extends your attack surface into trusted third parties
MSPs, hardware vendors, software suppliers, and open-source dependencies are part of your attack surface because compromising any of them reaches you through a trusted channel that installs with full trust. An MSP with broad remote access can breach many customers from one foothold, and a malicious update from a legitimate supplier installs without question: the trust that makes the relationship useful is exactly what the attacker rides in on.
Trap Scoping the attack surface to your own systems only, when trusted MSPs, suppliers, and dependencies reach you through channels that install with full trust.
7 questions test this
- A managed service provider distributes a routine software update to hundreds of client organizations. Analysts later discover that a threat…
- A trusted third-party accounting software vendor unknowingly distributes malware to all customers after an attacker compromises the…
- An organization's endpoint protection software begins exhibiting unusual behavior after a routine vendor-issued update. Investigation…
- During a physical inspection of new network switches procured from a third-party reseller, security engineers discover unauthorized…
- During a security audit, a government agency discovers that newly procured network switches contain modified firmware with an embedded…
- An organization discovers that a critical security appliance began exfiltrating data after applying the latest vendor-provided firmware…
- During a procurement audit, an organization discovers that network switches purchased from an unauthorized reseller contain firmware that…
- Manage supply-chain risk with due diligence, code signing, and an SBOM
Control supply-chain (MSP/vendor/supplier) risk with vendor due-diligence and security attestations, contractual security requirements, least-privilege access for third parties, code signing and integrity verification of updates, and a software bill of materials (SBOM) that enumerates exactly which dependencies you actually run. The SBOM is what lets you answer "are we affected?" fast when a dependency is found vulnerable.
Trap Reaching for a vulnerability scanner to answer "are we affected?" when an SBOM is what instantly enumerates which dependencies you actually run.
6 questions test this
- A company uses several open-source libraries in its customer-facing web application. After a critical vulnerability is disclosed in one…
- A security team learns that a critical vulnerability has been disclosed in a widely used open-source logging library. The team needs to…
- An organization wants to quickly identify which applications are affected whenever a new vulnerability is disclosed in an open-source…
- An organization uses hundreds of open-source libraries across its applications. After a critical zero-day is announced in a popular logging…
- A company purchases commercial software from multiple vendors for use in its enterprise environment. The security team wants to catalog all…
- A critical vulnerability is disclosed in a widely used open-source logging library. The security team must rapidly determine which…
- Reduce the attack surface by removing exposure, not by watching it
The most effective way to reduce an attack surface is to remove or harden entry points: close unused service ports, change default credentials, decommission unsupported software, disable unused Bluetooth/wireless radios, segment the network, and minimize accounts. Adding a detective layer such as more logging does not shrink the surface: it only observes it, so on a "BEST way to reduce the attack surface" item the answer is elimination, not detection.
Trap Picking "add monitoring/logging" as the best way to reduce the attack surface: detection watches exposure without eliminating it.
- Hardware implants and firmware tampering ride in below the OS
A hardware supply-chain compromise inserts unauthorized chips or modified firmware into a device during manufacturing or shipment, before it ever reaches the buyer. Because the implant lives below the OS, it evades antivirus and host IDS and mimics a legitimate component, so detection relies on physical inspection and firmware-integrity checks rather than software scanning, and buying from unauthorized resellers raises the risk.
Trap Trusting antivirus/EDR to catch a firmware implant: it operates beneath the OS, so software scanning can't see it; detection is physical and firmware-integrity based.
8 questions test this
- During an incoming hardware inspection, a security analyst discovers that newly purchased network switches contain firmware not matching…
- During a post-delivery inspection of new servers, a security team finds tiny unauthorized chips designed to resemble legitimate components…
- During a security audit, an analyst discovers unauthorized microchips soldered onto server motherboards received from a third-party…
- During a routine inspection, a security team discovers that newly delivered network switches contain firmware modifications not present in…
- During a physical inspection of new network switches procured from a third-party reseller, security engineers discover unauthorized…
- During a security audit, a government agency discovers that newly procured network switches contain modified firmware with an embedded…
- During a pre-deployment inspection, a security team discovers unauthorized microchips soldered onto newly purchased network switches. The…
- During a procurement audit, an organization discovers that network switches purchased from an unauthorized reseller contain firmware that…
- Dependency confusion wins by publishing a higher-versioned public look-alike
In a dependency-confusion attack the adversary publishes a malicious package to a public repository using the exact name of a victim's internal/private package but with a higher version number. The package manager's resolution logic prefers the higher version, so it fetches the attacker's public package instead of the intended internal one and executes its code during the build. The defense is scoping/namespacing internal packages and pinning trusted sources so a public higher version can't win.
Trap Assuming a private package always beats a public one of the same name: the resolver picks the higher version number, which the attacker simply sets larger.
4 questions test this
- An attacker discovers that a company uses an internal Python package named 'corp-auth-lib' in its build pipeline. The attacker publishes a…
- During a build process, a developer's package manager fetches a malicious package from a public repository instead of the intended internal…
- A development team discovers that their automated build pipeline fetched a malicious package from a public repository. The package shared…
- A security analyst discovers that an internal CI/CD pipeline fetched a malicious package from a public repository instead of the intended…
- Bluesnarfing silently steals data over Bluetooth; bluejacking only pushes messages
Bluesnarfing exploits a Bluetooth connection (often via the OBEX protocol on a discoverable device) to covertly copy data such as contacts, calendar entries, and emails without the owner's consent. Contrast bluejacking, which only pushes unwanted messages to a device and steals nothing; bluesnarfing exfiltrates data. The roughly 10-meter proximity requirement makes crowded public areas the typical setting, and disabling discoverability is the basic defense.
Trap Confusing bluesnarfing with bluejacking: bluejacking merely sends unsolicited messages, while bluesnarfing actually copies data off the device.
4 questions test this
- An employee's smartphone has contacts, calendar entries, and emails silently copied by an unknown nearby device. A forensic review confirms…
- A security team investigates a data theft incident where contacts, calendar entries, and emails were extracted from an employee's…
- An employee reports that their smartphone contacts and calendar entries were accessed by an unknown device while sitting in a public…
- During a trade show, an executive's smartphone has sensitive contacts and calendar entries exfiltrated. Forensic analysis confirms the…