[HIoT] Hacking IoT Certification Exam Guide, Exams of Technology

This specialized guide focuses on securing and testing Internet of Things (IoT) ecosystems. It covers IoT architectures, communication protocols, device vulnerabilities, firmware analysis, network exploitation, and mitigation strategies. Designed for security professionals working with connected devices, the guide emphasizes real-world attack scenarios and defensive techniques while aligning closely with IoT hacking certification exam objectives.

Typology: Exams

2025/2026

Available from 02/15/2026

shilpi-jain-3
[HIoT] Hacking IoT Certification Exam Guide
Question 1. What layer of the IoT architecture primarily consists of sensors and actuators that gather physical data?
A) Network layer
B) Application layer
C) Perception layer
D) Cloud layer
Answer: C
Explanation: The perception layer is responsible for interfacing with the physical environment through sensors and actuators, converting analog signals into digital data for further processing.
Question 2. Which of the following best describes the main difference between an embedded system and a general‑purpose computer?
A) Embedded systems have unlimited power supply.
B) General‑purpose computers lack networking capabilities.
C) Embedded systems operate under strict constraints of power, memory, and processing.
D) General‑purpose computers cannot run real‑time operating systems.
Answer: C
Explanation: Embedded devices are designed for specific tasks and thus must work within limited resources, unlike general‑purpose PCs that have abundant CPU, RAM, and storage.
Question 3. In the OWASP IoT Top 10, which entry focuses on insecure network services that expose devices to remote attacks?
A) Insecure Firmware
B) Weak, Default, or Hard‑Coded Passwords
C) Insecure Network Services
D) Lack of Physical Hardening
Answer: C

Explanation: “Insecure Network Services” refers to services (e.g., Telnet, HTTP) running on the device without proper authentication or encryption, making them attack vectors.
Question 4. When performing a hardware analysis, which tool is most suitable for measuring voltage levels on a PCB trace?
A) Logic Analyzer
B) Multimeter
C) Bus Pirate
D) JTAG debugger
Answer: B
Explanation: A multimeter can accurately measure DC voltage, continuity, and resistance on PCB traces, essential for confirming power rails and signal levels.
Question 5. Which UART pin is responsible for transmitting data from the device to a host computer?
A) VCC
B) GND
C) TX
D) RX
Answer: C
Explanation: The TX (Transmit) pin sends serial data out of the device; the host’s RX pin receives it.
Question 6. During JTAG debugging, what is the primary purpose of the TDI signal?
A) Test Data In – carries data from the debugger into the target.
B) Test Clock – synchronizes data transfer.
C) Test Reset – resets the TAP controller.

B) FAT
C) SquashFS
D) HFS+
Answer: C
Explanation: SquashFS is a read‑only compressed file system widely used in embedded Linux images to reduce storage footprint.
Question 10. When extracting firmware via a “chip‑off” method, what is the first physical step?
A) Connect the device to Wi‑Fi and download OTA update.
B) Desolder the flash memory chip from the PCB.
C) Use JTAG to dump memory.
D) Run binwalk on the device’s web interface.
Answer: B
Explanation: Chip‑off extraction involves physically removing (desoldering) the flash memory chip to read its contents with a programmer.
Question 11. Which utility can be used to list printable strings inside a binary firmware image?
A) dd
B) strings
C) chmod
D) ping
Answer: B
Explanation: The strings command scans a binary for sequences of printable characters, often revealing hard‑coded credentials or URLs.

Question 12. In the context of firmware analysis, what does the term “JFFS2” refer to?
A) A network protocol for IoT devices.
B) A compressed archive format.
C) A journaling flash file system used on NAND devices.
D) A hardware debugging interface.
Answer: C
Explanation: JFFS2 (Journaling Flash File System version 2) is designed for flash memory, providing wear‑leveling and reliability for embedded devices.
Question 13. Which architecture is most common for low‑power IoT microcontrollers?
A) x
B) ARM Cortex‑M
C) PowerPC
D) SPARC
Answer: B
Explanation: ARM Cortex‑M series offers a balance of low power consumption and sufficient processing capability, making it dominant in IoT chips.
Question 14. When emulating firmware with QEMU, what is the primary purpose of providing a “kernel” image?
A) To simulate the device’s physical sensors.
B) To supply the operating system that the firmware expects to run on.
C) To encrypt network traffic.
D) To generate random passwords.
Answer: B
Explanation: QEMU needs a kernel (or compatible bootloader) to mimic the environment the firmware expects, allowing user‑space binaries to execute correctly.

Answer: B
Explanation: If the broker permits anonymous connections, anyone can connect and publish, potentially injecting malicious payloads to all clients.
Question 18. CoAP messages are typically transported over which transport protocol?
A) TCP
B) UDP
C) HTTP
D) SCTP
Answer: B
Explanation: CoAP (Constrained Application Protocol) is designed for low‑power devices and uses UDP to minimize overhead.
Question 19. What type of attack exploits an insecure REST API that allows enumeration of device IDs without proper authorization?
A) Cross‑Site Scripting (XSS)
B) Insecure Direct Object Reference (IDOR)
C) SQL Injection
D) Buffer Overflow
Answer: B
Explanation: IDOR occurs when an attacker can directly access objects (e.g., device IDs) by manipulating parameters, bypassing access controls.
Question 20. When performing mobile app reverse engineering, which tool can decompile an Android APK into readable Java source code?
A) Wireshark
B) Apktool
C) Metasploit
D) Nmap
Answer: B
Explanation: Apktool disassembles an APK, reconstructing resources and Smali code, which can then be converted to near‑original Java for analysis.
Question 21. Which of the following is a common insecure storage practice in IoT mobile applications?
A) Storing credentials in Android’s Keystore.
B) Encrypting data with AES‑256.
C) Saving API keys in plain‑text SharedPreferences.
D) Using hardware‑backed Secure Element.
Answer: C
Explanation: Plain‑text SharedPreferences are easily readable by other apps or a rooted device, exposing secrets.
Question 22. In a Man‑in‑the‑Middle (MitM) attack on an IoT device’s HTTP traffic, which proxy tool is most frequently used?
A) Burp Suite
B) GDB
C) OpenVAS
D) Nessus
Answer: A
Explanation: Burp Suite intercepts and modifies HTTP/HTTPS traffic, making it ideal for testing IoT web interfaces.
Question 23. What is the primary benefit of implementing Secure Boot on an IoT device?

Question 26. What does the term “botnet” refer to in the context of IoT security incidents?
A) A network of authenticated users.
B) A collection of compromised devices used for coordinated malicious activities.
C) A secure communication protocol.
D) A firmware update mechanism.
Answer: B
Explanation: Botnets consist of hijacked devices (including IoT) that can be commanded to launch DDoS attacks, send spam, or mine cryptocurrency.
Question 27. Which IEC standard focuses on the security of industrial automation and control systems, often applicable to IoT gateways?
A) IEC 61850
B) IEC 62443
C) IEC 61508
D) IEC 60730
Answer: B
Explanation: IEC 62443 provides a comprehensive framework for cybersecurity in industrial control systems, covering device, network, and system levels.
Question 28. In the context of power analysis attacks on IoT devices, what is being measured?
A) Network latency.
B) CPU clock speed variations.
C) Electrical consumption patterns to infer secret data.
D) Wi‑Fi signal strength.
Answer: C
Explanation: Power analysis monitors current draw fluctuations during cryptographic operations, enabling extraction of secret keys.
Question 29. When sniffing BLE traffic with a tool like Ubertooth, which channel is most commonly used for advertising packets?
A) Channel 37 (2402 MHz)
B) Channel 38 (2426 MHz)
C) Channel 39 (2480 MHz)
D) All three advertising channels are used equally.
Answer: D
Explanation: BLE defines three advertising channels (37, 38, 39). Devices rotate among them to improve discoverability and avoid interference.
Question 30. Which of the following best describes a “hard‑coded” credential in firmware?
A) A password generated at runtime.
B) A credential stored in a secure element.
C) A static username/password embedded directly in the binary.
D) A credential retrieved from a cloud key‑management service.
Answer: C
Explanation: Hard‑coded credentials are static strings compiled into firmware, making them trivially discoverable via static analysis.
Question 31. What is the primary purpose of a “watchdog timer” in an IoT device?
A) To encrypt network traffic.
B) To reset the system if software becomes unresponsive.
C) To manage Bluetooth pairing.
D) To store configuration files.

C) Source short address (NWK address)
D) Cluster ID
Answer: C
Explanation: The short (16‑bit) network address identifies the source within the Zigbee PAN and appears in the MAC header.
Question 35. Which of the following attacks exploits the lack of proper input validation in a device’s web management interface, allowing arbitrary command execution?
A) Cross‑Site Request Forgery (CSRF)
B) Command Injection
C) Clickjacking
D) DNS Spoofing
Answer: B
Explanation: Command injection occurs when unsanitized user input is passed to a system shell, enabling execution of attacker‑controlled commands.
Question 36. What is the main advantage of using a Trusted Execution Environment (TEE) on an IoT processor?
A) It increases clock speed.
B) It isolates sensitive code and data from the main OS, protecting against software attacks.
C) It provides Wi‑Fi connectivity.
D) It reduces the size of the firmware.
Answer: B
Explanation: A TEE creates a secure enclave where cryptographic keys and critical operations are shielded from the potentially compromised main OS.
Question 37. Which of the following is a common method to bypass a disabled UART console on an IoT board?
A) Re‑flash the firmware via OTA.
B) Use the JTAG interface to access the CPU.
C) Connect to the device’s Wi‑Fi network.
D) Power‑cycle the device.
Answer: B
Explanation: Even if UART is disabled, JTAG often remains accessible and can provide low‑level debugging capabilities.
Question 38. In a firmware reverse‑engineering workflow, what is the purpose of “symbolic execution”?
A) To automatically generate documentation.
B) To explore possible execution paths without running the code on hardware.
C) To compress the binary.
D) To encrypt the firmware.
Answer: B
Explanation: Symbolic execution treats inputs as symbolic variables, allowing analysis of many code paths to discover vulnerabilities such as buffer overflows.
Question 39. Which of the following best describes a “side‑channel” attack on an IoT device?
A) Exploiting a software bug in the HTTP stack.
B) Intercepting Bluetooth pairing codes.
C) Gleaning secret information from physical emissions (e.g., power, EM radiation).
D) Performing SQL injection on a cloud database.
Answer: C
Explanation: Side‑channel attacks leverage indirect information leakage like power consumption or electromagnetic emanations to infer secrets.

Explanation: The manifest contains hashes or signatures that the device uses to ensure the received firmware has not been tampered with.
Question 43. Which of the following attacks specifically targets the MQTT “retain” flag to persist malicious payloads on a broker?
A) Retain‑Message Injection
B) QoS Downgrade
C) Will‑Message Hijack
D) Topic Flooding
Answer: A
Explanation: By publishing a message with the retain flag set, an attacker can cause the broker to store and deliver the malicious payload to any future subscriber.
Question 44. What is the primary function of a “gateway” in an IoT architecture?
A) To provide power to sensors.
B) To translate and forward data between the perception layer and the cloud/network layer.
C) To store user passwords.
D) To generate random numbers.
Answer: B
Explanation: Gateways bridge resource‑constrained devices and higher‑level networks, handling protocol translation, security, and aggregation.
Question 45. Which of the following best describes a “buffer overflow” in an IoT firmware binary?
A) A condition where the device runs out of battery.
B) Writing more data to a memory buffer than it can hold, overwriting adjacent memory.
C) A Wi‑Fi signal that is too weak.
D) An error in the device’s bootloader.
Answer: B
Explanation: Buffer overflows corrupt adjacent memory, potentially allowing code execution or privilege escalation.
Question 46. When using a Bus Pirate to communicate with an I2C EEPROM, which command sequence is required to read data?
A) START → SEND address with R/W=0 → RESTART → SEND address with R/W=1 → READ → STOP
B) START → SEND address with R/W=1 → READ → STOP
C) START → SEND address with R/W=0 → WRITE → STOP
D) START → SEND address with R/W=1 → WRITE → STOP
Answer: A
Explanation: I2C read operations require a write of the target address (R/W=0), followed by a repeated start and a read request (R/W=1).
Question 47. Which of the following is a common default credential that many IoT devices ship with, making them vulnerable?
A) admin:admin
B) root:password
C) user:guest
D) All of the above
Answer: D
Explanation: Manufacturers often use simple default usernames and passwords; unless changed, they are easily exploitable.
Question 48. In a wireless sensor network, what is the effect of a “jamming” attack?
A) It steals encryption keys.

Question 51. When analyzing a captured BLE advertisement packet, which field contains the device’s universally unique identifier?
A) Complete Local Name
B) Manufacturer Specific Data
C) Device Address (MAC)
D) Service UUID list
Answer: C
Explanation: The BLE device address (MAC) uniquely identifies the peripheral during advertising.
Question 52. Which of the following best describes a “replay attack” against an IoT device’s authentication protocol?
A) Capturing a legitimate authentication message and sending it again to gain access.
B) Flooding the device with random packets.
C) Modifying the firmware checksum.
D) Overloading the device’s CPU with compute‑intensive tasks.
Answer: A
Explanation: Replay attacks reuse previously captured valid authentication data to bypass security checks.
Question 53. What is the primary function of a “nonce” in cryptographic protocols used by IoT devices?
A) To increase bandwidth.
B) To provide a unique, single‑use value that prevents replay attacks.
C) To store user preferences.
D) To compress data.
Answer: B
Explanation: A nonce ensures each session or message is unique, thwarting replay attacks.
Question 54. Which of the following is an example of a “hardening” configuration for an embedded Linux device?
A) Enabling SSH root login with password.
B) Removing unnecessary services and disabling unused ports.
C) Storing passwords in plain text.
D) Using default admin credentials.
Answer: B
Explanation: Minimizing the attack surface by removing unneeded services and closing unused ports reduces potential entry points.
Question 55. In the context of IEC 62443, what does the “defense‑in‑depth” principle advocate for IoT systems?
A) Using a single firewall at the network edge.
B) Applying multiple, layered security controls across device, network, and management levels.
C) Relying solely on encryption.
D) Installing antivirus software on every sensor.
Answer: B
Explanation: Defense‑in‑depth calls for overlapping security mechanisms at various layers to mitigate failures in any single control.
Question 56. Which tool can be used to emulate an ARM‑based Linux firmware image without the physical hardware?
A) Wireshark
B) Firmadyne
C) Nmap
D) Burp Suite