This exam evaluates expertise required to operate or engage with authorized laboratories for security certification testing. It covers testing methodologies, compliance verification, reporting standards, and quality assurance processes. Candidates are assessed on technical rigor, ethical testing practices, and certification governance. The exam emphasizes reliability, independence, and security assurance.
Typology: Exams
Question 1. What is the primary purpose of the ioXt Alliance’s Live Label?
A) To certify that a device meets performance benchmarks
B) To provide consumers with a QR code that reveals the device’s security status
C) To register the device’s MAC address with the Alliance database
D) To enable over‑the‑air firmware updates automatically
Answer: B
Explanation: The Live Label displays a QR code that, when scanned, shows the device’s security certification status, giving transparency to consumers.

Question 2. Which of the following entities is NOT a founding governance member of the ioXt Alliance?
A) Google
B) Amazon
C) T‑Mobile
D) Samsung
Answer: D
Explanation: The founding governance includes Google, Amazon, and T‑Mobile; Samsung is a member but not a founding governance stakeholder.

Question 3. In the ioXt certification lifecycle, what distinguishes Self‑Certification from Authorized Lab Certification?
A) Self‑Certification requires a physical lab visit, while Authorized Lab does not
B) Self‑Certification is performed by the device manufacturer without third‑party testing, whereas Authorized Lab Certification involves an independent, accredited lab
C) Authorized Lab Certification allows unlimited product versions, Self‑Certification does not
D) Self‑Certification automatically grants a Live Label, Authorized Lab does not
Answer: B
Explanation: Self‑Certification is done internally by the manufacturer, while Authorized Lab Certification requires testing by an ioXt‑authorized independent lab.

Question 4. Which requirement must an Authorized Lab fulfill to maintain its status?
A) Publish all test results publicly within 24 hours
B) Contribute to ioXt Working Groups and undergo annual recertification
C) Offer free testing for open‑source IoT projects
D) Provide on‑site support to manufacturers for firmware updates
Answer: B
Explanation: Authorized Labs must actively contribute to Working Groups and renew their authorization each year.

Question 5. The principle “No Universal Passwords” primarily aims to prevent which security risk?
A) Brute‑force attacks on Wi‑Fi networks
D) RC4 for streaming encryption
Answer: B
Explanation: AES‑256 is a widely accepted, peer‑reviewed algorithm recommended for strong encryption.

Question 8. A device ships with Wi‑Fi WPA2‑PSK enabled but allows the user to downgrade to WEP. Which principle is violated?
A) No Universal Passwords
B) Security by Default
C) Signed Software Updates
D) Automatic Updates
Answer: B
Explanation: Security by Default requires that devices ship with the highest security settings enabled and prevent insecure fallbacks.

Question 9. What is the main purpose of digitally signing firmware updates?
A) To compress the update file for faster transmission
B) To verify the authenticity and integrity of the update before installation
C) To encrypt the firmware payload for confidentiality
D) To enable automatic rollback to previous versions
Answer: B
Explanation: Digital signatures ensure that only authentic, untampered firmware can be installed.

Question 10. Which mechanism best fulfills the “Automatic Updates” principle?
A) Providing a downloadable firmware ZIP file on the vendor website
B) Requiring the user to manually approve each patch via a mobile app
C) Using an over‑the‑air (OTA) service that silently installs security patches after verification
D) Sending firmware updates via email attachment
Answer: C
Explanation: OTA updates that install automatically after verification meet the Automatic Updates requirement.

Question 11. An ioXt‑certified product must publish a “Security Expiration Date.” What does this date represent?
A) The date the product will be discontinued from the market
B) The date after which the manufacturer will no longer provide security patches or updates
C) The date the product’s warranty expires
D) The date the device’s battery is expected to fail
Answer: B
Explanation: The Security Expiration Date defines the support window for security updates.

Question 14. In the Residential Camera profile, which protocol is recommended for secure cloud storage of video footage?
A) FTP without TLS
B) HTTP with basic authentication
C) HTTPS with mutual TLS authentication
D) MQTT over unencrypted TCP
Answer: C
Explanation: HTTPS with mutual TLS ensures confidentiality and authentication for cloud video storage.

Question 15. The Network Lighting Controller profile emphasizes which of the following?
A) Low‑latency audio processing
B) Commercial‑grade reliability and resilience against network storms
C) Integration with Bluetooth Low Energy for local control
D) Support for proprietary lighting protocols only
Answer: B
Explanation: Lighting controllers must meet commercial reliability standards and handle network disruptions.

Question 16. When mapping an ioXt test case to global standards, which NIST publication is most commonly referenced?
Answer: B
Explanation: NIST IR 8425 provides guidance on IoT cybersecurity and is directly mapped to ioXt test cases.
Question 17. A product receives a “base score” of 85 % on the ioXt test matrix. What does this indicate?
A) The device passed all mandatory requirements and exceeded optional ones
B) The device met the minimum baseline but failed several optional enhancements
C) The device is not eligible for the Live Label
D) The device must undergo a full re‑test before certification
Answer: B
Explanation: A base score reflects compliance with mandatory criteria; scores below 100 % indicate missing optional enhancements.

Question 18. Which OWASP MASVS requirement is most directly related to “Client‑Side Security” in the MAP?
A) Data protection – encrypted storage of sensitive data on the device

C) Using only HTTP for internal communications
D) Relying on IP address filtering alone
Answer: B
Explanation: Certificate pinning ensures the app only trusts a specific server certificate, preventing MitM attacks.

Question 21. A MAP assessment for an Android app must verify compliance with GMS (Google Mobile Services). Which of the following is a GMS‑specific security check?
A) Ensuring the app uses Apple’s Secure Enclave
B) Verifying the app’s use of Google Play Integrity API to detect tampering
C) Checking for compatibility with Samsung Knox
D) Enforcing Microsoft Azure AD authentication
Answer: B
Explanation: The Google Play Integrity API is a GMS service that helps detect app tampering and device integrity.

Question 22. In hardware security, what is a “root of trust” primarily used for?
A) Storing user credentials in clear text
B) Providing a secure anchor for boot verification and cryptographic operations
C) Enabling faster Wi‑Fi connectivity
D) Managing power consumption in low‑power devices
Answer: B
Explanation: A hardware root of trust establishes a secure foundation for boot processes and cryptographic functions.

Question 23. Which attack technique involves inducing voltage glitches to bypass secure boot checks?
A) Side‑channel analysis
B) Fault injection (glitching)
C) Replay attack
D) Dictionary attack
Answer: B
Explanation: Fault injection, often performed via voltage or clock glitches, can disrupt boot integrity checks.

Question 24. When performing firmware forensics, which of the following is the most reliable indicator of hard‑coded secrets?
A) Presence of long strings of printable ASCII characters in the binary
B) High CPU utilization during boot
C) Use of a proprietary compression algorithm
D) Frequent OTA update attempts

Explanation: Matter mandates secure bootstrapping, TLS, and certificate‑based authentication.
Question 27. In the context of BLE security, which mode provides the strongest protection against eavesdropping?
A) Just Works pairing
B) Passkey entry with encryption
C) No security (unencrypted)
D) Legacy pairing with PIN
Answer: B
Explanation: Passkey entry establishes an authenticated link and enables encryption, offering stronger protection than Just Works.

Question 28. Which of the following is NOT a required element of an ioXt Vulnerability Reporting Program?
A) Publicly disclosed contact information for security researchers
B) A defined timeline for acknowledging and responding to reports
C) Mandatory monetary rewards for any reported issue
D) A process for coordinated disclosure
Answer: C
Explanation: While many programs offer bounties, they are not a mandatory requirement for ioXt compliance.

Question 29. When evaluating a device against ETSI EN 303 645, which clause directly maps to the “No Universal Passwords” principle?
A) Clause 2.1 – Secure Boot
B) Clause 4.2 – Default Passwords
C) Clause 5.3 – Secure Updates
D) Clause 6.1 – Data Privacy
Answer: B
Explanation: Clause 4.2 addresses the prohibition of default or universal passwords.

Question 30. A lab tester discovers that a smart plug’s firmware image contains a hard‑coded Wi‑Fi SSID and password. Which ioXt principle is breached?
A) Secure Interfaces
B) No Universal Passwords
C) Automatic Updates
D) Signed Software Updates
Answer: B
Explanation: Embedding default credentials violates the “No Universal Passwords” requirement.

Question 33. Which hardware analysis tool is commonly used to detect side‑channel leakage?
A) Wireshark
B) Oscilloscope with power analysis capabilities
C) JTAG debugger
D) Serial console
Answer: B
Explanation: Power analysis via an oscilloscope can reveal side‑channel information.

Question 34. During a secure boot validation, the lab observes that the bootloader verifies a hash but does not verify a digital signature. Which ioXt requirement is not met?
A) Proven Cryptography
B) Signed Software Updates
C) Security by Default
D) Automatic Updates
Answer: B
Explanation: Signed Software Updates require both hash and signature verification to ensure authenticity.

Question 35. Which of the following statements about the “Security Expiration Date” is true?
A) It must be at least 10 years from the product’s launch date
B) After this date, the device must automatically disable network connectivity
C) The date must be publicly disclosed in the product’s documentation or on the Live Label
D) It is optional for devices that use open‑source firmware
Answer: C
Explanation: Transparency requires publishing the security support end‑date.

Question 36. A device’s Wi‑Fi module supports WPA3‑Enterprise but ships with WPA2‑Personal enabled by default. Which principle does this violate?
A) No Universal Passwords
B) Security by Default
C) Signed Software Updates
D) Automatic Updates
Answer: B
Explanation: Shipping with a less secure default setting breaches Security by Default.

Question 37. In the context of the ioXt Test Case ID system, what does the prefix “SC‑” typically denote?
A) Security Certification

Answer: B
Explanation: AES‑GCM provides confidentiality and integrity with per‑file random IVs.

Question 40. Which of the following best describes the role of the “Working Groups” for an Authorized Lab?
A) To develop proprietary testing tools exclusive to the lab
B) To contribute to the evolution of ioXt standards and share best practices
C) To certify devices without following the official test matrix
D) To manage the financial transactions of the Alliance
Answer: B
Explanation: Labs must actively participate in Working Groups to help evolve the standards.

Question 41. In MAP, which iOS‑specific security feature helps protect cryptographic keys from extraction?
A) Keychain with Secure Enclave backing
B) Storing keys in NSUserDefaults
C) Using plain‑text files in the app bundle
D) Relying on JavaScriptCore
Answer: A
Explanation: The Secure Enclave provides hardware‑backed protection for keys.

Question 42. Which testing technique is most appropriate for verifying that a device disables unused UART ports?
A) Static code analysis of the firmware source
B) Physical inspection of the PCB for solder bridges
C) Penetration testing using a serial console adapter to attempt access
D) Network sniffing of Wi‑Fi traffic
Answer: C
Explanation: Attempting to access the UART with a console adapter confirms whether the port is disabled.

Question 43. A device’s firmware includes a debug backdoor that can be triggered by a specific magic packet. Which ioXt principle is directly violated?
A) No Universal Passwords
B) Secure Interfaces
C) Proven Cryptography
D) Automatic Updates
Answer: B
Explanation: Hidden backdoors constitute insecure interfaces that can be exploited.