The PrepIQ IoXt SelfCertification Ultimate Exam validates knowledge of self-assessment and certification processes for IoT devices and connected systems. The curriculum explores cybersecurity compliance frameworks, device security requirements, risk mitigation strategies, testing methodologies, and secure product lifecycle management. Learners gain practical understanding of implementing and maintaining secure IoT certification standards.
Typology: Exams
Question 1. Which ioXt pledge commitment requires that every device ship with a distinct default credential or force a password change at first boot?
A) Secured Interfaces
B) No Universal Passwords
C) Security by Default
D) Verified Software
Answer: B
Explanation: The “No Universal Passwords” pledge explicitly forbids shared default credentials and mandates unique passwords or a mandatory change on first use.

Question 2. In the ioXt Security Pledge, which principle ensures that all communication ports such as USB, UART, and Bluetooth are either encrypted, authenticated, or disabled in production units?
A) Proven Cryptography
B) Security Expiration Date
C) Secured Interfaces
D) Automatic Security Updates
Answer: C
Explanation: “Secured Interfaces” addresses the protection of physical and logical ports by encryption, authentication, or disabling them in final products.

Question 3. Which cryptographic algorithm is specifically mentioned by ioXt as an example of industry-standard, peer-reviewed encryption?
A) RC
B) AES-128/256
C) DES
D) Blowfish
Answer: B
Explanation: The pledge cites AES-128 and AES-256 as examples of proven, peer-reviewed cryptography.
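Worked example for Question 1 (added for this study guide; it is not ioXt pledge text or any manufacturer's code): a first-boot flow that gives each unit its own random factory credential, refuses every privileged operation until that credential has been replaced, and rejects replacements that are too short or appear on a denylist of shared defaults. The Device class, the PBKDF2 iteration count, the 12-character minimum and the denylist are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed denylist of the kind of shared factory credentials the pledge forbids.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "root", "default"}
MIN_PASSWORD_LEN = 12   # example policy value, not an ioXt number


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an
    # example value to be tuned to the device's CPU budget in a real product.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""
    must_change: bool = True      # set at the factory, cleared by the first password change
    authenticated: bool = False


def provision(serial: str) -> tuple[Device, str]:
    """Factory step (assumed flow): each unit gets its own random credential, e.g. printed on its label."""
    initial = secrets.token_urlsafe(12)          # 16 URL-safe characters, unique per unit
    dev = Device(serial=serial)
    dev.password_hash = hash_password(initial, dev.salt)
    return dev, initial


def login(dev: Device, password: str) -> str:
    candidate = hash_password(password, dev.salt)
    if not hmac.compare_digest(candidate, dev.password_hash):   # constant-time compare
        dev.authenticated = False
        return "DENIED"
    dev.authenticated = True
    return "MUST_CHANGE" if dev.must_change else "OK"


def change_password(dev: Device, new_password: str) -> bool:
    if not dev.authenticated:
        return False
    if len(new_password) < MIN_PASSWORD_LEN or new_password.lower() in UNIVERSAL_DEFAULTS:
        return False
    dev.salt = secrets.token_bytes(16)           # fresh salt with every new password
    dev.password_hash = hash_password(new_password, dev.salt)
    dev.must_change = False
    return True


def privileged_action(dev: Device) -> bool:
    """Any configuration change is gated until the factory credential has been replaced."""
    return dev.authenticated and not dev.must_change


def first_boot_demo() -> dict:
    a, a_default = provision("SN-0001")
    b, b_default = provision("SN-0002")
    result = {"defaults_differ": a_default != b_default}
    result["login_with_default"] = login(a, a_default)
    result["action_before_change"] = privileged_action(a)
    result["reject_weak"] = change_password(a, "password")
    result["accept_strong"] = change_password(a, "correct-horse-battery-staple")
    result["action_after_change"] = privileged_action(a)
    result["old_default_rejected"] = login(a, a_default)
    return result


if __name__ == "__main__":
    print(first_boot_demo())
```

The two checks that matter for the pledge are that two provisioned units never share a credential and that nothing privileged works while must_change is still set; the denylist only stops a user from reintroducing a universal password by hand.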
Question 4. The “Security by Default” pledge means that a device should:
A) Require the user to enable encryption after setup.
B) Ship with the most restrictive security settings already enabled.
C) Allow any password length.
D) Disable all networking interfaces.
Answer: B
Explanation: “Security by Default” mandates that the highest security configuration is active out-of-the-box without user intervention.

Question 5. What does the “Verified Software” pledge require a device to perform before executing firmware?
A) Check for a valid internet connection.
B) Verify a digital signature using the manufacturer’s private key.
C) Verify a digital signature using the manufacturer’s public key.
D) Perform a checksum comparison only.
Answer: C
Explanation: Secure boot validates that firmware is signed with the manufacturer’s private key by verifying the signature with the corresponding public key.

Question 6. Which pledge guarantees that security patches are delivered and installed without user action?
A) Automatic Security Updates
B) Vulnerability Reporting Program
C) Security Expiration Date
D) No Universal Passwords
Answer: A
Explanation: “Automatic Security Updates” obliges the vendor to push and apply patches automatically.

Question 7. The ioXt “Vulnerability Reporting Program” (VDP) must be:
B) Video stream encryption and secure cloud storage.
C) Battery life optimization.
D) NFC pairing security.
Answer: B
Explanation: Video stream protection and secure cloud storage are core to the Residential Camera Profile.

Question 11. Which profile is tailored for industrial lighting systems and focuses on network segmentation and command authentication?
A) Smart Speaker Profile
B) Networked Lighting Controller Profile
C) Mobile Application Profile
D) Base Profile
Answer: B
Explanation: The Networked Lighting Controller (NLC) profile addresses commercial/industrial lighting security requirements.

Question 12. The Mobile Application Profile for ioXt certification aligns its testing with which established standard?
A) ISO 27001
B) OWASP MASVS
C) PCI DSS
D) NIST SP 800-53
Answer: B
Explanation: The Mobile Application Profile uses the OWASP Mobile Application Security Verification Standard (MASVS) as its baseline.

Question 13. What is the minimum set of requirements that all IoT devices must meet regardless of their vertical profile?
A) Base Profile
B) Smart Speaker Profile
C) Networked Lighting Controller Profile
D) Mobile Application Profile
Answer: A
Explanation: The Base Profile defines universal security controls applicable to every IoT endpoint.

Question 14. In the Self-Certification Workflow, which step involves uploading firmware version numbers, cryptographic metadata, and VDP links to the ioXt portal?
A) Alliance Integration
B) Evidence Submission
C) Test Case Execution
D) Self-Attestation vs. Lab Testing decision
Answer: B
Explanation: Evidence Submission requires detailed documentation, including firmware versions and VDP information.

Question 15. When is a third-party Authorized Lab required instead of self-attestation?
A) For any device with Bluetooth.
B) When the product contains a hardware root of trust.
C) When the product exceeds the scope of the Base Profile and cannot demonstrate compliance without external validation.
D) Only for devices sold in Europe.
Answer: C
Explanation: An Authorized Lab is needed when self-attestation cannot adequately prove compliance, typically for higher-risk or complex products.

Question 16. Which of the following is NOT a typical test case in the ioXt Test Plan?
A) Verification that firmware images are signed.
B) Secure Element (SE) or TPM
C) Flash memory
D) SD card
Answer: B
Explanation: Secure Elements and TPMs provide hardware-backed, tamper-resistant key storage.

Question 20. What does PSA Certified silicon provide to simplify ioXt certification?
A) Automatic Wi-Fi connectivity.
B) A pre-validated hardware root of trust and cryptographic services.
C) Built-in voice assistants.
D) Extended battery life.
Answer: B
Explanation: PSA Certified silicon includes a hardware root of trust and vetted cryptographic primitives, easing compliance.

Question 21. Which of the following best describes “fuzzing” as used in IoT security testing?
A) Sending malformed or random data to interfaces to discover crashes or memory errors.
B) Encrypting data at rest.
C) Conducting a formal verification of source code.
D) Performing a static code analysis.
Answer: A
Explanation: Fuzzing involves feeding unexpected inputs to provoke failures, revealing vulnerabilities.

Question 22. A device that implements TLS 1.3 for all outbound connections satisfies which ioXt requirement?
A) Proven Cryptography
B) Secured Interfaces
C) Data in Motion protection
D) Security Expiration Date
Answer: C
Explanation: TLS 1.3 secures data in motion, meeting the requirement for encrypted communications.

Question 23. Which regulatory framework is specifically referenced by ioXt for aligning with privacy and security of consumer IoT devices in California?
A) GDPR
B) SB-327
C) HIPAA
D) PCI DSS
Answer: B
Explanation: California Senate Bill 327 (SB-327) sets security standards for IoT devices sold in the state.

Question 24. The “SmartCert Living Document” concept means that:
A) Certification is a one-time event and never revisited.
B) Certification status must be re-evaluated whenever a new firmware version is released.
C) The certificate expires after 12 months regardless of updates.
D) Manufacturers can delete the certificate after product launch.
Answer: B
Explanation: The living document approach requires continuous compliance verification as firmware evolves.

Question 25. Which of the following is a primary benefit of using a Hardware Root of Trust (RoT) in an ioXt-certified product?
A) Faster Wi-Fi speed.
B) Guarantees that only authorized firmware can run.
D) Publishing the source code.
Answer: B
Explanation: Product registration in the portal is the initial step after alliance membership.

Question 29. Which of the following best describes “Self-Attestation” in the ioXt process?
A) A manufacturer declares compliance based on internal testing and provides evidence.
B) An external lab tests the device and issues a certificate.
C) The government audits the product.
D) The device automatically certifies itself without documentation.
Answer: A
Explanation: Self-Attestation relies on the manufacturer’s internal validation and evidence submission.

Question 30. An IoT device that disables its JTAG port in production satisfies which pledge commitment?
A) Proven Cryptography
B) Secured Interfaces
C) Automatic Security Updates
D) Security Expiration Date
Answer: B
Explanation: Disabling JTAG is a measure to secure a physical interface, meeting the Secured Interfaces pledge.

Question 31. Which cryptographic mode is recommended by ioXt for encrypting firmware images before signing?
A) ECB
B) CBC with a static IV
C) GCM (Authenticated Encryption)
Answer: C
Explanation: GCM provides confidentiality and integrity, aligning with best-practice encryption for firmware.

Question 32. The “Vulnerability Reporting Program” should include which of the following elements?
A) A public email address or web form, a defined response timeline, and a policy for handling disclosed information.
B) Only a phone number.
C) A private internal ticketing system inaccessible to outsiders.
D) A requirement that researchers sign a non-disclosure agreement before reporting.
Answer: A
Explanation: Transparency, a clear channel, response timeline, and handling policy are essential components of a VDP.

Question 33. For a smart speaker, which additional security control is required beyond the Base Profile?
A) Mandatory OTA firmware updates.
B) Encryption of microphone audio before transmission.
C) Use of a proprietary encryption algorithm.
D) Disabling Wi-Fi.
Answer: B
Explanation: Protecting voice data is a vertical-specific requirement for the Smart Speaker Profile.

Question 34. Which of the following statements about “Automatic Security Updates” is true?
A) Updates may be applied only after the user manually approves each one.
B) The device must be able to receive and install patches without user interaction.
D) The connection is not encrypted.
Answer: B
Explanation: Mutual TLS requires both ends to present and validate certificates, enhancing authentication.

Question 38. The ioXt “Base Profile” requires that all firmware images be:
A) Signed with a manufacturer-owned private key.
B) Compressed using ZIP.
C) Delivered via USB only.
D) Written in Python.
Answer: A
Explanation: Signed firmware ensures integrity and authenticity, satisfying the Base Profile.

Question 39. Which of the following is an example of a “granular access control” that could be implemented on an IoT gateway?
A) Allowing any device on the LAN to control all lights.
B) Defining role-based permissions where only admin users can change network settings.
C) Disabling all user accounts.
D) Using a single shared password for all functions.
Answer: B
Explanation: Role-based access control provides granular permissions, aligning with the principle of least privilege.

Question 40. Which of the following statements about the “Networked Lighting Controller” profile is correct?
A) It mandates that lighting data be stored in clear text on the cloud.
B) It requires authentication for every lighting command received over the network.
C) It does not require any encryption because lighting is low-risk.
D) It only applies to residential use-cases.
Answer: B
Explanation: The NLC profile emphasizes authenticated command handling to prevent unauthorized lighting changes.

Question 41. A manufacturer wishes to demonstrate compliance with the “Proven Cryptography” pledge. Which action would be considered non-compliant?
A) Using AES-256 for data encryption.
B) Implementing a custom, unpublished block cipher.
C) Leveraging RSA-2048 for digital signatures.
D) Using SHA-256 for hashing.
Answer: B
Explanation: Proprietary or unpublished algorithms violate the requirement to use peer-reviewed, standard cryptography.

Question 42. Which of the following is a key advantage of using a “Secure Boot” process?
A) It speeds up the boot time by skipping checks.
B) It ensures only firmware signed by the trusted entity can run, preventing malicious code execution.
C) It allows any developer to load unsigned firmware for testing.
D) It disables all network interfaces.
Answer: B
Explanation: Secure boot validates firmware signatures, protecting against unauthorized code.

Question 43. In the ioXt certification workflow, “Alliance Integration” primarily concerns:
A) Performing hardware stress tests.
B) Legal agreements, membership enrollment, and portal access setup.
C) Designing the product’s user interface.
D) Publishing the source code on GitHub.
Explanation: ioXt’s Base Profile is designed to be compatible with ETSI EN 303 645’s consumer IoT security guidelines.

Question 47. A device that supports “hardware-backed key storage” is most likely using which of the following?
A) Software-based key derivation only.
B) A Trusted Platform Module (TPM) or Secure Element.
C) An external SD card.
D) Plain text files on the filesystem.
Answer: B
Explanation: TPMs and Secure Elements provide hardware-protected key storage.

Question 48. Which of the following is considered a “security-by-default” configuration for a Wi-Fi enabled IoT device?
A) Open network (no password).
B) WPA3-Personal enabled with a unique pre-shared key per device.
C) WEP enabled.
D) No authentication required for OTA updates.
Answer: B
Explanation: WPA3-Personal with a unique PSK per device represents a strong, default-on security setting.

Question 49. In the context of the “Automatic Security Updates” pledge, which of the following delivery mechanisms is preferred?
A) Manual download via a web browser.
B) Over-the-air (OTA) signed update packages applied automatically.
C) Requiring the user to press a physical button to start the update.
D) Sending the update on a USB flash drive only.
Answer: B
Explanation: OTA signed updates that install automatically fulfill the automatic update requirement.

Question 50. Which of the following is a typical requirement for the “Mobile Application Profile” when the companion app communicates with the IoT device?
A) Use of plain HTTP.
B) Mutual TLS authentication between app and device.
C) Storing device passwords in the app’s source code.
D) Disabling certificate validation.
Answer: B
Explanation: Mutual TLS ensures both the app and device authenticate each other, meeting the Mobile Application Profile’s security expectations.

Question 51. Which of the following statements correctly describes “fuzzing” in the context of IoT interface testing?
A) It is a method of encrypting data.
B) It involves providing random or malformed inputs to an interface to discover crashes or unexpected behavior.
C) It is a technique for compressing firmware.
D) It validates digital signatures.
Answer: B
Explanation: Fuzzing is a testing approach that supplies unpredictable inputs to uncover vulnerabilities.

Question 52. The “Security Expiration Date” pledge helps consumers by:
A) Extending the warranty indefinitely.
B) Allowing the device to be used forever without updates.
C) Providing a clear timeline for when security patches will no longer be provided.
D) Automatically deleting all user data after the date.
Answer: C
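Worked example for Questions 21 and 51, and for the Secured Interfaces tests behind Questions 2 and 30 (added for this study guide; it is not ioXt test-plan material or any vendor's code): a small mutation fuzzer run against two parsers for a constructed UART command frame. The first parser trusts the length byte before checking it, which is the shape of a classic firmware buffer overflow; in Python the over-read and over-write surface as IndexError, which the fuzzer treats as a crash. The second parser validates length and checksum against what was actually received and only ever rejects input with a ValueError. The frame format, the 16-byte buffer size and the mutation set are all constructed for the example.

```python
import random

SOF = 0xA5          # start-of-frame byte of the constructed serial protocol
MAX_PAYLOAD = 16    # size of the fixed receive buffer in the (constructed) firmware


def checksum(data: bytes) -> int:
    x = 0
    for b in data:
        x ^= b
    return x


def encode_frame(cmd: int, payload: bytes) -> bytes:
    """Frame layout: SOF | len (cmd + payload bytes) | cmd | payload | xor checksum over len..payload."""
    body = bytes([len(payload) + 1, cmd]) + payload
    return bytes([SOF]) + body + bytes([checksum(body)])


def parse_vulnerable(frame: bytes) -> tuple[int, bytes]:
    """Trusts the length byte before bounds-checking it, the way a naive C receiver would."""
    if frame[0] != SOF:
        raise ValueError("bad SOF")
    length = frame[1]
    cmd = frame[2]
    buf = bytearray(MAX_PAYLOAD)
    for i in range(length - 1):      # the attacker-controlled length drives the copy...
        buf[i] = frame[3 + i]        # ...so a large value over-reads frame and overflows buf
    return cmd, bytes(buf[:length - 1])


def parse_hardened(frame: bytes) -> tuple[int, bytes]:
    """Checks every field against what was actually received, then the checksum, before use."""
    if len(frame) < 4 or frame[0] != SOF:
        raise ValueError("bad frame")
    length = frame[1]
    if length < 1 or length - 1 > MAX_PAYLOAD or len(frame) != length + 3:
        raise ValueError("bad length")
    body = frame[1:-1]
    if checksum(body) != frame[-1]:
        raise ValueError("bad checksum")
    return body[1], bytes(body[2:])


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, interesting byte value, truncation, or appended junk."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 40)))
    return bytes(buf)


def fuzz(parser, seeds, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutation fuzzer. A ValueError is the parser rejecting input on purpose; any other
    exception stands in for a crash and is recorded with the first input that caused it."""
    rng = random.Random(seed)          # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    seed_frame = encode_frame(0x10, b"\x01\x02\x03")
    print("vulnerable:", fuzz(parse_vulnerable, [seed_frame]))
    print("hardened:  ", fuzz(parse_hardened, [seed_frame]))
```

On a real device the equivalent harness drives the UART or BLE characteristic from a host and watches for resets, watchdog trips or a debugger halt instead of Python exceptions; the separation between "rejected cleanly" and "fell over" is the same.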
Explanation: The VDP enables external security researchers to report vulnerabilities responsibly.

Question 56. In the context of the “Base Profile,” which of the following is required for all network communications?
A) Use of unencrypted UDP.
B) Encryption using at least TLS 1.2.
C) No authentication required.
D) Only IPv4 support.
Answer: B
Explanation: The Base Profile mandates encrypted communications, typically via TLS 1.2 or higher.

Question 57. Which of the following best describes “Secure Boot” in an IoT device?
A) A process that encrypts data stored on the device.
B) A method to verify that the bootloader and firmware are signed by a trusted key before execution.
C) A technique for speeding up the boot sequence.
D) A way to disable all wireless radios.
Answer: B
Explanation: Secure boot validates signatures to ensure only authorized code runs.

Question 58. The “Smart Speaker Profile” mandates which of the following for voice data?
A) Storing raw audio on the device for 30 days.
B) Encrypting voice recordings end-to-end before transmission to the cloud.
C) Sending voice data over HTTP.
D) Disabling the microphone when the device is powered on.
Answer: B
Explanation: End-to-end encryption of voice data protects user privacy.
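Worked example for the Verified Software and Secure Boot questions (5, 38, 42 and 57), added for this study guide and not part of the ioXt pledge text or any vendor's bootloader: the manufacturer signs header plus payload with a private key, the device holds only the public key, and a single flipped payload byte is rejected. To keep the example runnable with the standard library alone it uses a Lamport one-time signature built from SHA-256; real products use ECDSA, RSA or Ed25519 with the public key anchored in a hardware root of trust, and a Lamport key must never sign two different images. The image layout, the min_version anti-rollback check and the CRC comparison (option D of Question 5) are constructed for the example.

```python
import hashlib
import secrets
import struct
import zlib

# Constructed image layout: magic, version, payload length, payload, then a
# signature over header + payload.
MAGIC = b"IOXT"
HEADER = struct.Struct(">4sII")
SIG_LEN = 256 * 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Manufacturer side. Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 of each secret. Only the public key is placed in the device."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def digest_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    for byte in sha256(message):
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lamport_sign(sk, message: bytes) -> bytes:
    # For each digest bit, reveal the matching secret from that pair. One-time: never reuse sk.
    return b"".join(sk[i][bit] for i, bit in enumerate(digest_bits(message)))


def lamport_verify(pk, message: bytes, signature: bytes) -> bool:
    if len(signature) != SIG_LEN:
        return False
    for i, bit in enumerate(digest_bits(message)):
        revealed = signature[i * 32:(i + 1) * 32]
        if sha256(revealed) != pk[i][bit]:    # revealed secret must hash to the public half
            return False
    return True


def build_image(sk, version: int, payload: bytes) -> bytes:
    header = HEADER.pack(MAGIC, version, len(payload))
    return header + payload + lamport_sign(sk, header + payload)


def verify_image(pk, image: bytes, min_version: int = 0) -> bool:
    """Bootloader side: parse defensively, then check the signature with the stored public key.
    min_version is an added anti-rollback check, not something the exam text specifies."""
    if len(image) < HEADER.size:
        return False
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC or version < min_version:
        return False
    body_end = HEADER.size + length
    if body_end + SIG_LEN != len(image):      # length field must match what was received
        return False
    return lamport_verify(pk, image[:body_end], image[body_end:])


def crc_only_check(image: bytes) -> bool:
    """Option D from Question 5: a checksum detects corruption but not substitution,
    because the attacker simply recomputes it over the malicious payload."""
    body, crc = image[:-4], struct.unpack(">I", image[-4:])[0]
    return zlib.crc32(body) == crc


def demo() -> dict:
    sk, pk = lamport_keygen()
    payload = b"\x00" * 64 + b"constructed firmware v2"
    genuine = build_image(sk, 2, payload)

    tampered = bytearray(genuine)
    tampered[HEADER.size + 3] ^= 0x01         # one flipped payload byte, signature untouched

    forged = b"constructed malicious payload"
    forged_crc_image = forged + struct.pack(">I", zlib.crc32(forged))

    return {
        "genuine": verify_image(pk, genuine),
        "tampered": verify_image(pk, bytes(tampered)),
        "rollback": verify_image(pk, genuine, min_version=3),
        "crc_accepts_forgery": crc_only_check(forged_crc_image),
    }


if __name__ == "__main__":
    print(demo())
```

The point the questions are testing is visible in verify_image: nothing secret is present on the device, so a tampered image cannot be re-signed by an attacker who has dumped the flash, whereas the CRC variant accepts anything with a matching checksum.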
Question 59. Which of the following is an example of a “vertical-specific” requirement for the Residential Camera Profile?
A) Use of a proprietary codec without licensing.
B) Mandatory TLS encryption for live video streams.
C) Allowing anyone on the LAN to view the video without authentication.
D) Storing video footage on the device’s SD card without encryption.
Answer: B
Explanation: Encrypting live video streams aligns with the Residential Camera Profile’s focus on privacy.

Question 60. When a device implements “role-based access control” (RBAC), which statement is true?
A) All users receive the same privileges.
B) Permissions are assigned based on the user’s role, such as admin, user, or guest.
C) The device does not require authentication.
D) Access control is enforced only at the network layer.
Answer: B
Explanation: RBAC grants specific rights based on defined roles.

Question 61. Which of the following best explains why proprietary encryption algorithms are discouraged by the ioXt pledge?
A) They are always slower than standard algorithms.
B) They have not undergone public peer review, making their security uncertain.
C) They are illegal in most countries.
D) They cannot be implemented in hardware.
Answer: B
Explanation: Lack of independent analysis means proprietary algorithms cannot be trusted.