The PrepIQ IoXt SmartCert Program Ultimate Exam focuses on IoT security standards, smart device certification, and cybersecurity best practices for connected technologies. Topics include device authentication, secure communication protocols, vulnerability management, privacy protection, compliance standards, and IoT ecosystem security. Participants gain practical expertise in evaluating and certifying secure smart technology solutions.
Typology: Exams
Question 1. Which ioXt principle requires a device to enforce a password change at first boot? A) Secured Interfaces B) No Universal Passwords C) Security by Default D) Automatic Security Updates Answer: B Explanation: The “No Universal Passwords” principle mandates per-device unique credentials or a forced password change on initial setup, so that one leaked factory default cannot be used to enrol a whole product line in a botnet.

Question 2. What cryptographic algorithm is explicitly mentioned as acceptable under the Proven Cryptography principle? A) MD B) SHA-1 C) AES D) DES Answer: C Explanation: AES (Advanced Encryption Standard) is an industry-standard, peer-reviewed algorithm accepted under the Proven Cryptography principle; the other options are deprecated or broken and would not pass the principle.

Question 3. Which of the following best describes “Security by Default” in the ioXt pledge? A) Users must manually enable all security features. B) Devices ship with the strongest security settings enabled. C) Security settings are disabled to improve performance. D) Only network interfaces are secured. Answer: B Explanation: “Security by Default” requires that devices ship with the highest security configuration active; a user who wants weaker settings must opt out deliberately.
Question 4. A device that verifies a firmware’s digital signature before installation is complying with which upgradability principle? A) Automatic Security Updates B) Signed Software Updates C) Vulnerability Reporting Program D) Security Expiration Date Answer: B Explanation: Signed Software Updates ensure that only firmware signed with the manufacturer’s key can be installed, so an attacker who reaches the update channel still cannot load malicious code.

Question 5. Which feature allows manufacturers to push critical patches without user interaction? A) Manual Update Mode B) Automatic Security Updates C) User-Triggered Patch D) Firmware Rollback Answer: B Explanation: Automatic Security Updates minimize the window of vulnerability by delivering patches without waiting for the user to act.

Question 6. The public policy that lets security researchers disclose flaws is known as: A) Security Expiration Date B) Vulnerability Reporting Program C) Signed Software Updates D) Security by Default Answer: B Explanation: A Vulnerability Reporting Program, i.e. a published vulnerability disclosure program (VDP), optionally paired with a bug bounty, gives researchers a defined channel for reporting issues.
A) Energy efficiency metrics. B) End-to-end video encryption and access logging. C) Lighting control protocols. D) Firmware size limits. Answer: B Explanation: The Residential Camera Profile emphasizes privacy for video streams, requiring encryption and logging.

Question 11. The Networked Lighting Controller (NLC) Profile must comply with which industry consortium’s cybersecurity requirements? A) Zigbee Alliance B) Thread Group C) DesignLights Consortium (DLC) D) Bluetooth SIG Answer: C Explanation: NLC must meet DLC’s cybersecurity requirements for commercial lighting systems.

Question 12. Which certification pathway is mandatory for high-assurance products? A) Self-Attestation only B) Authorized Lab Testing C) Community Voting D) Peer Review on GitHub Answer: B Explanation: High-assurance devices require independent validation by an ioXt-authorized lab rather than manufacturer self-attestation.

Question 13. In self-certification, manufacturers submit evidence through which platform? A) ioXt portal B) GitHub repository C) Email to NIST D) Physical paperwork to the FCC Answer: A Explanation: The ioXt portal is used for submitting test results and documentation in self-attestation.

Question 14. Which resource provides the set of test cases manufacturers must address? A) Test Case Library B) OpenSSL Benchmark Suite C) OWASP Top 10 D) ISO 26262 Answer: A Explanation: The Test Case Library contains ioXt-defined tests for each pledge principle.

Question 15. Which document is NOT typically part of evidence submission? A) Firmware version manifest B) Cryptographic library source code C) Marketing brochure D) Update mechanism design diagram Answer: C Explanation: A marketing brochure does not prove compliance; the other items are technical evidence.

Question 16. Continuous monitoring of a SmartCert requires tracking what type of change? A) Color of the device casing B) Significant hardware or software version changes
Answer: B Explanation: “Expired” denotes that the security support period has ended.

Question 20. Mapping to NIST 8259A primarily helps manufacturers meet requirements in which region? A) Europe B) United States C) Asia-Pacific D) South America Answer: B Explanation: NISTIR 8259A (the IoT Device Cybersecurity Capability Core Baseline) is a U.S. NIST publication, so mapping to it mainly supports U.S. requirements.

Question 21. Which European standard aligns with the ioXt Security Pledge? A) IEC 62304 B) ETSI EN 303 645 C) ISO 9001 D) GDPR Answer: B Explanation: ETSI EN 303 645 is the European consumer IoT security baseline; its provisions (no universal default passwords, a means to manage vulnerability reports, keeping software updated, secure communication) line up with the pledge principles.

Question 22. California SB-327 mandates which of the following for IoT devices sold in the state? A) Mandatory open-source firmware. B) Unique passwords for each device. C) Mandatory biometric authentication. D) Solar power operation. Answer: B Explanation: SB-327 requires that each device either ship with a unique preprogrammed password or force the user to set a new means of authentication before first access.
Question 23. Oregon’s IoT security law focuses on which key requirement? A) End-to-end encryption of all traffic. B) Automatic updates and vulnerability disclosure. C) Mandatory AI-based threat detection. D) Cloud-only data storage. Answer: B Explanation: This exam frames Oregon’s law as emphasizing automatic updates and a public vulnerability reporting program. Caveat for practitioners: the text of Oregon HB 2395 is worded much like California SB-327, requiring “reasonable security features” such as a unique preprogrammed password or a forced credential change before first access, so check the statute rather than relying on this framing.

Question 24. Which of the following is NOT a required element of the “Secured Interfaces” principle? A) Encryption of Bluetooth traffic. B) Authentication of Wi-Fi connections. C) Physical tamper-evidence stickers. D) Secure Ethernet communication. Answer: C Explanation: Physical stickers are not part of interface security; the principle is about encrypting and authenticating every network and local interface.

Question 25. A device that ships with WPA3 enabled for Wi-Fi demonstrates compliance with which principle? A) No Universal Passwords B) Security by Default C) Proven Cryptography D) Automatic Security Updates Answer: B Explanation: Enabling WPA3 out of the box, without the user having to turn it on, reflects “Security by Default”.

Question 26. Which cryptographic key size is recommended for ECC under the Proven Cryptography principle?
C) To record user preferences. D) To log power consumption. Answer: B Explanation: Version tracking ensures that significant changes are re-evaluated for compliance.

Question 30. Which of the following best describes the “Automatic Security Updates” mechanism? A) User must download a patch manually. B) Manufacturer pushes signed updates over a secure channel. C) Device disables networking until an update is installed. D) Updates are optional and can be ignored. Answer: B Explanation: Automatic updates involve signed patches delivered automatically over a protected channel.

Question 31. The MAP profile requires protection of sensitive data stored on the mobile device using which OS feature? A) Android’s Keychain B) iOS Keychain/Keystore C) Windows Registry D) Linux /etc/passwd Answer: B Explanation: MAP mandates use of the platform’s secure storage, i.e. the iOS Keychain or the Android Keystore, rather than application files.

Question 32. Which of the following is a required feature for the Residential Camera Profile? A) Facial recognition analytics on the device. B) End-to-end encrypted video streams. C) Open-source firmware. D) Multi-language UI. Answer: B Explanation: End-to-end encryption of video streams protects user privacy.

Question 33. The “Security Expiration Date” must be communicated in which of the following ways? A) Only on the manufacturer’s internal wiki. B) Publicly on the product packaging or online listing. C) Through a private email to the first buyer. D) In the device’s bootloader code. Answer: B Explanation: Transparency requires the expiration date to be publicly available to buyers before purchase.

Question 34. Which of the following is a direct benefit of the Vulnerability Reporting Program? A) Reducing manufacturing costs. B) Accelerating the discovery and remediation of bugs. C) Eliminating the need for encryption. D) Extending battery life. Answer: B Explanation: A VDP encourages researchers to report flaws, leading to faster fixes.

Question 35. What is the main difference between Self-Attestation and Authorized Lab Testing? A) Self-Attestation is free; labs charge a fee. B) Self-Attestation relies on manufacturer-provided evidence; labs perform independent testing. C) Labs only test hardware, not software. D) Self-Attestation is only for medical devices. Answer: B
Question 39. Under the Base Profile, which of the following is a mandatory requirement? A) AI-based anomaly detection. B) Minimum TLS 1.2 for all network communications. C) Voice control support. D) Solar power operation. Answer: B Explanation: TLS 1.2 or higher is the baseline transport requirement; TLS 1.0 and 1.1 are deprecated (RFC 8996) and must not be offered.

Question 40. Which of the following is an example of a “Security by Default” setting for a smart plug? A) Allowing remote control without authentication. B) Defaulting to a closed-loop power state until the user authorizes activation. C) Disabling all security features until a firmware update. D) Enabling factory default password “admin”. Answer: B Explanation: The device should start in a safe, locked state, requiring user consent to enable remote control.

Question 41. The “Researcher Validation” process primarily serves to: A) Reward manufacturers for fast patching. B) Allow independent verification that a SmartCert is still valid. C) Provide a marketplace for selling vulnerabilities. D) Replace the need for any certification. Answer: B Explanation: Researchers can challenge a certification, prompting re-evaluation.

Question 42. Which of the following best defines “Signed Software Updates” in the context of OTA? A) Updates are signed with a manufacturer’s private key and verified on the device. B) Updates are signed by the user before upload. C) Updates are signed with a self-generated key on the device. D) No signature is required if the update is small. Answer: A Explanation: The manufacturer signs the update with a private key that never leaves its signing infrastructure; the device validates the signature with the corresponding public key before installation.

Question 43. Which of the following is a required element for the QR code on the packaging? A) It must be printed in black ink only. B) It must link to a real-time security status page. C) It must contain the device’s MAC address. D) It must be scannable only by the manufacturer’s app. Answer: B Explanation: The QR code gives consumers access to the live “nutrition label” for the product.

Question 44. Under the MAP profile, which of the following is a recommended practice for storing API keys on the device? A) Hard-code them in plain text. B) Store them in the OS secure keystore. C) Keep them in a publicly accessible config file. D) Write them to external SD card. Answer: B Explanation: The platform keystore (hardware-backed where available) protects credentials from extraction by other apps or from a device image.

Question 45. Which compliance testing evidence would demonstrate adherence to the “Proven Cryptography” principle? A) Screenshot of the device UI. B) Copy of the cryptographic library source code showing use of AES-256.
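The Proven Cryptography questions (Q2, Q45) name AES-256 as the accepted symmetric primitive, and the profile questions require data such as video and access logs to be encrypted. What they do not spell out is that the cipher must be used in an authenticated mode, so that a modified record is rejected instead of decrypted into garbage. The following Go program is an added example written for this page, not ioXt's or any vendor's code: it uses the standard library's AES-256-GCM to seal a constructed access-log record and shows that a flipped ciphertext byte fails verification. The key here is generated at random; on a real device it would be held in the platform keystore (an assumption), and the record contents and device identifier are made up for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. AES-256, the key length named in Q45.
const KeySize = 32

// ErrAuth is returned when the GCM tag does not verify: the blob was
// modified, sealed under a different key, or bound to different AAD.
var ErrAuth = errors.New("ciphertext authentication failed")

// NewKey returns a random 256-bit key. On a real device this key would be
// kept in the platform keystore (assumption) and never exported in the clear.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext under key with AES-256-GCM.
// aad is authenticated but not encrypted, which binds a cleartext record
// header (device id, record type) to the ciphertext.
// Output layout: nonce (12 bytes) || ciphertext || 16-byte GCM tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message: reusing a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies and decrypts a blob produced by Seal. Any modification to
// the nonce, ciphertext, tag or aad yields ErrAuth and no plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrAuth
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, ErrAuth
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: one access-log record of the kind the Residential
	// Camera Profile requires to be encrypted at rest.
	record := []byte(`{"ts":"2024-01-01T00:00:00Z","user":"owner","event":"live-view"}`)
	header := []byte("cam-0001/access-log") // stored in clear, bound via AAD

	blob, err := Seal(key, record, header)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, blob, header)
	fmt.Printf("decrypt ok: %v, %s\n", err == nil, pt)

	// Flip one ciphertext byte: Open must refuse rather than return
	// corrupted plaintext to the caller.
	blob[len(blob)-20] ^= 0x01
	_, err = Open(key, blob, header)
	fmt.Printf("tampered blob rejected: %v\n", errors.Is(err, ErrAuth))
}
```

The AAD is what lets the reader detect a record that was copied from another device or relabelled: the ciphertext only opens under the header it was sealed with.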
Answer: A Explanation: It defines the end of security support, akin to an end-of-life date for firmware updates.

Question 49. Which of the following is a requirement for the Residential Camera Profile concerning user access logs? A) Logs must be stored on the cloud without encryption. B) Logs must be encrypted at rest and accessible only to the device owner. C) Logs are optional. D) Logs must be sent to a third-party analytics service. Answer: B Explanation: Protecting access logs preserves both their privacy and their integrity as a record of who viewed the camera.

Question 50. For the NLC profile, compliance with DLC cybersecurity requirements primarily addresses: A) Color temperature standards. B) Resilience to grid-level disruptions. C) Compatibility with voice assistants. D) Battery backup duration. Answer: B Explanation: DLC requirements focus on security and resilience for commercial lighting.

Question 51. Which of the following is NOT a typical element of the “Test Case Library”? A) Functional test scripts for OTA updates. B) Marketing slogan verification. C) Cryptographic algorithm validation tests. D) Interface authentication test cases. Answer: B Explanation: Marketing slogans are unrelated to security testing.

Question 52. The “Automatic Security Updates” principle helps satisfy which regulatory requirement in California? A) Mandatory open-source firmware. B) Requirement for timely patches. C) Requirement for solar-powered devices. D) Requirement for AI-based monitoring. Answer: B Explanation: California SB-327 expects devices to receive timely security updates.

Question 53. Which of the following best describes the “Living Certification” concept? A) A certification that expires after 30 days. B) A certification that is continuously re-evaluated as the product evolves. C) A certification only for devices with renewable energy sources. D) A certification granted without any testing. Answer: B Explanation: “Living Certification” means the status is actively maintained and updated as firmware and hardware change.

Question 54. Which of the following is a required attribute of the QR code system for consumers? A) It must be scannable with any generic QR reader. B) It must require a proprietary app to decode. C) It must display the device’s serial number only. D) It must be printed in QR-CODE-V2 format. Answer: A Explanation: The QR code should be universally readable to ensure consumer access.
Question 58. Which of the following is a required feature for the MAP profile to protect data at rest on the mobile device? A) Use of plain text files. B) Encryption with device-specific keys stored in the secure keystore. C) Storing data in the app’s cache directory. D) Relying on the user to encrypt files manually. Answer: B Explanation: Encryption under keys held in the platform keystore protects data at rest even if the app’s files are copied off the device.

Question 59. Which of the following best illustrates compliance with the “Proven Cryptography” principle for asymmetric encryption? A) Using a custom algorithm designed in-house. B) Implementing RSA-2048 with a reputable library. C) Using a 512-bit RSA key. D) Using MD5 for digital signatures. Answer: B Explanation: RSA-2048 from a widely vetted library is acceptable; a 512-bit RSA key is factorable with modest resources, MD5 is collision-broken, and a custom algorithm has no peer review.

Question 60. The “Security Expiration Date” must be updated when: A) The device receives a minor bug fix. B) The manufacturer decides to extend support. C) The device changes its color. D) The user changes the Wi-Fi password. Answer: B Explanation: Extending support changes the expiration date, which must then be communicated publicly.

Question 61. Which of the following statements about “Signed Software Updates” is true? A) The signature can be generated on the device itself. B) The signature must be verified before applying the update. C) Signed updates are optional for low-risk devices. D) The signature is only required for major version jumps. Answer: B Explanation: Verification of the signature before anything is written to flash is what makes the update authentic; a key held on the device itself would be available to anyone who extracts the firmware.

Question 62. In the NLC profile, which of the following is a specific security focus? A) Secure dimming algorithms. B) Protection against grid-level cyber-attacks. C) Voice command authentication. D) Integration with smart thermostats. Answer: B Explanation: NLC emphasizes resilience to large-scale grid cyber threats.

Question 63. Which of the following is a direct outcome of a successful Vulnerability Reporting Program? A) Increased device weight. B) Faster discovery and remediation of security flaws. C) Decreased battery life. D) Mandatory hardware redesign. Answer: B Explanation: VDPs encourage researchers to report issues, leading to quicker fixes.

Question 64. Which of the following best describes the “Base Profile” requirement for firmware integrity? A) Firmware must be signed and verified before execution. B) Firmware can be unsigned if the device is low-cost. C) Firmware integrity is optional.
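Q4, Q42, Q61 and Q64 all describe one mechanism: the manufacturer signs an update with a private key that stays in its signing infrastructure, and the device checks the signature with the matching public key before installing anything. The Go program below is an added example for this page, not ioXt's test code or any vendor's implementation. It signs a small manifest (version plus SHA-256 of the image) with Ed25519 from the standard library, so the device verifies a short signature and then hashes the large image, and it shows both an image swap and a manifest signed by an untrusted key being refused. Ed25519 is one Proven Cryptography choice, not one the pledge prescribes; the Manifest layout, function names, and the sample image bytes are all constructed for the demo, and the public key is assumed to have been provisioned into the device at manufacture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The manufacturer signs the
// canonical encoding of this struct rather than the raw image, so the device
// can check a 64-byte signature first and then hash the (large) image.
type Manifest struct {
	Version uint32
	Digest  [sha256.Size]byte // SHA-256 of the firmware image
}

// encode returns the byte string that is signed: the version as 4 big-endian
// bytes followed by the digest. Changing either field changes the signed
// bytes and therefore invalidates the signature.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// SignedUpdate is what travels over the OTA channel.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte // Ed25519 signature over Manifest.encode()
	Image     []byte
}

var (
	ErrBadSignature = errors.New("update: manifest signature invalid")
	ErrDigest       = errors.New("update: image digest does not match manifest")
)

// SignUpdate is the manufacturer-side step: hash the image, build the
// manifest and sign it. The private key never leaves the manufacturer's
// signing infrastructure (an HSM in practice; a plain variable in this demo).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

// VerifyUpdate is the device-side step. The device holds only the public key
// (assumed provisioned at manufacture). It returns nil only when the
// signature verifies AND the image matches the signed digest; callers must
// write nothing to flash until it does.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate) error {
	if !ed25519.Verify(pub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	// Manufacturer key pair, generated here only for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample image bytes.
	image := []byte("firmware-v2-blob: constructed sample bytes for the demo")
	upd := SignUpdate(priv, 2, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, upd))

	// Attacker swaps the image in transit but cannot re-sign the manifest.
	tampered := upd
	tampered.Image = append([]byte(nil), upd.Image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, tampered))

	// Attacker signs their own manifest with a key the device does not trust.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("rogue signer:", VerifyUpdate(pub, SignUpdate(rogue, 3, image)))
}
```

Note the order of the two checks: the signature is verified before the image is touched, so a device never spends time hashing, let alone flashing, an image whose manifest it cannot trust, and the digest check then ties the signed manifest to the exact bytes received.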