IoT Security 1.1 Chapter 4 Quiz Answers

Explanation: IoT devices may have power constraints that may only permit the use of very short-range radios. IoT wireless protocols may use a topology that allows sensor data to travel from node to node until the data reaches the gateway.

Explanation: In order for a smart plug to be controlled over the internet, it must connect to the home Wi-Fi network. The smart plug will commonly set up a promiscuous mode hot spot that can be identified by the cell phone app of the vendor or the PC software to allow the buyer to connect to the smart plug and configure it to access the home Wi-Fi network.

Explanation: When securing the IoT network traffic attack surface, the following vulnerabilities should be taken into account:

• LAN traffic
• LAN to internet traffic
• short range
• nonstandard protocols
• wireless
• packet manipulation (protocol fuzzing)

Explanation: IP address spoofing attacks occur when a threat actor creates packets with false source IP address information. With non-blind spoofing, the threat actor can see the traffic that is being sent between the host and the target. Reasons for non-blind spoofing include determining the state of a firewall, TCP sequence-number prediction, or hijacking an authorized session.

Explanation: The wireless personal-area network commonly uses Bluetooth to interconnect personal fitness trackers, smart watches, and audio devices to a cell phone that serves as an IoT gateway.

Explanation: Smart objects and things can communicate directly with the cloud or data center (IP capable) if they have their own IPv6 protocol stacks and messaging protocols. Being IP capable allows the things to send through the IP network without requiring translation into IP by an IoT gateway.

Explanation: The man-in-the-middle attack is a common IP-related attack where threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication.

Explanation: In TCP/IP transmissions, the protocols at the transport layer of both the OSI and TCP/IP model use port addressing to enable multiple conversations to be tracked and connected with the correct applications. The destination port number in the packets sent by the source device identifies the requested application.

Explanation: When the IoT device network services attack surface is being secured, the following vulnerabilities should be taken into account:

• Information disclosure
• Injection
• Denial of service
• Unencrypted services
• Poorly implemented encryption
• Test/development services
• Vulnerable UDP services
• Replay attack
• Lack of payload verification
• Lack of message integrity check

Explanation: The cluster-tree topology contains mainly full function devices (FFDs). Any of these FFDs can act as a coordinator and provide synchronization services to other devices and coordinators. A reduced function device (RFD) may connect to a cluster-tree network as a leaf node at the end of a branch.

Explanation: The wireless mesh topology allows smart objects to connect with other smart objects to eventually reach an IoT gateway. This allows the smart objects to be deployed over a much larger area than would otherwise be possible if each node were required to communicate directly with the IoT gateway.

Explanation: 802.15.4 operates at the OSI physical and data link layers. There are four basic security services performed at the data link layer:

• Access control – prevents unauthorized devices from joining the network
• Message integrity – protects against alteration of data while it is in transit
• Message confidentiality – prevents threat actors from reading the transmitted data
• Replay protection – prevents threat actors from successfully capturing legitimate messages and sending them out on the network at a later time

Explanation: LoRaWAN is a specification for low power wide-area network connection. Unlike cellular, LoRaWAN devices do not require a fixed power supply.

Explanation: The IEEE 802.15.4 protocol was originally developed for use in personal-area networks (PANs) and consists of physical (PHY) and media access layer specifications. Due to the layered architecture, developers have been able to create diverse upper-layer protocols to allow ZigBee, Thread, and 6LoWPAN to run on top of 802.15.4.

Explanation: A smurf attack uses amplification and reflection techniques to overwhelm a targeted host. The threat actor forwards ICMP echo request messages that contain the source IP address of the victim to a large number of hosts. These hosts all reply to the spoofed IP address of the victim with the intent of overwhelming it.

Explanation: In DDoS attack scenarios, zombies, or infected hosts, continue to scan and infect targets with the intent of creating more zombies. The command-and-control (CnC) server communicates with zombies using a covert channel. When ready, the threat actor (botmaster) uses the CnC servers to instruct the botnet of zombies to launch a DDoS attack on a specific target.

Explanation: Threat actors use ICMP messages for reconnaissance and scanning attacks. ICMP messages are also used by threat actors to launch DoS attacks.

Explanation: With denial of service (DoS) attacks, threat actors overwhelm a targeted host by sending an overwhelming quantity of maliciously formatted packets. This causes the targeted host to crash or become unable to respond to legitimate requests.

Explanation: Application layer protocols TFTP and DHCP use UDP as the transport layer protocol. HTTP, HTTPS, and FTP use TCP as the transport layer protocol.

Explanation: When referring to security, crossing a trust boundary means that the level of trust and reliability of data has changed. As data moves from a trusted network to an untrusted network, the security of the data changes.

Explanation: Bluetooth and Wi-Fi both use radio waves to transmit data and are commonly used in IoT home applications. Bluetooth is used in wireless personal-area networks and Wi-Fi is used in wireless local-area networks.

Explanation: A threat actor can use a tool like UDP Unicorn or Low Orbit Ion Cannon to send a flood of UDP packets to launch a UDP flood attack that causes all the resources on a network to become consumed. These types of programs will sweep through all the known ports trying to find closed ports. This causes the server to reply with an ICMP port unreachable message. Because of the many closed ports on the server, there is so much traffic on the segment that almost all the bandwidth gets used. The end result is very similar to a DoS attack.

Explanation: A DDoS attack is similar in intent to a DoS attack, except that a DDoS attack is larger because it originates from multiple and coordinated sources. DDoS attacks commonly include a botnet, handler systems, and zombie computers.

Explanation: Media Access Control (MAC) address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match the known MAC address of a target host.