Exercises: Mobile and IoT Security
These exercises move from device vocabulary to fleet-scale judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/design/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before you read one.
Work in your own notebook, lab, or a private repository. Use only documentation IP ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, RFC 1918) and meridianbank.example in anything you draft. Where an exercise asks you to "score," "design," or "draft," the reasoning matters more than landing on one perfect answer.
Part A — Core vocabulary ⭐
1.† In one sentence each, define IoT, embedded device, and firmware, then write one sentence that uses all three correctly to describe a network-connected security camera.
2. Classify each item as mobile device, IoT/embedded device, control, or weakness: (a) a wealth advisor's iPhone enrolled in UEM; (b) a lobby camera with the password admin; (c) containerization; (d) unpatchable firmware on a thermostat; (e) conditional access; (f) a network-connected badge reader; (g) hard-coded default credentials; (h) device segmentation.
3. Explain the difference between jailbreaking and rooting, what they have in common, and why either one makes a device dangerous to allow onto corporate data.
4.† Define mobile app sandboxing and explain, in two or three sentences, the chain of reasoning that connects "sandboxing" to "this is why a jailbroken phone is blocked by conditional access."
5. Match each device-ownership model to its description: BYOD, COPE, CYOD, COBO. (a) company owns it, no personal use allowed; (b) employee owns it, company manages a slice; (c) company owns it, employee chooses from an approved list; (d) company owns it, personal use permitted as a perk.
6. Why is shadow IoT described as "the most dangerous device class," even though a single shadow device may be no more vulnerable than a known one? Answer in terms of what unknown implies for segmentation, monitoring, patching, and incident response.
Part B — Inventory and default-credential triage ⭐⭐
7.† Inventory and flag. You are handed this (illustrative) raw device list. Using the logic of iotinv.py, identify which devices are running on default credentials and which are unmanaged, then state the single device you would remediate first and why.

    id            user   password   managed
    cam-br04-01   admin  admin      no
    phone-ortiz   --     --         yes
    hvac-br04     admin  password   no
    atm-0107      svc    7$Lq2!vR   yes
    printer-br04  root   root       no
    tablet-rao    --     --         yes
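The flagging logic exercise 7 refers to, written out as an added example. This is not the chapter's iotinv.py; it is a stand-alone script that parses the whitespace-separated export above, checks each local credential against a constructed (and deliberately partial) set of well-known vendor defaults, and ranks devices by urgency. The default-credential set and the scoring weights are assumptions for illustration.

```python
# Added example (not the chapter's iotinv.py): flag default credentials and
# unmanaged devices in a raw inventory export, then rank by remediation urgency.
from dataclasses import dataclass

# Constructed, deliberately partial set of well-known vendor default pairs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", ""),
}

# The illustrative list from exercise 7; "--" means the device holds no local
# credential of its own (it is enrolled in UEM instead).
RAW_INVENTORY = """\
id user password managed
cam-br04-01 admin admin no
phone-ortiz -- -- yes
hvac-br04 admin password no
atm-0107 svc 7$Lq2!vR yes
printer-br04 root root no
tablet-rao -- -- yes
"""


@dataclass
class Finding:
    device_id: str
    default_cred: bool
    managed: bool

    @property
    def score(self) -> int:
        """Urgency: a default credential weighs 2, lack of management weighs 1."""
        return (2 if self.default_cred else 0) + (0 if self.managed else 1)

    @property
    def actions(self) -> list:
        """Plain-language remediation steps for this finding."""
        todo = []
        if self.default_cred:
            todo.append("rotate to a unique credential; disable unused admin accounts")
        if not self.managed:
            todo.append("enroll in inventory/UEM; assign an owner; place on the IoT segment")
        return todo


def parse_inventory(text: str) -> list:
    """Parse the whitespace-separated export into dicts keyed by the header row."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def flag_devices(text: str) -> list:
    """Return Findings sorted most-urgent first (stable sort, so input order breaks ties)."""
    findings = []
    for row in parse_inventory(text):
        cred = None if row["user"] == "--" else (row["user"], row["password"])
        findings.append(Finding(
            device_id=row["id"],
            default_cred=cred in DEFAULT_CREDENTIALS,
            managed=row["managed"].lower() == "yes",
        ))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in flag_devices(RAW_INVENTORY):
        print(f"{f.device_id:<13} score={f.score} {'; '.join(f.actions) or 'ok'}")
```

The script only ranks; deciding which of the tied top-scoring devices goes first still needs the judgment the exercise asks for (what the device can reach, what it protects, how exposed it is). Real default-credential lists are long and vendor-specific; treat the set here as a placeholder for the one your inventory tool maintains.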
8. Find the default cred. For each device below, say whether the listed credential is a well-known default, and if so, give the one-line remediation. (a) router admin / admin; (b) camera root / root; (c) database service account / a 20-character random string; (d) badge controller admin / password; (e) a device whose vendor documentation says the admin password "cannot be changed."
9. A branch has 38 IoT devices. A scan shows 11 still on default credentials, 7 of which are on firmware versions with publicly known vulnerabilities and no available patch. Rank the remediation order and justify it. Which finding is "fix in minutes," and which is "cannot fix — must contain"?
10.† Reading a compliance snapshot. Given this UEM export, write the triage actions (highest priority first) and name the control that should already have limited the damage of the worst row.

    device_id  os       os_version  encrypted  passcode  jailbroken
    M-201      iOS      17.5        yes        yes       no
    M-202      Android  10          yes        yes       no
    M-203      iOS      16.2        no         yes       no
    M-204      Android  13          yes        yes       YES
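An added example of how a compliance export like the one in exercise 10 is turned into an ordered action list by a script rather than by eye. This is not the chapter's code. The minimum-OS floors in MINIMUM_OS are assumed policy values constructed for the example, and the priority ordering (jailbroken first, then encryption/passcode gaps, then OS version) is one defensible choice, not the only one.

```python
# Added example (not the chapter's code): triage a UEM compliance export.
# Priority: jailbroken/rooted first, then missing encryption or passcode,
# then OS below the assumed minimum version.
from dataclasses import dataclass

# Assumed policy floors (constructed for this example): lowest acceptable OS.
MINIMUM_OS = {"iOS": (17, 0), "Android": (12, 0)}

# The export from exercise 10, verbatim.
UEM_EXPORT = """\
device_id os os_version encrypted passcode jailbroken
M-201 iOS 17.5 yes yes no
M-202 Android 10 yes yes no
M-203 iOS 16.2 no yes no
M-204 Android 13 yes yes YES
"""


@dataclass(order=True)
class Action:
    priority: int      # 0 = act now, 1 = fix today, 2 = schedule
    device_id: str
    action: str


def parse_version(s: str) -> tuple:
    """'16.2' -> (16, 2); tuples compare element-wise, so (16, 2) < (17, 0)."""
    return tuple(int(p) for p in s.split("."))


def triage(text: str) -> list:
    """Return Actions sorted by priority, then device id."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    actions = []
    for line in lines[1:]:
        r = dict(zip(header, line.split()))
        dev = r["device_id"]
        if r["jailbroken"].lower() == "yes":
            actions.append(Action(0, dev, "jailbroken: conditional access denies corporate data; "
                                          "quarantine the device and investigate"))
        if r["encrypted"].lower() != "yes":
            actions.append(Action(1, dev, "storage not encrypted: enforce encryption or "
                                          "selectively wipe the work container"))
        if r["passcode"].lower() != "yes":
            actions.append(Action(1, dev, "no passcode: enforce passcode policy before re-granting access"))
        floor = MINIMUM_OS.get(r["os"])
        if floor and parse_version(r["os_version"]) < floor:
            actions.append(Action(2, dev, f"{r['os']} {r['os_version']} below minimum: "
                                          "require update, then re-check compliance"))
    return sorted(actions)


if __name__ == "__main__":
    for a in triage(UEM_EXPORT):
        print(f"P{a.priority} {a.device_id}: {a.action}")
```

Note that a device can appear more than once (M-203 is both unencrypted and below the OS floor); the list is per finding, not per device, so nothing is hidden behind a single worst-case label.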
Part C — Analyze this (telemetry & scenarios) ⭐⭐
11.† Analyze this log. A camera on Meridian's contained IoT segment (192.0.2.0/24) normally talks only to its recording server at 192.0.2.10. Here is one hour of its connection log (illustrative; times UTC):

    03:14:02 src=192.0.2.51 dst=192.0.2.10 port=554 bytes=1200 (RTSP, normal)
    03:14:30 src=192.0.2.51 dst=192.0.2.10 port=554 bytes=1190 (RTSP, normal)
    03:41:09 src=192.0.2.51 dst=203.0.113.77 port=443 bytes=42000
    03:41:40 src=192.0.2.51 dst=203.0.113.77 port=443 bytes=51500
    03:42:11 src=192.0.2.51 dst=203.0.113.77 port=443 bytes=49800
(a) What in this log should trigger an alert, and why is it high-signal on this device specifically? (b) Is this consistent with compromise, and what would the attacker be doing? (c) Why did the segmentation design described in this chapter not prevent this outbound traffic — and what additional rule would have? (d) Name one detection rule you would write to catch this class of event going forward.
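The kind of allow-list check that makes the log in exercise 11 alertable, as an added example rather than code from the chapter. It parses the five log lines above (annotations dropped), compares each flow against a per-source allow-list, tags whether the destination is outside the IoT segment, and sums bytes per off-list destination. The allow-list itself (camera to recording server, RTSP only) is an assumed policy constructed for this example.

```python
# Added example (not the chapter's code): egress allow-list check for a
# contained IoT segment, run over the camera log from exercise 11.
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("192.0.2.0/24")

# Per-source allow-list of (destination, port) pairs. The camera may only speak
# RTSP to its recording server. Assumed policy, constructed for this example.
ALLOW_LIST = {
    "192.0.2.51": {("192.0.2.10", 554)},
}

# Constructed log lines (the exercise's one-hour excerpt, annotations dropped).
CAMERA_LOG = """\
03:14:02 src=192.0.2.51 dst=192.0.2.10 port=554 bytes=1200
03:14:30 src=192.0.2.51 dst=192.0.2.10 port=554 bytes=1190
03:41:09 src=192.0.2.51 dst=203.0.113.77 port=443 bytes=42000
03:41:40 src=192.0.2.51 dst=203.0.113.77 port=443 bytes=51500
03:42:11 src=192.0.2.51 dst=203.0.113.77 port=443 bytes=49800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"port=(?P<port>\d+) bytes=(?P<bytes>\d+)"
)


def parse_log(text: str) -> list:
    """Parse key=value connection records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def find_violations(text: str, allow_list=ALLOW_LIST) -> list:
    """Return every flow not on its source's allow-list, tagged with whether it left the segment."""
    violations = []
    for rec in parse_log(text):
        if (rec["dst"], rec["port"]) in allow_list.get(rec["src"], set()):
            continue
        rec["external"] = ip_address(rec["dst"]) not in IOT_SEGMENT
        violations.append(rec)
    return violations


def egress_volume(violations: list) -> dict:
    """Total bytes per (src, dst) among off-list flows; large totals deserve a closer look."""
    totals = defaultdict(int)
    for v in violations:
        totals[(v["src"], v["dst"])] += v["bytes"]
    return dict(totals)


if __name__ == "__main__":
    bad = find_violations(CAMERA_LOG)
    for v in bad:
        where = "external" if v["external"] else "internal"
        print(f"ALERT {v['ts']} {v['src']} -> {v['dst']}:{v['port']} {where} {v['bytes']} bytes")
    print(egress_volume(bad))
```

The check is keyed on the source because a camera's expected behaviour is narrow and fixed; a single allowed pair is the whole profile, so any other destination is high-signal without needing a baseline. Tagging external destinations separately lets the same rule distinguish a mis-configured internal flow from traffic that left the segment entirely.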
12. An employee reports their personal phone (enrolled in BYOD with a work container) was stolen. Walk through, step by step, what the security team can and cannot do, what data is at risk, and why the employee's family photos are safe.
13.† A new device appears on a branch network segment overnight. The SOC has never seen its MAC address or device fingerprint before. Before anyone touches it, list the questions you would answer to classify it, and the two most likely benign explanations versus the two most likely malicious ones.
14. A vendor tells Meridian that a fleet of deployed devices has a critical firmware vulnerability, that a patch exists, but that applying it requires a technician to physically visit each of 120 branches. Discuss the realistic options and recommend one, using the chapter's "contain it and watch it" framing.
Part D — Write it / design it ⭐⭐–⭐⭐⭐
15.† Write the BYOD policy. Draft a BYOD policy section (8–12 bullet points) for Meridian that a GRC analyst could publish. It must, at minimum: state eligibility/scope, minimum device requirements, exactly what the company can and cannot see and do, the copy/paste-and-data-handling rules, and the offboarding (selective wipe) process. Write it in plain language an employee would actually read.
16.† Design device segmentation. You are given a branch with these devices: 6 teller workstations, 1 branch file server, 4 managed laptops, 3 lobby cameras, 2 badge readers, 1 HVAC controller, 2 network printers, 2 POS terminals, and guest Wi-Fi for customers. Design the segmentation: draw (in ASCII or prose) the segments, state the default rule between them, and write the allow-list for the IoT/facilities segment. Justify why each cross-segment path is allowed or denied.
17. Write the rule/policy. Draft a one-line monitoring/detection rule (in plain language or pseudo-Sigma) for: (a) an IoT-segment device contacting any destination outside its allow-list; (b) a new device appearing on a branch segment; (c) a managed mobile device falling below the minimum OS version. For each, state the expected false-positive rate and why.
18. Design it. A new Meridian branch is opening. Write the one-page "device onboarding" standard operating procedure that ensures the lobby-camera story from this chapter cannot repeat: how a connected device gets approved, inventoried, assigned an owner, credentialed, and placed on the right segment before it goes live.
19. ⭐⭐⭐ Meridian's wealth-management group wants to issue tablets that advisors carry to client homes, holding sensitive client data and used on untrusted home and public Wi-Fi. Recommend an ownership model (BYOD/COPE/CYOD/COBO) and a full control set (management, encryption, app control, network, loss/theft response), and defend your choice against the cheaper alternative.
Part E — CTF-style challenge ⭐⭐⭐
20.† The five-minute foothold. A penetration-test report (authorized; your own environment) says: "Starting from the guest Wi-Fi, the tester reached a lobby camera using documented default credentials, used the camera's shell to scan the local segment, found a flat network, pivoted to a teller workstation, and from there reached a file server — total elapsed time under thirty minutes, no exploit code required." Reconstruct the kill chain step by step in the vocabulary of this chapter, then identify the single architectural change that would have stopped the pivot at the camera, and two additional controls that would have prevented or detected the initial access. (No offensive steps — analyze the defense.)
Part F — Interleaved & forward-looking ⭐⭐
21.† (Interleaves Chapter 11.) This chapter says ATMs should be hardened "where the platform allows." Using Chapter 11's host-hardening ideas, list four specific hardening measures you would apply to an ATM that can be hardened, and explain why application allowlisting is the single best fit for a special-purpose device.
22. (Interleaves Chapter 8.) The chapter places guest and BYOD-personal Wi-Fi on an untrusted, internet-only segment. Connect this to Chapter 8: what wireless-specific attack (name one) could let an attacker onto a network they should not reach, and how does segmenting wireless limit the damage even if that attack succeeds?
23. (Interleaves Chapter 1.) Apply Chapter 1's $\text{Risk} = \text{Likelihood} \times \text{Impact}$ to three devices: (a) a managed, encrypted, current-OS phone; (b) an unpatchable lobby camera on a contained segment; (c) the same camera on a flat network. Score each 1–5 on both axes, multiply, and explain what the difference between (b) and (c) proves about segmentation.
24. Forward-looking. This chapter sets up Chapter 33 (operational technology). Based only on what you learned here, predict two ways securing an industrial control system will be like securing branch IoT, and one way it will be harder (hint: think about what happens if the device is turned off or its network is disrupted).
25. Of the four IoT weaknesses (default credentials, unpatchable firmware, insecure interfaces, no security-by-design/no owner), which do you think is hardest for a defender to address, and why? Defend your choice in a paragraph, then name the control you would prioritize given that it is hard.
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor. If you cannot justify a design choice in a sentence, treat that as a signal to gather more information and note what you would go find out.