Chapter 31 Quiz: IoT and Embedded Systems Hacking
Question 1
What is the most common communication protocol used in IoT publish/subscribe messaging?
A) HTTP B) MQTT C) SMTP D) FTP
Question 2
You have identified a 4-pin header on an IoT device PCB. One pin reads 0V, another fluctuates between 0V and 3.3V during boot, and two read steady 3.3V. What interface is this most likely?
A) SPI B) I2C C) UART D) JTAG
Question 3
Which tool is primarily used for extracting and analyzing firmware images from IoT devices?
A) Nmap B) Burp Suite C) Binwalk D) Wireshark
Question 4
What is the default port for unencrypted MQTT communication?
A) 443 B) 8080 C) 1883 D) 5683
Question 5
In BLE security, what is the vulnerability of "Just Works" pairing?
A) It requires a long pairing process B) It provides no protection against man-in-the-middle attacks during pairing C) It only works with iOS devices D) It requires physical button presses on both devices
Question 6
Which hardware interface provides the deepest level of processor access, including memory read/write and breakpoint setting on embedded devices?
A) UART B) SPI C) JTAG/SWD D) I2C
Question 7
What is the purpose of the flashrom tool in IoT security testing?
A) Flashing firmware on mobile phones B) Reading and writing SPI flash memory chips C) Analyzing network flash traffic D) Encrypting firmware images
Question 8
Which of the following is NOT a common vulnerability in embedded web interfaces?
A) Default credentials B) Command injection in diagnostic tools C) SQL injection in distributed databases D) Directory traversal in file access
Question 9
What does subscribing to the MQTT topic # accomplish?
A) Subscribes to topics starting with the hash character B) Subscribes to all topics on the broker (wildcard) C) Subscribes to system diagnostic topics only D) Creates a new topic called "#"
Question 10
What is the Mirai botnet primarily known for exploiting?
A) Zero-day vulnerabilities in Linux kernels B) Default credentials on IoT devices (cameras, DVRs, routers) C) Buffer overflows in web browsers D) SQL injection in cloud databases
Question 11
In the context of ICS/SCADA, what does a PLC (Programmable Logic Controller) do?
A) Manages user authentication for industrial networks B) Controls physical processes based on programmed logic, reading sensors and controlling actuators C) Routes network traffic between IT and OT networks D) Stores historical process data for analysis
Question 12
What is the standard port for Modbus TCP communication?
A) 80 B) 502 C) 1883 D) 4840
Question 13
When performing entropy analysis on a firmware image with binwalk, what does a section with consistently high entropy (close to 1.0) indicate?
A) The section contains plaintext code B) The section is mostly zeros (empty space) C) The section is encrypted or compressed D) The section contains ASCII strings
Question 14
What is the primary security concern with CoAP (Constrained Application Protocol)?
A) It only works on proprietary networks B) It uses UDP, which is inherently less reliable and may lack encryption by default C) It requires specialized hardware to implement D) It is incompatible with IP networks
Question 15
A JTAGulator is used for which purpose in IoT security testing?
A) Flashing new firmware onto devices B) Automatically identifying JTAG pinouts by testing all possible pin combinations C) Monitoring power consumption for side-channel attacks D) Intercepting BLE communications
Question 16
In the Purdue Model for ICS network architecture, what sits between the IT network (Level 4-5) and the operational technology network (Level 0-3)?
A) A firewall B) A VLAN C) A Demilitarized Zone (DMZ) D) A VPN tunnel
Question 17
Which of the following is the most effective defense against firmware reverse engineering on an IoT device?
A) Obfuscating the file names in the filesystem B) Using a custom compression algorithm C) Enabling read protection fuses on the microcontroller and implementing secure boot D) Disabling the device's LED indicators
Question 18
You are testing a MedSecure vital signs monitor and discover that patient vital signs data is transmitted over BLE without encryption. Under which category does this fall in a risk assessment?
A) Low risk — BLE has limited range B) Medium risk — encryption is optional for BLE C) High/Critical risk — unencrypted PHI violates HIPAA and patient data is exposed to any nearby BLE scanner D) Informational — BLE inherently provides sufficient security
Answer Key
1. B — MQTT (Message Queuing Telemetry Transport) is the most widely used IoT messaging protocol, designed for low-bandwidth, high-latency environments. It uses a publish/subscribe model with a central broker.
2. C — A 4-pin header with GND (0V), TX (fluctuating during boot as data is transmitted), and RX/VCC (steady 3.3V) is characteristic of a UART debug interface. SPI uses more pins (CS, CLK, MISO, MOSI), I2C uses 2 data pins (SDA, SCL), and JTAG uses 4-5 signal pins.
3. C — Binwalk is the primary tool for firmware analysis. It scans binary files for known file signatures, identifies embedded filesystems (SquashFS, JFFS2, etc.), and can extract components. Nmap is for network scanning, Burp Suite for web testing, and Wireshark for packet capture.
4. C — MQTT uses port 1883 for unencrypted communication and port 8883 for TLS-encrypted communication. Port 443 is HTTPS, 8080 is alternative HTTP, and 5683 is CoAP.
5. B — "Just Works" pairing provides no protection against man-in-the-middle attacks because there is no mechanism for the user to verify that they are pairing with the intended device. An attacker can intercept the pairing process and establish connections with both devices.
6. C — JTAG (Joint Test Action Group) and SWD (Serial Wire Debug) provide the deepest hardware access, including reading/writing processor memory, setting breakpoints, stepping through code, and direct flash access. UART provides a serial console, while SPI and I2C are bus protocols for peripheral communication.
7. B — Flashrom is a tool for reading and writing SPI flash memory chips, commonly used to extract firmware from IoT devices by connecting to the SPI flash chip directly.
8. C — SQL injection in distributed databases is not a common IoT web vulnerability (IoT devices typically use simple file storage or embedded SQLite, not distributed databases). Default credentials, command injection, and directory traversal are among the most prevalent embedded web vulnerabilities.
9. B — The # character is the MQTT multi-level wildcard. Subscribing to # subscribes to all topics on the broker. If this is possible without authentication, it represents a critical security finding, as all device data becomes visible.
10. B — The Mirai botnet primarily exploited IoT devices with default credentials. It scanned the internet for devices with factory-default usernames and passwords (like admin/admin or root/root) and infected them, building a massive botnet used for DDoS attacks.
11. B — A PLC (Programmable Logic Controller) is an industrial computer that reads sensor inputs, executes programmed logic, and controls actuators (motors, valves, switches) to manage physical processes in manufacturing, power generation, water treatment, and other industrial settings.
12. B — Modbus TCP uses port 502. This is important for network scanning and ICS security assessments. Port 80 is HTTP, 1883 is MQTT, and 4840 is OPC UA.
13. C — High entropy (approaching 1.0 or 8.0 bits per byte, depending on the scale) indicates data that is encrypted or compressed, as both produce output with a near-uniform byte distribution. Plaintext code and ASCII strings have lower entropy with more predictable patterns.
14. B — CoAP uses UDP (port 5683), which lacks the connection guarantees of TCP. More significantly, CoAP itself does not mandate encryption — DTLS (Datagram Transport Layer Security) must be implemented separately. Many CoAP deployments omit DTLS, transmitting data in plaintext.
15. B — The JTAGulator, created by Joe Grand, automates the process of identifying JTAG pinouts by systematically testing all possible pin combinations on a target device's header to find the TDI, TDO, TMS, TCK, and optionally TRST pins.
16. C — The Purdue Model places a Demilitarized Zone (DMZ) between the IT network (Levels 4-5) and the OT network (Levels 0-3). This DMZ provides a controlled boundary for data exchange between enterprise IT and industrial operations, typically hosting historians, jump servers, and data diodes.
17. C — Enabling hardware read protection fuses (such as STM32 RDP Level 2) prevents firmware extraction through debug interfaces, and secure boot with cryptographic verification prevents modified firmware from running. Obfuscation and custom compression are trivially bypassable.
18. C — Unencrypted transmission of patient vital signs (Protected Health Information) over BLE is a High or Critical risk finding. HIPAA requires encryption of PHI in transit, and BLE signals can be captured from up to 100 meters away. While BLE's range is limited compared to WiFi, it is sufficient for attack in clinical settings (hospital hallways, parking lots, adjacent rooms).
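To make the entropy test behind answer 13 concrete, here is an added example (not code from the chapter) that computes per-block Shannon entropy on binwalk's 0.0-1.0 scale and merges high-entropy blocks into candidate encrypted or compressed regions; the sample image, the 1 KiB block size and the 0.9 threshold are constructed assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def entropy_profile(image: bytes, block_size: int = 1024):
    """Per-block entropy normalised to binwalk's 0.0-1.0 scale (bits / 8)."""
    return [(off, shannon_entropy(image[off:off + block_size]) / 8.0)
            for off in range(0, len(image), block_size)]

def high_entropy_regions(image: bytes, block_size: int = 1024,
                         threshold: float = 0.9):
    """Merge consecutive blocks at or above the threshold into (start, end)
    byte ranges: the candidates for encrypted or compressed sections."""
    regions = []
    for off, h in entropy_profile(image, block_size):
        if h < threshold:
            continue
        end = min(off + block_size, len(image))
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)   # extend the current region
        else:
            regions.append((off, end))            # start a new region
    return regions

# Constructed sample image (not a real firmware): 4 KiB of zero padding,
# 4 KiB of ASCII text, then 4 KiB of pseudo-random bytes standing in for an
# encrypted or compressed section.
_rng = random.Random(1)
SAMPLE_IMAGE = (
    b"\x00" * 4096
    + (b"constructed firmware banner v1.2.3 for a test device\n" * 100)[:4096]
    + bytes(_rng.getrandbits(8) for _ in range(4096))
)

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE_IMAGE):
        print(f"high-entropy region: 0x{start:06x}-0x{end:06x}")
```

Real images need the threshold tuned and the results cross-checked against signatures, since a compressed SquashFS section and an encrypted blob look the same to this test.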
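Answer 9's point about the # wildcard can be checked against a broker's topic inventory with this added example (not the chapter's code), which implements MQTT 3.1.1 topic-filter matching, including the rule that filters beginning with a wildcard never match $SYS topics; the topic list is constructed.

```python
def mqtt_topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic name matches a subscription filter.
    Rules (MQTT 3.1.1): '+' matches exactly one level, '#' matches the
    remainder of the topic (and must be the last level), and a filter that
    begins with a wildcard never matches topics starting with '$' ($SYS)."""
    levels = topic_filter.split("/")
    if "#" in levels[:-1] or any("#" in l and l != "#" for l in levels):
        raise ValueError("'#' must be the whole last level of the filter")
    if topic.startswith("$") and levels[0] in ("+", "#"):
        return False
    parts = topic.split("/")
    for i, level in enumerate(levels):
        if level == "#":
            return True           # matches this level and everything below
        if i >= len(parts) or (level != "+" and level != parts[i]):
            return False
    return len(levels) == len(parts)

def exposed_topics(topic_filter: str, topics):
    """Topics from a broker inventory that a given subscription would deliver."""
    return [t for t in topics if mqtt_topic_matches(topic_filter, t)]

# Constructed inventory of topics as seen on a test broker (not real data).
BROKER_TOPICS = [
    "site1/ward3/monitor7/vitals",
    "site1/ward3/monitor7/alarms",
    "site1/ward4/monitor2/vitals",
    "site1/admin/config",
    "$SYS/broker/uptime",
]

if __name__ == "__main__":
    for f in ("#", "site1/+/+/vitals", "site1/ward3/#"):
        print(f"{f!r} delivers {len(exposed_topics(f, BROKER_TOPICS))} topics")
```

Broker ACLs should grant scoped filters like site1/ward3/# per client rather than #, and an anonymous client that can subscribe to # is the finding the answer describes.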