IOT U4


Here are some important 2-mark questions and answers from Unit 4 of the Internet
of Things course as per the syllabus:

Q1) What are the security goals of IoT?


A1) The main security goals of IoT are confidentiality, integrity, authentication,
authorization and non-repudiation.

Q2) What is a digital signature in IoT security?


A2) A digital signature is an electronic signature used to validate the authenticity
and integrity of IoT data.

Q3) How is authentication implemented in IoT networks?


A3) Authentication in IoT is done through symmetric key cryptography,
certificates, passwords and multi-factor mechanisms.

Q4) What is a software bill of materials?


A4) A software bill of materials is a list of components, libraries and modules
used in IoT software to track vulnerabilities.

Q5) What is the COSE protocol used for in IoT security?


A5) COSE (CBOR Object Signing and Encryption) provides end-to-end security
between IoT devices through object signing and encryption.

Q6) What is the role of blockchain in IoT security?


A6) Blockchain provides decentralized security mechanisms for device identity
management, authentication and preventing data tampering.

Q7) What is the role of gateways in IoT security?


A7) Gateways provide firewall capabilities, VPN tunnels, intrusion detection,
access control and protect IoT devices.

Q8) How can firmware security be ensured in IoT devices?

A8) By digitally signing firmware updates, secure boot mechanisms and
implementing access controls for firmware modifications.

Here are some explained answers for important 2-mark questions from Unit 2 of
the Internet of Things course as per the syllabus:

Q1) What are the different M2M protocols used in IoT?

A1) Some common M2M (machine to machine) protocols used in IoT are:
- MQTT (Message Queuing Telemetry Transport) - lightweight publish-subscribe
based protocol that works on top of TCP/IP. Used for connections with remote
locations and unstable networks.
- CoAP (Constrained Application Protocol) - specialized web transfer protocol
designed for low power and resource constrained devices. Uses UDP instead of
TCP.
- AMQP (Advanced Message Queuing Protocol) - provides reliable and secure
message queuing and delivery features using virtual channels.
- DDS (Data Distribution Service) - allows real-time communication by
publishing data to topics. Enables scalable and high performance data exchanges.
- XMPP (Extensible Messaging and Presence Protocol) - enables real-time
exchange of small structured data between devices. Uses XML format for
messaging.

Q2) What are the issues with IoT standardization?

A2) Some key issues faced in IoT standardization are:

- Too many competing and overlapping standards bodies and protocols.
- Lack of compatibility and interoperability between different standards and their
implementations.
- Complexity in integrating multiple protocols into a unified system.
- Concerns regarding end-to-end security, privacy and legal compliance.
- Testing and certification challenges to ensure standards compliance.
- Evolution of protocols requires constant updating of standards and devices.

Q3) What is Zigbee and its role in IoT?

A3) Zigbee is a specification for low power wireless networks based on the IEEE
802.15.4 standard. It provides network, security and application layer standards
on top of 802.15.4 to enable interoperable data transmission between remote
devices. In IoT, it is used to connect low-powered sensors, actuators and control
systems requiring two-way communication at relatively low data rates.

Here are some explained answers for important 2-mark questions from Unit 4 of
the Internet of Things course as per the syllabus:

Q1) What are the security goals of IoT?

A1) The main security goals that need to be addressed in IoT systems are:
- Confidentiality - Protecting sensitive data from unauthorized access through
encryption.
- Integrity - Ensuring data is not altered in transit by verifying integrity checks.
- Authentication - Validating the identity of devices and users before allowing
access to networks and data.
- Authorization - Enforcing access control policies and providing appropriate
permissions to devices and users.
- Non-repudiation - Ensuring actions or transactions cannot be denied later by
implementing logging, auditing and digital signatures.

Q2) What is a digital signature in IoT security?

A2) A digital signature is a mathematical technique used to validate the
authenticity and integrity of messages or documents in the IoT system. It uses
public key cryptography to generate a unique encrypted value based on the
message and the sender's private key. This signature is attached to the message.
The receiver can verify it using the sender's public key. It provides proof of
origin and that the data is unchanged.

Q3) How is authentication implemented in IoT networks?

A3) Authentication in IoT networks is implemented through:

- Symmetric key cryptography based mechanisms such as AES, SHA2 for
deriving shared secret keys.
- Digital certificates using public key infrastructure for validating device
identities.
- Password based authentication using secure protocols like OAuth, SAML.
- Multi-factor authentication using a combination of passwords, tokens,
biometrics for users.
- Mutual authentication to validate both devices and servers.

Here are some more explained answers for important 2-mark questions from Unit 4
of the Internet of Things course:

Q4) What is a software bill of materials in IoT security?

A4) A software bill of materials (SBOM) is an inventory of all software
components, modules, libraries and their versions used in the IoT devices and
platforms. It helps in managing security vulnerabilities and risks by providing
details about third-party and open source components so that any known issues
can be addressed through patches and updates.

Q5) What is the role of blockchain in IoT security?

A5) Blockchain provides decentralized security mechanisms for IoT networks:

- Public key infrastructure for device identity and authentication using blockchain
addresses.
- Ensuring integrity of IoT data through cryptographic hash based linkage
between blocks.
- Access control and authorization through smart contracts.
- Enabling trusted data sharing between IoT systems through distributed ledger.
- Protection against denial of service by eliminating single point of failure.
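
The hash-based linkage in the second point above, as an added example in Go that is not part of the original notes: a minimal hash-chained ledger of meter readings (the readings, the record format and the "genesis" value are constructed for the example). It shows why altering an old reading is detectable: re-hashing the altered block is not enough, because the following block still carries the old hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Block is a constructed, minimal ledger record: one IoT reading plus the
// hash of the previous block. Real blockchains add consensus, timestamps
// and signatures; this example isolates the hash linkage that protects
// the integrity of earlier readings.
type Block struct {
	Index    int
	Reading  string // e.g. "meter-17:kwh=42.5"
	PrevHash string
	Hash     string
}

// hashBlock covers the index, the reading and the link to the predecessor.
func hashBlock(index int, reading, prevHash string) string {
	sum := sha256.Sum256([]byte(strconv.Itoa(index) + "|" + reading + "|" + prevHash))
	return hex.EncodeToString(sum[:])
}

// Append creates a new block linked to the last one (or to the genesis value).
func Append(chain []Block, reading string) []Block {
	prev := "genesis"
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	idx := len(chain)
	return append(chain, Block{Index: idx, Reading: reading, PrevHash: prev,
		Hash: hashBlock(idx, reading, prev)})
}

// Verify walks the chain and returns the index of the first block whose stored
// hash no longer matches its contents or whose PrevHash no longer matches its
// predecessor. It returns -1 when the chain is intact.
func Verify(chain []Block) int {
	prev := "genesis"
	for i, b := range chain {
		if b.Index != i || b.PrevHash != prev || b.Hash != hashBlock(i, b.Reading, b.PrevHash) {
			return i
		}
		prev = b.Hash
	}
	return -1
}

func main() {
	var chain []Block
	for _, r := range []string{"meter-17:kwh=42.5", "meter-17:kwh=43.1", "meter-17:kwh=43.9"} {
		chain = Append(chain, r) // constructed readings
	}
	fmt.Println("intact chain, first bad block:", Verify(chain))
	chain[1].Reading = "meter-17:kwh=10.0" // tamper with an old reading
	fmt.Println("after tampering, first bad block:", Verify(chain))
	// Re-hashing only block 1 is not enough: block 2 still points at the old hash,
	// so every later block would have to be rewritten as well.
	chain[1].Hash = hashBlock(1, chain[1].Reading, chain[1].PrevHash)
	fmt.Println("after re-hashing block 1, first bad block:", Verify(chain))
}
```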

Q6) What is the role of gateways in IoT security?

A6) IoT gateways provide various security capabilities:

- Firewall, deep packet inspection to filter malicious traffic.
- VPN tunnels to provide secure connections between devices and cloud.
- Intrusion detection and prevention systems to identify and block attacks.
- Access control mechanisms to enforce authentication and authorization.
- Protecting constrained IoT devices which cannot implement full security stacks.

Q7) How can firmware security be ensured in IoT devices?

A7) Secure firmware update and integrity verification mechanisms are required
in IoT devices through:
- Digitally signed firmware images to prevent tampering.
- Secure boot mechanisms to validate firmware integrity at load time.
- Access controls around firmware modification capabilities.
- Testing firmware thoroughly for vulnerabilities before release.
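
The signing and verification flow from A2, applied to the signed firmware images and secure boot check of A7, as an added example in Go that is not part of the original notes. The image format, the payload and the version (rollback) check are assumptions for the example: the vendor's build system signs with the private key, and the boot loader, holding only the public key, rejects any image that was modified, signed by someone else, or is not newer than what is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, minimal image format for this example: a
// version number, the firmware payload and a detached Ed25519 signature over
// SHA-256(version || payload).
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// digest binds the version to the payload, so a genuine old image cannot be
// re-labelled with a newer version number without invalidating the signature.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware runs on the vendor's build system, the only holder of the private key.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, digest(version, payload))}
}

// VerifyFirmware is the boot loader's check before an image is loaded: it needs
// only the vendor's public key and the version currently installed (assumed here).
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage, installed uint32) error {
	if !ed25519.Verify(pub, digest(img.Version, img.Payload), img.Signature) {
		return errors.New("signature invalid: image is not from the vendor or was modified")
	}
	if img.Version <= installed {
		return errors.New("rollback rejected: image is not newer than the installed firmware")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := SignFirmware(priv, 2, []byte("constructed firmware payload v2"))
	fmt.Println("genuine image:   ", VerifyFirmware(pub, img, 1))
	tampered := img
	tampered.Payload = append([]byte(nil), img.Payload...)
	tampered.Payload[0] ^= 0x01 // flip one bit of the payload
	fmt.Println("tampered image:  ", VerifyFirmware(pub, tampered, 1))
	fmt.Println("rollback attempt:", VerifyFirmware(pub, img, 2))
}
```
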

Here are some more explained 2-mark answers for Unit 4:

Q8) What are the privacy risks in IoT?

A8) Some key privacy risks in IoT include:

- User location and personal data tracking through sensors and devices.
- Analytics on collected user data can reveal sensitive information.
- Lack of consent from users on data being collected about them.
- No data anonymization or aggregation to protect personal information.
- No controls around access to user data stored on cloud servers.
- Unauthorized access or leakage of personal data from insecure devices.

Q9) How can data protection be implemented in an IoT system?

A9) Data protection in IoT can be implemented through:

- Encryption of data in transit and at rest.
- Access control and minimal dissemination of collected user data.
- Aggregation and anonymization techniques to remove personally identifiable
information.
- Compliance with privacy regulations around personal data use.
- Allowing user consent and choices around data collection.
- Secure storage like blockchain to prevent unauthorized access.

Q10) What is a honeypot in IoT security?

A10) A honeypot is a deception technique used in IoT network security to distract
and detect attackers. It acts like a fake system that mimics real devices and
applications. Since it does not have any production value, any connections made
to it are likely malicious probes, which can be analyzed to identify threats and
gather intelligence about attackers and their methods.

Here are some more 2-mark explanatory answers for Unit 4:

Q11) What is a botnet attack in IoT?

A11) A botnet attack involves taking control of multiple vulnerable IoT devices
using malware and commanding them to perform cyber attacks in a coordinated
fashion across the network. Common botnet attacks include distributed denial of
service, spamming, click fraud, mining cryptocurrency and infecting other
devices to expand the botnet.

Q12) How can device tampering attacks be prevented in IoT?

A12) Device tampering attacks can be prevented through:

- Tamper resistant hardware packaging for IoT devices.
- Secure boot mechanisms to ensure only authorized firmware can be loaded.
- Attestation mechanisms to validate device integrity.
- Trusted execution environments like TPM for secure storage and execution of
code.
- Periodic validation of devices through remote attestation.

Q13) What is social engineering in the context of IoT security?

A13) Social engineering refers to manipulation techniques used to trick users or
personnel into revealing sensitive information or taking actions to bypass IoT
system security through:

- Phishing emails
- Vishing - Phone calls
- Impersonation on social media

This allows attackers to gain unauthorized access and compromise security. User
education is important to prevent social engineering.

Q14) How can secure software development be ensured for IoT systems?

A14) Practices for secure IoT software development include:

- Threat modeling to identify risks early during design.
- Static and dynamic analysis of code for vulnerabilities.
- Monitoring open source components for CVEs.
- Security testing of applications like fuzzing, pen testing.
- Secure coding standards and reviewer checklists.
- Hardening to remove unnecessary features, ports, services etc.

Here are some more explained 2-mark answers for Unit 4:

Q15) What is a man-in-the-middle attack in IoT networks?

A15) A man-in-the-middle attack involves an attacker secretly relaying
communication between two IoT devices or systems in order to eavesdrop or
manipulate the data exchanged between them. The attacker effectively makes
independent connections with victims on either side and relays messages to make
them believe they are talking directly. This allows interception of sensitive data
and injection of malicious commands.

Q16) What is backscatter in the context of IoT security?

A16) In IoT networks, backscatter refers to techniques where attackers reflect and
manipulate existing wireless signals from RFID, NFC or other radio wave sources
to steal data from devices or gain network access. This allows compromise of air-
gapped systems also. Faraday shielding of devices can prevent such backscatter
attacks.

Q17) How can IoT mobile app security be ensured?

A17) Security best practices for IoT mobile apps include:

- Secure authentication and authorization of users.
- Encrypted storage and transmission of data.
- Input data validation and sanitization.
- Protection against reverse engineering through code obfuscation.
- Security testing of apps like fuzzing, SAST, DAST.
- Timely patching of vulnerabilities in third party libraries/SDKs.

Q18) What are the benefits of using a DMZ network in IoT?

A18) A DMZ network provides additional security in IoT by isolating critical
network infrastructure into a separate perimeter from the open internet. Key
benefits are:

- Shielding internal servers from direct attack.
- Monitoring traffic for malware before entering the local network.
- Preventing backdoor network access in case of breaches.
- Funneling connections through security devices like firewalls.

Here are some more 2-mark explanatory answers for Unit 4:

Q19) How can secure configuration be implemented for IoT devices?

A19) Secure configuration of IoT devices can be done through:

- Hardening to disable unnecessary ports, services, accounts.
- Keeping firmware updated with latest patches.
- Using secure configuration templates and baselines.
- Configuring authentication, authorization and encryption settings correctly.
- Centralized policy management of device configurations.
- Tools for secure configuration monitoring and auditing.

Q20) What are the ways to implement IoT data security in the cloud?

A20) IoT data security in the cloud can be achieved through:

- Encryption of data at rest and in transit.
- Access controls on cloud data storage like RBAC.
- Data anonymization and aggregation techniques.
- Cloud security measures like firewalls, IDS/IPS.
- Regular audits and logging of access to data.
- Backup and disaster recovery mechanisms.
- Compliance with regulations around data security and privacy.

Q21) What is a honeypot and how is it used in IoT security?

A21) A honeypot is a system designed to act like a fake IoT device or network to
attract attackers. Since it does not have any real usage, any access attempts are
likely unauthorized probes which can be monitored to learn about threats.
Honeypots allow observation of attacker behavior for security intelligence.

Q22) What is the role of penetration testing in IoT security?

A22) Penetration testing involves authorized mock attacks on an IoT system to
identify vulnerabilities that real attackers could exploit. It is used to improve
security by fixing gaps before deployment and enhance incident response.

Here are some more 2-mark explanatory answers for Unit 4 of IoT:

Q23) What is a passive RFID tag and its security risks?

A23) A passive RFID tag does not have its own power source and reflects back
the radio waves from the RFID reader to transmit data. Security risks include:

- Tracking of tags via their unique ID by unauthorized readers.
- Cloning or modification of tag data since they have no built-in security.
- Replay and relay attacks to impersonate genuine tags.

Q24) How can brute force attacks be prevented against IoT devices?

A24) Brute force attacks can be prevented by:

- Lockout mechanisms after threshold failed attempts.
- Multi-factor authentication instead of just passwords.
- Blocking common default passwords through configuration hardening.
- Encrypting password files using strong cryptography.
- Rate limiting authentication attempts.
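
The lockout and rate-limiting points above combined into one guard placed in front of credential checking, as an added example in Go that is not part of the original notes. The thresholds, the account name and the plain-text comparison (standing in for a stored-hash check) are constructed for the example; the guard refuses to test a password at all while an account is locked or attempts arrive too quickly.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

var (
	ErrRateLimited = errors.New("too many attempts: retry later")
	ErrLockedOut   = errors.New("account locked after repeated failures")
	ErrBadPassword = errors.New("invalid credentials")
)

type attemptState struct {
	failures    int
	lastAttempt time.Time
	lockedUntil time.Time
}

// LoginGuard enforces a minimum spacing between attempts (rate limiting) and a
// per-account lockout after MaxFailures consecutive failures (constructed thresholds).
type LoginGuard struct {
	MaxFailures int
	Lockout     time.Duration
	MinInterval time.Duration
	state       map[string]*attemptState
	now         func() time.Time // injectable clock, so the logic can be tested
}

func NewLoginGuard(maxFailures int, lockout, minInterval time.Duration) *LoginGuard {
	return &LoginGuard{MaxFailures: maxFailures, Lockout: lockout, MinInterval: minInterval,
		state: map[string]*attemptState{}, now: time.Now}
}

// Attempt applies the guard for account, then checks password against expected.
func (g *LoginGuard) Attempt(account, password, expected string) error {
	st, ok := g.state[account]
	if !ok {
		st = &attemptState{}
		g.state[account] = st
	}
	now := g.now()
	if now.Before(st.lockedUntil) {
		return ErrLockedOut // checked first, so the password is never tested
	}
	if !st.lastAttempt.IsZero() && now.Sub(st.lastAttempt) < g.MinInterval {
		return ErrRateLimited
	}
	st.lastAttempt = now
	if subtle.ConstantTimeCompare([]byte(password), []byte(expected)) != 1 { // stand-in for a stored-hash check
		st.failures++
		if st.failures >= g.MaxFailures {
			st.lockedUntil = now.Add(g.Lockout)
			st.failures = 0 // counter restarts once the lockout expires
		}
		return ErrBadPassword
	}
	st.failures = 0 // a successful login clears the failure counter
	return nil
}

func main() {
	g := NewLoginGuard(3, 15*time.Minute, 2*time.Second)
	clock := time.Now() // simulated clock: each call advances 5 s
	g.now = func() time.Time { clock = clock.Add(5 * time.Second); return clock }
	const stored = "constructed-device-password"
	for _, guess := range []string{"admin", "1234", "password", stored} {
		fmt.Printf("%-30q -> %v\n", guess, g.Attempt("admin", guess, stored))
	}
}
```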

Q25) What are the benefits of implementing security logging and monitoring for
an IoT system?

A25) Benefits include:

- Early detection of security incidents through logs.
- Forensic evidence for investigation of attacks.
- Identifying vulnerabilities and gaps in security.
- Enables compliance with regulations requiring audit trails.
- Troubleshooting system errors and performance issues.
- Correlating threats across networks, endpoints and cloud assets.

Q26) How is IoT different from traditional IT security?

A26) IoT differs from IT security due to:

- Constrained capabilities of devices vs powerful PCs and servers.
- Real time sensing and actuation creates safety risks.
- Scale and distributed nature make it hard to manage security.
- Connectivity via wireless networks and internet exposes more attack surfaces.
- Longer lifecycles mean devices operate with unpatched vulnerabilities.

Here are some more explanatory 2-mark answers for Unit 4 of Internet of Things:

Q27) What are the benefits of a layered security approach for IoT?

A27) A layered security approach provides multiple defensive measures at
different levels, giving more comprehensive protection. Benefits include:

- Defense-in-depth - Attacks have to overcome multiple barriers
- Fail-safe redundancy - One layer can still protect if another fails
- Flexibility to use different controls as per risk profile
- Protects against both external and internal threats
- Allows securing both hardware and software
- Easier to isolate and troubleshoot breaches

Q28) What are the different types of malware attacks against IoT devices?

A28) Different types of IoT malware are:

- Viruses - self-replicate by infecting other programs and devices
- Worms - self-propagate through networks by exploiting vulnerabilities
- Trojans - disguised as legitimate software to deliver payloads
- Ransomware - encrypts data to extort money as ransom
- Spyware - covertly gathers data and credentials from devices
- Botnets - take remote control of devices for attacks

Q29) What are the techniques used to secure IoT data analytics?

A29) IoT analytics security can be done via:

- Access controls on analytic systems - authentication, authorization
- Anonymization of data to remove personally identifiable information
- Encryption of stored data as well as communication
- Trusted execution environments for analytic applications
- Securing the integrity of analysis algorithms from tampering
- Hardening analytic servers by removing unnecessary services

Q30) What are the benefits of using cryptography in IoT solutions?

A30) Cryptography in IoT provides:

- Confidentiality through encryption of data
- Integrity verification using hash functions and signatures
- Authentication of device identities via certificates
- Access control through secure key distribution
- Lightweight ciphers optimized for IoT devices
- Standards like AES, ECC, and SHA provide proven security

Here are some very important 2-mark questions with simple answers for Unit 4
on IoT security:

Q1) What are the goals of security in IoT?

A1) Confidentiality, integrity, authentication, authorization, non-repudiation.

Q2) What is a social engineering attack?

A2) Manipulating users to obtain sensitive data or take unsafe actions.

Q3) What is a man-in-the-middle attack?

A3) Intercepting communication between two parties by inserting an attacker in
between.

Q4) What is a botnet?

A4) Network of compromised devices controlled remotely to launch attacks.

Q5) What is a DDoS attack?

A5) Flooding a server with traffic from multiple sources to disrupt service.

Q6) How can brute force attacks be prevented?

A6) Password complexity, failed login limits, multi-factor authentication.

Q7) What is tamper resistance in hardware security?

A7) Mechanisms to prevent or detect physical alteration of devices.

Q8) What is a honeypot in network security?

A8) Deception technique using a system to attract attackers.

Q9) What is penetration testing?

A9) Authorized simulated attacks to find weaknesses.

Q10) What is a digital signature?

A10) Cryptographic technique to ensure authenticity and integrity.
++++++++++++++++++++++++
1. Why is data aggregation needed for IoT in a smart city?

Data aggregation is needed in smart city IoT applications for the following
reasons:

- Massive volume of data generated from numerous sensors and devices across
the city. Aggregation helps reduce and make sense of this data.
- Real-time analysis and decision making requires an aggregated situational
overview rather than raw data from individual sources.
- Preserves privacy of citizens by combining data into a summarized view instead
of collecting individual user data.
- Reduces network bandwidth usage and cloud storage through consolidated
datasets.
- Enables identifying macro trends, patterns and insights not visible in separate
data streams.
- Shared aggregated data enables innovation by third-party application developers
to provide smart city services.

2. What are the contributions from FP7 projects? Why are they needed? What are
security, privacy and trust in an IoT data platform for smart cities?

- FP7 refers to the Seventh Framework Programme by the European Commission
that funded IoT research and pilot projects.
- It enabled development of technologies for open IoT platforms, standards,
security and smart city solutions like FIWARE.
- Provided EU-wide coordination of IoT efforts including privacy, data protection
and information security.
- Smart city IoT data platforms need end-to-end security, privacy protections and
trust frameworks:
  - Encryption, access controls and cyber threat protections.
  - Anonymization and aggregation before sharing data.
  - Transparency, accountability and consent of citizens regarding data usage.
  - Policies, audits and certification around security and privacy.


Trust and privacy are critical issues for the Internet of Things (IoT) which need
to be addressed.

Importance of Trust for IoT:

- IoT systems have interconnected networks of sensors, devices, infrastructure
and services. Trust is essential for them to reliably exchange and act on
information securely.

- Lack of trust can lead to IoT systems undermining their usefulness by not
sharing data, taking inconsistent actions and being vulnerable to attacks.

- Establishing trust requires identity management, provenance of data, integrity
checks and transparency in data handling.

- Blockchain, access controls and standards like Trusted IoT Alliance promote
trust between IoT systems, users and service providers.

- Trust must be maintained not just during initial deployment but throughout the
lifecycle via security updates, resilience to outages, responsible disclosure etc.

Importance of Privacy for IoT:

- IoT collects vast amounts of personal and sensitive data like locations, activities,
utilities usage etc. which expose users to privacy risks if not protected.

- Privacy breaches lead to concerns among users which limit IoT adoption. Laws
like GDPR impose fines for privacy violations.
- Techniques like anonymization, data encryption, consent requirements,
decentralized identity management and audits help safeguard privacy.

- Privacy needs to be safeguarded not just in individual IoT devices but across the
entire ecosystem including cloud platforms.

- Transparency around data collection and usage as well as providing opt-out
choices to users builds confidence in IoT privacy protections.
