2

Question 1

Bluetooth classic
Frequency:
Modulation:
Channel #:
H/S:
Data Rate:
Range:
Payload:

Answer 1

2.4Ghz
FHSS
79 Channels
1600
3 mbps
10-100 m
none

Question 2

What is the difference between Bluetooth smart and Bluetooth ready?

Answer 2

Smart - Can only connect to devices with Bluetooth low energy mode
Smart Ready- can connect too both new and old bluetooth

Question 3

Bluetooth low energy
Frequency:
modulation:
Channels? How many are data transfers and BD_ADDR advertisments?
H/S:

Answer 3

2.4 Ghz
FHSS
40, 37 tx, 3 adver
100 h/s

Question 4

BLE ver4.0-4.2
Data rate:
Range:
Payload:

Answer 4

1 mbps
10m
2-39 bytes

Question 5

BLE ver 5.0-5.2
Data Rate:
Range:
Payload:

Answer 5

2 Mbps - 20 m or 40m -1 mbps
2 - 257 bytes

Question 6

What does Bluetooth Low energy do for security?

Answer 6

Will send out a randomized BD_Addr in order to prevent location tracking

Question 7

Why is exploiting BT difficult?

Answer 7

Use of FHSS; based on a secret value
standard equipment doesn’t support

Question 8

What is it called that determines the hopping pattern of BT classic?

How long before it resets?

What are the two components its made of?

Answer 8

Pseudorandom hopping pattern

23 hours

Master Mac
Clock value

Question 9

What is the relationship within a piconet?
How many devices in total/different types?

Answer 9

Master-Slave
1 master, 7 slaves, 8 in total

Question 10

What are the two devices discovery modes? And what are there characteristics?

Answer 10

Discoverable:
Responds to Inquiry scans with inquiry response

Non-Discoverable
cannot make new connections, dosen’t respond to inquiry scans. Can still react w/ devices they have previously interacted with

Question 11

What is a BD_ADDR?

Answer 11

48-bit mac address of a bluetooth device

Question 12

What parts make up the BD_ADDR?
SB:CD:DE:12:34:56

Answer 12

SB:CD - NAP Non-significant address part
First sixteen bits of BD_ADDR

DE - UAP Upper-address part
Last 8 bits of the oui

12:34:56 - Lower-address part
last 24 bits of the MAC address

Question 13

When is a BD_ADDR sent over the air?

Answer 13

Only when a device is in discoverable mode and never in the layer 2 header

Question 14

What are the characteristics of the Host in a Bluetooth Protocol stack?

Answer 14

-Computer
-soft-ware based
-upper-layer protocols
- Profiles are stored here
- easily accessible to developers

Question 15

What are the characteristics of the Host Controller Interface (HCI) in a Bluetooth Protocol stack?

Answer 15

• Communication link b/w the host layer and the controller layer, *Last layer easily accessible by developers

Question 16

What are the characteristics of the Controller (dongle) in a Bluetooth Protocol stack?

Answer 16

-hardware-based
-comes from a manufacturer
- encryption and authentication
- not accessible to developers

Question 17

What is a Bluetooth Profile?

Answer 17

Define additional functionality w/ a BT device, In order for a BT device to use certain functionality they must be operating the same profile

Question 18

What are the two types of authentications within BT?

Answer 18

Traditional pairing
Secure Simple Pairing

Question 19

What is the Link Key made of in a traditional pairing?

What can be found during the initial pairing of a device

What is traditional pairing vulnerable too?

Answer 19

BD_ADDR
PIN
Random #s

Random #s

pin attacks

Question 20

What is the Link Key made of in a secure simple pairing

Is it vulnerable to pin attacks? Why or why not?

Answer 20

ECC w/the Diffie Helman key exchange

No, because it isn’t used in the creation of the key. Preventing man-in-the-middle attacks

Question 21

Bluetooth Power classes
What is the power/range of class 1?

Answer 21

100 mw 100m

Question 22

Bluetooth Power classes
What is the power/range of class 1.5?

Answer 22

10 mw 20m

Question 23

Bluetooth Power classes
What is the power/range of class 2?

Answer 23

2.5mw 10m

Question 24

Bluetooth Power classes
What is the power/range of class 3?

Answer 24

1mw 1m

Question 25

When trying to find the BD_ADDR what are the methods to do so?

Answer 25

1. Active Discovery - Scanning inquiry response
2. Passive Discovery - looking for label that has BD_ADDR
3. Hybrid Discovery - off by one method, looking at last byte of a wifi mac address and adding or subtracting one the last value too guess the BD_ADDR
4. Traffic Analysis- reconstructing the BDR_ADDR from a BT frame, taking the LAP from the Sync word which comes from the Access code and the UAP from the frame size fo the payload

Question 26

When trying to exploit BT Classic pin attacks what’s the order?

Answer 26

Scan and recon for BD_ADDR using AD, PD, HD, TA > Get BD_ADDR from Inquiry Response > Brute Force PIN > get the link key

Question 27

What is the repairing exploit in BT?

Answer 27

Disconnect Bluetooth devices to force them into another session and get another opportunity for an inquiry response

Question 28

What is the vulnerability of Bluetooth low energy ver 4.0-4.2?

Answer 28

A weak temporary key

Question 29

What is the Device Identity Manipulation?

Answer 29

-Happens before A connection
- Changing class information too bypass any connection restrictions

Question 30

What exploit is abusing profiles

Answer 30

Happens after a connection
- takes advantage of a preloaded profile for uses it was not designed for

Question 31

RFID
Communication:
Frequencies(3):
Componenets(3):

Answer 31

Simplex “one way”
Low, High, Ultra High
Reader/Interrogator
Antennae
Tag

Question 32

Within RFID what is the difference between an active and passive tag?
Active:
Power source?
Transmit capable?
range?
Devcies?

Passive
Power source?
Transmit capable?
range?
Devcies?

Answer 32

Active:
Power source
transmits 300 ft
Transponder: transmits when interrogated
Beacon: Transmits periodically

Passive:
No power Source
Can’t transmit
can be read 30 ft

Question 33

What are the security concerns of RFID?

Answer 33

Skimming, tag data manipulation, jamming

Question 34

NFC
Communication:
Freq:
Data Rate:
Range:
Components

Answer 34

Simplex, Half-duplex, and full duplex
13.56 MHz
424 kbps
4cm-10cm
initiator, target

Question 35

What NFC mode of operation emulates a physical card?

Answer 35

Card emulation

Question 36

What NFC mode of operation allows interaction w/an information source

Answer 36

Discovery

Question 37

What NFC mode of operation has two NFC enabled devices to communicate directly to each other.

Answer 37

Perr-to-Peer communication

Question 38

NFC Security?

Answer 38

Skimming
Tag manipulation
jamming

Question 39

ZigBee
Layer 1 and Layers 2:
Layer 3 and Layer 4:
Frequency:
Data rate:
Range:
Toplogies:
max # of hops:
max # of nodes:

Answer 39

IEEE 802.15.4
ZigBee
2.5GHz
250kbps
10-20m between nodes
star, tree, or mesh
unlimited
65,535

Question 40

ZigBee device types:
__________ Trust center, can only be 1 in the network, All keys are unique and stored here

Answer 40

ZigBee Coordinator (Zc)

Question 41

ZigBee device types:
____________ - forwards traffic

Answer 41

Zigee Router (ZR)

Question 42

ZigBee device types:
_____________ - can only communicate w/ a zigbee coordinator for a ZigBee Router. No perr-to-peer communication

Answer 42

ZigBee End Device (ZED)

Question 43

What are 2 security models of Zigbee?

Answer 43

Centralized - unique keys, (Zc)
Distributed - identical keys (no Zc)

Question 44

What are the two security modes of ZigBee?

Answer 44

High Security- Enterprise
Standard - Residential

Question 45

Zwave
Layer 1 and Layer 2:
Layer 3 and 4:
Frequency:
data rate:
Range:
Topologies:
max # of hops:
max # of nodes:

Answer 45

ITU-T Rec. G.9959
Zwave
Sub-1 GHz
100 kbps
100m b/w nodes
mesh only
4
232

Question 46

What is Zwave security charecxteristics?

Answer 46

Zsnare downgrade S2 > S0
-optional encryption is Zwaves biggest threat