WIRELESS DAY 2

Question 1

Bluetooth devices advertise their BD_ADDR and device name when operating in what mode of operation?

Answer 1

Discoverable Mode

Question 2

What allows Classic Bluetooth devices to alter their hopping sequences to avoid channels with interference?

Answer 2

Adaptive Frequency Hopping (AFH)

Question 3

What is the max transmit power and typical range for Power Class 1 interfaces?

Answer 3

100 mW and 100 meters

Question 4

The Bluetooth discovery method of Traffic Analysis attempts to read the 24-bit Lower Address Part (LAP) out of the _____ _____ and reverse engineer the 8-bit Upper Address Part (UAP) from the ________.

Answer 4

Sync Word and Checksum

Question 5

What is the max transmit power and typical range for Power Class 1.5 interfaces?

Answer 5

10 mW and 20 meters

Question 6

What is the hopping rate for Classic Bluetooth operations?

Answer 6

1600 hops per second

Question 7

What Bluetooth discovery method attempts to guess the BD_ADDR as being “off-by-one” from the Wi-Fi MAC address of the same device?

Answer 7

Hybrid Discovery

Question 8

Which portion of the Classic Bluetooth protocol stack is software-based, user-accessible, and is where profiles can be found?

Answer 8

Host Layer

Question 9

What is the max transmit power and typical range for Power Class 2 interfaces?

Answer 9

2.5 mW and 10 meters

Question 10

What is the maximum data rate for Bluetooth Classic?

Answer 10

3 Mbps

Question 11

What defines security mechanisms and various applications for various Bluetooth uses?

Answer 11

Bluetooth Profiles

Question 12

What Bluetooth protocol can be used to enumerate what services are available on a potential target device?

Answer 12

Service Discovery Protocol (SDP)

Question 13

What are the three parts of the BD_ADDR?

Answer 13

Non-significant Address Part (NAP), Upper Address Part (UAP), Lower Address Part (LAP)

Question 14

Which portion of the Classic Bluetooth protocol stack is hardware-based, not user-accessible, and where encryption is implemented?

Answer 14

Controller Layer

Question 15

On a Classic Bluetooth protocol stack, what is the interface called between the user-accessible protocols implemented on the Bluetooth host and the typically inaccessible protocols implemented on the Bluetooth controller?

Answer 15

Host Controller Interface (HCI)

Question 16

Classic Bluetooth uses FHSS modulation to hop across how many frequencies?

Answer 16

79

Question 17

In what frequency range does Classic Bluetooth operate?

Answer 17

2.4 GHz ISM Band

Question 18

What is the max transmit power and typical range for Power Class 3 interfaces?

Answer 18

1 mW and 1 meter

Question 19

In what frequency band does BLE operate?

Answer 19

2.4 GHz ISM Band

Question 20

What optional privacy feature is available for BLE devices?

Answer 20

Randomly generated BD_ADDR for each connection

Question 21

On how many channels/frequencies does BLE networks hop?

Answer 21

40 total: 37 data channels and 3 advertising channels.

Question 22

What marketing term describes devices capable of operating in both Classic Bluetooth and BLE?

Answer 22

Bluetooth Smart Ready

Question 23

For Bluetooth Low Energy 4.0

Max Data Rate: ____

Typical Max Range: ____

Max Payload Size: ___

Answer 23

1 Mbps

10 meters

39 bytes

Question 24

For Bluetooth Low Energy 5.0

Max Data Rate: ____

Typical Max Range: ____

Max Payload Size: ___

Answer 24

2 Mbps

40 meters

257 bytes

Question 25

What marketing term describes devices capable of operating in BLE only?

Answer 25

Bluetooth Smart

Question 26

How many devices can participate in a piconet?

Answer 26

Maximum of 8 total devices. 1 Master device and up to 7 Slave devices.

Question 27

What architecture does a Bluetooth piconet use?

Answer 27

Master-Slave structure formed in an ad hoc fashion

Question 28

What is the key value used to generate the pseudorandom hopping sequence?

Answer 28

MAC Address of the Master device

Question 29

What 3 components are required to create a Classic Bluetooth Security (Link) Key?

Which part(s) is/are sent during the pairing process?

Answer 29

BD_ADDR, PIN value, and some Random Numbers

Only the Random numbers are sent during the pairing process.

• The PIN is never transmitted
• The BD_ADDR is only transmitted when in Discoverable mode

Question 30

What is the term used to describe changing a Bluetooth interface’s name, service class, and/or BD_ADDR in order to bypass connection restrictions?

Answer 30

Device Identity Manipulation

Question 31

What makes intercepting Bluetooth traffic difficult?

Answer 31

1. Use of FHSS modulation
   - Unique and long hopping pattern
   - Pattern may have been altered due to AFH
2. Standard Bluetooth interfaces do not support “monitor-mode” passive sniffing

Question 32

What is the term used to describe taking advantages of vulnerabilities of Bluetooth Profiles after establishing a connection to a target device?

Answer 32

Abusing Profiles

Question 33

What attack attempts to invalidate legitimate Security Keys to create an opportunity for an attacker to capture a new “initial” pairing?

Answer 33

Repairing attack

Question 34

What are the 3 types of ZigBee devices?

Answer 34

ZigBee Coordinator (ZC)

ZigBee Router (ZR)

ZigBee End Device (ZED)

Question 35

What network topologies are supported in ZigBee networks?

Answer 35

Tree, Star, or Mesh

Question 36

What open standard is used by ZigBee devices at Layers 1 & 2?

Answer 36

IEEE 802.15.4

Question 37

What is the most common frequency range for ZigBee networks?

Answer 37

2.4 GHz ISM band

Question 38

What is the typical max range of transmission for ZigBee devices?

Answer 38

10 to 20 meters

Question 39

What is the max data rate for ZigBee communications?

Answer 39

250 Kbps

Question 40

What is the maximum number of devices in a ZigBee network?

Answer 40

65,535

Question 41

What are the two ZigBee security modes?

Which is more secure?

Answer 41

High Security and Standard

High Security is more secure

Question 42

What are the two security models?

Which is more secure?

Answer 42

Centralized and Distributed

Centralized is more secure

Question 43

What frequency range does Z-Wave networks operate?

Answer 43

Sub-1 GHz (865 - 926 MHz)

Question 44

What is the max data rate for Z-Wave transmissions?

Answer 44

100 Kbps

Question 45

What network topologies are supported by Z-Wave networks?

Answer 45

Mesh

Question 46

What open standard do Z-Wave devices use at Layers 1 & 2?

Answer 46

ITU-T Recommendation G.9959

Question 47

What is the maximum number of devices on Z-Wave networks?

Answer 47

232

Question 48

What is the biggest security threat to Z-Wave operations?

Answer 48

Lack of use of the optional encryption

Question 49

What are the different types of RFID tags?

Answer 49

Active - has own power source

Passive - powered through inductive coupling of the magnetic field from the reader

Question 50

What are the three major components of an RFID system?

Answer 50

1. Reader/Interrogator
2. Antenna
3. Tag

Question 51

In how many frequency ranges can RFID operate?

Answer 51

3 different frequency ranges (LF, HF, and UHF)

Question 52

What is the biggest security concern with RFID?

Answer 52

“Skimming” and duplication of RFID tags

Question 53

What are the two types of Active Tags?

Answer 53

1. Transponder - transmits when interrogated

2. Beacon - transmits on a periodic basis

Question 54

What is the max range of operation for RFID systems?

Answer 54

approximately 300 feet

Question 55

What is the frequency of operation for NFC devices?

Answer 55

13.56 MHz

Question 56

What is the typical range of transmission for NFC?

Answer 56

less than 4 centimeters

Question 57

What are the components of an NFC system?

Answer 57

1. Initiator

2. Target

Question 58

What is the max data rate of transmission for NFC?

Answer 58

424 Kbps

Question 59

What are the 3 NFC modes of operation?

Answer 59

1. Card Emulation
2. Discovery (read & write)
3. Peer-to-peer communications

Question 60

What are the communication modes supported by NFC?

Answer 60

Simplex (one-way)

Half-Duples (two-way)

Full-Duplex (two-way)

Question 61

What is the term used to describe using malicious code embedded in QR codes to execute malware on a victim device?

Answer 61

Attack Tagging or “attaggin”

Question 62

A typical QR code can store how many alphanumeric characters?

Answer 62

appx. 4000 (4296)

Question 63

A typical QR code can store how many numeric characters?

Answer 63

appx. 7000 (7,089)