A penetration tester identifies malware on a system that hides its presence and gives an attacker access to administrative functions without being detected. What type of malware is this?
Correct Answer: D
CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system, such as kernel modules, drivers, or system processes, to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than concealing operations. The defining characteristics in this scenario (cloaking activity, providing admin-level control, and persisting undetected) align directly with rootkit behavior as described in CEH training material.
312-50v13 Exam Question 222
An energy infrastructure company in Tulsa, Oklahoma, initiated a controlled phishing simulation targeting multiple operational departments. The test email claimed to originate from the corporate compliance office and instructed employees to "complete a mandatory regulatory update within the next 30 minutes to avoid account suspension." The message used a broad salutation instead of employee names and lacked the standard corporate signature footer normally appended to official communications. Additionally, security analysts observed that the embedded hyperlink displayed the organization's domain in the message body; however, when examined more closely, the actual destination resolved to a shortened external URL redirecting to an unrelated host. From a defensive analysis standpoint, which indicator provides the strongest technical validation that the message is malicious?
Correct Answer: A,B,C,D,E
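The link indicator this question describes (displayed domain differing from the real destination, which is a shortener on an external host) can be checked mechanically. The following is an added example, not part of the exam material; it assumes a constructed email body with placeholder domains and an assumed list of shortener hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body mirroring the simulation email; domains are placeholders.
SAMPLE_EMAIL = """<p>Dear Employee,</p>
<p>Complete the mandatory regulatory update within the next 30 minutes to avoid
account suspension: <a href="https://bit.ly/3xAmPLe">https://portal.example-energy.com/compliance</a></p>"""

# Assumed list of public shortener hosts; extend it from your own threat intel.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}
_DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _shown_host(text: str) -> str:
    """Hostname the reader sees in the link text, or '' if the text is not URL-like."""
    m = _DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else ""

def analyze_links(html: str, trusted_domain: str) -> list:
    """Flag links whose displayed host differs from the real destination,
    point at a known shortener, or leave the organisation's domain."""
    parser = _LinkCollector(); parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = (urlparse(href).hostname or "").lower()   # where the click really goes
        shown = _shown_host(text)                           # what the employee sees
        flags = []
        if shown and actual and shown != actual:
            flags.append("display/destination mismatch")
        if actual in KNOWN_SHORTENERS:
            flags.append("url shortener")
        if actual and actual != trusted_domain and not actual.endswith("." + trusted_domain):
            flags.append("external host")
        findings.append({"href": href, "shown": shown, "actual": actual, "flags": flags})
    return findings
```

Resolving where the shortener finally redirects requires a network request and is best done from an isolated analysis host, so the example stops at flagging the shortener itself.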
312-50v13 Exam Question 223
As a Certified Ethical Hacker evaluating a smart city project (traffic lights, public Wi-Fi, and water management), you find anomalous IoT network logs showing high-volume data exchange between a specific traffic light and an external IP address. Further investigation reveals an unexpectedly open port on that traffic light. What should be your subsequent course of action?
Correct Answer: A
CEH's approach to suspected compromise aligns with an incident-handling mindset: containment first, then analysis and remediation. In IoT and OT-adjacent environments (smart city infrastructure, SCADA-like components, embedded controllers), CEH emphasizes that suspicious external communications and unexplained open ports may indicate compromise, misconfiguration, exposed management services, or implanted malware/backdoors. Because IoT endpoints often have limited logging and are difficult to reimage safely, the safest next step is to isolate the suspected device to prevent further data exfiltration, command-and-control activity, or lateral movement to other city systems. Option A best matches CEH guidance: isolate the device and investigate its firmware, services, and configuration, including checking for unauthorized binaries, altered firmware images, insecure default services, and hardcoded credentials. This also preserves evidence and reduces the blast radius. Option C (blocking the external IP) can be helpful, but it is a partial control: attackers can rotate infrastructure, and the device could still be compromised internally. Option B (a full network pen test) is too broad and delays containment when a specific high-risk indicator is already present. Option D (attempting a reverse connection) crosses into active exploitation behavior and is not an appropriate "next step" in a defensive investigation; CEH methodology stresses authorized, controlled testing and prioritizes risk reduction over interacting with suspicious external hosts. Thus, CEH-aligned best practice is immediate isolation and firmware-level investigation.
312-50v13 Exam Question 224
While evaluating a smart card implementation, a security analyst observes that an attacker is measuring fluctuations in power consumption and timing variations during encryption operations on the chip. The attacker uses this information to infer secret keys used within the device. What type of exploitation is being carried out?
Correct Answer: B
CEH v13 explains that side-channel attacks exploit physical characteristics of cryptographic devices, such as power consumption, timing variations, electromagnetic leakage, or acoustic emissions, to infer confidential data like encryption keys. These attacks do not break the cryptographic algorithm itself but instead analyze unintended signals produced during computation. The scenario describes a classic power analysis and timing analysis attack, where the attacker monitors fluctuations during encryption operations on a smart card. CEH details how Differential Power Analysis (DPA) and Simple Power Analysis (SPA) allow attackers to extract secret keys by statistically correlating measured power traces with cryptographic operations. This type of attack is extremely dangerous because it bypasses the mathematical strength of the cipher and targets flaws in the hardware implementation. Options A, C, and D do not relate to side-channel exploitation. CEH specifically categorizes this method as observing hardware emissions to deduce secrets, making Option B the most accurate match.
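To make the timing half of this concrete, the following added example (not from the CEH material, and not a power trace of an encryption core) models the most common timing leak on a card: a secret comparison that stops at the first wrong byte. It assumes a constructed key and uses the number of bytes examined as a stand-in for the measured time, then shows the constant-work form that removes the dependency on the secret.

```python
import hmac

def early_exit_compare(expected: bytes, guess: bytes) -> tuple:
    """Naive comparison that stops at the first differing byte.
    Returns (match, bytes_examined); the count stands in for the time
    the routine would take on the device (an assumption of this model)."""
    if len(expected) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(expected, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def constant_work_compare(expected: bytes, guess: bytes) -> tuple:
    """Examines every byte regardless of where the inputs differ, so the
    work (and hence timing) no longer depends on the secret. Real code
    should call hmac.compare_digest; it is cross-checked here."""
    if len(expected) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(expected, guess):
        diff |= a ^ b
    match = diff == 0
    assert match == hmac.compare_digest(expected, guess)
    return match, len(expected)

def work_profile(secret: bytes, compare) -> list:
    """For i = 0..len(secret), submit a guess whose first i bytes are right
    and whose remaining bytes are deliberately wrong; record the work each
    takes. A profile that climbs with i is the leak an attacker measures."""
    profile = []
    for i in range(len(secret) + 1):
        guess = bytearray(secret[:i])
        for b in secret[i:]:
            guess.append(b ^ 0xFF)   # guaranteed to differ from the real byte
        profile.append(compare(secret, bytes(guess))[1])
    return profile

# Constructed sample key, not a real device secret.
SAMPLE_KEY = bytes.fromhex("a1b2c3d4")

if __name__ == "__main__":
    print("early-exit work :", work_profile(SAMPLE_KEY, early_exit_compare))
    print("constant work   :", work_profile(SAMPLE_KEY, constant_work_compare))
```

The first profile grows by one for every correctly guessed byte, so the key can be recovered byte by byte; the second is flat, which is the property a side-channel-resistant implementation must have.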
312-50v13 Exam Question 225
During a penetration test at a logistics company in Atlanta, Georgia, you examine the configuration of network devices and discover that they rely on legacy communication mechanisms lacking encryption and integrity checks. These mechanisms allow neighboring systems to exchange operational data without verification, exposing the infrastructure to potential manipulation. What type of vulnerability is most clearly present?
Correct Answer: D
The best answer is D, insecure routing protocols, because the scenario describes legacy neighbor-to-neighbor device communications that lack encryption and integrity validation, allowing operational routing data to be exchanged without verification. In CEH-aligned network hacking concepts, this is a classic weakness of older or improperly secured routing protocols (and related network control-plane exchanges) where routers trust updates from neighbors and do not cryptographically validate the authenticity and integrity of routing information. When routing updates are accepted without strong verification, an attacker who can position themselves on the same segment (or spoof a trusted neighbor) may inject or manipulate routing information. This can enable attacks such as route injection, route poisoning, man-in-the-middle (MITM) traffic redirection, blackholing traffic, or causing instability/denial of service by continuously advertising bad routes. The mention of "neighboring systems" and "operational data" strongly maps to routing adjacencies where devices exchange reachability and topology information. The absence of integrity checks makes it feasible to alter routing messages in transit or forge them, and the absence of encryption can expose routing details that further assist reconnaissance and targeted manipulation. Why the other options are less accurate: Firewall vulnerabilities relate to filtering and policy enforcement, but the core issue here is the trust model and protection of routing/control messages, not firewall rule flaws. Lack of password protection is too generic and typically refers to weak or missing credentials on management access, not unauthenticated routing exchanges.
Lack of authentication is conceptually related, but the question asks for the type of vulnerability most clearly present given "legacy communication mechanisms" between neighbors carrying operational data; in CEH terms this is most specifically categorized as insecure routing protocols (i.e., routing updates lacking authentication/integrity and sometimes encryption). In practice, organizations mitigate this by enabling routing protocol authentication (where supported), using cryptographic integrity protections, restricting routing adjacencies, and segmenting or filtering routing/control-plane traffic to trusted peers only.