
IoT-Scan: Network Reconnaissance for Internet of Things

2024 · 3 Citations
Stefan Gvozdenovic, Johannes K. Becker, John Mikulskis
IEEE Internet of Things Journal

IoT-Scan is a holistic approach for IoT network reconnaissance to enable enumeration of IoT devices in one’s organization based on software-defined radio (SDR) technology, which allows for a flexible software-based implementation of radio protocols.

Abstract

The rapid growth of the Internet of Things (IoT) has resulted in an array of competing, largely incompatible wireless communication technologies. This plethora of technologies has created a complex landscape and, notably, a lack of visibility, making it difficult for organizations to define appropriate policies and tools to secure their operational environments. In this article, we present IoT-Scan, a holistic approach to IoT network reconnaissance that enables enumeration of the IoT devices in one's organization. IoT-Scan is based on software-defined radio (SDR) technology, which allows for a flexible software-based implementation of radio protocols. We present a series of passive, active, multichannel, and multiprotocol scanning algorithms to speed up the discovery of devices with IoT-Scan. We benchmark the passive scanning algorithms against a theoretical traffic model based on the nonuniform coupon collector problem. We implement the scanning algorithms for four popular IoT protocols: 1) ZigBee; 2) Bluetooth LE; 3) Z-Wave; and 4) LoRa. Through extensive experiments with dozens of IoT devices, we evaluate and compare the performance of the various algorithms in terms of their discovery time, packet loss, and energy consumption. Notably, using multiprotocol scanning, we demonstrate a reduction of 70% in the discovery times of Bluetooth and ZigBee devices in the 2.4-GHz band and of LoRa and Z-Wave devices in the 900-MHz band, compared to sequential passive scanning.
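The abstract benchmarks passive scanning against the nonuniform coupon collector problem: a passive scanner "collects" devices by overhearing their packets, and a device that transmits rarely is the coupon that dominates the discovery time. The following is an added example, not code from the paper or from IoT-Scan, showing (a) the closed-form expected discovery time for that model using the standard inclusion–exclusion formula, and (b) a toy Monte Carlo of a single-radio passive scanner that must hop between channels, which is an assumption for illustration rather than the paper's own scanning algorithm. The device rates, channel layout and dwell time are constructed inputs.

```python
import itertools
import random


def expected_discovery_time(rates):
    """Expected number of overheard packets until every device has been seen once.

    rates: relative packet rates of each device (need not be uniform).  The
    i-th observed packet comes from device i with probability p_i = r_i / sum(r).
    Standard nonuniform coupon collector result (inclusion-exclusion):
        E[T] = sum over non-empty S of (-1)^(|S|+1) / sum_{i in S} p_i
    Exact but exponential in len(rates); fine for ~20 devices, use the
    simulation below beyond that.
    """
    total = float(sum(rates))
    p = [r / total for r in rates]
    n = len(p)
    expectation = 0.0
    for k in range(1, n + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for subset in itertools.combinations(range(n), k):
            expectation += sign / sum(p[i] for i in subset)
    return expectation


def simulate_packet_collector(rates, trials=20000, seed=1):
    """Monte Carlo check of expected_discovery_time: draw packets from devices
    with probability proportional to their rate until all have been seen."""
    rng = random.Random(seed)
    n = len(rates)
    total_packets = 0
    for _ in range(trials):
        seen, packets = set(), 0
        while len(seen) < n:
            seen.add(rng.choices(range(n), weights=rates)[0])
            packets += 1
        total_packets += packets
    return total_packets / trials


def simulate_channel_hopping(devices, channels, dwell, trials=2000, seed=1):
    """Toy model (assumption, not the paper's algorithm) of one passive SDR
    receiver that can listen to a single channel at a time and cycles through
    `channels`, staying `dwell` time slots on each.

    devices: list of (channel, per-slot transmit probability).  In every slot
    each device independently sends a packet with its probability; the scanner
    only overhears packets on the channel it is currently tuned to.
    Returns the mean number of slots until every device has been discovered.
    """
    rng = random.Random(seed)
    n = len(devices)
    total_slots = 0
    for _ in range(trials):
        seen, slot = set(), 0
        while len(seen) < n:
            tuned = channels[(slot // dwell) % len(channels)]
            for idx, (chan, prob) in enumerate(devices):
                if chan == tuned and rng.random() < prob:
                    seen.add(idx)
            slot += 1
        total_slots += slot
    return total_slots / trials


if __name__ == "__main__":
    # Constructed example: three chatty devices and one that rarely transmits.
    rates = [10, 10, 10, 1]
    print("exact E[T]   :", round(expected_discovery_time(rates), 2))
    print("simulated E[T]:", round(simulate_packet_collector(rates), 2))
    # Same eight devices, observed with one channel vs. hopping over two.
    single = simulate_channel_hopping([(0, 0.2)] * 8, channels=[0], dwell=5)
    hopping = simulate_channel_hopping([(0, 0.2)] * 4 + [(1, 0.2)] * 4,
                                       channels=[0, 1], dwell=5)
    print("single channel:", round(single, 1), "slots; hopping:", round(hopping, 1))
```

The rarely transmitting device in the first example dominates the total: its share of traffic is 1/31, so the scanner must overhear on the order of 31 packets just to see it once, whatever the other three do. The channel-hopping run shows the cost the multichannel algorithms in the paper set out to reduce: a single receiver that spends half its time on each channel roughly doubles the discovery time of the same device population.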