IoT-Scan: Network Reconnaissance for the Internet of Things

TL;DR

IoT-Scan is a versatile, SDR-based network reconnaissance tool designed for IoT devices, enabling multi-protocol discovery with high efficiency and minimal packet loss, significantly reducing device discovery times.

Contribution

The paper introduces IoT-Scan, the first universal IoT network reconnaissance tool that supports multiple protocols and demonstrates near-theoretical performance in device discovery.

Findings

Multi-protocol scanning reduces discovery time by 70%.

IoT-Scan achieves minimal packet loss and high performance.

Performance benchmarks align closely with theoretical models.

Abstract

Network reconnaissance is a core networking and security procedure aimed at discovering devices and their properties. For IP-based networks, several network reconnaissance tools are available, such as Nmap. For the Internet of Things (IoT), there is currently no similar tool capable of discovering devices across multiple protocols. In this paper, we present IoT-Scan, a universal IoT network reconnaissance tool. IoT-Scan is based on software defined radio (SDR) technology, which allows for a flexible software-based implementation of radio protocols. We present a series of passive, active, multi-channel, and multi-protocol scanning algorithms to speed up the discovery of devices with IoT-Scan. We benchmark the passive scanning algorithms against a theoretical traffic model based on the non-uniform coupon collector problem. We implement the scanning algorithms and compare their performance for four popular IoT protocols: Zigbee, Bluetooth LE, Z-Wave, and LoRa. Through extensive experiments with dozens of IoT devices, we demonstrate that our implementation experiences minimal packet losses and achieves performance near the theoretical benchmark. Using multi-protocol scanning, we further demonstrate a reduction of 70\% in the discovery times of Bluetooth and Zigbee devices in the 2.4\,GHz band and of LoRa and Z-Wave devices in the 900\,MHz band, compared to sequential passive scanning. We make our implementation and data available to the research community to allow independent replication of our results and facilitate further development of the tool.