Paper title

IoT-Scan: Network Reconnaissance for the Internet of Things

Authors

Stefan Gvozdenovic, Johannes K. Becker, John Mikulskis, David Starobinski

Abstract

Network reconnaissance is a core networking and security procedure aimed at discovering devices and their properties. For IP-based networks, several network reconnaissance tools are available, such as Nmap. For the Internet of Things (IoT), there is currently no similar tool capable of discovering devices across multiple protocols. In this paper, we present IoT-Scan, a universal IoT network reconnaissance tool. IoT-Scan is based on software-defined radio (SDR) technology, which allows for a flexible software-based implementation of radio protocols. We present a series of passive, active, multi-channel, and multi-protocol scanning algorithms to speed up the discovery of devices with IoT-Scan. We benchmark the passive scanning algorithms against a theoretical traffic model based on the non-uniform coupon collector problem. We implement the scanning algorithms and compare their performance for four popular IoT protocols: Zigbee, Bluetooth LE, Z-Wave, and LoRa. Through extensive experiments with dozens of IoT devices, we demonstrate that our implementation experiences minimal packet losses and achieves performance near the theoretical benchmark. Using multi-protocol scanning, we further demonstrate a reduction of 70% in the discovery times of Bluetooth and Zigbee devices in the 2.4 GHz band and of LoRa and Z-Wave devices in the 900 MHz band, compared to sequential passive scanning. We make our implementation and data available to the research community to allow independent replication of our results and facilitate further development of the tool.
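The abstract benchmarks passive scanning against a non-uniform coupon collector model. The following is an added example, not code from the IoT-Scan paper or its authors, that shows how such a benchmark is computed. It assumes a simple model of passive listening: each packet captured on the monitored channel comes from device i with probability p_i (proportional to that device's transmission rate), and a device counts as discovered the first time one of its packets is captured. The functions `expected_packets_to_discover_all`, `expected_devices_seen_after` and `simulate_packets_to_discover_all`, and the device rates used as sample input, are all constructed for this example.

```python
"""Non-uniform coupon collector benchmark for passive device discovery.

Added example; modelling assumptions are documented in the lead-in and in
the comments below, and are not taken from the IoT-Scan paper.
"""
from itertools import combinations
import random


def expected_packets_to_discover_all(weights):
    """Expected number of draws until every device has been seen at least once.

    weights[i] is the probability that a captured packet belongs to device i
    (weights sum to 1) or, equivalently, device i's packet rate in packets/s
    (any positive weights). Inclusion-exclusion form of the non-uniform
    coupon collector:

        E[T] = sum over non-empty subsets S of (-1)^(|S|+1) / sum_{i in S} w_i

    With probabilities the result is a packet count; with rates it is the
    expected time in seconds (Poisson arrivals per device, assumed here).
    Exponential in the number of devices, so it is meant for benchmarking a
    few dozen devices, not thousands.
    """
    n = len(weights)
    total = 0.0
    for k in range(1, n + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for subset in combinations(weights, k):
            total += sign / sum(subset)
    return total


def expected_devices_seen_after(probs, m):
    """Expected number of distinct devices discovered after m captured packets.

    Device i is still unseen after m packets with probability (1 - p_i)^m,
    so the expected discovered count is the sum of 1 - (1 - p_i)^m. This gives
    the discovery curve a scanner's measured progress can be compared against.
    """
    return sum(1.0 - (1.0 - p) ** m for p in probs)


def simulate_packets_to_discover_all(probs, trials, seed):
    """Monte Carlo estimate of the same quantity, for cross-checking the formula.

    Each captured packet is attributed to a device drawn with the given
    probabilities; counting continues until all devices have been seen.
    """
    rng = random.Random(seed)
    devices = list(range(len(probs)))
    total_packets = 0
    for _ in range(trials):
        seen = set()
        count = 0
        while len(seen) < len(devices):
            seen.add(rng.choices(devices, weights=probs)[0])
            count += 1
        total_packets += count
    return total_packets / trials


if __name__ == "__main__":
    # Constructed sample input: five devices with unequal beacon rates (pkt/s).
    # A chatty device is found almost immediately; the quiet ones dominate
    # the total discovery time, which is what the non-uniform model captures.
    rates = [10.0, 5.0, 2.0, 1.0, 0.2]
    probs = [r / sum(rates) for r in rates]
    print("expected seconds to discover all:", expected_packets_to_discover_all(rates))
    print("expected packets to discover all:", expected_packets_to_discover_all(probs))
    print("simulated packets (20k trials):  ",
          simulate_packets_to_discover_all(probs, 20000, seed=1))
    for m in (10, 50, 200):
        print(f"after {m:>3} packets, expect "
              f"{expected_devices_seen_after(probs, m):.2f} of {len(probs)} devices")
```

Passing per-device rates instead of probabilities turns the result into an expected time, which is the form a passive-scan benchmark is usually stated in; the slowest transmitter sets the tail, which is why multi-channel or multi-protocol scanning that spends less idle time waiting on quiet devices shortens discovery so markedly.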
