Methods and tools for network reconnaissance of IoT devices

The Internet of Things (IoT) impacts nearly all aspects surrounding our daily life, including housing, transportation, healthcare, and manufacturing. IoT devices communicate through a variety of communication protocols, such as Bluetooth Low Energy (BLE), Zigbee, Z-Wave, and LoRa. These protocols serve essential purposes in both commercial industrial and personal domains, encompassing wearables and intelligent buildings. The organic and decentralized development of IoT protocols under the auspices of different organizations has resulted in a fragmented and heterogeneous IoT ecosystem. In many cases, IoT devices do not have an IP address. Furthermore, some protocols, such as LoRa and Z-Wave, are proprietary in nature and incompatible with standard protocols. This heterogeneity and fragmentation of the IoT introduce challenges in assessing the security posture of IoT devices. To address this problem, this thesis proposes a novel methodology that transcends specific protocols and supports network and security monitoring of IoT devices at scale. This methodology leverages the capabilities of software-defined radio (SDR) technology to implement IoT protocols in software. We first investigate the problem of IoT network reconnaissance, that is the discovery and characterization of all the IoT devices in one’s organization. We focus on four popular protocols, namely Zigbee, BLE, Z-Wave, and LoRa. We introduce and analyze new algorithms to improve the performance and speed-up the discovery of IoT devices. These algorithms leverage the ability of SDRs to transmit and receive signals across multiple channels in parallel. We implement these algorithms in the form of an SDR tool, called IoT-Scan, the first universal IoT scanner middleware. We thoroughly evaluate the delay and energy performance of IoT-Scan. Notably, using multi-channel scanning, we demonstrate a reduction of 70% in the discovery times of Bluetooth and Zigbee devices in the 2.4GHz band and of LoRa and Z-Wave devices in the 900MHz band, versus single-channel ...