Can We Classify an IoT Device using TCP Port Scan?

Abstract

The explosion in the number of Internet-of-Things connecting to smart environments has increased the demand for obtaining visibility into these devices among network operators, black-box penetration testers, as well as cyber-attackers. More specifically, enterprise network operators need efficient tools to classify devices in operation for a better maintenance of their network assets, enforce device-specific policies, or quarantine vulnerable devices, thereby reducing the likelihood that they will be compromised. Recent works have advocated passive network monitoring techniques to classify these devices based on their characteristics. However, these techniques require special network infrastructures and powerful data analytics engines to monitor and classify connected devices based on their network behavioral profile. Also, active discovery methods are often limited to the number of devices due to various factors. This paper aims to discover whether an IoT can be classified using an active TCP port scan. First, we propose a technique to determine the type of an IoT device by probing its open TCP ports based on prior knowledge from a range of IoT devices. Then, we evaluate our method by applying to 19 distinct off-the-shelf consumer IoT devices from different vendors. Our preliminary results show that IoT devices can be identified and classified by a very lightweight network TCP scan.