Annual IoT Security Report 2019-6

Annual IoT Security Report 2019-6

November 25, 2020 | Mina Hao

Identification of IoT Assets from Known IPv6 Addresses

The preceding section gives a brief account of difficulties in the blind-scan of IPv6 addresses. To work around these problems, we based our recon on some available IPv6 addresses, in a bid to discover IoT assets operating in IPv6 environments. Sources of these addresses include Hitlist27, which maintains about 3 million IPv6 addresses, and NSFOCUS Threat Intelligence (NTI), which provides a collection of about 1.7 billion IPv6 addresses extracted from domain name intelligence. Note that the IPv6 addresses available for our recon are but a very small portion of the total number. Besides, IoT assets found active in IPv6 environments were rather small in number.

We limited our scope of recon to these IPv6 addresses and, by scanning ports commonly used by IoT assets, found about 80,000 IPv6 IoT assets, whose types are shown in the following figure. Of all IPv6 IoT assets discovered, VoIP phones took up the largest proportion, standing at 70,682, followed by cameras (13,960) and routers (1549).

As for port distribution of IPv6 IoT assets, port 5060 opened for VoIP and port 554 opened for cameras were most frequently seen in our scanning results, as shown in Figure 2-11. As for global distribution of IPv6 IoT assets, Germany topped the list with the most IPv6 IoT assets, followed by the Netherlands and the USA, as shown in Figure 2-12.

Although it is very difficult to perform a full scan of IPv6 assets, that does not mean that we cannot do the recon at all. An idea is to narrow down the scope of IPv6 addresses and adopt heuristic approaches to, for example, identify IPv6 addresses based on their characteristics and identify dual-stack IoT assets via the UPnP service. Sections 2.4.3 Heuristic Recon of IPv6 Addresses Based on Their Characteristics and 2.4.4 Heuristic Recon via the Dual-Stack UPnP Service detail the two methods.

To be continued.