About Our Work on Detecting IoT Devices

There has been a surge in IoT devices in the past few years: 15.4 billion devices in 2015, and estimates show this number will double by 2020. Recent IoT-based DDoS attacks raise increasing concern about IoT security vulnerabilities.

To understand the distribution and growth of IoT devices and the potential security threats they pose to the Internet, we are working on detecting IoT devices through passive network measurements.

For this purpose, we've purchased a limited set of IoT devices, and it would be extremely helpful if we could get traffic traces from more devices. If you happen to own any kind of IoT device (e.g. IP camera, smart light bulb, TV stick, etc.), the next section explains how you could help our research.

How to Help Our Research with Your Devices?

We generally need two traffic dumps for each device: one during device boot-up and the other while the device performs its functions (e.g. when a user presses an Amazon Dash button to make a purchase). Each traffic dump consists of two pcap files (assuming the device is behind NAT): one captured on the LAN side, the other on the WAN side. (Only one pcap file is needed if the device uses a public IP.)

Collecting a traffic dump requires a router running OpenWrt. If you already have an OpenWrt router, please follow the instructions below to tcpdump your device's traffic and share the pcap files with the author via hangguo@usc.edu. If you don't have an OpenWrt router, you could either install OpenWrt on your router, or we could arrange a visit via the same email: I could come to your place, cable my OpenWrt router's WAN port to your router's LAN port, connect your device to my OpenWrt router via WiFi, and tcpdump your device's traffic through my OpenWrt router.

Instructions on Tcpdumping IoT Device's Traffic

Assume eth0 is the NAT router's LAN port and eth1 is its WAN port, DEVICE is the name (manufacturer_model) of your device, and PCAP_DIR is the target directory in which to store the pcap files.

To collect boot-up traffic, first shut down the IoT device completely. Then open two terminals on your laptop/desktop and ssh into the OpenWrt router from each. To start tcpdump on both the LAN and WAN ports, type the following commands in the two terminals you just opened (one block per terminal). Next, turn on the device and wait for the boot-up process to complete. We recommend waiting another 3 minutes after boot-up in case some background traffic hasn't finished. To end tcpdumping, press Ctrl+C in both terminals. To quit the ssh sessions, press Ctrl+D in both terminals.


        ### Tcpdumping LAN side traffic (terminal 1) ###
        # the timestamp in the file name keeps repeated captures from overwriting each other
        timestamp="$(date +"%m-%d-%Y_%Z%H-%M-%S")"
        tcpdump -i eth0 -w "$PCAP_DIR/${DEVICE}_bootup_lan_${timestamp}.pcap"

        ### Tcpdumping WAN side traffic (terminal 2) ###
        timestamp="$(date +"%m-%d-%Y_%Z%H-%M-%S")"
        tcpdump -i eth1 -w "$PCAP_DIR/${DEVICE}_bootup_wan_${timestamp}.pcap"

To collect the device's operation traffic, first keep the IoT device completely idle. Then open two terminals on your laptop/desktop and ssh into the OpenWrt router from each. To start tcpdump on both the LAN and WAN ports, type the following commands in the two terminals you just opened (one block per terminal). Next, operate the device to do whatever functions it has (e.g. press the Amazon Dash button to make a purchase, or remotely access an IP camera to view a room). We recommend waiting another 3 minutes after all operations have finished in case some background traffic hasn't finished. To end tcpdumping, press Ctrl+C in both terminals. To quit the ssh sessions, press Ctrl+D in both terminals.


        ### Tcpdumping LAN side traffic (terminal 1) ###
        # the timestamp in the file name keeps repeated captures from overwriting each other
        timestamp="$(date +"%m-%d-%Y_%Z%H-%M-%S")"
        tcpdump -i eth0 -w "$PCAP_DIR/${DEVICE}_operation_lan_${timestamp}.pcap"

        ### Tcpdumping WAN side traffic (terminal 2) ###
        timestamp="$(date +"%m-%d-%Y_%Z%H-%M-%S")"
        tcpdump -i eth1 -w "$PCAP_DIR/${DEVICE}_operation_wan_${timestamp}.pcap"

Finally, please add a README.txt file with the device's IPs (both LAN and WAN), manufacturer, model, and optionally a purchase link for the device.

Data Sharing and Anonymization

We may publicly share the IoT device traces we have collected to facilitate IoT research. Before sharing, we'll filter out all non-IoT traffic from the LAN and WAN pcaps and apply prefix-preserving anonymization to all user IPs to protect user privacy.
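The two post-processing steps just described (dropping non-IoT traffic and prefix-preserving anonymization of user IPs) are sketched below as an added example; this is not the project's own tooling. It works on a LAN-side pcap produced by the tcpdump commands above, keeps only frames to or from the device's LAN IP listed in README.txt, and pseudonymizes user addresses (RFC 1918 space plus any public IPs you pass in, e.g. the router's WAN IP from README.txt) while leaving the IoT service endpoints untouched. It assumes a Crypto-PAn-style construction with HMAC-SHA256 standing in for Crypto-PAn's AES-based PRF, little-endian pcap files with Ethernet framing, and the sample capture is constructed inline rather than taken from a real device.

```python
"""Keep only the device's packets in a LAN-side pcap, then prefix-preservingly
anonymize user IPs (RFC 1918 addresses plus the public IPs from README.txt)."""
import hashlib
import hmac
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap with microsecond timestamps
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) records; linktype is assumed to be Ethernet."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def build_pcap(records) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) records into a pcap buffer (linktype 1)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 for a header whose checksum is valid."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

class PrefixPreservingAnonymizer:
    """Crypto-PAn-style mapping: output bit i = input bit i XOR PRF(key, first i input bits),
    so addresses sharing their first k bits share their first k pseudonym bits. HMAC-SHA256
    stands in for Crypto-PAn's AES PRF (assumption). Reuse one secret key per data set."""

    def __init__(self, key: bytes):
        self.key = key

    def anonymize(self, addr: bytes) -> bytes:
        value = int.from_bytes(addr, "big")
        result = 0
        for i in range(32):
            prefix = value >> (32 - i)         # the i high-order bits already processed
            tag = hmac.new(self.key, struct.pack(">BI", i, prefix), hashlib.sha256).digest()
            bit = (value >> (31 - i)) & 1
            result = (result << 1) | (bit ^ (tag[0] & 1))
        return result.to_bytes(4, "big")

def rewrite_frame(frame: bytes, anon: PrefixPreservingAnonymizer, user_public_ips) -> bytes:
    """Pseudonymize user IPs in an Ethernet/IPv4 frame and recompute the IPv4 header
    checksum. TCP/UDP checksums also cover the addresses and are left stale here."""
    new = bytearray(frame)
    for off in (26, 30):                       # IPv4 src / dst offsets inside the frame
        ip = ipaddress.IPv4Address(frame[off:off + 4])
        if any(ip in net for net in RFC1918) or str(ip) in user_public_ips:
            new[off:off + 4] = anon.anonymize(ip.packed)
    ihl = (frame[14] & 0x0F) * 4
    new[24:26] = b"\x00\x00"
    new[24:26] = struct.pack(">H", ipv4_checksum(bytes(new[14:14 + ihl])))
    return bytes(new)

def filter_and_anonymize(pcap: bytes, device_ip: str, key: bytes, user_public_ips=()) -> bytes:
    """Drop everything not to/from device_ip (non-IPv4 frames included), then anonymize."""
    anon = PrefixPreservingAnonymizer(key)
    dev = ipaddress.IPv4Address(device_ip).packed
    kept = []
    for ts_sec, ts_usec, frame in parse_pcap(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or dev not in (frame[26:30], frame[30:34]):
            continue
        kept.append((ts_sec, ts_usec, rewrite_frame(frame, anon, user_public_ips)))
    return build_pcap(kept)

def make_frame(src_ip: str, dst_ip: str, payload: bytes = b"ping") -> bytes:
    # constructed Ethernet/IPv4/UDP frame used only as sample input, not a real capture
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    ip = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                               ipaddress.IPv4Address(src_ip).packed,
                               ipaddress.IPv4Address(dst_ip).packed))
    ip[10:12] = struct.pack(">H", ipv4_checksum(bytes(ip)))
    return eth + bytes(ip) + struct.pack(">HHHH", 40000, 443, 8 + len(payload), 0) + payload

# Constructed LAN-side sample: the device (192.168.1.50) talks to a cloud endpoint while
# a laptop on the same LAN (192.168.1.20) generates unrelated traffic to be filtered out.
SAMPLE_PCAP = build_pcap([
    (1500000000, 0, make_frame("192.168.1.50", "203.0.113.10")),
    (1500000000, 500, make_frame("192.168.1.20", "198.51.100.7")),
    (1500000001, 0, make_frame("203.0.113.10", "192.168.1.50")),
])

def summarize(pcap: bytes):
    """[(src, dst), ...] as dotted strings, for inspection and testing."""
    return [(str(ipaddress.IPv4Address(f[26:30])), str(ipaddress.IPv4Address(f[30:34])))
            for _, _, f in parse_pcap(pcap)]

if __name__ == "__main__":
    for src, dst in summarize(filter_and_anonymize(SAMPLE_PCAP, "192.168.1.50", b"dataset-key")):
        print(src, "->", dst)
```

Running the block prints two packets: the laptop's traffic is gone, the cloud endpoint 203.0.113.10 is unchanged, and the device appears under one consistent pseudonym in both directions. Because the PRF input is the prefix already processed, two real addresses in the same /24 map into a common anonymized /24, which is what lets subnet-level analysis survive anonymization; the same property means the key must be kept secret and never published with the traces. A WAN-side pcap needs the NAT mapping (or the router's WAN IP passed as a user public IP) rather than the device's LAN IP to separate devices, and transport-layer checksums are left stale, as noted in the code.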

Contact Authors

Hang Guo: hangguo@usc.edu, USC/Information Sciences Institute

John Heidemann: johnh@isi.edu, USC/Information Sciences Institute