Returning to Port: Efficient Detection of Home Router Devices

The detection of IoT devices has been a popular research topic, mainly because of their omnipresence and appeal as targets of malicious actors. In this paper, we focus specifically on identifying home router devices across the IP address space by using network fingerprints derived from an active probing approach. Unlike existing approaches that rely on open ports and banner grab-bing, our network fingerprints highlight the feasibility of detecting a portion of home routers even when they do not expose any open ports or network services. Furthermore, we propose a flexible scanning strategy that aims to drastically reduce the number of network probes, enabling scaling of the device detection across the entire IPv4 address space. We then evaluate the false and true positives of our network fingerprints against ground truth data derived from a large passive DNS dataset and Censys. The results show that many home routers can be detected efficiently and that the derived fingerprints have high detection accuracy. Finally, we measure what services are typically exposed by users through their home routers, and point out generic patterns as well as some interesting individual cases.