The Problem
Home and small business networks increasingly rely on IoT devices (smart cameras, thermostats, door locks, sensors), but most users have no visibility into security vulnerabilities. IoT devices are notoriously insecure - many ship with default credentials, outdated firmware, and exposed services.
Key Pain Points:
- Invisible Attack Surface: Users don't know what devices are on their network or what ports/services they expose
- Default Credentials: 60% of IoT devices still use factory default passwords (admin/admin, root/root)
- No Automated Scanning: Enterprise security tools (Nessus, Qualys) are too expensive ($3,000+/year) and complex for home users
- Firmware Vulnerabilities: IoT vendors rarely push security updates; devices run vulnerable software for years
- Network Segmentation Gaps: IoT devices often have full network access, allowing lateral movement after compromise
A compromised IoT camera becomes an entry point for attackers to pivot to laptops, phones, and sensitive data.
The Solution
Built a lightweight, automated security scanner that runs on a Raspberry Pi, continuously monitors IoT devices on the network, identifies vulnerabilities, and provides actionable remediation steps in a simple web dashboard.
Key Features:
Network Discovery:
- Automatic Device Detection: Passive ARP monitoring discovers devices on the network without active scanning (only hosts that send ARP traffic while the Pi is listening are seen)
- Device Fingerprinting: Identify device types (camera, thermostat, printer) using MAC address vendor lookup and service signatures
- Network Topology Mapping: Visual network map showing all devices, relationships, and communication patterns
- Port & Service Enumeration: Identify open ports, running services, service versions for vulnerability matching
Vulnerability Detection:
- Default Credential Testing: Test 500+ known default credentials against common IoT services (HTTP, Telnet, SSH, FTP)
- CVE Database Matching: Cross-reference detected service versions against the NIST NVD (National Vulnerability Database) for known vulnerabilities
- Weak Protocol Detection: Flag insecure protocols (Telnet, unencrypted HTTP, SNMP v1/v2) with recommendations
- Unnecessary Service Detection: Identify services that shouldn't be exposed (UPnP, SMB, Telnet on IoT devices)
- Firmware Analysis: Check for outdated firmware versions using vendor APIs and public databases
Security Monitoring:
- Real-time Threat Detection: Monitor network traffic for suspicious patterns (port scans, brute force attempts, C2 beaconing)
- Baseline Deviation Alerts: Alert when devices deviate from normal behavior (new ports opened, unusual traffic volume)
- Rogue Device Detection: Flag new devices joining network, require manual approval before trusting
- TLS Configuration Checks: Identify SSL/TLS versions, weak ciphers and expired certificates on device services
Reporting & Remediation:
- Risk Scoring: CVSS-based risk scores for each vulnerability with prioritized remediation queue
- Automated Reports: Weekly security reports emailed as PDF with executive summary and technical details
- Remediation Guides: Step-by-step instructions to fix each vulnerability (change password, update firmware, disable service)
- Compliance Checking: Basic compliance checks for home office users (PCI DSS, HIPAA requirements)
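The Security Monitoring features above name the traffic patterns to watch for (port scans, brute force attempts, C2 beaconing) but not how they are recognized. The following is an added example, mine and not the project's code, showing one way to detect all three from a list of flow records of the form (timestamp, source IP, destination IP, destination port), which is what a Scapy sniffer or the router's connection log reduces to. The flow records, the AUTH_PORTS list and the thresholds are constructed for the example and are not taken from the project.

```python
import statistics
from collections import Counter, defaultdict, deque

# Ports where repeated connections from one source look like credential guessing.
# Constructed list for the example; tune it to the services actually present.
AUTH_PORTS = {21, 22, 23, 80, 443, 8080}

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port). Not real capture data.
SAMPLE_FLOWS = (
    [(100.0 + i * 0.05, "192.168.1.50", "192.168.1.10", 1 + i) for i in range(30)]   # 30 ports swept in 1.5 s
    + [(200.0 + i * 2.0, "192.168.1.51", "192.168.1.10", 23) for i in range(15)]     # 15 telnet connects in 28 s
    + [(300.0 + i * 60.0, "192.168.1.20", "203.0.113.5", 443) for i in range(8)]     # one connect every 60 s
    + [(400.0 + t, "192.168.1.30", "192.168.1.10", 80) for t in (0.0, 3.0, 11.0, 12.5, 40.0)]  # ordinary browsing
)


def detect(flows, window=60.0, scan_ports=20, bf_attempts=10,
           beacon_min=6, beacon_min_period=10.0, beacon_cv=0.10):
    """Return alert dicts for port scans, brute force and beaconing.

    window       sliding window (seconds) for the scan / brute-force counters
    scan_ports   distinct destination ports from one source inside the window
    bf_attempts  connections to one auth port from one source inside the window
    beacon_*     a (src, dst, port) seen beacon_min+ times at near-constant
                 intervals of at least beacon_min_period seconds
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_pair[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), recs in by_pair.items():
        recent = deque()          # records inside the current window
        port_counts = Counter()   # hits per destination port inside the window
        fired = set()             # alert keys already raised for this pair
        for ts, dport in recs:
            recent.append((ts, dport))
            port_counts[dport] += 1
            while ts - recent[0][0] > window:          # expire records older than the window
                _, old_port = recent.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= scan_ports and "scan" not in fired:
                fired.add("scan")
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "detail": f"{len(port_counts)} ports in {window:.0f}s"})
            if (dport in AUTH_PORTS and port_counts[dport] >= bf_attempts
                    and ("bf", dport) not in fired):
                fired.add(("bf", dport))
                alerts.append({"type": "brute_force", "src": src, "dst": dst,
                               "detail": f"{port_counts[dport]} connects to port {dport} in {window:.0f}s"})

        # Beaconing: many connections to the same port at a steady period.
        per_port = defaultdict(list)
        for ts, dport in recs:
            per_port[dport].append(ts)
        for dport, times in per_port.items():
            if len(times) < beacon_min:
                continue
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.fmean(gaps)
            if mean < beacon_min_period:               # bursts are handled by the rules above
                continue
            cv = statistics.pstdev(gaps) / mean        # coefficient of variation: 0 = perfectly regular
            if cv < beacon_cv:
                alerts.append({"type": "beaconing", "src": src, "dst": dst,
                               "detail": f"{len(times)} connects to port {dport} every ~{mean:.0f}s (cv={cv:.2f})"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The scan and brute-force checks use a sliding window per source/destination pair, so a scan spread slowly over many minutes is missed unless the window is widened; the beacon check ignores short periods so that the brute-force burst does not also register as a beacon.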
Technical Implementation
Architecture
Stack:
- Core Scanner: Python 3.11 with Scapy (packet crafting), Nmap (port scanning), Requests (HTTP probing)
- Hardware Platform: Raspberry Pi 4 (4GB RAM) running Raspberry Pi OS (Debian-based Linux)
- Web Dashboard: Flask (Python web framework), Bootstrap 5 for responsive UI
- Database: SQLite for scan results, device inventory, vulnerability history
- Networking: Raw socket access for packet sniffing, Scapy for ARP monitoring
- CVE Data: NIST NVD (National Vulnerability Database) JSON feeds, updated daily via cron
Key Technical Decisions:
- Raspberry Pi as Dedicated Scanner: A separate device from the main workstation eliminates installation complexity and runs 24/7 monitoring without impacting the user's computer. Low power consumption (about 5 W) makes always-on operation practical.
- Passive + Active Scanning Hybrid: Passive ARP monitoring discovers devices without triggering IDS alerts; active Nmap scans run on demand for deep inspection. Stealth for discovery, thoroughness when it is needed.
- SQLite for Local Storage: No external database server needed. SQLite handles 50,000+ scan results without performance issues and simplifies deployment: a single device with no cloud dependencies.
- Scapy for Custom Packet Crafting and Dissection: Scapy crafts and parses packets for ARP spoofing detection and protocol analysis, and exposes the sender MAC that feeds the OUI vendor lookup. More flexible than pre-built tools.
- Flask Over Django: The lightweight Flask framework fits a small web dashboard; Django would be overkill, and Flask's simplicity suits the Raspberry Pi's limited resources.
Network Scanning Techniques
ARP Monitoring (Passive):
    from scapy.all import ARP, sniff

    # Continuously sniff ARP traffic to discover devices.
    # On a switched LAN the Pi only sees unicast ARP replies addressed to itself, so the
    # sender fields of broadcast ARP requests (op=1) are the main source of discoveries;
    # replies (op=2) and gratuitous ARP are recorded whenever they are seen.
    def arp_monitor():
        def packet_handler(packet):
            if packet.haslayer(ARP) and packet[ARP].op in (1, 2):
                ip = packet[ARP].psrc    # sender protocol (IP) address
                mac = packet[ARP].hwsrc  # sender hardware (MAC) address
                if ip == "0.0.0.0":      # ARP probe (RFC 5227): no usable IP yet
                    return
                vendor = get_mac_vendor(mac)  # OUI lookup
                save_device(ip, mac, vendor)
        sniff(prn=packet_handler, filter="arp", store=0)
Service Version Detection:
    import socket

    # Probe service banners to identify versions
    def probe_service(ip, port):
        try:
            with socket.create_connection((ip, port), timeout=3) as sock:
                # HTTP only speaks when spoken to; SSH, FTP, SMTP and Telnet send a banner first
                if port in (80, 8000, 8080):
                    sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % ip.encode())
                banner = sock.recv(1024).decode("utf-8", errors="replace")
            return parse_service_banner(banner)
        except OSError:  # refused, unreachable, reset, or no banner before the timeout
            return None
Default Credential Testing:
    import requests

    # Test HTTP basic auth with default credentials
    def test_http_auth(ip, port, creds_list):
        url = f"http://{ip}:{port}/"
        try:
            # Baseline first: if the page is served without credentials, a later 200 proves nothing
            if requests.get(url, timeout=5).status_code != 401:
                return None
            for username, password in creds_list:
                response = requests.get(url, auth=(username, password), timeout=5)
                if response.status_code == 200:
                    return f"Default credentials found: {username}/{password}"
                if response.status_code == 429:
                    return None  # rate limited / lockout: stop before locking the owner out
        except requests.RequestException:  # timeout, refused, reset
            return None
        return None
Vulnerability Database Integration
NIST CVE Matching:
- Download daily CVE feeds from NIST NVD (JSON format)
- Parse service version strings from banner grabbing (e.g., "OpenSSH 7.4")
- Query the SQLite copy of the feed for CVEs whose product name matches and whose affected version range contains the detected version
- Record the CVSS base score, references tagged "Exploit", and vendor advisory or patch links
- Prioritize by CVSS score (Critical > High > Medium > Low)
Custom Vulnerability Rules:
- Telnet enabled → Critical (plaintext passwords)
- Default credentials → High
- Outdated firmware (>1 year old) → Medium
- Weak SSL ciphers → Medium
- UPnP exposed → Low (but required for some devices)
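To make the matching procedure and the custom rules concrete, here is an added example (mine, not the project's code) that parses a service banner into product and version, does an inclusive version-range match against a small table of placeholder advisories, assigns CVSS v3 severity bands, applies the five custom rules, and orders the findings. The ADVISORIES table with its EXAMPLE-n identifiers, the banner patterns and SAMPLE_DEVICE are constructed for illustration; in the scanner the advisory rows come from the NVD feed loaded into SQLite.

```python
import re

# Constructed advisory table standing in for rows loaded from the NVD feed into SQLite.
# The identifiers, products, ranges and scores are made up for the example.
ADVISORIES = [
    {"id": "EXAMPLE-1", "product": "openssh",  "affected": ("7.0", "7.6"),      "cvss": 7.8},
    {"id": "EXAMPLE-2", "product": "openssh",  "affected": ("0", "8.3"),        "cvss": 5.3},
    {"id": "EXAMPLE-3", "product": "lighttpd", "affected": ("1.4.0", "1.4.50"), "cvss": 9.8},
]

# Banner patterns -> canonical product name; GENERIC handles "name/1.2.3" style banners.
BANNER_PATTERNS = [
    ("openssh",  re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)")),
    ("lighttpd", re.compile(r"lighttpd/(\d+(?:\.\d+)*)")),
    ("apache",   re.compile(r"Apache/(\d+(?:\.\d+)*)")),
    ("busybox",  re.compile(r"BusyBox v(\d+(?:\.\d+)*)")),
]
GENERIC = re.compile(r"([A-Za-z][A-Za-z0-9-]*)/(\d+(?:\.\d+)*)")


def parse_banner(banner):
    """'SSH-2.0-OpenSSH_7.4p1 Debian' -> ('openssh', '7.4'); None if no version is found."""
    for product, pat in BANNER_PATTERNS:
        m = pat.search(banner)
        if m:
            return product, m.group(1)
    m = GENERIC.search(banner)
    return (m.group(1).lower(), m.group(2)) if m else None


def version_key(v):
    """Numeric tuple so that '7.4' < '7.10'; a string comparison would get this wrong."""
    return tuple(int(x) for x in v.split("."))


def match_advisories(product, version, advisories=ADVISORIES):
    """Inclusive range match on (product, version); mirrors the SQLite query in the scanner."""
    vk = version_key(version)
    return [a for a in advisories
            if a["product"] == product
            and version_key(a["affected"][0]) <= vk <= version_key(a["affected"][1])]


def cvss_severity(score):
    """CVSS v3.x qualitative severity bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Ordering scores for the hand-written rules so they sort alongside CVSS-scored findings.
RULE_SCORE = {"Critical": 9.0, "High": 7.5, "Medium": 5.0, "Low": 2.0}


def rule_findings(device):
    """Apply the scanner's custom rules to one device record."""
    out = []
    ports = device.get("banners", {})
    if 23 in ports:
        out.append(("Telnet enabled (plaintext passwords)", "Critical", "Disable Telnet; use SSH if remote access is needed"))
    if device.get("default_credentials"):
        out.append(("Default credentials accepted", "High", "Change the password on the device"))
    if device.get("firmware_age_days", 0) > 365:
        out.append(("Firmware older than one year", "Medium", "Check the vendor site for an update"))
    if device.get("weak_tls_ciphers"):
        out.append(("Weak TLS cipher suites offered", "Medium", "Disable legacy ciphers or isolate the device"))
    if 1900 in ports:
        out.append(("UPnP exposed", "Low", "Disable UPnP unless a device depends on it"))
    return [{"title": t, "severity": s, "score": RULE_SCORE[s], "fix": f} for t, s, f in out]


def prioritize(device):
    """Banner-derived advisory matches plus rule findings, highest score first."""
    findings = rule_findings(device)
    for port, banner in device.get("banners", {}).items():
        parsed = parse_banner(banner)
        if not parsed:
            continue
        product, version = parsed
        for adv in match_advisories(product, version):
            findings.append({"title": f"{adv['id']} in {product} {version} (port {port})",
                             "severity": cvss_severity(adv["cvss"]), "score": adv["cvss"],
                             "fix": "Update firmware or restrict access to the service"})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed device record of the kind the scanner stores after a scan (port -> banner text).
SAMPLE_DEVICE = {
    "ip": "192.168.1.42",
    "banners": {22: "SSH-2.0-OpenSSH_7.4p1", 23: "", 1900: ""},
    "default_credentials": True,
}
```

Banner-derived versions are the main false-positive source noted under Challenges, so an advisory match should be reported as "possible" until the firmware version or vendor data confirms it; the numeric version comparison matters because 7.10 sorts below 7.4 as a string.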
Performance Optimizations
- Concurrent Scanning: ThreadPoolExecutor scans 10 devices simultaneously (Raspberry Pi CPU constraint)
- Adaptive Timing: Nmap timing template -T3 balances speed vs. accuracy and prevents network congestion
- Database Indexing: Index on (device_ip, timestamp) for fast historical queries
- Rate Limiting: Limit scans to 100 packets/second to avoid triggering router QoS or IDS
- Incremental Scanning: Full scan runs weekly, incremental scans (new devices only) run hourly
Security Considerations
Scanner Security:
- Least Privilege: Raw socket access requires root. Grant the scanner process the CAP_NET_RAW Linux capability instead of running the entire script as root, and attach it to a dedicated interpreter copy or the systemd unit rather than the system-wide Python binary, which would hand raw-socket access to every Python program on the Pi. The Flask dashboard needs no capabilities and runs as a separate unprivileged user.
- Dashboard Authentication: Flask-Login with bcrypt password hashing, session-based auth
- HTTPS Only: Self-signed certificate for local HTTPS (avoid plaintext passwords on the local network). Install the certificate in the user's browsers so the warning page does not become something they click through by habit.
- No Cloud Uploads: All data stays local on Raspberry Pi, no telemetry to external servers
- Audit Logging: Log all scans, credential tests, configuration changes with timestamps
Ethical Considerations:
- Permission Required: Only scan networks you own or have written permission to test
- Defensive Tool: Designed for defensive security (find YOUR vulnerabilities), not offensive hacking
- Credential Testing: Default credential testing is lawful on your own network or with the owner's written permission; against anyone else's devices it is unauthorized access
Outcomes
User Impact:
- Deployed to 15 home/small business networks for beta testing
- Average 12 vulnerabilities discovered per network (range: 4-28)
- 85% of vulnerabilities were default credentials - easily fixed by users after notification
- 100% of networks had at least one critical vulnerability before scanning
- In 3 cases users discovered IoT cameras with default passwords exposed to the internet and fixed them before any compromise was observed
Technical Metrics:
- Scan Performance: Full network scan (20 devices) completes in 8 minutes
- Accuracy: 98% device detection rate (missed devices were asleep or never sent ARP traffic while the sniffer was listening, e.g. hosts with static ARP entries)
- False Positive Rate: 5% (mainly false positives on fingerprinting device types)
- Resource Usage: Raspberry Pi CPU 15% avg, RAM 400MB, 2GB storage for 6 months of scan history
- Uptime: 99.2% uptime (downtime due to power outages, intentional reboots for updates)
Learning Outcomes:
- Mastered network protocols (ARP, TCP/IP, HTTP, Telnet, SSH) at packet level
- Learned penetration testing methodologies (reconnaissance, enumeration, vulnerability scanning)
- Gained hands-on Linux systems administration (systemd services, cron jobs, iptables firewall)
- Developed Python network programming skills (sockets, Scapy, multithreading)
- Understood CVE/CVSS scoring systems and vulnerability lifecycle management
Challenges and Solutions
Challenge 1: MAC Randomization on Mobile Devices
- Problem: Modern smartphones randomize MAC addresses for privacy. Scanner couldn't reliably track same device over time, causing duplicate entries in device inventory.
- Solution: Implemented multi-factor device fingerprinting using MAC address + DHCP hostname + HTTP User-Agent + device behavior patterns. Correlation algorithm achieves 92% re-identification accuracy even with MAC randomization.
Challenge 2: False Positives in Service Detection
- Problem: Banner grabbing misidentified services 20% of the time. Smart thermostat HTTP server identified as "Apache 2.4" when it was actually custom embedded firmware.
- Solution: Added IoT-specific fingerprinting rules. Cross-reference banner with MAC vendor (Nest → thermostat), open port patterns (554 + 8080 → camera), and SSDP discovery. Reduced false positives from 20% to 5%.
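Challenges 1 and 2 both come down to deciding which observations belong to the same device and what that device is. The following added example (mine, not the project's code) shows the pieces: detecting a randomized (locally administered) MAC from its first octet, an OUI vendor lookup that is skipped for such MACs, weighted correlation of a new observation against known devices on DHCP hostname, HTTP User-Agent and open-port set, and a rule-based type classifier combining vendor, port pattern and SSDP device type. The OUI_TABLE entries, the weights and threshold, and the Observation structure are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed OUI table (first three octets -> vendor); the scanner loads the full IEEE list.
OUI_TABLE = {"B8:27:EB": "Raspberry Pi Foundation", "18:B4:30": "Nest Labs"}


def is_randomized_mac(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set and the
    multicast bit (0x01) is clear, which is what iOS/Android privacy MACs look like."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def vendor_for(mac):
    if is_randomized_mac(mac):
        return None                      # an OUI lookup is meaningless on a random MAC
    return OUI_TABLE.get(mac.upper()[:8])


@dataclass
class Observation:
    """What one discovery pass learned about a host (structure assumed for the example)."""
    mac: str
    hostname: str = ""                   # from the DHCP request, if seen
    user_agent: str = ""                 # from plaintext HTTP the host sent
    open_ports: frozenset = field(default_factory=frozenset)
    ssdp_type: str = ""                  # from an SSDP/UPnP device description


# Weights for the non-MAC signals; a new observation is linked to a known device
# when the weighted agreement reaches MATCH_THRESHOLD.
WEIGHTS = {"hostname": 0.5, "user_agent": 0.3, "open_ports": 0.2}
MATCH_THRESHOLD = 0.6


def similarity(a, b):
    score = 0.0
    if a.hostname and a.hostname == b.hostname:
        score += WEIGHTS["hostname"]
    if a.user_agent and a.user_agent == b.user_agent:
        score += WEIGHTS["user_agent"]
    if a.open_ports and a.open_ports == b.open_ports:
        score += WEIGHTS["open_ports"]
    return score


def correlate(new, known):
    """Return the id of the known device `new` most likely is, or None.
    `known` maps device id -> last Observation. A stable MAC is matched exactly;
    a randomized MAC falls back to the weighted signals."""
    if not is_randomized_mac(new.mac):
        for dev_id, obs in known.items():
            if obs.mac.lower() == new.mac.lower():
                return dev_id
        return None
    best_id, best = None, 0.0
    for dev_id, obs in known.items():
        s = similarity(new, obs)
        if s > best:
            best_id, best = dev_id, s
    return best_id if best >= MATCH_THRESHOLD else None


def classify(obs):
    """Device type from vendor, port pattern and SSDP, in that order of confidence."""
    vendor = vendor_for(obs.mac) or ""
    ports = obs.open_ports
    if "Nest" in vendor:
        return "thermostat"
    if "Raspberry Pi" in vendor:
        return "single-board computer"
    if 554 in ports and (8080 in ports or 80 in ports):   # RTSP plus a web UI
        return "camera"
    if 9100 in ports or 631 in ports:                     # JetDirect / IPP
        return "printer"
    if "MediaRenderer" in obs.ssdp_type:
        return "media player"
    return "unknown"
```

Hostname and User-Agent are only available when the phone sends DHCP or plaintext HTTP while the sniffer is listening, which is why the page reports 92% rather than full re-identification; a device seen with none of those signals stays a new entry until it does.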
Challenge 3: Credential Testing Triggering Account Lockouts
- Problem: Testing default credentials on devices with account lockout policies caused devices to temporarily lock, frustrating users.
- Solution: Implemented adaptive testing - start with 3 most common credentials, pause 60 seconds between attempts, monitor for lockout indicators (HTTP 429, connection refused). Added allowlist to skip credential testing on critical devices (NAS, routers).
Challenge 4: Raspberry Pi Resource Constraints
- Problem: Concurrent Nmap scans of 10+ devices caused Raspberry Pi CPU to spike to 100%, RAM swapping, scan timeouts.
- Solution: Reduced concurrency from 20 threads to 10, implemented a scan queue with priority (critical devices first), and used the Nmap timing template -T3 (default) instead of -T4 (aggressive). Scan time increased 30% but reliability improved to 99%.
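The scan queue, bounded concurrency and packet rate limit described under Performance Optimizations and Challenge 4, as an added example that is not the project's code: a token-bucket limiter shared by all worker threads and a priority heap drained by a ThreadPoolExecutor of ten workers. fake_scan stands in for an Nmap run and is constructed for the example; the clock and sleep parameters of TokenBucket are assumptions that let the limiter be exercised without real waiting.

```python
import heapq
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class TokenBucket:
    """Packet-rate limiter shared by all scan threads. `clock` and `sleep` are
    injectable so the behaviour can be checked without actually waiting."""
    def __init__(self, rate, burst=None, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.capacity = float(burst if burst is not None else rate)
        self.tokens = self.capacity
        self.last = clock()
        self.clock, self.sleep = clock, sleep
        self.lock = threading.Lock()

    def acquire(self, n=1):
        """Take n tokens, sleeping if the bucket is short. Returns seconds slept."""
        with self.lock:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
            self.tokens -= n                       # may go negative: a debt the refill pays off
            wait = 0.0 if self.tokens >= 0 else -self.tokens / self.rate
        if wait:
            self.sleep(wait)                       # outside the lock so other threads can queue up
        return wait


class ScanQueue:
    """Priority queue of targets drained by a bounded pool; lower priority number first."""
    def __init__(self, max_workers=10, packets_per_second=100, bucket=None):
        self.max_workers = max_workers
        self.bucket = bucket or TokenBucket(packets_per_second)
        self._heap, self._seq, self._lock = [], 0, threading.Lock()

    def add(self, target, priority):
        with self._lock:
            heapq.heappush(self._heap, (priority, self._seq, target))  # seq keeps FIFO among equals
            self._seq += 1

    def run(self, scan_fn):
        """scan_fn(target, bucket) -> result. Returns the pop order, the results and the
        peak number of simultaneously running scans (never above max_workers)."""
        order, results, stats = [], {}, {"active": 0, "peak": 0}

        def worker():
            while True:
                with self._lock:
                    if not self._heap:
                        return
                    _, _, target = heapq.heappop(self._heap)
                    order.append(target)
                    stats["active"] += 1
                    stats["peak"] = max(stats["peak"], stats["active"])
                try:
                    result = scan_fn(target, self.bucket)
                except Exception as exc:           # one bad host must not kill the run
                    result = f"error: {exc}"
                with self._lock:
                    stats["active"] -= 1
                    results[target] = result

        with ThreadPoolExecutor(max_workers=self.max_workers) as pool:
            for _ in range(self.max_workers):
                pool.submit(worker)
        return {"order": order, "results": results, "peak_concurrency": stats["peak"]}


def fake_scan(target, bucket):
    """Constructed stand-in for an Nmap run: spends 5 'packets' from the shared bucket."""
    bucket.acquire(5)
    time.sleep(0.005)
    return f"scanned {target}"


if __name__ == "__main__":
    queue = ScanQueue(max_workers=10, packets_per_second=100)
    queue.add("192.168.1.1", priority=0)           # router first
    for host in range(10, 30):
        queue.add(f"192.168.1.{host}", priority=1)
    print(queue.run(fake_scan))
```

Because every worker pops from one heap under one lock, the pop order is strictly by priority regardless of thread timing, and the shared bucket bounds the aggregate packet rate rather than each thread's rate, which is what the router's QoS and a home IDS actually see.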
Future Enhancements
- Automated Remediation: Integrate with IoT device APIs to apply security patches and change default passwords automatically (with user approval). Support for popular devices (Nest, Ring, Philips Hue).
- Machine Learning Anomaly Detection: Train a model on normal device behavior (traffic patterns, communication partners, bandwidth usage) and flag deviations as potential compromise indicators.
- Integration with Home Assistant: Publish device inventory and vulnerability scores to the Home Assistant smart home platform and trigger automations (disable a compromised device, alert via notification).
- Mobile App: iOS/Android app for vulnerability alerts, remote scan triggers and device management, with push notifications for new critical vulnerabilities.
- Firmware Vulnerability Scanning: Download firmware from vendor sites, extract the binaries, and run static analysis (Binwalk, Ghidra scripts) to find backdoors, hardcoded credentials and vulnerable libraries.
- Penetration Testing Mode: Optional exploit verification that attempts to exploit detected vulnerabilities (in a sandboxed environment) to prove exploitability and reduce false positives.
- Multi-Network Support: Manage multiple networks (home, office, parents' house) from a single dashboard, with optional cloud sync for accessing results remotely.
- Compliance Reporting: Generate formal compliance reports (PCI DSS, HIPAA) for small businesses and map vulnerabilities to compliance requirements.