Large-Scale IoT Devices Firmware Identification Based on Weak Password

The growth of Internet-connected IoT devices brings many security issues, such as DDoS, weak password and embedded malware. The vulnerability analysis is a critical strategy to prevent security issues. Due to technical exclusivity of diverse manufacturers, their firmware is hard to patch timely and respectively. Therefore, the vulnerability of the device is closely related to the device firmware version. The identification of the firmware version is an essential prerequisite for protecting these devices from attack. With the increasing of IoT devices, device firmware identification is still a critical challenge. In this paper, we propose a new firmware identification method by analyzing webpages content directly based on a weak password. We extract the characteristics of the login page to identify the device type and brand, and then use classification and page segmentation to identify the model and firmware version of the device. We evaluated 74,307 devices to verify the effectiveness of our proposed method. Experimental results show that our method achieves an accuracy of 95.97%, superior to the other methods.