Internet-wide studies provide extremely valuable insight into how operators manage their Internet of Things (IoT) deployments in reality and often reveal grievances, e.g., significant security issues. However, while IoT devices often use IPv6, past studies resorted to comprehensively scan the IPv4 address space. To fully understand how the IoT and all its services and devices is operated, including IPv6-reachable deployments is inevitable-although scanning the entire IPv6 address space is infeasible. In this paper, we close this gap and examine how to best discover IPv6-reachable IoT deployments. To this end, we propose a methodology that allows combining various IPv6 scan direction approaches to understand the findability and prevalence of IPv6-reachable IoT deployments. Using three sources of active IPv6 addresses and eleven address generators, we discovered 6658 IoT deployments. We derive that the available address sources are a good starting point for finding IoT deployments. Additionally, we show that using two address generators is sufficient to cover most found deployments and save time as well as resources. Assessing the security of the deployments, we surprisingly find similar issues as in the IPv4 Internet, although IPv6 deployments might be newer and generally more up-to-date: Only 39% of deployments have access control in place and only 6.2% make use of TLS inviting attackers, e.g., to eavesdrop sensitive data.

翻译：全网范围研究为运营商如何实际管理其物联网部署提供了极其宝贵的见解，并常常揭示出严重问题，例如重大的安全隐患。然而，尽管物联网设备常使用IPv6，以往的研究却只能全面扫描IPv4地址空间。要完全理解物联网及其所有服务与设备的运行状况，纳入IPv6可达的部署是不可避免的——尽管扫描整个IPv6地址空间并不可行。本文旨在填补这一空白，探讨如何最优地发现IPv6可达的物联网部署。为此，我们提出一种方法，能够结合多种IPv6扫描导向策略，以理解IPv6可达物联网部署的可发现性与普遍性。利用三个活跃IPv6地址源和十一种地址生成器，我们发现了6658个物联网部署。我们推断，现有地址源是寻找物联网部署的良好起点。此外，我们证明使用两种地址生成器足以覆盖大多数已发现的部署，并能节省时间与资源。通过对这些部署进行安全评估，我们意外地发现其问题与IPv4互联网中的情况相似，尽管IPv6部署可能更新且通常更现代化：仅有39%的部署实施了访问控制，只有6.2%使用了TLS协议，这无异于邀请攻击者（例如）窃听敏感数据。