Jordan is in the vulnerability scanning step because he has already moved past identification/cataloging (information gathering) and is now actively testing IoT devices for weaknesses such as outdated firmware, default credentials, and exposed/open service ports. In IoT hacking methodology, information gathering focuses on discovering devices, mapping the environment, identifying device types, interfaces, protocols, and versions, and understanding how data flows between endpoints, gateways, mobile apps, and cloud services. Once that baseline inventory exists, the next step is to assess the devices and their ecosystem components for known and observable security gaps.

The specific checks described are classic vulnerability scanning targets in IoT environments:

Outdated firmware can indicate known vulnerabilities, missing security fixes, and unpatched components.

Default passwords are a common IoT weakness and can enable trivial compromise when not changed.

Open service ports reveal exposed management interfaces or unnecessary services that can be enumerated or exploited.

Running “specialized tools” to systematically evaluate these elements is consistent with vulnerability scanning because it is structured assessment aimed at finding exploitable conditions, but it stops short of actually exploiting or establishing persistence.

Why the other options do not fit:

Information gathering (C) would focus on identifying devices and collecting details, not actively checking them for outdated firmware/default passwords/open ports as vulnerabilities.

Gain remote access (B) implies exploitation or obtaining unauthorized control/access, which the scenario does not indicate—he is checking and assessing.

Launch attacks (D) implies executing exploitation, disruption, or compromise steps. The question explicitly frames this as testing for weaknesses, not carrying out attacks.

Therefore, Jordan is performing A. Vulnerability scanning.