How Shodan Searches for Holes in The Internet of Things


Few people realize it, but most search engines index all kinds of things besides web pages and services. In fact, search engines can be used to find just about anything – from printers that can be controlled remotely to openly accessible web cams, and numerous other devices that are connected to the web without any protections in place. We can even access thousands of devices where the authentication information is located in the source, or devices which are known to use default passwords.

A search engine called Shodan helps to facilitate searches for this kind of information. CNN Money called it “the scariest search engine on the internet”, and once you understand what it’s capable of doing, you might be inclined to agree. Shodan is, if you like, a search engine for the Internet of Things, but more than that, it’s a search engine that crawls the web with one goal in mind – to identify vulnerable devices that can be accessed publicly one way or another. It primarily focuses on SCADA (supervisory control and data acquisition) systems, and is capable of finding anything from stand-alone workstations to wide-area networking configurations.

For the uninitiated, Shodan will probably be a little confusing. The easiest way to get started is to take a tour and see how it works, or else just view some of the most popular search queries for a better understanding of the results it provides. Among the examples are searches for routers whose original admin password was never changed, anonymous FTP servers, web services that use default passwords, and Cisco devices that don’t even have the most basic password protections in place.

Shodan works much the same as any other search engine, but it comes with a few unique bells and whistles that’ll help you to narrow your search down further. Filters include the ability to specify host names, ports, operating systems and locations. For example, the query country:us port:23 will return results for Telnet ports in the US only.

Top results for a search for devices with “anonymous access granted”
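The filter behaviour described above, as an added example (not Shodan's code and not part of the original article): a small Python matcher that applies key:value filters and quoted banner text to a constructed inventory of an organisation's own internet-facing services, the way a defender might triage a perimeter scan export. The record fields, the sample data and the substring rule for hostname are assumptions made for illustration.

```python
import shlex

# Constructed sample data: an organisation's own internet-facing services
# (documentation-range addresses, invented host names and banners).
INVENTORY = [
    {"ip": "192.0.2.10", "port": 23, "country": "US", "os": "Linux",
     "hostname": "gw1.example.com", "banner": "login:"},
    {"ip": "192.0.2.11", "port": 21, "country": "US", "os": "Linux",
     "hostname": "files.example.com", "banner": "230 Anonymous access granted"},
    {"ip": "198.51.100.7", "port": 23, "country": "FR", "os": "Linux",
     "hostname": "plc.example.net", "banner": "login:"},
    {"ip": "203.0.113.5", "port": 443, "country": "US", "os": "Windows",
     "hostname": "www.example.com", "banner": "HTTP/1.1 200 OK"},
]

# Filter kinds the article names: host names, ports, operating systems, locations.
FILTER_KEYS = {"hostname", "port", "os", "country"}

def parse_query(query):
    """Split a query into key:value filters and free-text banner terms."""
    filters, terms = {}, []
    for token in shlex.split(query):  # keeps a "quoted phrase" as one token
        key, sep, value = token.partition(":")
        if sep and key.lower() in FILTER_KEYS:
            filters[key.lower()] = value.lower()
        else:
            terms.append(token.lower())
    return filters, terms

def matches(record, filters, terms):
    """True only if every filter and every banner term matches the record."""
    for key, wanted in filters.items():
        actual = str(record[key]).lower()
        # Assumption: hostname is a substring match, other filters are exact.
        ok = wanted in actual if key == "hostname" else wanted == actual
        if not ok:
            return False
    banner = record["banner"].lower()
    return all(term in banner for term in terms)

def search(query, records=INVENTORY):
    """Return the IPs of records that satisfy the whole query."""
    filters, terms = parse_query(query)
    return [r["ip"] for r in records if matches(r, filters, terms)]

if __name__ == "__main__":
    print(search("country:us port:23"))
```

Each additional filter is combined with AND, which is why country:us port:23 drops the French Telnet host that port:23 alone would return.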

All of the results produced by Shodan are publicly available – there’s no cracking, hacking or decrypting stuff going on here – all it does is trawl through the net looking for vulnerable connected devices, then adds these to its growing database and makes them searchable. Its creator, John Matherly, says that Shodan is mainly used by businesses and security researchers, but there’s a good chance that hackers and other malicious persons could decide to abuse it.

Speaking at DEFCON last year, pentester Dan Tentler revealed a sample of the things he’d found using Shodan, including a car wash that could be turned on and off by anyone, the traffic control system for a city that he refused to name, and the control systems for a French hydroelectric plant.

The potential for abuse is significant, but in all fairness Shodan doesn’t really deserve any blame for this. The data it provides is publicly accessible anyway – Shodan just makes it easier to find. If anything, it’s a timely reminder of how lax people can be when it comes to matters of security.