Last Updated on 10 May 2022 by admin
Shodan has been dubbed by some to be the most dangerous search engine in the world, but has this title been rightfully earned? Or does Shodan simply outline how individuals and companies alike have unknown devices at risk of cyber-attacks? In this post, we will explore what Shodan is, how it’s being used, and show you how Informer’s platform can help you to mitigate these risks.
What is Shodan?
Shodan’s main use is searching for Internet of Things (IoT) devices such as security cameras, medical instruments, and more recently smart home appliances such as fridges and doorbells. Such devices often have little processing power, and there may be approximately 31 billion of them around today.
Unfortunately, they have also caused major security issues. These were first brought to public attention by the Mirai botnet, which was mostly formed of IoT devices and carried out one of the largest-scale Distributed Denial of Service (DDoS) attacks.
However, Shodan crawls the internet for all internet-connected devices – such as laptops, servers, printers, or any device with an IP address. This can prove immensely useful in uncovering poorly configured devices that may expose sensitive data.
How does Shodan work?
After you enter a search term, Shodan crawls the internet for any connected device with an IP address that matches your query. It will then present these results in a variety of categories, including locations, devices, and operating systems.
For example, you can search for “all unsecured smartphones” and Shodan will return devices that are publicly accessible and have their settings set to “unsecured.”
What can Shodan be used for?
Shodan is arguably the best search engine to find vulnerable systems on devices that are publicly exposed and that are not protected. It is commonly used among law enforcement agencies. You can also use it to find devices that have just recently been connected to the internet.
The devices that can be found often have these characteristics in common:
- Not protected by a password
- Not protected by a firewall
- Connected to the internet
- Not connected to a private network
- Have an open port
- Have recently been connected to the internet
Shodan can be used to find all of these things and more. If you have devices that aren’t protected and that have recently been connected to the internet, then Shodan is a great way to find them.
Why should you use Shodan?
Shodan is an excellent source for finding any of your devices connected to the internet that have vulnerable systems. These devices are often the first to be targeted by hackers who can use them to launch DDoS attacks or steal sensitive data. By scanning for these devices, enterprise organizations and security teams can learn which vulnerable devices need to be secured.
What can I expect to see?
One of the most prominent and daunting finds with the Shodan search engine was the presence of webcams and security cameras exposed with no authentication. A Wired article in 2013 was one of the first to bring this to attention and, in spite of this, 7 years later similar issues persist. While not as prevalent, a quick search reveals CCTV cameras are still exposed through Shodan.
In our previous blog post, we explored how Remote Desktop Protocol (RDP) exposure increased due to COVID-19. This is a common way for hackers to enter a network before performing a ransomware attack. Shodan’s own blog reported 8% of RDP services on their platform were vulnerable to a common RDP flaw. RDP is not the only vulnerable service, however; others such as Redis, MongoDB, MySQL and SMB are also all visible through Shodan.
What are the risks associated with exposed devices?
When devices are exposed to the internet, they become targets of mass cyber-attacks. The previously mentioned Mirai botnet was formed through IoT devices being exposed with default credentials.
Ransomware has seen a significant increase in recent years and the trend is continuing. The effectiveness of this type of attack can be attributed to insufficient asset management and lack of backups in both consumer and professional environments. By exposing devices with weak or misconfigured services, the likelihood of a ransomware attack also increases.
Whilst conducting research, we found a particularly interesting device through the Shodan search that we can use as a case study now. The device had databases exposed with no authentication. One of the databases present caught our attention, not for the data it stored, but because of its name:
The name READ_ME_TO_RECOVER_YOUR_DATA immediately suggests that this service has been subject to a ransomware attack and the contents of this database will contain the ransom note. This is a deeply saddening reality a lot of companies will face if they don’t take the appropriate measures to identify their attack surface and update their assets. Individuals could also be affected in similar ways, with personal files (such as photos) being encrypted in the same undiscriminating and ruthless manner as this database.
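An added example, not part of the original post or of Informer’s platform: a Python triage of Shodan-style results for your own address space against an asset inventory, flagging the services named above on their default ports and database names that resemble the ransom note in the case study. The records are constructed; `ip_str`, `port` and `timestamp` follow Shodan’s banner field names, while `db_names`, the networks and the inventory are assumptions made for the example.

```python
import ipaddress
import re

# Default ports of the services the article names (RDP, Redis, MongoDB, MySQL, SMB).
RISKY_PORTS = {3389: "RDP", 6379: "Redis", 27017: "MongoDB", 3306: "MySQL", 445: "SMB"}
# Heuristic for database names that look like a ransom note, as in the case study.
RANSOM_NAME = re.compile(r"read[_-]?me|recover|ransom|how[_-]?to[_-]?restore", re.I)

def triage(records, own_networks, inventory):
    """Return findings for records inside own_networks, most urgent first."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    findings = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in net for net in nets):
            continue  # not our address space: out of scope
        reasons = []
        if rec["ip_str"] not in inventory:
            reasons.append("not in asset inventory")
        service = RISKY_PORTS.get(rec["port"])
        if service:
            reasons.append(f"{service} reachable from the internet")
        # db_names is a hypothetical field holding the database names seen on the host.
        notes = [n for n in rec.get("db_names", []) if RANSOM_NAME.search(n)]
        if notes:
            reasons.append("ransom-note database: " + ", ".join(notes))
        if reasons:
            findings.append({"ip": rec["ip_str"], "port": rec["port"],
                             "seen": rec["timestamp"], "reasons": reasons,
                             "compromised": bool(notes)})
    # Probable compromise first, then the hosts with the most reasons.
    findings.sort(key=lambda f: (not f["compromised"], -len(f["reasons"])))
    return findings

# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 443, "timestamp": "2022-05-01T08:00:00"},
    {"ip_str": "203.0.113.25", "port": 3389, "timestamp": "2022-05-03T11:30:00"},
    {"ip_str": "203.0.113.40", "port": 27017, "timestamp": "2022-05-04T02:15:00",
     "db_names": ["admin", "READ_ME_TO_RECOVER_YOUR_DATA"]},
    {"ip_str": "198.51.100.7", "port": 445, "timestamp": "2022-05-04T09:00:00"},
]
OWN_NETWORKS = ["203.0.113.0/24"]
INVENTORY = {"203.0.113.10", "203.0.113.25"}

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, OWN_NETWORKS, INVENTORY):
        print(f["ip"], f["port"], f["seen"], "; ".join(f["reasons"]))
```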
The advantages of using Shodan
Shodan is a fast and easy way to find unprotected devices on the internet. It’s also a great way to discover which devices have open ports on them.
Shodan can also be used to find devices that have recently been connected to the internet. This can give you an early warning about a breach and helps you to take the necessary steps to prevent data loss.
Shodan is also very accessible. You can easily use it from a desktop, smartphone, or tablet.
Is Shodan dangerous?
It may come as a surprise to some that Shodan is a legal and readily usable tool. Exposing so many devices may seem counterproductive in preventing cybercrime, but Shodan isn’t the issue. Shodan simply highlights a larger problem: individuals and organizations not being aware of their cyber footprint and attack surface.
Shodan removes a layer of security whose effectiveness has long been debunked – security through obscurity. Hackers will always find the exposed service or device given time, and people should be securing their networks with this assumption.
Shodan is a search engine that is based on publicly accessible devices. It can be used to find unprotected devices, discover recently connected devices and create text to speech results if required. However, it is not capable of scanning for every single device connected to the internet.
It can, however, be used to find unprotected devices in your organisation which may not be secure and have recently been connected to the internet. With this data, you can act quickly to secure your devices and network from possible attacks.