Shodan: The Search Engine For Hackers


Shodan has been dubbed by some to be the most dangerous search engine in the world, but has this title been rightfully earned? Or does Shodan simply outline how individuals and companies alike have unknown devices at risk of cyber-attacks? In this post, we will explore what Shodan is, how it’s being used, and show you how Informer’s platform can help you to mitigate these risks.

What is Shodan?

Shodan’s main use is searching for Internet of Things (IoT) devices such as security cameras, medical instruments, and more recently smart home appliances such as fridges and doorbells. Such devices typically have little processing power, and there may be approximately 31 billion of them in use today. Unfortunately, they have also caused major security issues, which were first brought to public attention when one of the largest-scale Distributed Denial of Service (DDoS) attacks happened with the Mirai botnet, which was mostly formed of IoT devices.

Shodan is not limited to IoT, however: it crawls the internet for all internet-connected devices – laptops, servers, printers, or any device with an IP address. This can prove immensely useful in uncovering poorly configured devices that may expose sensitive data.

What can I expect to see?

One of the most prominent and daunting finds with the Shodan search engine was the presence of webcams and security cameras exposed with no authentication. A Wired article in 2013 was one of the first to bring this to attention and in spite of this, 7 years later similar issues persist. While not as prevalent, a quick search reveals CCTV cameras are still exposed through Shodan.

In our previous blog post, we explored how Remote Desktop Protocol (RDP) exposure increased due to COVID-19. This is a common way for hackers to enter a network before performing a ransomware attack. Shodan’s own blog reported that 8% of RDP services on their platform were vulnerable to a common RDP flaw. RDP is not the only vulnerable service, however: others such as Redis, MongoDB, MySQL and SMB are also all visible through Shodan.

What are the risks with exposed devices?

When devices are exposed to the internet they become targets of mass cyber-attacks. The previously mentioned Mirai botnet was formed through IoT devices being exposed with default credentials.

Ransomware has seen a significant increase in recent years and the trend is continuing. The effectiveness of this type of attack can be attributed to insufficient asset management and lack of backups in both consumer and professional environments. By exposing devices with weak or misconfigured services, the likelihood of a ransomware attack also increases.

Whilst conducting research, we found a particularly interesting device through the Shodan search that we can use as a case study now. The device had databases exposed with no authentication. One of the databases present caught our attention, not for the data it stored, but because of its name:

The name READ_ME_TO_RECOVER_YOUR_DATA immediately suggests that this service has been subject to a ransomware attack and that the contents of this database will contain the ransom note. This is a deeply saddening reality a lot of companies will face if they don’t take the appropriate measures to identify their attack surface and update their assets. Individuals could also be affected in similar ways, with personal files (such as photos) being encrypted in the same indiscriminate and ruthless manner as this database.
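To make the two points above concrete (the list of commonly exposed services, and a database name that signals an attack has already happened), here is an added defender-side triage script that is not part of the original post or of Informer’s platform. It takes a host record shaped like Shodan’s host JSON (the `ip_str`/`data`/`port` fields are real Shodan field names; the `mongodb` sub-structure and the sample record are constructed assumptions for this example) and returns findings a security team would want to act on for its own IP ranges.

```python
import re

# Ports of the services the post names as commonly exposed, with a short label.
RISKY_PORTS = {3389: "RDP", 6379: "Redis", 27017: "MongoDB", 3306: "MySQL", 445: "SMB"}

# Database names like READ_ME_TO_RECOVER_YOUR_DATA mean the service was already hit.
RANSOM_NOTE_RE = re.compile(r"READ_?ME|RECOVER|RESTORE", re.IGNORECASE)


def triage_host(host: dict) -> list[str]:
    """Return a list of findings for one Shodan-style host record.

    The record is assumed to carry 'ip_str' and a 'data' list of banners, each
    with 'port' and, for MongoDB, an optional 'mongodb' section holding an
    'authentication' flag and a 'listDatabases' result (shape is an assumption).
    """
    findings = []
    ip = host.get("ip_str", "?")
    for banner in host.get("data", []):
        port = banner.get("port")
        label = RISKY_PORTS.get(port)
        if label:
            findings.append(f"{ip}:{port} exposes {label}")
        mongo = banner.get("mongodb")
        if not mongo:
            continue
        if mongo.get("authentication") is False:
            findings.append(f"{ip}:{port} MongoDB accepts unauthenticated connections")
        for db in mongo.get("listDatabases", {}).get("databases", []):
            name = db.get("name", "")
            if RANSOM_NOTE_RE.search(name):
                findings.append(f"{ip}:{port} database '{name}' looks like a ransom note: assume compromise")
    return findings


# Constructed sample record (not real Shodan output) using a documentation IP range.
SAMPLE_HOST = {
    "ip_str": "198.51.100.7",
    "ports": [3389, 27017],
    "data": [
        {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
        {"port": 27017, "transport": "tcp", "product": "MongoDB",
         "mongodb": {"authentication": False,
                     "listDatabases": {"databases": [
                         {"name": "READ_ME_TO_RECOVER_YOUR_DATA"},
                         {"name": "customers"}]}}},
    ],
}

if __name__ == "__main__":
    for finding in triage_host(SAMPLE_HOST):
        print(finding)
```

Running it on the sample prints four findings: the exposed RDP and MongoDB ports, the missing MongoDB authentication, and the ransom-note database name flagged as a likely existing compromise.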

Is Shodan dangerous?

It may come as a surprise to some that Shodan is a legal and readily usable tool. Exposing so many devices may seem counterproductive in preventing cybercrime, but Shodan isn’t the issue. Shodan simply highlights a larger problem: individuals and organizations not being aware of their cyber footprint and attack surface.

Shodan removes a layer of security that has long been debunked as ineffective – security through obscurity. Hackers will always find the exposed service or device given time, and people should be securing their networks with this assumption.