Shodan is a powerful search engine that has gained a lot of attention in recent years within the cybersecurity community. Unlike traditional search engines like Google, Shodan is designed to search for devices and systems connected to the internet rather than web pages. It does this by scanning for open ports and identifying the types of devices and services connected to them.
IT and security professionals use Shodan to perform reconnaissance on their own systems, as well as to gather intelligence on potential vulnerabilities and threats. Shodan can help security teams identify exposed devices and systems that are at risk of being compromised, and it can be used to search for devices that may have been compromised and are being used as part of a botnet.
In this blog post, we’ll take a closer look at what Shodan is, how it works, and how IT and security professionals can use it to improve their security posture.
What is Shodan?
Shodan’s main use is searching for Internet of Things (IoT) devices such as security cameras, medical instruments, and more recently smart home appliances such as fridges and doorbells. Such devices often have little processing power, and there may be approximately 31 billion of them around today.
Unfortunately, they have also caused major security issues, which were first brought to public attention when one of the largest-scale Distributed Denial of Service (DDoS) attacks was carried out by the Mirai botnet, which was mostly formed of IoT devices.
However, Shodan crawls the internet for all internet-connected devices – such as laptops, servers, printers, or any device with an IP address. This can prove immensely useful in uncovering poorly configured devices that may expose sensitive data.
How does Shodan work?
After you enter a search term, Shodan crawls the internet for any connected device with an IP address that matches your query. It will then present these results in a variety of categories, including locations, devices, and operating systems.
For example, you can search for “all unsecured smartphones” and Shodan will return devices that are publicly accessible and have their settings set to “unsecured.”
What can Shodan be used for?
Shodan is arguably the best search engine to find vulnerable systems on devices that are publicly exposed and that are not protected. It is commonly used among law enforcement agencies. You can also use it to find devices that have just recently been connected to the internet.
The devices that can be found often have these characteristics in common:
- Not protected by a password
- Not protected by a firewall
- Connected to the internet
- Not connected to a private network
- Have an open port
- Have recently been connected to the internet
Shodan can be used to find all of these things and more. If you have devices that aren’t protected and that have recently been connected to the internet, then Shodan is a great way to find them.
Why do hackers use Shodan?
Shodan is an excellent source for finding any of your devices connected to the internet that have vulnerable systems. These devices are often the first to be targeted by hackers who can use them to launch DDoS attacks or steal sensitive data. By scanning for these devices, enterprise organizations and security teams can learn which vulnerable devices need to be secured.
What can I expect to see using Shodan search engine?
One of the most prominent and daunting finds with the Shodan search engine was the presence of webcams and security cameras exposed with no authentication. A Wired article in 2013 was one of the first to bring this to attention and in spite of this, 7 years later similar issues persist. While not as prevalent, a quick search reveals CCTV cameras are still exposed through Shodan.
In another blog post, we explored how Remote Desktop Protocol (RDP) exposure increased due to COVID-19. This is a common way for hackers to enter a network before performing a ransomware attack. Shodan’s own blog reported that 8% of RDP services on their platform were vulnerable to a common RDP flaw. RDP is not the only vulnerable service, however: others such as Redis, MongoDB, MySQL and SMB are also all visible through Shodan.
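For a security team checking its own footprint, the services named above can be triaged from an export of Shodan results. The following is an added example, not code from the original post or from Shodan: it filters banner records down to address ranges you own, flags the services listed above by default port, and marks anything absent from a previous audit as new. The field names ip_str, port and product are Shodan banner fields; the sample records, netblock and baseline are constructed.

```python
import ipaddress

# Default ports of the services the article names as commonly exposed.
# Port matching is a heuristic: services moved to other ports are not caught.
RISKY_PORTS = {3389: "RDP", 6379: "Redis", 27017: "MongoDB", 3306: "MySQL", 445: "SMB"}

# Constructed sample records using Shodan banner field names (ip_str, port, product).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 3389, "product": "Remote Desktop Protocol"},
    {"ip_str": "203.0.113.25", "port": 27017, "product": "MongoDB"},
    {"ip_str": "203.0.113.25", "port": 443, "product": "nginx"},
    {"ip_str": "198.51.100.7", "port": 6379, "product": "Redis"},  # not our range
    {"ip_str": "not-an-ip", "port": 445},                           # malformed
]
OWNED_CIDRS = ["203.0.113.0/24"]      # assumption: your own netblock
BASELINE = {("203.0.113.10", 3389)}   # assumption: exposure known from the last audit


def audit_exposure(banners, owned_cidrs, baseline=frozenset()):
    """Return risky services exposed on owned addresses, new exposures first."""
    networks = [ipaddress.ip_network(cidr) for cidr in owned_cidrs]
    findings = []
    for banner in banners:
        try:
            ip = ipaddress.ip_address(banner["ip_str"])
            port = int(banner["port"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed record: skip it rather than abort the audit
        if not any(ip in net for net in networks):
            continue  # outside the ranges we own, so out of scope
        service = RISKY_PORTS.get(port)
        if service is None:
            continue  # not one of the services we are triaging
        findings.append({
            "ip": str(ip), "port": port, "service": service,
            "product": banner.get("product", "unknown"),
            "new": (str(ip), port) not in baseline,
        })
    # New exposures sort first so they are reviewed before known ones.
    return sorted(findings, key=lambda f: (not f["new"], f["ip"], f["port"]))


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_BANNERS, OWNED_CIDRS, BASELINE):
        tag = "NEW" if f["new"] else "known"
        print(f'{tag:5} {f["ip"]}:{f["port"]} {f["service"]} ({f["product"]})')
```

Saving each run's (ip, port) pairs as the next baseline turns this into a simple change monitor for newly exposed services.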
What are the risks associated with exposed devices?
When devices are exposed to the internet, they become targets of mass cyber attacks. The previously mentioned Mirai botnet was formed through IoT devices being exposed with default credentials.
Ransomware has seen a significant increase in recent years and the trend is continuing. The effectiveness of this type of attack can be attributed to insufficient asset management and lack of backups in both consumer and professional environments. By exposing devices with weak or misconfigured services, the likelihood of a ransomware attack also increases.
Whilst conducting research, we found a particularly interesting device through the Shodan search that we can use as a case study now. The device had databases exposed behind no authentication. One of the databases present caught our attention, not for the data it stored, but because of its name:
The name READ_ME_TO_RECOVER_YOUR_DATA immediately suggests that this service has been subject to a ransomware attack and the contents of this database will contain the ransom note. This is a deeply saddening reality a lot of companies will face if they don’t take the appropriate measures to identify their attack surface and update their assets. Individuals could also be affected in similar ways, with personal files (such as photos) being encrypted in the same undiscriminating and ruthless manner as this database.
The advantages of using Shodan
Shodan is a fast and easy way to find unprotected devices on the internet. It’s also a great way to discover which devices have open ports on them.
Shodan can also be used to find devices that have recently been connected to the internet. This can give you an early warning about a breach and helps you to take the necessary steps to prevent data loss.
Shodan is also very accessible. You can easily use it from a desktop, smartphone, or tablet.
Is Shodan dangerous?
It may come as a surprise to some that Shodan is a legal and readily usable tool. Exposing so many devices may seem counterproductive in preventing cybercrime, but Shodan isn’t the issue. Shodan simply highlights a larger problem: individuals and organizations not being aware of their cyber footprint and attack surface.
Shodan removes a layer of security that has long been debunked as being effective – security through obscurity. Attackers will always find the exposed service or device given time and people should be securing their networks with this assumption.
Conclusion
Shodan is a search engine that is based on publicly accessible devices. It can be used to find unprotected devices, discover recently connected devices and create text to speech results if required. However, it is not capable of scanning for every single device connected to the internet.
It can, however, be used to find unprotected devices in your organization which may not be secure and have recently been connected to the internet. With this data, you can act quickly to secure your devices and network from possible attacks.
Frequently Asked Questions
Is Shodan legal to use?
Absolutely! Shodan is a legitimate tool that provides valuable insights into internet-connected devices. However, it’s important to use Shodan responsibly and adhere to ethical guidelines while leveraging its capabilities.
Can Shodan be used for malicious purposes?
While Shodan can provide information that could potentially be exploited by malicious actors, it is essential to note that Shodan itself is not a hacking tool. Its primary purpose is to enhance cybersecurity practices and empower organizations to secure their networks effectively.
Is Shodan only useful for large organizations?
No, Shodan can be valuable for organizations of all sizes. Whether you’re a small business or a large enterprise, Shodan’s capabilities can help you identify vulnerabilities, assess your security posture, and protect your digital assets.
Can Shodan replace traditional vulnerability scanners?
While Shodan offers powerful vulnerability assessment capabilities, it should not be seen as a replacement for traditional vulnerability scanners. Shodan can complement existing vulnerability management processes and provide additional insights into devices that may not be covered by traditional scanners.
Is Shodan only focused on IoT devices?
Although Shodan is often associated with IoT devices, it can scan and provide information about various other devices and services connected to the internet. Shodan’s scope extends beyond IoT and encompasses a wide range of networked devices.