Shodan: Diving into the Google of IoT Devices
Reading time: 11 minutes
In this day and age, IoT devices are just about anywhere and everywhere. It's not uncommon to find a smart TV, a WiFi router or even a webcam in the garage—not to mention all the other internet-connected devices we use every day.
Given the increasing need for remote/public-network access with IoT devices, we see an ever-growing list of security concerns. These include devices that aren't configured correctly or are simply too old, with security flaws in their firmware. You know that security camera that's been on the street corner since 2013? It's probably on the internet, too, with a major security flaw that allows anyone to connect to it and watch your street.
With an estimated 26-31 billion IoT devices currently in use, estimating a low figure of 1% for devices with security flaws connected to the public internet still gives us a staggering 260 million devices that can be compromised (or are already).
Security researchers are always on the lookout for such devices, to find any security holes before the bad guys do. But searching for 260 million devices on the internet is like looking for a needle in a haystack.
Scanning through 4,294,967,296 IPv4 addresses might be possible, but looking for devices which are operational only on IPv6 space is just about impossible to scan in any reasonable period of time, especially for a single person faced with 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses. But wait… we have Shodan!
- What is Shodan?
- Grabbing intelligence data with Shodan
- Shodan Filters
- Legality of Shodan
- Do I need to pay for Shodan?
- Is it possible to integrate Shodan into my personal projects?
- Final words
What is Shodan?
Simply put, Shodan is a search engine for IoT devices. Shodan crawls the internet all day and night looking for IoT devices and indexes them for easy reference via a simple search query. With this IoT device information, we're able to discover many, many things about the public internet-connected devices in our homes, offices and beyond.
The IoT device information available at Shodan unlocks various possibilities, including:
-
Security research
- Various IoT devices have their firmware versions listed right on the login page
- This means researchers can find devices running specific versions of firmware with known vulnerabilities and possibly contact ISPs to inform them of such vulnerabilities existing on their networks.
- Various IoT devices have their firmware versions listed right on the login page
-
Sales/Marketing research
- IoT devices also display their brands and model numbers right on the login pages and in the HTTP headers, which opens up sales and marketing research topics, like
- How many people use a brand X WiFi router?
- How many people use a smart television from X year?
- Such information gives sales/marketing people ideas for targeting certain regions with offers, to get them to purchase newer devices.
- IoT devices also display their brands and model numbers right on the login pages and in the HTTP headers, which opens up sales and marketing research topics, like
-
Consumer research
- IT managers, Red teams and Blue Teams, and general SOC teams at companies can look for devices they're about to purchase, to determine whether said devices have any known security issues (e.g., new large-scale on-campus security camera deployments).
- Users can watch for their own IP addresses to see if any device in their home is listed at Shodan as well. This acts as a security tool for finding home devices which don't need to be on the public internet space.
Grabbing intelligence data with Shodan
Using Shodan to gather intelligence data is super easy and straightforward. To begin, head over to Shodan's website, located at https://www.shodan.io/
Once we're at Shodan, we see the following menu bar at the top of the website:
Here we see two primary options, first a search box and second an explore option. These allow for a multitude of possibilities in finding intelligence data for IoT devices.
Using the "Search" feature
Whether we're looking for a specific IoT device brand or model, or for devices on a specific IP address, we can utilize the Search option by inputting a device name, device type (webcams, routers, etc.), IP address or just about anything that helps to identify the type of device we're looking for. Shodan will then locate any relevant devices found with the data input and display the result.
Using the "Explore" feature
If you're new to Shodan and just looking around for something interesting, using the Explore option is your best bet.
This option allows you to find devices, device categories and recently shared device lists which have been put together by other Shodan users. This includes nearly all of the popular IoT-based devices one can think of: webcams, routers, smart TVs and much more, pre-categorized and pre-listed, ready for you to explore.
Since we're new to Shodan, we'll proceed with finding IoT intelligence data, which can yield a good amount of information.
Upon clicking the Explore option, we find three sections:
Featured Categories
The Featured Categories lists contain devices most commonly looked for, in categories including Industrial Control Systems, Webcams, Routers, Smart TVs and the like. Grouping items into specific device types lets you streamline your information gathering process.
Top Voted
The Top Voted lists include some of the most popular devices categorized into one list. As you can see in the screenshot above, the Webcams list alone contains 12,143 devices.
This gives us an excellent amount of devices for gathering intelligence data right away, without having to hunt for IoT device models, manufacturers or network/IP address information to tell us what these IoT devices might be.
Recently Shared
The Recently Shared device list contains a frequently updated list of "trending" IoT devices. This list features IoT devices which are newly discovered, or devices that are popular and are being shared on Shodan. Keeping an eye on this list can help find devices that are just being discovered by other infosec researchers in real time.
This list is vital to many researchers as it is dynamic and constantly updated. Anytime a device is shared it appears on this list, and the more often a device is shared, the more often it appears on the list, giving infosec researchers a clear indication about devices that are being looked at for security vulnerabilities, or devices that may have been recently compromised.
Since this is the first time we're exploring Shodan, let's check out the "Top Voted" section.
At the time of this writing, the highest-voted list of devices was "Webcam", so we'll start there:
In this list we see a ton of webcams connected to the public internet, as well as their physical locations, IP addresses, the ISPs they're connected to, and some of the web technologies they use.
On our side, the very first IoT device (webcam) we see is one located in Wollerau, Switzerland with the IPv4 Address "164.128.164.65" connected to the public internet via the ISP Swisscom. Let's click on the IP address to move forward:
We see from the Explore page that the IoT device is categorized as a "webcam", and upon clicking on the IP we get redirected to a page with device information gathered by Shodan:
As you can see, the above page shows us a lot! Information like device location, ports found open on the device (21, 80, 81, 443, 7001, 7547, 8080, and many more), services running, web technologies used and known CVE vulnerabilities—all of this gives us a great head start on our research.
CVEs, open ports and web technologies give us a good idea about the device's age along with any possible security issues the device may have by operating on the public internet. Let's take a deeper look at the device information page.
Location of the device
The location where the device is physically placed is available right away, by tracing the location of the device's public IP address of the device. This also gives us the following information:
- City — The city where this device is located
- Country — The country where this device is located
- Organization — Indicates whether the device belongs to a company or is used at home for example,
- If we see a residential ISP name listed under the ISP organization, we can assume the device is at a home/residential complex
- If we see a company name listed under the ISP organization, we can assume the device is at an office/industrial complex
- ISP — The internet service provider to which this IP address belongs, and which connects the device to the public internet
- Last Update — Indicates when this device was last seen on the public internet and when Shodan last scanned and indexed the device into their database
- Hostname — If any custom name or domain name is associated with this device, the device's manufacturer or model name can frequently be found here
- ASN — The autonomous system number associated with this ISP
Exposed ports
The network ports open on this device are listed here too. Open ports can be mapped to common services which allows finding more vulnerabilities. For example:
- Port 80 and 443 are commonly used by web servers like Apache and Nginx, which can further be traced to find the version of the web server running on the device, to find any security issues there
- Port 22 or 23 being listed open indicates SSH and/or Telnet access being available to the device, which allows for the possibility of more security issues (like weak passwords, etc.)
Services running on the device
Commonly used services and port numbers are mapped out by Shodan. For example:
- Port 23 is mapped to Telnet
- Port 80 is mapped to HTTP
This information helps save time when trying to find open ports and services running on a device, as port scanning and mapping to services for a device can take a while with multiple devices to scan. Shodan has this information available right away, and for all devices.
Web technologies in use
Shodan lists any web frameworks, libraries and applications installed/used by this device. This allows for research into application-level security issues.
For example, a possible security issue on the device admin management interface due to a security hole found in the web framework used to build the management interface.
Vulnerabilities found
This is the most vital information we're looking for, found by looking at the software version running on the device (under the "Services" section). This tells us just about anything and everything the device is vulnerable to.
Shodan also maps the vulnerabilities found to a CVE which helps find more information, by searching for solutions, possible available patches, or notes in device firmware update changelogs.
Shodan Filters
Google, Bing, and many other search engines offer filters and commands. Shodan works in the same way, by using single-term searches such as:
- geo: used to specify geolocation coordinates
- country: for finding devices in any country
- city: for finding IoT devices in any city
- hostname: for finding hostnames matching this value
- os: for searches based on operating system
- port: used to unveil exposed open ports
- net: performs searches based on IP or CIDR
- before/after: explores results within a specific timeframe
Examples:
Discover apache servers in China:
apache country:"CN"
Discover Nginx servers in New York city:
nginx city:"New York"
Filters can also be used in combination, as in the following example:
apache city:"New York" port:"80" product:"Apache/2.4.7"
Legality of Shodan
Now one may wonder: with all this information available with only a few clicks, is Shodan legal? The answer is simply — yes!
Shodan is a data aggregator. In plain English, Shodan puts information together which can be found by running a few different tools. For example, running any Nmap commands on a public IP address will list for you the ports open/filtered on that device. Using other open source and freely available port scanner tools will give you the same results, but with the added complexity Shodan takes away.
Do I need to pay for Shodan?
Yes and no. If you're simply looking around and researching a handful of devices with the explore or search features, Shodan can be used for free.
If you're looking to scan devices or for vulnerabilities on an IP address/host which hasn't been scanned yet, you would need to pay for Shodan.
Is it possible to integrate Shodan into my personal projects?
Yes! Shodan has an API which can be used to integrate into your personal projects. Using the API can make automation of your tasks and scanning very easy; for example, you could simply have a text file of IPs to scan and via a python script push it to Shodan's API, then Shodan would scan those IPs and return the result to you. The possibilities are endless with the easy-to-use and extensible API available at Shodan.
Final words
In multiple fields of research, Shodan proves itself to be an excellent tool for gathering intelligence for cybersecurity and infosec, by being informative with a clean and simple user interface.
Shodan, once combined with our SecurityTrails toolkit, endures as a formidable package for your company's complete cybersecurity needs.
Ranging from research to real-time monitoring of your company's attack surface, the package provides you with an in-depth 360-degree perspective of your company's security overview.
