The IoT search engine, Shodan, has taken a lot of flak during its short life. The idea of a search engine that allows anyone to find and exploit internet-connected devices doesn’t seem to sit well with most people. But is that what this search engine is meant to do? Let’s talk about Shodan and what it’s all about.
What is Shodan? The IoT Search Engine Explained
What Is Shodan?
Simply put, Shodan is like Google but for every “thing” on the internet. In other words, Google is a search engine that indexes websites, while Shodan is a search engine that indexes everything else found on the internet. From your internet-connected printer to water treatment facilities, any object that can be connected to the internet can be found on Shodan. Usually, penetration testers and white hat hackers use the search engine to identify vulnerabilities in their clients’ networks, to identify infrastructure networks that shouldn’t be online, and to gain valuable data on IoT devices and their security.
How Detailed Are Shodan’s Results?
This search engine parses something called a “service banner” when indexing results. A service banner includes all of the metadata related to a particular device. Shodan uses a technique called banner grabbing to collect that metadata, which is already publicly available information, and includes it in your search results.
Usually, Shodan collects data from:
- Web servers (HTTP/HTTPS): by scanning ports 80, 8080, 443 and 8443
- FTP: by scanning port 21
- SSH: by scanning port 22
- SIP: port 5060
- IMAP: port 993
- Telnet: port 23
- SNMP: port 161
- SMTP: port 25
- RTSP (Real Time Streaming Protocol): port 554
Some of the metadata that can be found on a service banner include:
- The device’s name.
- Its IP address.
- The software running on the device.
- The service it provides.
- The default password/username combination for the device.
- The location/country the device is in.
- Any other metadata available.
As you can see, depending on each device’s service banner, Shodan can come back with results that can be dangerous for the owners of the searched-for devices.
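To make the two lists above concrete, here is an added example (not code from the original article or from Shodan) that parses constructed SSH, HTTP, FTP and Telnet banners the way a scanner would, pulls out the software, version and login prompt metadata the text describes, and turns it into a per-device exposure report that points at what the owner should fix. All hosts and banners are made-up sample data.

```python
import re

# Constructed sample banners (not from real devices), shaped like what a
# port scan returns from an exposed device. Ports follow the list above.
SAMPLE_BANNERS = {
    ("192.0.2.10", 22): "SSH-2.0-OpenSSH_7.4\r\n",
    ("192.0.2.10", 80): ("HTTP/1.1 401 Unauthorized\r\nServer: lighttpd/1.4.35\r\n"
                         'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n'),
    ("192.0.2.10", 23): "\r\nlogin: ",
    ("192.0.2.11", 21): "220 (vsFTPd 3.0.3)\r\n",
}

def parse_banner(port, banner):
    """Extract the metadata a raw service banner gives away for free."""
    info = {"port": port, "service": None, "software": None,
            "version": None, "auth_realm": None}
    m = re.match(r"SSH-[\d.]+-([A-Za-z]+)[_-]?(\d[\w.]*)?", banner)
    if m:
        info.update(service="ssh", software=m.group(1), version=m.group(2))
    elif banner.startswith("HTTP/"):
        info["service"] = "http"
        for line in banner.split("\r\n")[1:]:       # header lines only
            name, _, value = line.partition(":")
            if name.lower() == "server":
                sw, _, ver = value.strip().partition("/")
                info.update(software=sw, version=ver or None)
            elif name.lower() == "www-authenticate":
                realm = re.search(r'realm="([^"]*)"', value)
                info["auth_realm"] = realm.group(1) if realm else None
    elif port == 21 and banner.startswith("220"):
        m = re.search(r"\(?([A-Za-z]+)\s+v?([\d.]+)", banner)
        info.update(service="ftp", software=m.group(1) if m else None,
                    version=m.group(2) if m else None)
    elif port == 23 or "login:" in banner.lower():
        info["service"] = "telnet"
    return info

def exposure_report(banners):
    """Group parsed banners by host and flag what a defender should fix first."""
    report = {}
    for (host, port), raw in banners.items():
        info = parse_banner(port, raw)
        flags = []
        if info["service"] == "telnet":
            flags.append("cleartext login service exposed")
        if info["auth_realm"]:
            flags.append("web login prompt exposed; check for default credentials")
        if info["version"]:
            flags.append("software version disclosed; verify it is patched")
        info["flags"] = flags
        report.setdefault(host, []).append(info)
    return report
```

Run against your own device's banners, the flags map directly onto the remediation steps later in this article (default credentials, exposed management services, patching).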
Is Shodan Legal?
Yes, this search engine is completely legal. Why? Because it’s not really doing anything on its own.
Let me explain.
When Shodan searches the internet for certain devices, it port scans the devices to get their service banners. In other words, it simply scans all of the open ports these devices are running on and comes back with readable and structured search results. These results are already found on open ports without Shodan’s help; the engine itself doesn’t do anything with the information it finds.
Port scanning is not illegal and doesn’t violate the Computer Fraud and Abuse Act. Google, for example, tailors its search results based on a specific algorithm and presents the information found in ways that it feels would most benefit a particular user. Shodan doesn’t do that. All a search result really does is expose vulnerable devices and systems, nothing more and nothing less. So yes, Shodan and its methodology are completely legal.
How Can Shodan Be Dangerous?
It doesn’t take a lot of thinking to figure out that this search engine can be very dangerous when used by hackers or bad actors. The amount of information that a simple search result can bring back is enough to hand total control of a device to a complete stranger. The fact that the default username/password combination shows up, coupled with the reality that most people don’t change their default credentials, makes it easy for anyone to take control of such a device.
How To Benefit From Shodan
Can someone use this search engine to find targets for hacks? Yes, but that doesn’t mean you can’t be one step ahead of them. Since Shodan doesn’t do anything other than show the already public information each device has, you can use the engine to check on what vulnerabilities your devices have.
This way, you’ll have a basic understanding of the security measures you should be taking to protect those devices. Some of the measures you should consider taking include:
- Changing the default password and username. This is information that is publicly available, and keeping the defaults will only make it easier for a bad actor to access your devices.
- Disabling your router’s remote management. This can be done through your router’s configuration page. This will hide your router’s configuration page from the public’s eye.
- Turning off port forwarding. This can also be done through your router’s configuration page. Ideally, you don’t want to have any forwarded ports, but pay extra attention to ports 21, 222 and 3389.
- Stop connecting devices to the internet. If you don’t really need an internet connection to use the device, I suggest you keep it offline. Most IoT devices come with a slew of vulnerabilities, and not all of them can be fixed on the user’s end.
- Update your devices ASAP. While not all IoT devices have proper security measures in place, some do. Make sure to always update your devices to the latest security version so that they are covered against both old and new threats.
What Is Shodan? – Final Thoughts
So, does Shodan put your device’s information at risk? In a way, yes, but that’s not what it’s for. When used correctly, this search engine offers security researchers, white hat hackers and penetration testers a tool that helps promote security by uncovering common vulnerabilities. It also helps regular users figure out how secure their devices really are. As scary as this search engine has been made out to be, following standard security measures is enough to keep a regular internet user safe and secure, even when using IoT devices.