Shodan: Still the Scariest Search Engine on the Internet? 

In April 2013, CNN introduced the world to Shodan, a search engine for internet-connected devices, in an article titled “Shodan: The scariest search engine on the Internet.” CNN described how Shodan was used to find vulnerabilities: “… control systems for a water park, a gas station, a hotel wine cooler, and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.”

The article stated that these devices had almost no security, and gave two main reasons. First, most of these IoT devices were built cheaply in an effort to stay competitive in the market. Second, neither internet connectivity nor cybersecurity had been part of the devices’ initial design.

But the Shodan scare and the dismal state of IoT device security were way back in 2013; since then, Shodan has become synonymous with internet searches for connected devices. Surely, by now we have learned a thing or two about cybersecurity and attack surface management. Right?

Nine years after the publication of that infamous article, Shodan is still trending. It remained a popular search term on Google in 2021, and Cognyte’s research from the same year found that it was the subject of 75 news articles and over 4,000 posts on Dark Web hacking forums, mostly relating to malware and vulnerability scanning. While Shodan remains the most popular site of its kind, competitors such as BinaryEdge, Censys and ZoomEye are making a name for themselves in the domain. These search engines typically work by scanning the entire internet IP range for connected devices and letting users search the collected device information, including open ports, SSL certificates, vulnerabilities and so on.

These search engines are still mainly used to scan the internet for exposed devices and their vulnerabilities, and that scanning is done by security researchers and threat actors alike. While plenty of devices can still be found this way, there are not as many as there used to be, and fewer of the sensitive ones can be found or accessed.

A security researcher using Shodan to find exposed AD controllers. Source: https://twitter.com/lkarlslund/status/1511727317365800963

Another step toward securing the internet has been the widespread adoption of SSL certificates, which have become all but mandatory for websites to work properly in browsers. According to the website Web Tribunal, there are around 176,000,000 SSL certificates on the internet today, about a 10% increase since last year. While this is an encouraging statistic, searches in engines such as Shodan reveal that, in most cases, many devices can still be reached directly by IP address. Attackers have also successfully bypassed SSL in a number of different social engineering attacks.

Using Shodan to Find Vulnerabilities

One interesting trend of the last couple of years is the use of IoT search engines like Shodan in other areas of cybersecurity research and attack surface management. Security researchers widely use these search engines to detect databases that were accidentally exposed to the internet, where anyone could access and download their content, and then to find the underlying vulnerabilities. Shodan can also be used to detect and locate malware command-and-control servers, the machines threat actors use to control malware. In several cases, security researchers have detected these servers and disabled or even taken control of them, undermining attackers’ operations.

A Shodan query used to detect the command-and-control servers of malware. Source: https://twitter.com/MichalKoczwara/status/1434959090338484224

Shodan and its ilk can be more than just scary internet search engines. While bad actors can use them to find anything from smart refrigerators to ships connected to the internet, their power can also be used for good. Security teams, SOCs and CISOs can use these tools to gain a better understanding of their organization’s exposure to the outside world. Such an understanding helps focus teams’ responses to security events, guides them when working with other departments in the organization and improves decisions about resource allocation.

These search engines can also help security researchers and law enforcement agencies (LEAs) in the battle against cyberattacks. Organizations can use Shodan and its competitors to map national risks, detect botnets and malware command-and-control servers, monitor rogue servers, detect data leaks before they become breaches, and more.
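The exposure mapping the two paragraphs above describe can be automated on the defender’s side. The script below is an added example, not code from the article, Cognyte or Shodan: it compares Shodan-style host records for an organization’s own addresses against an expected-exposure baseline and reports unexpected services, hosts tagged with known vulnerabilities and expired certificates. The records and baseline are constructed, the field names follow Shodan’s host JSON (`ip_str`, `ports`, `vulns`, `data[].port`/`product`/`ssl`) as an assumption about that format, and the CVE id is a placeholder.

```python
"""Flag unexpected exposure in Shodan-style host records (added example)."""
from collections import namedtuple

# Constructed baseline: the ports each of "our" addresses is supposed to expose.
# In practice this comes from the organization's asset inventory.
EXPECTED_PORTS = {
    "203.0.113.10": {443},      # public web server
    "203.0.113.25": {25, 587},  # mail relay
}

# Constructed records modelled on Shodan's host JSON (field names assumed,
# values invented; the CVE id is a placeholder, not a real identifier).
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "ports": [443, 3389],
     "vulns": ["CVE-PLACEHOLDER-1"],
     "data": [
         {"port": 443, "product": "nginx", "ssl": {"cert": {"expired": True}}},
         {"port": 3389, "product": "Remote Desktop Protocol"},
     ]},
    {"ip_str": "203.0.113.25", "ports": [25, 587],
     "data": [
         {"port": 25, "product": "Postfix smtpd"},
         {"port": 587, "product": "Postfix smtpd", "ssl": {"cert": {"expired": False}}},
     ]},
]

# kind is "unexpected_port", "known_vulns" or "expired_cert"; port is None per-host
Finding = namedtuple("Finding", "ip port kind detail")


def review_exposure(records, expected_ports):
    """Return one Finding per unexpected port, vulnerability-tagged host, expired cert."""
    findings = []
    for rec in records:
        ip = rec["ip_str"]
        allowed = expected_ports.get(ip, set())  # unknown host: nothing is expected
        for svc in rec.get("data", []):
            port = svc["port"]
            if port not in allowed:
                findings.append(Finding(ip, port, "unexpected_port", svc.get("product", "?")))
            if svc.get("ssl", {}).get("cert", {}).get("expired"):
                findings.append(Finding(ip, port, "expired_cert", "certificate expired"))
        if rec.get("vulns"):
            findings.append(Finding(ip, None, "known_vulns", f"{len(rec['vulns'])} CVE tag(s)"))
    order = {"unexpected_port": 0, "known_vulns": 1, "expired_cert": 2}  # worst first
    return sorted(findings, key=lambda f: (order[f.kind], f.ip, f.port or 0))


if __name__ == "__main__":
    for f in review_exposure(SAMPLE_RECORDS, EXPECTED_PORTS):
        print(f"{f.ip:14} {f.kind:16} port={f.port} {f.detail}")
```

Run against live data, the records would come from Shodan’s host lookup for the organization’s own netblocks, and any host missing from the baseline is reported in full because nothing is expected of it.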

When the good guys use the same tools as threat actors to find their own vulnerabilities, they impair the attackers at several stages of the attack: reconnaissance, collection, command-and-control and exfiltration. This strategy can narrow the effectiveness gap between attacker and defender and give organizations a fighting chance at stopping attacks in their tracks.

Ran Levy

Ran Levy is a senior Cyber Threat Intelligence team lead at Cognyte, the global leader in investigative analytics software that empowers governments and enterprises with Actionable Intelligence for a Safer World. He has over eight years of security experience and is a leading expert in threat intelligence. Previously he held positions in the Cyber Threat Intelligence (CTI) field at SenseCy Cyber Intelligence Ltd. He holds an MA in Security Studies and a BA in Political Science and Philosophy.