Shodan has been dubbed by some “the most dangerous search engine in the world”, but has this title been rightfully earned? Or does Shodan simply show how individuals and companies alike have unknown devices at risk of cyber attack? In this post we will explore what Shodan is, how it is being used and how Informer's platform can help you mitigate these risks.
What is Shodan?
Shodan’s main use is searching for Internet of Things (IoT) devices such as security cameras, medical instruments and, more recently, smart home appliances such as fridges and doorbells. Such devices typically have little processing power, and there may be approximately 31 billion of them in use today. Unfortunately, they have also caused major security issues, which were first brought to public attention when one of the largest Distributed Denial of Service (DDoS) attacks to date was carried out by the Mirai botnet, which was mostly made up of IoT devices.
Shodan is not limited to IoT, however: it crawls the internet for all internet-connected devices, such as laptops, servers, printers or any other device with an IP address. This can prove immensely useful in uncovering poorly configured devices that may expose sensitive data.
What can I expect to see?
One of the most prominent and daunting finds on the Shodan search engine was the presence of webcams and security cameras exposed with no authentication. A Wired article in 2013 was one of the first to bring this to public attention and, in spite of this, similar issues persist 7 years later. While not as prevalent, a quick search reveals that CCTV cameras are still exposed through Shodan.
In our previous blog post, we explored how Remote Desktop Protocol (RDP) exposure increased due to COVID-19. Exposed RDP is a common way for hackers to enter a network before launching a ransomware attack. Shodan’s own blog reported that 8% of the RDP services indexed on their platform were vulnerable to a common RDP flaw. RDP is not the only vulnerable service, however; others such as Redis, MongoDB, MySQL and SMB are all visible through Shodan too.
What are the risks with exposed devices?
When devices are exposed to the internet they become targets of mass cyber attacks. The Mirai botnet mentioned above was formed from IoT devices that were exposed to the internet with default credentials.
Ransomware has seen a significant increase in recent years and the trend is continuing. The effectiveness of this type of attack can be attributed to insufficient asset management and a lack of backups in both consumer and professional environments. Exposing devices that run weak or misconfigured services further increases the likelihood of a ransomware attack.
Whilst conducting research, we found a particularly interesting device through Shodan that serves as a case study here. The device had databases exposed with no authentication. One of the databases present caught our attention, not for the data it stored, but because of its name:
The name “READ_ME_TO_RECOVER_YOUR_DATA” immediately suggests that this service has been subject to a ransomware attack and that the contents of this database are the ransom note. This is a deeply saddening reality that many companies will face if they do not take the appropriate measures to identify their attack surface and keep their assets up to date. Individuals could be affected in similar ways, with personal files (such as photos) being encrypted in the same indiscriminate and ruthless manner as this database.
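The exposures discussed above (internet-facing RDP, datastores with no authentication, camera streams, and a database whose name is really a ransom note) can be triaged automatically once you have an inventory of your own internet-facing services. The following is an added example written for this post; it is not Informer's code and not Shodan output. It assumes a constructed inventory export with hypothetical fields (`ip`, `port`, `service`, `auth_required`, `databases`) and uses the 192.0.2.0/24 documentation range, so no real hosts are involved. The ransom-note name pattern is a heuristic built around the case-study name and should be tuned to your environment.

```python
import re
from dataclasses import dataclass

# Constructed sample inventory (not real Shodan output). Assumption: an asset
# discovery export with one record per open service and the hypothetical
# field names below; 192.0.2.0/24 is the documentation range.
SAMPLE_INVENTORY = [
    {"ip": "192.0.2.10", "port": 3389, "service": "rdp", "auth_required": True, "databases": []},
    {"ip": "192.0.2.11", "port": 27017, "service": "mongodb", "auth_required": False,
     "databases": ["admin", "orders", "READ_ME_TO_RECOVER_YOUR_DATA"]},
    {"ip": "192.0.2.12", "port": 6379, "service": "redis", "auth_required": False, "databases": []},
    {"ip": "192.0.2.13", "port": 443, "service": "https", "auth_required": True, "databases": []},
    {"ip": "192.0.2.14", "port": 554, "service": "rtsp", "auth_required": False, "databases": []},
]

# Heuristic: a ransom note left in place of data tends to carry a name like
# the one in the case study. Tune this pattern to your own naming conventions.
RANSOM_NOTE_NAME = re.compile(
    r"READ_?ME|RECOVER|RESTORE|HOW_?TO_?(DECRYPT|RESTORE)|PLEASE_?READ", re.IGNORECASE
)

DATASTORE_SERVICES = {"mongodb", "redis", "mysql", "elasticsearch"}
REMOTE_ACCESS_SERVICES = {"rdp", "smb", "vnc", "telnet"}
CAMERA_SERVICES = {"rtsp"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    severity: str
    reason: str


def triage(records):
    """Turn inventory records into findings, most severe first."""
    findings = []
    for rec in records:
        ip, port = rec["ip"], rec["port"]
        service = rec.get("service", "").lower()
        auth = rec.get("auth_required", False)
        dbs = rec.get("databases", [])

        # Indicator that the host may already be compromised: a ransom-note
        # style database name where the data used to be.
        suspicious = [name for name in dbs if RANSOM_NOTE_NAME.search(name)]
        if suspicious:
            findings.append(Finding(ip, port, "critical",
                "possible ransom note in place of data: " + ", ".join(suspicious)))

        # Exposure findings: the conditions the post describes as risky.
        if service in DATASTORE_SERVICES and not auth:
            findings.append(Finding(ip, port, "high",
                f"{service} reachable with no authentication"))
        if service in REMOTE_ACCESS_SERVICES:
            findings.append(Finding(ip, port, "high",
                f"{service} exposed to the internet (common ransomware entry point)"))
        if service in CAMERA_SERVICES and not auth:
            findings.append(Finding(ip, port, "high",
                "camera stream exposed with no authentication"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.ip, f.port))


def summarise(findings):
    """Count findings per severity so the report can lead with the worst."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.severity:<8} {f.ip}:{f.port:<5} {f.reason}")
    print(summarise(results))
```

Run against the constructed inventory, the script reports one critical finding (the MongoDB host carrying the ransom-note database) and four high findings; the HTTPS host with authentication produces nothing. The point of ordering by severity is that an "already encrypted" indicator should be handled as an incident before the merely exposed services are remediated.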
Is Shodan dangerous?
It may come as a surprise to some that Shodan is a legal and readily available tool. Exposing so many devices may seem counterproductive to preventing cyber crime, but Shodan isn’t the issue. Shodan simply highlights a larger problem: individuals and organisations are not aware of their cyber footprint and attack surface.
Shodan strips away a layer of ‘security’ that has long been debunked as ineffective: security through obscurity. Given time, hackers will always find an exposed service or device, and people should be securing their networks on that assumption.
How Informer can help
The Informer platform can help you effectively and efficiently manage your evolving attack surface by allowing you to discover all of your internet-facing assets. Continuous asset discovery alerts you in real time to new services added to your IT environment, which you can then scan and monitor according to asset criticality, for both web applications and infrastructure. Any new vulnerability detected comes with a detailed breakdown of the issue, complete with evidence and remediation advice, to help you resolve the problem quickly.
Tyler Sullivan, Security Consultant
Tyler is a Security Consultant at Informer. During his degree in computer science, Tyler’s main focuses were on cyber security and machine learning.