What is Shodan? Is It An IoT Engine?

shutterstock_309003941
Shodan? What is it? How does it work? Do you need it?

Is Shodan the Internet of Things search engine that everyone needs but never knew wanted?

Well, the truth is that a lot of media sources on the internet have given Shodan an unhealthy amount of slack during the short lifespan it has had.

The problem with the simple idea of having a search engine which enables anyone and everyone to search for, find and perhaps even exploit all nearby internet-enabled devices actually does not sound good.

That is especially true in the case of those online consumers who are concerned about their privacy.

However, the real question that one should try and answer is:

Is the Shodan search engine meant to search for and find internet-connected user devices?

In order to answer that question, we would like to talk a bit about Shodan first before we move ahead to tell our readers what Shodan is all about.

What is Shodan?

In the simplest of terms, Shodan is a search engine.

But let’s go into more details.

Readers should think of Shodan as a Google for each and everything that has connected to the internet.

For comparison’s sake, Google is the world’s best search engine when it comes to indexing websites properly.

On the other hand, Shodan is a new online search engine which indexes each and everything that is not a website and found in the online world.

And there are lots of things which are not ‘websites’ but still have something to do with the internet.

Just to take an example, the internet has generated each and everything in our lives, from water treatment facilities to your regular printer.

Everything now has access to the internet.

And this is where Shodan does its work.

Anything that you can connect to the internet is something that you can find on Shodan.

Most of the times, it is the white hat hacking community along with penetration testers that make use of the Shodan search engine in order to identify security vulnerabilities which might be present in the networks of their clients.

They may also take the help of Shodan to identify various pieces of network infrastructure that, according to the needs of their clients, should have no connection to the internet.

Apart from that, people working in the cyber security industry can gain a ton of valuable data on various Internet of Things devices and all the problems related to their security.

shutterstock_603274976

Are the results on Shodan detailed enough?

Our research shows that the Shodan search engine actually passes a little something that the community calls a service banner while it is indexing search results.

So what is a service banner?

A service banner is essentially an amalgamation of all the metadata that is related to a given internet-enabled device.

Shodan makes use of something that the community calls banner grabbing in order to collect as much metadata as is possible.

Now, readers need to understand here that this metadata is actually already available on the internet as public information.

Shodan takes all of that and then includes the information in the search results to the user’s query.

Most of the time though, Shodan only goes through the process of collecting data from the following sources,

  • Real Time Streaming Protocol or RTSP: port 554.
  • SIP : port number 5060
  • SMTP : port number 25
  • SNMP : port number 161
  • Telnet : port number 23
  • IMAP : port number 993
  • SIP : port number 5060
  • SSH : port number 22 via scanning.
  • FTP : port number 21 via scanning.
  • HTTPS/HTTP web servers via scanning port number 8443, 443, 8080, 80.

Now, a portion of the metadata which search engines like Shodan can find on any given service banner may include,

  • The country or location that the internet-enabled device is currently present in.
  • The default username and/or password combination that a given device may be using.
  • The service which the device provides to the user.
  • The actual software and its version that is running on the given internet-enabled device.
  • The device’s current IP address.
  • The name of the internet-enabled device in question.
  • Any other type of available metadata.

As readers of this guide can probably tell on their own, all really depends on a given internet-enabled device’s own service banner.

Shodan can study that and potentially show search results which may prove as a threat to the owners of the internet-enabled and searched-for devices.

That leads us to the obvious question.

shutterstock_1155563722

Is using Shodan legal?

And the obvious answer to that obvious question is yes.

 

Shodan is utterly legal.

Glad we could clear that up for you.

But how is it completely legal?

Well, Shodan is legal because Shodan, on its own, does nothing.

Everything comes from someplace that already exists on the internet.

Let’s explain that a bit.

We have already mentioned the fact that Shodan searches the world of the internet for certain internet-enabled devices.

The port Shodan make use of scans the internet-enabled devices to obtain information about the devices’ service banners.

To put it in simpler terms, Shodan runs a simple scan of each and every port that almost all Internet of Things run on.

After doing that, the scan comes back with various search results which are both structured and readable.

Now, the thing you need to understand here is that the results Shodan scan comes back with are already available on various open ports even without any help from services like Shodan.

That is why we said that Shodan on its own does nothing.

It does nothing apart from showing information that is already available.

In other words, Shodan finds already-available information.

Moreover, our research also shows that activities such as port scanning are not illegal.

Such activities in no way violate anything that is mentioned in the Computer Fraud and Abuse Act.

To take an example, Google does a terrific job of tailoring its search results which are actually based on a very specific algorithm.

After doing that, Google presents all the information that it has found on the internet in ways that Google feels would provide the most benefit to a given online user.

Now, we are aware of the fact that Shodan does not do any of that.

All that a simple search result actually does is that it exposes vulnerable systems and devices.

It does nothing less and nothing more.

After reading all of that, it should not be hard for anyone to understand that Shodan and all the methodology that it makes use of are absolutely legal.

Is Shodan dangerous?

That depends.

On one hand, you do not have to think too long or too hard to actually figure out if a given search engine like Shodan can become a very useful tool for hackers and all other types of bad actors on the internet.

The sheer amount of ‘useful’ information that Shodan returns as a result of a simple search can actually be enough for someone with enough skills to take full control of a given internet-enabled device.

Shodan is a fantastic tool for people who are complete strangers to have total control of the user’s device.

Moreover, the main problem with search results on Shodan is that, it displays the default combination for username and password for the internet-enabled device in question.

Combine that with the fact that very few users take the time out to change their default login credentials and it is easy to see how some bad actor would try to use the weakness to take control of the user’s internet enabled device.

How to use Shodan

Here is the question that is probably on your mind right now:

Can you use a search engine like Shodan to find targets and hack devices?

The short answer is yes.

However, that in no way means that you cannot protect yourself from people who may want to hack your device using a service like Shodan.

In fact, there are lots of things that you can do right now to protect your devices, stay two steps ahead of hackers and not become victim to various hacks.

shodan_iot

Now, we have already mentioned the fact that Shodan on its own does not do any of the stuff that a search engine like Google does.

It only shows the results which are already available publicly regarding each internet-enabled device.

That goes in your favor in the sense that you can use Shodan search engine to, in reality, check on all the possible security vulnerabilities of your Internet-enabled devices.

Following such a route, you can actually gain a pretty good basic understanding of all the security measures that you should take in order to protect your devices.

Here is a short list of the things that you can do right now to take advantage of and protect yourself against Shodan all at the same time.

Change your device’s default username and password

Remember, this information is readily available in various places on the internet publicly.

So if you do not change the default login credentials once you buy an internet-enabled device, you only help hackers to have an easier time breaking into and accessing your device.

Disable remote management option on your router.

You can easily do that through the main configuration page of your wifi router.

Once you do that, you will effectively hide your WiFi router’s main configuration page and hence everything else from the eye of the public.

Port forwarding: Turn it off

You can easily do that via your router’s main configuration page.

In an ideal situation, you would want to not have any of the ports forwarded.

However, you must pay some extra consideration to port number 3389, 222 and 21.

Don’t connect devices to the internet willy nilly

Think carefully about whether or not you need to connect to the internet on a given device in order get some work done.

If you do not then the best course of action is to simply turn it off.

At this point in time, perhaps you do not need us to remind you that Internet of Things devices come with lots of features and a slew of security vulnerabilities.

Moreover, you can’t really do much to take care of these security vulnerabilities from your end.

Update all your IoT devices as soon as possible

Now, it is true that a ton of IoT devices do not have proper security protocols in place to protect users and their data but some of them do.

So if you happen to have such devices then you need to make sure you update them properly and in a timely manner.

Moreover, we would like to mention here that you should keep an eye out for those device’s manufacturer to roll out new updates.

The majority of the IoT devices, current ones at least, do not update on their own.

It is on you to update them to the latest version.

That is the only way to make sure that you are safe against threats old and new.

Conclusion: What is Shodan

So to answer the question of whether or nor services such as Shodan put your IoT devices at risk, yes.

It does, in a way.

However, the creators of Shodan did not have this use in their minds when they developed this service.

If one is only making use of Shodan for what it should be used and in the correct manner, our research shows that Shodan, the search engine, offers white hat hackers along with penetration testers and security researchers a great tool to assist and promote security.

Shodan comes in by providing people with the tools necessary to uncover common security vulnerabilities.

It is also true that Shodan can help users to figure out how bad their device really is in terms of security and safety.

We know that some of you may still find Shodan as something scary.

But it is not.

At least not as much as some media sources have tried to make it.

The thing we want you to understand here is that if you take proper and rather standard security measures then these should prove enough to keep your IoT device safe and in working order.

That is all that a regular internet user needs to do.

IoT devices are the future and instead of kicking them away because of their security vulnerabilities, we need to embrace them, care for them, improve them and benefit from them.

 

Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Leave a Comment