Shodan.io is a unique search engine dedicated to indexing internet-facing devices. Created by developer John Matherly in 2009, Shodan differs from Google in that it allows users to easily sort through and view information such as exposed network devices and servers, IoT, live video feeds (CCTVs, nanny cameras, etc.), and databases. It has sections devoted to vulnerable devices using default credentials (think admin:admin), lists of exploits and the brands/models affected by them, and filters for location, specific vulnerabilities, services, and types of devices. There’s even a section dedicated to exposed ICS/SCADA systems.
With all of these publicly available devices, it’s no wonder that the Mirai botnet (the one that took down DynDNS via an IoT-based DDoS in 2016) was so successful. But with that in mind, it’s interesting to consider the purpose or the benefits of a product such as Shodan. After all, there are countless sensationalist articles on how hackers are using it to watch you through your teddy bears, smart TVs, and toasters. So what’s its purpose?
Shodan’s primary user base consists of security researchers. In that sense, Shodan is doing exactly what it was developed to do: aid researchers and white hats in making the internet more secure. With capabilities such as these, Shodan can of course also be used for malicious purposes. That said, there is one major change users can make in order to ensure a more secure experience:
CHANGE YOUR PASSWORD.
It’s that easy. Remember the devices mentioned above with default credentials? They’re a huge problem and make up an unfortunate chunk of the information returned by Shodan. Anything connected to the internet should be protected with a strong password, not the default—this especially includes corporate networks and anything affiliated with SCADA. Simple hardening steps like this reduce what Shodan can see and index about a device and, more importantly, keep it more secure.
Thankfully, some device developers are beginning to force users to create their own password upon setup, thus avoiding the default-password conundrum. Now if only our home routers and SCADA sysadmins did the same. So gather your tinfoil hats and pitchforks: the internet is most definitely watching and listening, but if you’re vigilant, you can avoid ending up on Shodan’s search engine of shame.
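To make the "force a password at setup" idea concrete, here is an added example of what that onboarding logic can look like on the device side. It is illustrative code written for this post, not firmware from any real vendor: the factory credential, the common-password deny list, the 12-character minimum and the `Device` class are all constructed for the example. The device refuses every login until the owner has replaced the factory password, rejects the default and other trivially guessable choices, and stores only a salted PBKDF2 hash rather than the password itself.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example: the credential this hypothetical device ships with.
FACTORY_USERNAME = "admin"
FACTORY_PASSWORD = "admin"

# Small constructed deny list; a real product would use a much larger one.
COMMON_PASSWORDS = {"admin", "password", "123456", "12345678", "default", "root", "1234"}

MIN_LENGTH = 12          # assumed policy value for this example
PBKDF2_ITERATIONS = 600_000


class SetupRequiredError(Exception):
    """Raised when a login is attempted while the factory credential is still active."""


class WeakPasswordError(ValueError):
    """Raised when the chosen password fails the setup policy."""


def check_password_policy(username: str, candidate: str) -> None:
    """Reject the factory default, common passwords, and passwords built on the username."""
    lowered = candidate.lower()
    if candidate == FACTORY_PASSWORD:
        raise WeakPasswordError("the factory default password may not be kept")
    if lowered in COMMON_PASSWORDS:
        raise WeakPasswordError("password is on the common-password list")
    if username.lower() in lowered:
        raise WeakPasswordError("password must not contain the username")
    if len(candidate) < MIN_LENGTH:
        raise WeakPasswordError(f"password must be at least {MIN_LENGTH} characters")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the device stores salt + hash, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Device:
    """Hypothetical device whose management interface is locked until first-time setup."""

    def __init__(self) -> None:
        # Fresh out of the box: factory credential present, setup not completed.
        self.setup_complete = False
        self.username = FACTORY_USERNAME
        self._salt, self._hash = hash_password(FACTORY_PASSWORD)

    def complete_setup(self, new_password: str) -> None:
        """First-boot step: the owner must pick a password that passes the policy."""
        check_password_policy(self.username, new_password)
        self._salt, self._hash = hash_password(new_password)
        self.setup_complete = True

    def authenticate(self, username: str, password: str) -> bool:
        # Until setup is done nothing but setup is allowed, so the default
        # credential can never be used to log in to the running device.
        if not self.setup_complete:
            raise SetupRequiredError("set a password before the device accepts logins")
        if username != self.username:
            return False
        _, digest = hash_password(password, self._salt)
        # Constant-time comparison of the stored and freshly derived hashes.
        return hmac.compare_digest(digest, self._hash)


if __name__ == "__main__":
    dev = Device()
    try:
        dev.authenticate("admin", "admin")
    except SetupRequiredError as exc:
        print(f"login blocked: {exc}")
    dev.complete_setup("correct horse battery staple")
    print("owner login:", dev.authenticate("admin", "correct horse battery staple"))
    print("default login:", dev.authenticate("admin", "admin"))
```

The important property is in `authenticate`: the check for `setup_complete` comes before any password comparison, so a device that was plugged in and forgotten never answers to admin:admin, which is exactly the population of devices the search engine's default-credential lists are built from.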