Shodan: how to keep your webcam or oven from being hacked

11/06/19

Shodan is a search engine created by Swiss computer scientist John Matherly that lets you locate any device connected to the Internet that has a security hole, such as an open port.

You may have ended up here by looking for a Shotokan Karate style kata. Or you may have searched Heian Shodan! on Google, but this post isn’t about that.

Shodan has nothing to do with Karate; it is a search engine for devices connected to the Internet of Things (IoT).

Which devices do I have access to?

With the rise of automation, the number of connected devices is immense. Shodan works as a web page with filters by city, type of port… and browsing it is as easy as browsing any other website.

So, the answer to which devices you can access is quite simple: each and every one that has not had security policies applied. That is, the ones that still have default usernames and passwords such as “admin/admin” or “1234”, or that have left certain ports open and exposed to the Internet.

Accessing unsecured webcams through Shodan

Some of the most compromising information we can reach from Shodan’s home page is the list of unsecured webcams. You don’t need to be a hacker: just by clicking “Top Voted” and selecting “Webcam” we can see a list of unprotected cameras.

On the left of the page a world map appears, shaded according to where more or fewer devices with vulnerable information can be found. That is, devices without security. You can filter by Country, Service, Organisation or Product. On the right side you find the results of the filtering, showing the type of device with its geolocation and a trace of the existing communication with the device.

For example, if you open the first VIDEO WEB SERVER result, you can see its geolocation in extraordinary detail. When zooming in on the map, you can even see the building where that device is located and the ASN (Access Service Node) that supplies its Internet connection.

Careful: if you enter any of them you may find confidential information. The fact that they are not protected does not mean you are authorized to use them.

That’s it, any type of device can be found in Shodan, even ATMs or ships navigating in the middle of the ocean. It is pretty scary, but it has an easy solution.

First rule to protect your devices

Many things we purchase are connected to the Internet. It’s the era of the Internet of Things. Just as search engines like Shodan allow you to access unprotected cameras, they also let us check whether we have an unprotected device, and protect it. Ideally, though, you would protect it as soon as you take it out of the box.

To start off, set a username and password different from the default ones. Each device has a different way of carrying this process out, but it will take you about 2 minutes. Log in to the device’s web interface and change the default username and password of, for example, your webcam. Do the same with every device you have connected to the Internet that has username/password access: the robot vacuum, the oven, lighting, the fridge… They’re all susceptible to being hacked if they’re unsafe.

Extra protection will take you about 2 minutes but will save you from bigger problems in the future. For the router, I recommend you set it so that only a few MAC addresses can connect to it. It’s the only way to ensure that only authorized devices can access it.

How to check whether your device is on Shodan

Checking whether any of your devices are on Shodan is quite easy. Thanks to minds committed to cybersecurity, we have a useful analysis tool built on Shodan: the Internet of Things Scanner.

And click the “Check if I am on Shodan” button.

If everything is under control you will see this:

[Screenshot: IoT Scanner showing that you are not public on Shodan]

In the opposite case, better not to find out. It will show an error page saying “You are public on Shodan”. Plus, it tells you how many of your devices are unsecured and gives you a Security Guide to protect them.
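If you would rather script this check for your own public IP address, the following added example (not part of the original post or of any Shodan tool) reviews a record shaped like the JSON returned by Shodan's host lookup API (`/shodan/host/{ip}`) and lists what to fix. The sample records, the address `203.0.113.10`, and the port-to-advice table are constructed for illustration.

```python
import json

# Assumption for illustration: services a home device rarely needs to expose
# to the whole Internet, paired with the fix recommended in this post.
RISKY_PORTS = {
    23: "Telnet: disable it and change the default password",
    80: "Web admin page: change default credentials or close the port",
    554: "RTSP video stream: require a password or close the port",
    8080: "Alternate web admin page: change default credentials or close the port",
}

# Constructed sample, shaped like a Shodan host lookup record for your own IP.
SAMPLE_HOST_JSON = """
{
  "ip_str": "203.0.113.10",
  "ports": [554, 8080, 443],
  "data": [
    {"port": 554, "transport": "tcp", "product": "Example RTSP camera"},
    {"port": 8080, "transport": "tcp", "product": "Example video web server"},
    {"port": 443, "transport": "tcp"}
  ]
}
"""

# Constructed sample of the answer for an address with nothing indexed.
NOT_INDEXED_JSON = '{"error": "No information available for that IP."}'


def review_exposure(raw_json):
    """Return (is_public, findings) for one host record."""
    record = json.loads(raw_json)
    if "error" in record or not record.get("data"):
        return False, []  # nothing indexed: not public on Shodan
    findings = []
    for service in sorted(record["data"], key=lambda s: s["port"]):
        port = service["port"]
        findings.append({
            "port": port,
            "product": service.get("product", "unknown"),
            "action": RISKY_PORTS.get(port, "Confirm this service is meant to be public"),
        })
    return True, findings


if __name__ == "__main__":
    public, findings = review_exposure(SAMPLE_HOST_JSON)
    print("Public on Shodan:", public)
    for f in findings:
        print(f"  port {f['port']:>5}  {f['product']:<28} -> {f['action']}")
```
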

Check if your username or password has been stolen in any security breach such as Collection#1.

I hope that after reading this post none of your devices show up on Shodan. If they do, remember the recommendations that I just gave you: avoid default usernames and passwords. The more people know about the existence of Shodan, the greater the awareness and the less vulnerable we will be.

Author: Joan Rodríguez

Santander Global Tech