404 Tech Support

Shodan – the search engine for Internet-connected devices

Shodan, taking its name from the AI in the System Shock video game series, is a search engine for devices reachable on the Internet. The index is built by crawlers scanning the web 24/7 looking for devices that are reachable on standard ports.

This is a valuable resource to understand the security of your organization. You might have some devices intentionally exposed to the Internet, like a web or email servers, but the rest should be behind a firewall. Shodan gives you an outside perspective to make sure your perimeter is secure. In case somebody has connected a device that you do not know about or obsolete rules are exposing new servers, you will want to be aware and take appropriate action.

Shodan is simple to use. Just visit Shodan.io and enter your query like Google. For more capabilities, you can create a free account. This will allow you access to the first 5 pages of results and the ability to use filters to search by registered organizations, devices, software servers, or subnets. I looked at the whole range of my organization’s network and was able to audit the results to find interesting cases like webcams, VNC, OpenSSH, and even remote desktop. Prompt action can seal the door before it is taken advantage of and a procedure review can try to prevent rogue devices or old records from causing the problem again.

The IoT botnet is just one example of where this information could be useful. Security camera DVRs, routers, and other Internet of Things devices with default passwords were reigned under control and made part of a botnet to make significant websites inaccessible. If you scanned your network and saw an unknown device or port that was open to the web and it shouldn’t be (perhaps you have to connect to VPN first), you could remove these devices from being pawns of the botnet masters. For an even interface than Shodan, you can visit Bullguard’s IoT scanner to search your IP address for an entry on Shodan – no account required. You can then kick off a “deep scan” to do an active check to look for any known vulnerabilities at your IP address.

You can assume you are operating securely or you can search and be more sure.