What You Should Already Know About Shodan

Shodan is an account-based search engine that searches for, and provides information about, internet-connected devices.

Use and misuse

Originally intended to help companies monitor where their software was being used, it is generally used today to gain access to or information about devices and systems. Searches can notify companies of weaknesses in their own databases. The most common vulnerabilities are default, system-wide passwords and logins, user-generated passwords such as “12345678”. These predictable entry points, coupled with the massive amount of devices whose username is “admin”, can easily allow outside access to an entire network.

Shodan users have been able to defrost hockey rinks in Denmark, reconfigure traffic control systems, and, more personally, access individual’s webcams and remotely access their screens.

Securing your devices

Insulating yourself or at least certain devices from Shodan searches can be simple enough. A device that isn’t connected to the public internet will not be searchable. Some devices are much more reliant on internal communication through educational or corporate networks, and may not need public internet access. Obviously this is not the case with most personal devices. Secure passwords are the next step. Any program or network that provides a default password or login should be changed after logging in. Not doing so is a blatant invitation for a device to be found on shodan (and accessed by a third party). A Shodan search for “default password” provided over 61,000 results at the time of writing. In some cases the username and password were the same. 

Shodan’s investigative reach

Shodan itself is only a port scanner; it searches for processes that can be initiated, but does not initiate anything itself, and is therefore legal and widely used for security and legal data mining. In the same way that Google offers an overwhelming feeling of access to information, Shodan’s tagline, “The search engine for security/the web/webcams/refrigerators/power plants/buildings” should be reason enough to consider how much you or someone else can know about any of your devices that are connected to the internet.