What is Shodan?

Having a life without ‘Google’ is hard to imagine today. We would be lost without the popular search engine in our lives. The popular retort “Google it” is always on our lips for any query posed by anybody. While Google searches for web sites, there is another search engine that is slowly gaining prominence. This is ‘Shodan’. ‘Shodan’ is a search engine for ‘IoT’ or ‘Internet of things’.

Internet of things or ‘IoT’:

Before we start discussing ‘Shodan’ let us first explain ‘IoT’. Recall, that we have already discussed ‘IoT’ in an earlier post. ‘Internet of things’ can be defined in two words – “connect” and “monitor”. Devices, buildings, vehicles will be embedded with sensors to enable them to connect with each other and also exchange data with each other.  IoT also enables the user to remotely turn on appliances and devices.
Wikipedia defines IoT as follows: “The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items – 
embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data” (Internet of things). “Smart refrigerator”, “smart lights” and “smart coffeemaker” are a few examples of IoT devices.

Why Shodan?

“Shodan” launched in 2009, and originally conceived in 2003 is the brain child of John Matherly who was a computer security whiz.  By means of ‘Shodan’ one can search for servers, routers, power plants, smart TVs, refrigerators, traffic lights, baby monitors and anything that can be tracked on the Internet (sound scary?)  

It was originally created so that organizations could keep track of customers using their products, their location and also to perform “empirical market intelligence”.

webcam-security-20160127

 The possibility of ‘Shodan’ being misused by hackers seeking to find critical infrastructure and cause monetary and physical damages is huge. However, ‘Shodan’ tries to be accountable by showing only 10 results for users not logged in and 50 results for users who are logged in. More results are shown after a fee is paid and the reason for the search is revealed. Thus each individual is accountable and other mechanisms are enabled to prevent anonymous access.

Example of search results with ‘Shodan’:

The search results of ‘Shodan’ when presented with the query of ‘default password’, is astounding. It shows the devices using the default username of ‘admin’ and default password of ‘password’ around the world. This is a hacker’s heaven wherein the devices (like traffic lights, baby monitors, medical devices) can be exploited and be controlled remotely.

Pros and cons of Shodan:

 ‘Shodan’ has been created with good intentions for use by pen testers, security professionals and researchers for data collection that will help them to make intelligent business decisions. It can also help pen testers to seek the vulnerabilities within their organization that are open to Shoden crawlers and seal them.

However, the search results can also spur hackers and devious mind individuals to seek this information and use it for more malicious purposes.

We saw ‘Shoden’ – the crawler for ‘IoT’ devices in our post today. For more information visit: https://www.shodan.io. We will discuss more technical topics in subsequent posts.

Bibliography
Internet of things. (n.d.). Retrieved from Wikipedia.

About Pavan Gumaste

Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top