Shodan is a free security tool helping defenders keep track of all the computers on their network that are directly accessible from the Internet. Shodan makes it easy to search a subnet or domain for connected devices, open ports, default credentials, even known vulnerabilities.

While most search engines only index the web, Shodan indexes internet-connected devices; from webcams, printers and routers to wind turbines, central heating systems, and even command and control systems for nuclear power plants. Using a network of 24 computers nested in service providers across the world, Shodan reaches out and methodically probes machines across the globe. It then attempts to connect to the machines. If a connection is made, Shodan “fingerprints” the machine, recording its software, geographic location and other data contained in the identification “banner” displayed by devices on the Internet.

What is striking about this is that very few of these devices have any kind of security built into them. Many devices publicly announce their default passwords or have no password authentication in place at all!

A quick search using the filter ‘port:554 has_screenshot:true’ returns a feed of images from vulnerable webcams across the world. Shodan also lets you search for devices vulnerable to specific exploits, such as Heartbleed.

Image from a vulnerable web cam in Germany

Image from a vulnerable web cam in Germany

Shodan, bad or good?

The real value of Shodan lies in helping defenders gain greater visibility into their own networks and keep track of internet-connected devices on their networks. You can’t defend yourself unless you know what you are defending.

Searchers have located command and control systems for nuclear power plants and a particle-accelerating cyclotron and even found that a city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. With the help of Shodan, these unsecured, connected devices and services were identified and those that operate them alerted to their vulnerability before they could be utilised by threat actors.

Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It is free to use, though the number of results is capped to just 10 results without an account, and 50 with an account.

Bad actors may use it as a starting point but cybercriminals typically have access to botnets that are able to achieve the same task without detection.

A Word from Shodan’s Creator

John Matherly, creator of Shodan said, “Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage. It also shows that the online world is more interconnected and complex than anyone fully understands, leaving us more exposed than we previously imagined.”