When we don’t find something on Google, we declare that it doesn’t exist. But according to the founder of Shodan, that statement is not necessarily true. He believes that when something is not searchable on Google, the probability of finding it on Shodan is much higher than usual.
Shodan may be the world’s most unusual and scariest search engine, one of a kind. Instead of looking for content on the web, Shodan scans the infrastructure behind it and tries to find assets such as servers, printers, webcams, routers and even iPhones connected to the internet.
(Shodan is experiencing heavy traffic and may be slow at times.)
Shodan crawls the 500 million devices that are connected to the internet, 24×7. It can quickly list all the security cameras, home automation systems, traffic lights, spy cameras and even remotely controlled heating systems connected to the internet. Although it only provides IP addresses and open ports, that information is enough for anyone with sufficient knowledge to eavesdrop on their operation.
On Shodan, one can find anything from control systems in gas fuel stations and water supply to nuclear power systems. This includes something as critical as a nuclear accelerator exposed to the public internet, waiting to be abused from anywhere in the world.
Even though such devices have some sort of security built into them, according to cybersecurity researchers these measures are far from keeping such systems secure.
Shodan showcases how discoverable such devices are, and how prone we are to all kinds of attacks from around the globe. To give you an example, if you search for “default password” on Shodan, it will reveal thousands of servers, systems, printers and routers configured with the default user “admin” and the default password “password”. To access these resources, all you have to do is fire up your browser, open the IP address and log in with the default credentials.
Shodan is actively used by security researchers and unethical hackers alike. They are able to quickly look up water heaters, automated door locks, temperature controls, etc. and take them over in minutes.
Shodan for Pentesters (from DEFCON 18)
It doesn’t stop here. In some countries (names withheld) the whole traffic control system can be taken over and monitored from the web. Pentesters have reported successfully controlling the traffic control system in such countries.
So Shodan sounds very scary, doesn’t it? Yes, it is. But there’s a limit to it. By default it lists only 10 results. If you sign up, search results go up to 50. If you need to go further, Shodan asks you for a justification and a fee that won’t fit everyone’s pocket.
When Josh Matherly, creator of Shodan, was asked how he feels about putting this information into public hands, he confidently admitted that the information was already widely available but harder to search. He just made it easier, and the whole intent is to raise awareness so that these devices evolve and become more secure over time. Till then, you guard your boundaries yourself!
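One way to act on that advice is to check Shodan’s results against your own address space rather than someone else’s. The script below is an added example, not code from the original post or from Shodan; it assumes the response shape of Shodan’s search API (a "matches" list whose entries carry ip_str, port and the raw banner in "data") and runs offline on a constructed sample.

```python
import ipaddress
import json

# Constructed sample in the shape of a Shodan search API response.
# Addresses and banners are invented for this example (documentation ranges).
SAMPLE_RESULTS = json.dumps({
    "matches": [
        {"ip_str": "203.0.113.10", "port": 23, "transport": "tcp",
         "data": "Router login: admin\r\nPassword: password\r\n"},
        {"ip_str": "203.0.113.25", "port": 80, "transport": "tcp",
         "data": "HTTP/1.1 200 OK\r\nServer: PrinterWeb/1.0\r\n"},
        {"ip_str": "198.51.100.7", "port": 22, "transport": "tcp",
         "data": "SSH-2.0-OpenSSH_8.9\r\n"},
    ]
})

# Banner fragments that suggest factory credentials (illustrative, not exhaustive).
DEFAULT_CRED_HINTS = ("default password", "password: password", "admin/admin")


def own_exposures(results_json, own_cidrs):
    """Return the matches whose IP lies inside one of our own netblocks.

    Each hit records the port Shodan saw open and whether the banner
    contains a default-credential hint, so the owner can prioritise fixes.
    """
    nets = [ipaddress.ip_network(c) for c in own_cidrs]
    hits = []
    for m in json.loads(results_json).get("matches", []):
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in n for n in nets):
            continue  # somebody else's device: not our audit scope
        banner = m.get("data", "").lower()
        hits.append({
            "ip": m["ip_str"],
            "port": m["port"],
            "default_creds_hint": any(h in banner for h in DEFAULT_CRED_HINTS),
        })
    return sorted(hits, key=lambda h: (ipaddress.ip_address(h["ip"]), h["port"]))


if __name__ == "__main__":
    for hit in own_exposures(SAMPLE_RESULTS, ["203.0.113.0/24"]):
        print(hit)
```

Against the sample, only the two 203.0.113.0/24 hosts are reported, and the Telnet banner on .10 is flagged for a default-credential hint.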
Learn more about Shodan searches.