In April 2013, CNN introduced Shodan, a search engine for Internet-connected devices, to the world by publishing an article titled “Shodan: The Internet’s Scariest Search Engine.” CNN described how Shodan was used to find vulnerabilities: “… control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle accelerator cyclotron using Shodan.”
The article said that these devices had almost no security; the lack of security was due to two main reasons. First, most of these IoT devices were manufactured cheaply in an effort to remain competitive in the marketplace. Second, internet connectivity and cybersecurity were absent from the initial design of these devices.
But the Shodan scare and the dismal state of IoT device security date back to 2013; ever since, Shodan has been synonymous with Internet searches for connected devices. Surely, by now we have learned a thing or two about cybersecurity and attack surface management. Right?
Nine years after that infamous article was published, Shodan is still trending. It remained a popular search term on Google in 2021, with Cognyte research from the same year finding it the subject of 75 news articles and over 4,000 Dark Web hacking forum posts, mostly related to scanning activities, vulnerabilities and malware. While Shodan remains the most popular site of its kind, competitors like BinaryEdge, Censys, and ZoomEye are making a name for themselves in the domain. These search engines typically work by scanning the entire IP range for connected devices, allowing users to search for device information including open ports, SSL certificates, vulnerabilities, etc.
These search engines are still primarily used to scan the Internet for open devices and their vulnerabilities. This type of scanning is used by both security researchers and threat actors. And while there are still several devices to be found, there aren’t as many as there used to be; fewer sensitive devices can be found or accessed this way.
Figure: Security researcher using Shodan to find exposed AD drivers. Source: https://twitter.com/lkarlslund/status/1511727317365800963
Another step that has been taken to secure the Internet is the implementation of SSL certificates, which have become almost mandatory for websites to work properly in browsers. According to the website Web Court, there are about 176,000,000 SSL certificates on the Internet today, an increase of about 10% from last year. While this is an encouraging statistic, searches on engines like Shodan reveal that in most cases the IP addresses of these devices are still directly accessible. In fact, attackers have successfully bypassed the use of SSL in several different social engineering attacks.
Using Shodan to find vulnerabilities
An interesting trend in recent years is the use of IoT search engines like Shodan in other aspects of cybersecurity research and attack surface management. These search engines are widely used by security researchers to detect databases that were accidentally exposed to the Internet, allowing anyone to access and download their content, and subsequently find vulnerabilities. Shodan can be used to detect and locate malware command and control servers, devices used by threat actors to control malware. In several cases, security researchers were able to detect these servers, disable them, or even take control of them, potentially undermining attackers’ operations.
Figure: A query in Shodan used to detect malware command and control servers.
Shodan and its ilk may be more than just terrifying Internet search engines. While these search engines can be used by bad actors to find anything from smart refrigerators to Internet-connected boats, their power can also be used for good. Security teams, SOCs, and CISOs can use these tools to better understand their organization’s exposure to the outside world. Such an understanding can help focus teams’ responses to security events, direct them when working with other departments in the organization, and improve resource allocation decisions.
These search engines can also help security researchers and law enforcement agencies (LEAs) in the battle against cyber attacks. Organizations can use Shodan and its competitors to map national risks, detect botnets and command-and-control servers for malware, monitor raw servers, detect data leaks before they become breaches, and more.
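As an added example (not code from the article, and not Shodan’s own tooling), the script below shows the defensive use described in the last two paragraphs: scoping a Shodan query to an organization’s own netblock and triaging the results for exposed databases, remote administration services, banners matched to known vulnerabilities, and missing or expired TLS. The `net:` and `org:` search filters and the `matches` / `ip_str` / `port` / `product` / `vulns` / `ssl` fields follow Shodan’s public API; the sample records, the 203.0.113.0/24 addresses (a documentation range) and the CVE id are constructed placeholders, and `fetch_live` is only there to show where real API results would come in (it needs the `shodan` package and an API key, and is not run here).

```python
"""Triage Shodan-shaped search results for an organization's own address space.

Added example: record layout mirrors Shodan's search JSON, but every value
below is constructed. Addresses come from the 203.0.113.0/24 documentation
range and the CVE id is a placeholder, not a real vulnerability.
"""
import ipaddress
from collections import Counter

# Services that should never face the Internet directly, keyed by default port.
DATABASE_PORTS = {27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis",
                  5432: "PostgreSQL", 3306: "MySQL", 1433: "MSSQL"}
REMOTE_ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}
PLAINTEXT_WEB_PORTS = {80, 8080}

# Constructed sample shaped like a Shodan search() response (hypothetical org).
SAMPLE_RESULTS = {
    "total": 4,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx",
         "hostnames": ["www.example.test"], "ssl": {"cert": {"expired": False}}, "vulns": {}},
        {"ip_str": "203.0.113.20", "port": 27017, "transport": "tcp", "product": "MongoDB",
         "hostnames": [], "vulns": {}},
        {"ip_str": "203.0.113.30", "port": 80, "transport": "tcp", "product": "Apache httpd",
         "hostnames": ["legacy.example.test"], "vulns": {"CVE-0000-0000": {"verified": False}}},
        {"ip_str": "203.0.113.40", "port": 5900, "transport": "tcp", "product": "VNC",
         "hostnames": [], "vulns": {}},
    ],
}


def build_query(netblock, org=None):
    """Build a Shodan query scoped to the organization's own address space.

    The netblock is validated first so a typo cannot silently widen the search
    to somebody else's address space.
    """
    network = ipaddress.ip_network(netblock, strict=True)  # ValueError on bad input
    query = f"net:{network.with_prefixlen}"
    if org:
        query += f' org:"{org}"'
    return query


def triage(results, netblock):
    """Turn search results into prioritized findings, dropping anything outside netblock."""
    network = ipaddress.ip_network(netblock, strict=True)
    findings = []
    for match in results.get("matches", []):
        ip = ipaddress.ip_address(match["ip_str"])
        if ip not in network:
            continue  # not our asset; never report on other people's hosts
        port = match.get("port")
        base = {"ip": str(ip), "port": port, "product": match.get("product", "unknown")}
        if port in DATABASE_PORTS:
            findings.append({**base, "severity": "high",
                             "reason": f"{DATABASE_PORTS[port]} reachable from the Internet"})
        if port in REMOTE_ADMIN_PORTS:
            findings.append({**base, "severity": "medium",
                             "reason": f"{REMOTE_ADMIN_PORTS[port]} remote administration exposed"})
        if match.get("vulns"):
            cves = ", ".join(sorted(match["vulns"]))
            findings.append({**base, "severity": "high",
                             "reason": f"banner matches known vulnerabilities: {cves}"})
        ssl_info = match.get("ssl") or {}
        if port in PLAINTEXT_WEB_PORTS and not ssl_info:
            findings.append({**base, "severity": "low", "reason": "web service without TLS"})
        if ssl_info.get("cert", {}).get("expired"):
            findings.append({**base, "severity": "medium", "reason": "expired TLS certificate"})
    # Highest severity first, then by address and port, so the report reads top-down.
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["ip"], f["port"]))
    return findings


def summarize(findings):
    """Count findings per severity; useful for tracking exposure over time."""
    return dict(Counter(f["severity"] for f in findings))


def fetch_live(query, api_key):
    """Run the same query against the real API (requires `pip install shodan`)."""
    import shodan  # imported lazily so the offline example has no dependency
    return shodan.Shodan(api_key).search(query)


if __name__ == "__main__":
    scope = "203.0.113.0/24"
    print("query:", build_query(scope, org="Example Org"))
    report = triage(SAMPLE_RESULTS, scope)
    for f in report:
        print(f"[{f['severity']:6}] {f['ip']}:{f['port']} {f['product']} - {f['reason']}")
    print(summarize(report))
```

The filter on `netblock` is the important design choice: the same tooling attackers use becomes a defender’s asset inventory only when it is pinned to address space the organization actually owns, so the report never drifts into reconnaissance of third parties. Feeding `triage` with the output of `fetch_live` (or a Censys/ZoomEye export reshaped to the same fields) on a schedule turns the counts from `summarize` into a trend line for the organization’s exposure.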
When the good guys use the same tools as threat actors to find their own vulnerabilities, they disrupt attackers at different stages of the attack: reconnaissance, harvesting, command and control, and exfiltration. This strategy can minimize the effectiveness gap between attacker and defender and give organizations a fighting chance to stop attacks in their tracks.