Shodan: How to Avoid your IoT devices from Being Hacked
By Joan Rodríguez.
Shodan is a search engine created by Swiss computer scientist John Matherly that allows to locate any device connected to the Internet with any security hole, like for example an open dock or security camera.
You may have ended up here by looking for a Shotokan Karate style kata. Or you may have searched Heian Shodan! on Google, but this post isn’t about that.
Shodan has nothing to do with Karate, but with a search engine for devices connected to IoT instead.
Which devices I have access to?
With the rise of automation, the current amount of devices connected is immense. Shodan works as a web page with filters by city, type of dock… and browsing it is as easy as any other web navigation.
So, the answer of which devices you can access is quite simple: each and every one of them that has not had security policies applied. That is, the ones that have usernames and passwords by default like: “admin/admin”, “1234 or that have left certain docks open and exposed to the Internet.
Cybersecurity first.
At Santander, one of our rules is cybersecurity by design, which means that every solution we develop, we think how to make it secure from the first begining.
Accessing unsecured webcams through Shodan
One of the most compromising information we can access from the home of Shodan’s webpage are the unsecured webcams. You don’t need to be a hacker, just by clicking “Top Voted” and selecting “Webcam” we can see a list of unprotected cameras.
On the left of the page a world map appears with different shades according to the places where you can find more or less devices with vulnerable information. That is, devices without security.
You can filter by Country, Service, Organisation or by Product. On the right side you find the results of the filtering, showing the type of device with its geolocation and a trace showing the existing communication with the device.
For example, if you enter in the first VIDEO WEB SERVER you can see with extraordinary detail its geolocation. When zooming in on the map, you can even see the building where that device is located and the ASN (Access Service Node) that supplies Internet connection to it.
⚠ Careful: if you enter any of them you may find confidential information. The fact that they are not protected does not mean you are authorized to use them.
That’s it, any type of device can be found in Shodan, even ATMs or ships navigating in the middle of the ocean. It is pretty scary, but it has an easy solution.
First rule to protect your devices
Many things we purchase are connected to the Internet. It’s the era of the Internet of things. Just like some search engines like Shodan allow you to access unprotected cameras, they also enable us to check whether we have an unprotected device. And protecting it. Though ideally, the thing would be to do so after taking it out of the box.
To start off, set a username and password different from the default ones. In each device you will have a different way of carrying this process out, but it will take you about 2 minutes. Enter through the website in the device and change the default username and password of, for example, your webcam. Do the same with all those devices you have connected to the Internet and with username/password accesses: the robot vacuum, the oven, lighting, the fridge… They’re all susceptible of being hacked if they’re unsafe.
Extra protection will take you about 2 minutes but will save you from having bigger problems in the future. For the router case, I recommend you to set it so that only a few MAC directions can enter it. It’s the only way to ensure that only authorized devices can access them.
How to check whether your device is on Shodan
To check if any of your devices are on Shodan is quite easy. If you want to find out if your computer is currently in Shodan you can put the public IP of your computer in the Shodan search engine and if you are sure you will get a result like this:
To know what your IP is, just ask Google “what is my IP” and the first result is your public IP:
Conclusion
I hope that after reading this post none of your devices show up on Shodan. If they do, remember the recommendations above: avoid default usernames and passwords.
The more people know about the existence of Shodan, the greater the awareness and less vulnerable we will be.
Before you go:
Clap if you liked it 👏, comment and share this article to reach more community 🧞.
Would you like to be part of our technology project? Find our open vacancies worldwide here 👉 https://www.betechwithsantander.com/en/home
