Shodan (Sentient Hyper-Optimised Data Access Network) is a search engine designed to map and gather information about internet-connected devices and systems.
Shodan is a search engine, like Google, but instead of searching for websites, it searches for internet-connected devices, from routers and servers to Internet of Things (IoT) devices, such as thermostats and baby monitors, to complex systems that govern a wide range of industries, including energy, power, and transportation.
Applications of the software include market research, vulnerability analysis, and penetration testing, as well as hacking.
Shodan can find anything that connects directly to the internet — and if your internet-facing devices aren’t protected, Shodan can tell hackers everything they need to know to break into your network.
But Shodan wasn’t designed by hackers, and hackers aren’t usually the ones using it. Shodan is a crucial resource used by cybersecurity experts to help protect individuals, enterprises, and even public utilities from cyber attacks.
Anyone can search for any internet-connected devices using Shodan, and Shodan will let you see if something is or isn’t publicly available. But keep in mind that searching with Shodan is a little more complicated than a basic Google search.
What Does Shodan Do?
Shodan attempts to grab the system’s banner directly, gathering the data by way of the associated server’s ports. Banner grabbing is a key step for penetration testing as it helps identify vulnerable systems. Shodan also searches for corresponding exploits in the search platform’s exploit section.
Shodan supports Boolean operators and provides filters to improve the efficiency of searching. The search engine provides 50 results for free and offers paid subscriptions for more extensive results.
Since almost every new device now has a web interface (maybe even your refrigerator) to ease remote management, we can access innumerable web-enabled servers, network devices, home security systems, etc.
Shodan can find us webcams, traffic signals, video projectors, routers, home heating systems, and SCADA systems that, for instance, control nuclear power plants and electrical grids. If it has a web interface, Shodan can find it!
Although many of these systems communicate over port 80 using HTTP, many use telnet or other protocols over other ports. Keep that in mind when trying to connect to them.
History of Shodan
John Matherly came up with the idea of searching Internet-connected devices in 2003 and launched Shodan in 2009. It quickly became apparent that hackers could use the tool to find vulnerable systems and that, furthermore, many systems all over the world were readily accessible and inadequately protected from hardware attacks, industrial espionage, and sabotage. The name Shodan comes from a character in the video game series System Shock.
How Does it Work?
Shodan works by requesting connections to every imaginable internet protocol (IP) address on the internet and indexing the information that it gets back from those connection requests. Shodan crawls the web for devices using a global network of computers and servers that are running 24/7.
An IP address is your device’s digital signature. It’s what allows Google to tailor searches to your location. And it allows all internet-connected devices to communicate with each other.
Internet-connected devices have specific “ports” that are designed to transmit certain kinds of data. Once you’ve established a device’s IP address, you can establish connections to each of its ports. There are ports for email, ports for browser activity, ports for printers and routers — 65,535 ports in all.
When a port is set to “open”, it’s available for access — this allows your printer to establish a connection with your computer, for example. The computer “knocks” at the open port, and the printer sends a packet of information called a “banner” that contains the information your computer needs to interact with the printer.
Shodan works by “knocking” at every imaginable port of every possible IP address, all day, every day. Some of these ports return nothing, but many of them respond with banners that contain important metadata about the devices Shodan is requesting a connection with.
Banners can provide all sorts of identifying information, but here are some of the more common fields you will see in a banner:
- Device name: What your device calls itself online. For example, Samsung Galaxy S21.
- IP address: A unique code assigned to each device, which allows the device to be identified by servers.
- Port #: Which protocol your device uses to connect to the web.
- Organization: Which business owns your “IP space”. For example, your internet service provider, or the business you work for.
- Location: Your country, city, county, or a variety of other geographic identifiers.
Some devices even include their default login and password, make and model, and software version, which can all be exploited by hackers.
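To make the banner fields concrete, here is an added example (not part of the original article) that parses three constructed banners and reports what each one discloses about the service behind it. The sample banners, regular expressions and function names are assumptions made for this illustration.

```python
import re

# Constructed sample banners keyed by port (not captured from real devices).
SAMPLES = {
    22: "SSH-2.0-OpenSSH_7.4\r\n",
    23: "\r\nExampleRouter login: ",
    80: ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
         'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n'),
}

SSH_RE = re.compile(r"^SSH-[\d.]+-([A-Za-z]+)[_-]?([\w.]*)")
SERVER_RE = re.compile(r"^Server:\s*([^/\s]+)(?:/(\S+))?", re.I | re.M)
REALM_RE = re.compile(r'^WWW-Authenticate:.*realm="([^"]*)"', re.I | re.M)


def parse_banner(port, banner):
    """Extract the identifying fields a scanner could index from one banner."""
    info = {"port": port, "product": None, "version": None, "notes": []}
    ssh = SSH_RE.match(banner)
    if ssh:  # SSH identification string: SSH-<proto>-<software>
        info["product"], info["version"] = ssh.group(1), ssh.group(2) or None
    elif banner.startswith("HTTP/"):  # HTTP response headers
        server = SERVER_RE.search(banner)
        if server:
            info["product"], info["version"] = server.group(1), server.group(2)
        realm = REALM_RE.search(banner)
        if realm:
            info["notes"].append("auth realm names the device: " + realm.group(1))
    if "login:" in banner.lower():  # Telnet-style prompt sent in cleartext
        info["notes"].append("cleartext login prompt exposed")
    if info["version"]:
        info["notes"].append("exact software version disclosed")
    return info


def disclosure_report(samples):
    """Parse every banner and return the results ordered by port."""
    return [parse_banner(port, text) for port, text in sorted(samples.items())]


if __name__ == "__main__":
    for row in disclosure_report(SAMPLES):
        print(row)
```

Running the same parser over the banners your own services return shows which ones to reconfigure so that they stop announcing product names and versions.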
What Can You Find on Shodan?
Any device connected to the internet can potentially show up in a Shodan search. Since Shodan went public in 2009, a pretty large community of hackers and researchers have been cataloging the devices they’ve been able to find and connect with on Shodan — things like:
- Baby monitors.
- Internet routers.
- Security cameras.
- Maritime satellites.
- Water treatment facilities.
- Traffic light systems.
- Prison pay phones.
- Nuclear power plants.
However, Shodan does reveal just how much of our information is publicly available. If your webcam is internet-facing, and you haven’t changed its default logins, hackers can access it without your knowledge. In fact, webcams are among the most commonly searched terms on Shodan’s “Explore” page.
What Is Shodan Used For?
Shodan is most commonly used to help users identify potential security issues with their devices. Businesses and consumers both use more and more internet-connected devices every day. This is especially true due to the rise in remote working in recent years. As we become more plugged in, our chances of falling victim to a malicious attack get higher. Shodan can help users to reinforce their security in a variety of ways:
- Home Security. Discover how many devices in your home are publicly accessible (chances are your printer and your baby monitor don’t need to connect with the entire internet!).
- Shodan keeps track of recent exploits aimed at specific device types or using particular software. You can easily discover if your business may be vulnerable to a security exploit. (You can even set up an RSS feed to notify you of recent IoT exploits.) It is a simple matter to create a Shodan search to list all (at the time of writing) 597,611 unprotected devices using Microsoft-IIS/6.0.
- Academic Research. Academics and cybersecurity professionals can use Shodan to analyze what kind of devices are connecting to the internet, what kind of software they’re using, and identify trends in security, device usage, and the overall makeup of the internet.
- Infrastructure Management. By using Shodan, government and private sector professionals can ensure that all of their systems, from traffic systems to power grids, are secure and that all backdoors have been closed. Shodan can also be useful for finding legacy computer systems that are redundant or unnecessary.
- Market Research. Businesses can track the distribution of their devices or software using Shodan, whether that’s Google tracking how many internet-connected devices are running Android or a thermostat company trying to figure out how many of its smart thermostats are still running.
- Enterprise Security. Shodan can serve as an incredibly helpful tool for a company’s IT team by identifying every endpoint in the enterprise’s system and ensuring all of the banners are as secure as possible.
Can Shodan Expose Your Private Data?
Yes, absolutely. But it’s not likely. Shodan has made identifying IoT devices accessible to anyone with an internet connection and a web browser. And because a shocking number of devices connecting to the internet are unprotected, the potential for your webcam and other devices to be hacked without your knowledge is high.
Unfortunately, there are many individuals out there who will use Shodan with malicious intent. They will attempt to hack baby monitors, webcams, and security systems. And once they have access to a device in your network, they can violate your privacy, install malware on your system, and steal your identity.
But the good news is that Shodan can only discover devices that have open ports — most home routers don’t need to have open ports, so your computer and router probably won’t appear on it. It’s very important to check for your IoT devices. These are often set up to automatically provide communications with the greater internet.
Is Shodan legal?
One of the first questions the uninitiated ask is, “Is it legal?” CT Access’s Scott Hirschfeld, answering from a technical point of view, says it is. Because Shodan is just a “massive port scanner” and simply exposes vulnerable devices (does not actually use the information it discovers), it is legal. “Port scanning is not a violation of the Computer Fraud and Abuse Act, because it does not meet the requirement for damage concerning the availability or integrity of the device.” Popular scanners like Nmap and Nessus can do pretty much the same job.
Who can use Shodan?
Anyone can use it, and it is free for users without an account, although searches have a limit of up to two pages of results. The most expensive subscription plan is $899 a month with unlimited results.
How to protect your devices from Shodan
There are a number of ways to protect your devices but the best practice is to use a VPN.
The home user should not rely on their ISP for complete protection:
- Install a VPN. It is not necessarily going to cost you big bucks; many are free.
- Never use default configurations, e.g. passwords, usernames and SSIDs
- Preferably buy a router directly from the manufacturer rather than from your ISP as manufacturers are usually more up-to-date with patches; it is, after all, their primary business
- Always configure your software correctly, and keep it patched and up-to-date
- Always use HTTPS on your IoT devices and multi-factor authentication where available
Find out if your devices are vulnerable
To get started, you will need your public IP address.
To find it, simply type, “what is my IP address” in Google.
To find your computer in Shodan, type “net:[your public IP address]” (without the quotes) in the Shodan search box.
If your ISP is doing its job, you will get a 404 Not Found status message.
If you are vulnerable, Shodan will return the details of your device. Hackers may not know your public IP address. But if you are using a default username and password, they could find you by searching for devices that use default login details.
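The check above, as an added example that is not part of the original article: it compares the ports indexed for your own public IP with the ports you meant to expose. The record is constructed, its field names are assumed to follow the JSON shape of a Shodan host lookup, and `audit_exposure`, `remediation` and the allowlist are hypothetical names.

```python
# Constructed record for a documentation address (203.0.113.0/24). The field
# names (ip_str, ports, data, port, transport) are assumed to follow the JSON
# shape of a Shodan host lookup; no request is sent by this example.
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "ports": [23, 80, 443, 554],
    "data": [
        {"port": 23, "transport": "tcp", "data": "login: "},
        {"port": 80, "transport": "tcp", "data": "HTTP/1.1 200 OK\r\n"},
        {"port": 443, "transport": "tcp", "data": "HTTP/1.1 200 OK\r\n"},
        {"port": 554, "transport": "tcp", "data": "RTSP/1.0 200 OK\r\n"},
    ],
}

# Services that carry logins or content without encryption (illustrative list).
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}


def audit_exposure(record, allowed_ports):
    """Compare what is indexed for your own IP with what you meant to expose."""
    if not record:  # lookup returned nothing: no open ports were indexed
        return {"indexed": False, "unexpected": [], "cleartext": []}
    seen = set(record.get("ports", []))
    seen.update(svc["port"] for svc in record.get("data", []))
    return {
        "indexed": True,
        "unexpected": sorted(seen - set(allowed_ports)),
        "cleartext": sorted((p, CLEARTEXT[p]) for p in seen if p in CLEARTEXT),
    }


def remediation(report):
    """Turn the audit result into actions for the owner of the address."""
    steps = [f"close or firewall port {p}" for p in report["unexpected"]]
    steps += [f"replace {name} on port {p} with an encrypted service"
              for p, name in report["cleartext"] if p not in report["unexpected"]]
    return steps


if __name__ == "__main__":
    result = audit_exposure(SAMPLE_HOST, allowed_ports={80, 443})
    print(result)
    print(remediation(result))
```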
Should you panic about Shodan?
Most people do not worry too much that applications like Facebook and browsers like Google know more about them than their own mothers do, even though they should. You do not want to show up in a Shodan search but it is not, as we have seen, too difficult to protect yourself.
Devices using default configurations are at the most risk from cybercriminals using Shodan or any other software designed to sniff out insecure device configurations. It is not just Shodan that is scary. Google dorks – SQL search queries that search a website’s index for information – were developed before Shodan arrived on the scene in 2009. These queries can also be used to find vulnerable information on your website, e.g. a document containing sensitive data. To get started with Shodan, the Shodan Knowledge Base is comprehensive, and a useful place to learn how to use the engine and effectively protect yourself, as well as have fun learning some IoT facts and trivia.