{"id":11430,"date":"2016-02-29T09:00:50","date_gmt":"2016-02-29T14:00:50","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=11430"},"modified":"2020-02-26T11:05:39","modified_gmt":"2020-02-26T16:05:39","slug":"shodan-censys","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/shodan-censys\/11430\/","title":{"rendered":"Shodan and Censys: the ominous guides through the Internet of Things"},"content":{"rendered":"<p>Look around \u2014 we are living in the Internet of Things. In our day-to-day life, we encounter things connected to the Internet, starting with our home Wi-Fi routers and leading up to traffic light management systems and street security cameras. Since they are connected, all of them can be found in two worlds \u2014 both in the real world and in the Web.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06022834\/shodan-iot-search-FB.jpg\" rel=\"attachment wp-att-11433\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06022834\/shodan-iot-search-FB.jpg\" alt=\"Shodan and Censys: the ominous guides through the Internet of Things\" width=\"1280\" height=\"1280\" class=\"aligncenter size-full wp-image-11433\"><\/a><\/p>\n<p>And like there is Google to help you find the data you are looking for on the Internet, there are also special search engines that help you find these connected devices. Say hello to <a href=\"https:\/\/www.shodan.io\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Shodan<\/a> and <a href=\"https:\/\/censys.io\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Censys<\/a>!<\/p>\n<p>Shodan is the first (and probably the foremost) search engine for the Internet of Things \u2014 it\u2019s been around for more than 7 years. It was named after the <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHODAN\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">main antagonist in the computer game series System Shock<\/a> \u2014 a highly villainous artificial intelligence called Shodan. Real-world Shodan is not as relentless, but it is capable of doing harm. But before we get to the bad news, let\u2019s find out how does the search engine actually work.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Nice wrap up of <a href=\"https:\/\/twitter.com\/hashtag\/IoT?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#IoT<\/a>-related talks at <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2015?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2015<\/a>: \"Internet of Crappy Things: <a href=\"https:\/\/t.co\/ORygHSJs9W\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/ORygHSJs9W<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/568726530391543809?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 20, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In certain sense Shodan is like a guy who walks throughout the city and knocks on every door he sees. But instead of doors Shodan \u201cknocks\u201d on every <a href=\"https:\/\/en.wikipedia.org\/wiki\/IPv4\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">IPv4 address<\/a>, and instead of some city there is the whole world.<\/p>\n<p>If you ask that guy about a particular type of doors or about doors in a particular part of the city \u2014 he certainly would know something and would provide you the information: how many of those doors are there, who answers them and what do they say. Shodan gives you the same information about those IoT items: how are they called, what type are they, and is there a web interface one can use. It\u2019s not totally free \u2014 Shodan requires a subscription, which is relatively cheap.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06022838\/shodan-search-example.png\" rel=\"attachment wp-att-11431\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06022838\/shodan-search-example.png\" alt=\"Shodan and Censys: the ominous guides through the Internet of Things\" width=\"1439\" height=\"677\" class=\"aligncenter size-full wp-image-11431\"><\/a><\/p>\n<p>There is no problem on knocking on doors unless you find out that there are a lot of doors with no locks and no one who can stop the bad guys from breaking in. In the world of IoT these doors are represented by unprotected routers, IP cameras and other things that use default logins and passwords. Once you\u2019ve managed to enter their web-interface and figure out the login\/password \u2014 you can gain full access to them. And it\u2019s not rocket science since the information about default logins and passwords for different connected devices can usually be found on the websites of their manufacturers.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How will the Internet of Things affect cybersecurity? \u2013 <a href=\"http:\/\/t.co\/fWScmf4QfQ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/fWScmf4QfQ<\/a> <a href=\"http:\/\/t.co\/sAk1mcZPg5\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/sAk1mcZPg5<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/586174972156108800?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>If it\u2019s an IP camera, you can see everything it sees and even control it if it supports something like that. If it\u2019s a router, you can change its settings. If it\u2019s a baby monitor \u2014 you can <a href=\"https:\/\/www.kaspersky.com\/blog\/kid-safety-iot\/11066\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">talk to the poor baby in a scary voice<\/a>. It\u2019s all up to your moral standards.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/parents?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#parents<\/a> Is that connected baby monitor exposing your kids to a hacker? Possibly. <a href=\"https:\/\/t.co\/H2nKD5ck86\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/H2nKD5ck86<\/a> <a href=\"https:\/\/t.co\/jmgJdwuDj5\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/jmgJdwuDj5<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/687693599321001984?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">January 14, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>But there are other things that can be found with Shodan \u2014 like, for example, an unprotected X-ray machine, which allows you to see the pictures it takes.<\/p>\n<p>Exploring Shodan is rather interesting as many people doing it are curious to know what they can discover. Some have found water park facility controls, while others stumbled upon a nuclear plant. Let\u2019s add <a href=\"https:\/\/www.kaspersky.com\/blog\/internet-of-crappy-things\/7667\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">car washes<\/a>, heat pumps, <a href=\"https:\/\/www.kaspersky.com\/blog\/atm-jackpotting-explained\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ATMs<\/a>, and pretty much everything else you can imagine that has an internet connection. Our expert Sergey Lozhkin has stumbled upon some medical equipment, but that\u2019s <a href=\"https:\/\/www.kaspersky.com\/blog\/hacked-hospital\/11296\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">another story<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">The list of exposed medical devices <a href=\"https:\/\/twitter.com\/scotterven?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@scotterven<\/a> found using <a href=\"https:\/\/twitter.com\/hashtag\/Shodan?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Shodan<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2016?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2016<\/a> <a href=\"https:\/\/t.co\/GXNHNsl8mC\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/GXNHNsl8mC<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/697071165878181888?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 9, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>If an insecure IP camera can only potentially harm someone\u2019s privacy, other insecure connected things like the aforementioned water park facility controls or some <a href=\"https:\/\/www.kaspersky.com\/blog\/train-hack\/10946\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">onboard train systems<\/a> are capable of turning a rather big area into a local apocalypse, if they end up operated by the wrong hands. That\u2019s why manufacturers and system administrators of such critical infrastructure have to be extremely careful with the security of these connected things.<\/p>\n<p><post href=\"https:\/\/www.facebook.com\/Jesper.JJ.Jurcenoks\/posts\/947780215301354\"><\/post><\/p>\n<p>For a long time Shodan was the only IoT search engine. In the year 2013 a free rival called Censys emerged (unlike Shodan\u2019s fees). It is also a search engine for the IoT relying on the same basic principles, but, as its creators say, more precise when it comes to searching for vulnerabilities. Oh, yes, Censys can actually give you a list of the devices with a particular vulnerability, for example, those vulnerable to <a href=\"https:\/\/www.kaspersky.com\/blog\/heartbleed-howto\/4431\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Heartbleed<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Great explanation of the heartbleed bug, from the always amazing <a href=\"https:\/\/twitter.com\/xkcd?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@xkcd<\/a> <a href=\"http:\/\/t.co\/zVdNQixlaE\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/zVdNQixlaE<\/a> <a href=\"http:\/\/t.co\/j5jn9dFD3I\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/j5jn9dFD3I<\/a><\/p>\n<p>\u2014 Josh Long (@starbuxman) <a href=\"https:\/\/twitter.com\/starbuxman\/status\/464500766527352832?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 8, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Censys was created by a group of scientists from the University of Michigan as an instrument to make Internet more secure. In fact, both Shodan and Censys are meant for security researches, but as the duo gains more and more attention, there certainly can be a lot of people who would try to use it for more nefarious purposes.<\/p>\n<p>Neither Shodan nor Censys are likely to be used by some serious cybercriminals \u2014 the real big bad guys have had botnets for a while, which can serve the very same purpose yet yield more power. It took Shodan\u2019s creator John Matherly only 5 hours to <a href=\"https:\/\/www.reddit.com\/r\/dataisbeautiful\/comments\/2evjkz\/i_pinged_all_devices_on_the_internet_heres_a_map\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ping and map<\/a> all the devices on the whole Internet, and a botnet utilising hundreds of computers would probably do that even faster.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Shodan?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Shodan<\/a> shows thousands of exposed ATMs potentially vulnerable to a network attack <a href=\"https:\/\/twitter.com\/_Endless_Quest_?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@_endless_quest_<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2016?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2016<\/a> <a href=\"https:\/\/t.co\/9E3SSYwG89\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/9E3SSYwG89<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/697078900187332608?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 9, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>But there are a lot of other people who already have tried to misuse Shodan and Censys to play bad tricks and pranks on other people. And while the problem with the IoT security is mostly for the manufacturers to solve, there are a few things that you can do about it to secure those connected things that actually belong to you. We\u2019ll have our experts walk you through them in one of our upcoming blogposts in the \u2018<a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/iot-search\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Internet of Things Search<\/a>\u2018 series.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shodan and Censys are the search engines for the Internet of Things and this duo is capable of wreaking havoc in a lot of different ways<\/p>\n","protected":false},"author":696,"featured_media":11432,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[1461,1134,794,1462,187,1459,97,1460,268],"class_list":{"0":"post-11430","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-censys","10":"tag-internet","11":"tag-iot","12":"tag-iot-search","13":"tag-passwords","14":"tag-search-engines","15":"tag-security-2","16":"tag-shodan","17":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/shodan-censys\/11430\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/shodan-censys\/6776\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/shodan-censys\/6831\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/shodan-censys\/6747\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/shodan-censys\/7827\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/shodan-censys\/7599\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/shodan-censys\/11053\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/shodan-censys\/6231\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/shodan-censys\/6307\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/shodan-censys\/7133\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/shodan-censys\/10506\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/shodan-censys\/11053\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/shodan-censys\/11430\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/shodan-censys\/11430\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/censys\/","name":"Censys"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11430"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11430\/revisions"}],"predecessor-version":[{"id":33643,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11430\/revisions\/33643"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11432"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}