What’s In Shodan? Analyzing Exposed Cyber Assets in the United States
By Numaan Huq, Stephen Hilt, and Natasha Hellberg
The United States is home to millions of unsecured and exposed cyber assets. By “unsecured” and “exposed” we don’t necessarily mean that these devices have already been compromised. Rather, we mean they are open to attack because of inadequate security or poor configuration. Some cyber assets even have remote access enabled for troubleshooting purposes, which leaves those machines reachable, and attackable, from anywhere on the Internet.
Scanning the Internet for security flaws in these cyber assets is a tedious process, but it is necessary if you want to fix those flaws and protect devices and systems from compromise. Instead of crawling the Internet for specific terms on websites, we can use tools like Shodan™ to search for exposed cyber assets. For those unfamiliar with Shodan, it is an online search engine that indexes Internet-connected devices by probing open ports and recording the service banners they return. For each indexed device, Shodan shows the IP address and open port along with details pulled from the banner, such as application software and firmware version numbers.
In our own analysis of February 2016 Shodan scan data, we were surprised to find results for several Industrial Control System (ICS) protocols, that is, ICS devices and equipment answering those protocols directly on the Internet. ICS devices operate industrial and related processes such as heating, ventilation, and air-conditioning (HVAC), power generation, and water treatment. Samples of these results are shown below:
Figures 1-2. Shodan search results revealing device details
If these devices are exposed to the Internet, attackers can use a variety of freely available tools and techniques (Nmap, Metasploit, etc.) to gather the same kind of information about a system, and they can just as easily query Shodan instead of scanning. This is typically their reconnaissance (“recon”) phase. The data they collect then gives them a means to compromise systems, steal and leak sensitive data, launch ransomware campaigns, or even attack critical infrastructure. The fact that these devices appear in Shodan results at all tells us that they have open ports that answered a probe from the Internet, which makes them accessible to attackers.
For our research, we paid close attention to exposed cyber assets in the top 10 largest U.S. cities by population. Here are some of our findings:
- Among the 10 most populated cities in the U.S., Los Angeles has the highest number of exposed cyber assets, with more than four million exposed and potentially unsecured devices. Houston came a close second with more than 3.9 million.
- Web servers are among the most exposed cyber assets. As recent incidents have shown, attackers usually go for web servers first. Aside from web servers being Internet-facing by design, a compromised server can be used to attack the users who connect to it. The companies and organizations hosting content on these servers, and even the consumers viewing that content, are therefore at risk. Securing web servers should be any organization’s top priority.
- We found many unpatched and vulnerable servers in the U.S. government as well as in the education, healthcare, and public utilities sectors. The numerous attacks and breaches that have taken place in these sectors show where a vulnerable web server can lead. In contrast, we found only a few exposed devices in the emergency services and financial sectors.
- Firewalls, webcams, routers, and wireless access points (WAPs) make up the bulk of the exposed devices found in the Shodan data. Even when such a device sits on an otherwise secured network, it can give an attacker a foothold for lateral movement. These devices can also be used to propagate malware and to perform distributed denial-of-service (DDoS) attacks.
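The per-city and per-device-type counts above come from aggregating banner records like the ones Shodan returns. The following script is an added example written for this post, not code from the authors or from Shodan; it shows the shape of that analysis offline. The records are constructed by hand (IPs from the RFC 5737 documentation ranges, not real hosts) and are modeled on Shodan’s newline-delimited JSON export fields (`ip_str`, `port`, `transport`, `product`, `location.city`, `location.country_code`); the category rules and the ICS port list are this example’s own assumptions, not Shodan’s classification.

```python
"""Aggregate Shodan-style banner records into an exposed-asset summary.

Added example, not the paper's or Shodan's code. The sample below is
constructed and shaped like Shodan's JSON export; the classification
rules and ICS port table are assumptions made for this illustration.
"""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as Shodan's export emits them.
# IPs are from the RFC 5737 documentation ranges and belong to no real host.
SAMPLE_EXPORT = """\
{"ip_str": "192.0.2.10", "port": 80, "transport": "tcp", "product": "Apache httpd", "version": "2.2.15", "location": {"city": "Los Angeles", "country_code": "US"}}
{"ip_str": "192.0.2.11", "port": 443, "transport": "tcp", "product": "nginx", "version": "1.4.6", "location": {"city": "Los Angeles", "country_code": "US"}}
{"ip_str": "192.0.2.12", "port": 502, "transport": "tcp", "product": null, "version": null, "location": {"city": "Houston", "country_code": "US"}}
{"ip_str": "192.0.2.13", "port": 8080, "transport": "tcp", "product": "webcamXP httpd", "version": null, "location": {"city": "Houston", "country_code": "US"}}
{"ip_str": "192.0.2.14", "port": 22, "transport": "tcp", "product": "OpenSSH", "version": "5.3", "location": {"city": "Houston", "country_code": "US"}}
{"ip_str": "198.51.100.7", "port": 20000, "transport": "tcp", "product": null, "version": null, "location": {"city": "Chicago", "country_code": "US"}}
{"ip_str": "198.51.100.8", "port": 80, "transport": "tcp", "product": "lighttpd", "version": "1.4.28", "location": {"city": "Toronto", "country_code": "CA"}}
"""

# Well-known ports for ICS/SCADA protocols that run unauthenticated in the
# clear. Assumed list for this example; a real study would match on banner
# content as well as port.
ICS_PORTS = {502: "Modbus", 20000: "DNP3", 44818: "EtherNet/IP",
             47808: "BACnet", 102: "S7comm"}


def classify(rec):
    """Map one banner record to a coarse asset category (example's own rules)."""
    port = rec.get("port")
    product = (rec.get("product") or "").lower()
    if port in ICS_PORTS:
        return "ics:" + ICS_PORTS[port]
    # Webcam check runs before the web-server check: most camera interfaces
    # are themselves small HTTP servers and would otherwise be miscounted.
    if "webcam" in product or "ipcam" in product:
        return "webcam"
    if any(tag in product for tag in ("httpd", "nginx", "lighttpd", "iis")) \
            or port in (80, 443, 8080):
        return "web server"
    if "ssh" in product or port == 22:
        return "remote access"
    return "other"


def parse_export(text):
    """Yield records from a Shodan-style newline-delimited JSON export."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def summarize(text, country="US"):
    """Count exposed services per city and per category for one country.

    Returns (per_city, per_category, ics_hosts): per_city maps city -> count,
    per_category maps category -> count, and ics_hosts lists
    (city, ip, protocol) for every ICS protocol found reachable.
    """
    per_city = Counter()
    per_category = Counter()
    ics_hosts = []
    for rec in parse_export(text):
        loc = rec.get("location") or {}
        if loc.get("country_code") != country:
            continue
        city = loc.get("city") or "unknown"
        category = classify(rec)
        per_city[city] += 1
        per_category[category] += 1
        if category.startswith("ics:"):
            ics_hosts.append((city, rec["ip_str"], category[len("ics:"):]))
    return per_city, per_category, ics_hosts


if __name__ == "__main__":
    cities, categories, ics = summarize(SAMPLE_EXPORT)
    for city, n in cities.most_common():
        print(f"{city}: {n} exposed services")
    for cat, n in categories.most_common():
        print(f"  {cat}: {n}")
    for city, ip, proto in ics:
        print(f"ICS protocol {proto} reachable on {ip} ({city})")
```

Feeding a real Shodan export into `summarize` works the same way, but the counts it produces are counts of indexed services, not of distinct devices: a host with HTTP and SSH both indexed appears twice, which is the same caveat to keep in mind when reading the per-city numbers above.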
Knowing that there are millions of exposed cyber assets all over the U.S.—many in critical sectors such as government, healthcare, and finance—organizations should take better stock of their cyber assets in order to prevent attacks or mitigate compromise.
For a more in-depth look at the data and findings we are presenting at today’s RSA conference, you can check out our research “U.S. Cities Exposed in Shodan.” Our papers tackle exposed cyber assets by city and by critical sectors. There, we also give up-to-date recommendations on how to better secure networks and connected devices used in homes and enterprises.