Beyond Shodan: Supplement Shodan to Find More Vulnerable IoT
Countless new IoT devices connect to the internet and internal networks daily. A shocking number of these devices use weak or vulnerable protocols and ports and easily discovered default logins. Shodan (available at shodan.io) is a free tool that can search for real, live vulnerable hosts within any internet-facing IP range. While useful, it solves only part of the problem as it does not work for IoT devices connected to internal networks. That’s where IoT Secure can help, and like Shodan, IoT Secure offers a free version.
Vulnerable IoT devices on internal networks are one of the fastest-growing IT threat areas companies face today. Many of these devices can’t run agents for monitoring, can’t be patched, and are resource-constrained and crash under the weight of a vulnerability scan. So, securing them falls outside traditional measures, often leaving organizations significantly exposed.
To understand how best to protect vulnerable IoT devices on internal networks, let’s take a look at what makes Shodan successful for those that connect to the internet.
Using Shodan to Identify IoT Devices and Problems
Most organizations use cameras to monitor their physical space, and many of them have upgraded to network-connected cameras. As these connected cameras have become more commonplace in the modern network, they’ve also become increasingly easy to find, see, and exploit online.
Let’s look at Shodan search results for hundreds of easily accessible cameras to demonstrate IoT security threats, using a search for the Linux UPnP “AV Tech” service, a known weak IP-based camera web interface. The search within Shodan shows over 180,000 affected devices, the vast majority of which can be accessed with the default username and password combination “admin/admin”. Here is a sample of the search results for AVTech hosting cameras that are accessible via the internet:
The impact of this IoT threat is that bad actors can access the camera’s video stream. With that access, they can own the device and potentially use it for unauthorized access to the internal network and potentially send data outside the organization.
For another example, let’s take a quick look at routers connected to the internet that use default passwords. To do this, all you have to do is search for the term “default passwords,” and you will get a list of just under 50,000 devices along with the default password each one is still using. Again, the risk is that a bad actor can capture your network packets and own your router.
Beyond Shodan (and Vulnerability Scanners) – IoT Threats on the Internal Network
The same IoT threats that Shodan can find exposed to the internet also exist on devices on the internal network. No one wants IoT devices susceptible to ransomware or device takeover on their internal network. But unmanaged devices remain a problem. The question is: How do you find them?
But I have a vulnerability scanner and do monitoring to find vulnerable IoT.
Great start, but there are significant gaps.
Simply put, traditional security tools cannot protect IoT devices from even the most common security threats. There are a few good reasons why traditional security tools fail:
- Unmanaged and IoT devices typically don’t support agents, so:
  - They are hard to monitor, because doing so typically means manually researching device communications and building/maintaining security rules. Often, this just doesn’t scale.
  - Vulnerability scanners can’t run in-depth detection, because they rely on agents to accurately identify the device/OS and determine the appropriate checks to run.
- IoT devices are resource-constrained to only carry out their intended function, so vulnerability scans are too intrusive and commonly crash them.
- IT security teams often exclude known IoT devices on the network, like connected medical devices or industrial controls, from vulnerability scans to avoid the operational disruption a crashed device would cause.
- Scans are not run in real time as devices connect. Even if you do scan known IoT devices, a device that connects between scheduled scans sits on the network untested until the next one.
In summary, the above cases can leave untested and unmonitored IoT devices on the internal network that are potentially vulnerable to a host of IoT threats. These are devices that Shodan can’t see.
Getting Visibility into Vulnerable IoT That Shodan and Vulnerability Scanners Can’t See
Some of the use cases where you might need something beyond Shodan – such as IoT Secure – to help find IoT threats on the internal network include:
- Don’t know what unmanaged or unauthorized IoT devices are on your network and where they are?
- Don’t know what risks unmanaged and IoT devices are creating in your environment?
- Don’t have the time or resources to actually secure vulnerable IoT devices?
To extend the work you’re doing with Shodan on internet-facing devices for your internal networks, try IoT Secure, and:
- Automatically and continuously find, identify, categorize and track all IoT devices.
- Automatically detect IoT-specific threats in real time as devices connect.
- Test IoT devices without fear of crashing them with safe IoT vulnerability detection.
- Conduct device-level communication and behavior analysis and know when a device is behaving abnormally or exhibiting malicious behavior.
- Automatically create security policies to mitigate vulnerable IoT devices that can’t be patched.
- Integrate device and threat detail with existing tools and processes such as SIEM, NAC, Vulnerability Asset Management, etc. to gain operational efficiencies and make better security decisions.
IoT Secure deploys in minutes. For basic IoT profiling and vulnerability detection, simply connect any version of the IoT Secure IoT Security appliance, including the IoT-mini FREE Edition, to any network jack. There are no network TAP/SPAN ports, no agents, no tuning and it is 100% automated. To achieve advanced IoT profiling, vulnerability detection and behavior monitoring, simply forward DNS and DHCP logs.
To find out which one is right for you, watch this video.
Next, IoT Secure provides a real-time view into exactly what devices are on the network and where they are. It automatically profiles and displays devices by category, manufacturer, device type, ports, OS, any discovered threat detail and whether the device is managed or unmanaged. The UI supports both search and drill-down capabilities to quickly retrieve the desired result set.
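The passive profiling described above (manufacturer from the MAC OUI, category from hostname and vendor hints, managed vs. unmanaged, real-time detection as devices join) can be illustrated over forwarded DHCP logs. This is an added example, not IoT Secure’s code or any DHCP server’s real log format; the log lines, the OUI table, the managed-asset list and the hostname hints are all constructed:

```python
import re
from datetime import datetime

# Constructed DHCP server log excerpt; the line format is an assumption for this
# example, not any particular DHCP server's real output.
DHCP_LOG = """\
2024-03-01T08:02:11 DHCPACK on 10.20.5.31 to 00:0c:29:4a:1b:2c (ws-finance-07) via eth0
2024-03-01T08:05:47 DHCPACK on 10.20.5.88 to 00:1e:3f:88:aa:01 (AVTECH-CAM) via eth0
2024-03-01T08:09:03 DHCPACK on 10.20.5.90 to f4:5c:89:10:22:33 (printer-lobby) via eth0
2024-03-01T23:41:19 DHCPACK on 10.20.5.120 to 00:1e:3f:88:aa:02 () via eth0
"""
# Constructed OUI prefix -> (vendor, default category); a real deployment would
# load the IEEE OUI registry. Vendor names here are placeholders.
OUI_TABLE = {"00:0c:29": ("VMware", "workstation"),
             "00:1e:3f": ("ExampleCamVendor", "camera"),
             "f4:5c:89": ("ExamplePrinterCo", "printer")}
# Constructed export of agent-managed assets (e.g. from an endpoint agent or CMDB).
MANAGED_MACS = {"00:0c:29:4a:1b:2c"}
# Hostname keywords that refine the category when the lease carries a hostname.
HOST_HINTS = {"cam": "camera", "printer": "printer", "ws-": "workstation"}
LEASE_RE = re.compile(r"^(?P<ts>\S+) DHCPACK on (?P<ip>[\d.]+) to "
                      r"(?P<mac>[0-9a-fA-F:]{17}) \((?P<host>[^)]*)\)")

def categorize(mac, host):
    """Vendor from the OUI prefix; category from the OUI default, refined by hostname."""
    vendor, category = OUI_TABLE.get(mac[:8], ("unknown-vendor", "unknown"))
    for hint, cat in HOST_HINTS.items():
        if hint in host.lower():
            category = cat
    return vendor, category

def build_inventory(log_text):
    """Walk DHCPACK lines in log order; a MAC's first ACK is its first_seen time."""
    devices = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # unrelated log line
        mac, ts = m["mac"].lower(), datetime.fromisoformat(m["ts"])
        vendor, category = categorize(mac, m["host"])
        rec = devices.setdefault(mac, {"first_seen": ts, "vendor": vendor, "category": category,
                                       "managed": mac in MANAGED_MACS, "ips": []})
        if m["ip"] not in rec["ips"]:
            rec["ips"].append(m["ip"])
    return devices

def unmanaged_since(devices, since_iso):
    """MACs of unmanaged devices first seen after since_iso (not yet covered by a scan)."""
    since = datetime.fromisoformat(since_iso)
    return sorted(mac for mac, r in devices.items()
                  if not r["managed"] and r["first_seen"] > since)
```

Feeding the live DHCP stream through `build_inventory` and alerting on `unmanaged_since` with the last scan time is the passive equivalent of the “detect as devices connect” behaviour the text describes, without touching the device.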
Now, let’s look at a few real-world examples of the types of internal IoT threats that IoT Secure finds.
The first example shows a door access controller that was using default login credentials, a very common issue for IoT and other connected devices like printers and networking equipment. In this case, a bad actor could gain admin access, completely take over the device, and even lock ingress/egress into areas of the building. Because this vulnerable device was in a hospital, it created the potential for loss of life in an emergency situation.
Example two shows one of the most commonly vulnerable devices found when testing networks, a network-enabled camera. Here, a public video feed was found on port 554 (RTSP). It is also common to find camera feeds that show nurses’ stations, manufacturing areas, emergency or critical care rooms, pharmacy workstations and common/public areas.
This next example shows where IoT Secure actively discovered a device on the network that was the subject of an ICS-CERT advisory.
If you’re actively using Shodan to help monitor for vulnerable IoT devices on your web-facing networks, then you’re already ahead of the game. To extend protection across your internal networks and to address gaps in traditional security tools on unmanaged and IoT devices, then IoT Secure can help.
Exploring IoT threats on your network is free and easy to get started. Just request your free IoT-mini today here.