How to Use Internet of Things Search Engines
If you’ve kept up with the rapid growth of tech over the past few years, you probably know the term internet of things (IoT). According to TechTarget, the internet of things is “...a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs).” While such devices add a lot of convenience into people’s lives, as people use more of them (smartphones, fitness trackers, smart homes, etc.), there are more and more opportunities for security vulnerabilities. This is where IoT search engines come in.
One of the first search engines of this type is Shodan, developed in 2009 by computer programmer John Matherly. The search engine’s name is derived from a character in the System Shock game series. Shodan has since grown to index a massive number of devices, which hackers (as well as ordinary users) can find on the search engine.
In the search field, search for a term like “linux” or “ip camera.” When a device shows up in a search, Shodan will show its IP address, location, open ports, ISP, and other valuable data. At times, it will even show such information as login passwords, especially if a default password is being used, like “password” or “12345.” While this may seem like a field day for illicit activity, it also helps organizations monitor the security (or vulnerabilities) of their devices.
Shodan lists some of the most popular search queries under Explore the Internet; for instance, one of these is “linux upnp avtech.” This query returns AVTECH IP cameras that expose Universal Plug and Play (UPnP), which, if they use a default or weak password, are easy to crack.
Later, Shodan introduced the service Shodan Exploits, which indexes a massive number of vulnerabilities that can be used against all types of apps and operating systems. Many of these come from databases such as Exploit Database and Metasploit. One example, for instance, is the “HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure,” which details how an unauthorized user could gain access to these printers.
As on the standard Shodan search engine, many of these can be used for nefarious reasons, but at the same time, they are also helpful for cybersecurity agencies and pen testers.
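The search results described above (IP address, open port, ISP and banner data) are most useful to a defender when they are filtered down to the organization's own address space and sorted by how risky the exposed service is. The following is an added example, not Shodan's own code; it assumes the documented shape of a Shodan search response (a dict with a `matches` list whose entries carry `ip_str`, `port`, `transport`, `org`, `location` and a `data` banner) and uses a constructed sample instead of real hosts.

```python
"""Triage Shodan-style search results against an organization's own netblocks.

Added example (not Shodan's code). The response layout below follows the
documented Shodan search result fields; the sample data itself is constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Ports whose exposure a defender usually wants to know about immediately.
RISKY_PORTS = {21: "ftp", 23: "telnet", 554: "rtsp", 3389: "rdp", 5900: "vnc"}

# Constructed sample mimicking a Shodan search response (not real hosts).
SAMPLE_RESPONSE = json.loads("""
{
  "total": 3,
  "matches": [
    {"ip_str": "203.0.113.10", "port": 23, "transport": "tcp", "org": "Example Corp",
     "location": {"country_name": "United States"},
     "data": "\\r\\nlogin: "},
    {"ip_str": "203.0.113.25", "port": 443, "transport": "tcp", "org": "Example Corp",
     "location": {"country_name": "United States"},
     "data": "HTTP/1.1 200 OK\\r\\nServer: nginx\\r\\n"},
    {"ip_str": "198.51.100.7", "port": 554, "transport": "tcp", "org": "Other ISP",
     "location": {"country_name": "Germany"},
     "data": "RTSP/1.0 401 Unauthorized\\r\\n"}
  ]
}
""")


def in_scope(ip, networks):
    """True if ip falls inside any of the given ipaddress networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(response, own_networks):
    """Return {ip: [findings]} for matches inside own_networks (CIDR strings).

    Each finding records the exposed port, the service name if the port is
    on the risky list, and the first banner line, so the output can feed a
    ticketing or asset-inventory workflow.
    """
    networks = [ipaddress.ip_network(n) for n in own_networks]
    findings = defaultdict(list)
    for match in response.get("matches", []):
        ip = match["ip_str"]
        if not in_scope(ip, networks):
            continue  # someone else's host: not ours to act on
        port = match["port"]
        banner_lines = match.get("data", "").strip().splitlines()
        findings[ip].append({
            "port": port,
            "transport": match.get("transport", "tcp"),
            "service": RISKY_PORTS.get(port, "other"),
            "risky": port in RISKY_PORTS,
            "country": match.get("location", {}).get("country_name", ""),
            "banner": banner_lines[0] if banner_lines else "",
        })
    return dict(findings)


def risky_hosts(findings):
    """Sorted list of in-scope IPs exposing at least one risky service."""
    return sorted(ip for ip, items in findings.items()
                  if any(f["risky"] for f in items))


if __name__ == "__main__":
    report = triage(SAMPLE_RESPONSE, ["203.0.113.0/24"])
    for ip, items in report.items():
        for f in items:
            flag = "RISKY" if f["risky"] else "ok"
            print(f"{ip}:{f['port']}/{f['transport']} {f['service']:<6} {flag}  {f['banner']}")
    print("hosts needing attention:", risky_hosts(report))
```

The same `triage()` function can be fed the dict returned by the official `shodan` Python library's `Shodan(api_key).search(query)` call, which has the same `matches` structure; the point is that the query results become an actionable list only once they are scoped to addresses you are responsible for.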
The developers of IVRE describe it as “an open-source framework for network recon, written in Python.” Unlike Shodan, then, it is more than just a search engine: IVRE aggregates scan results from tools like Nmap and Masscan, as well as “intelligence from network captures using Zeek (formerly known as Bro), Argus and Nfdump.”
The results of such scans can then be found on IVRE, and as on Shodan, will include data such as IP addresses, open ports, and what protocols the device in question is using (TCP, UDP, etc.). In addition, it can serve as a passive DNS service, using the Zeek script passiverecon. The purpose behind this type of script is to do network reconnaissance without interacting directly with the network in question. As Infosec Institute points out:
Reconnaissance efforts can be broken up into two types: passive and active. While both versions can be effective, passive reconnaissance prioritizes subtlety (ensuring that the hacker is not detected), while active reconnaissance is used for cases where collecting information is more important than remaining undetected.
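Passive DNS, as described above, is built entirely from traffic you already observe: each DNS answer seen on the wire is recorded against the name it was returned for, with first-seen and last-seen times, and no query is ever sent to the target. The following is an added example, not IVRE's passiverecon script or any other IVRE code; it builds a small passive DNS table from constructed Zeek `dns.log` lines (tab-separated, with the standard `#fields` header) so that a defender can later ask which names have resolved to a given address and when a name started resolving somewhere new.

```python
"""Build a passive DNS table from Zeek dns.log records.

Added example, not IVRE's code. The log layout follows Zeek's default
dns.log columns (tab-separated, answers joined by commas); the records
themselves are constructed for this example.
"""

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "trans_id", "rtt", "query", "qclass", "qclass_name",
          "qtype", "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD",
          "RA", "Z", "answers", "TTLs", "rejected"]


def _row(ts, uid, orig, query, qtype, qtype_name, rcode, rcode_name, answers, ttls):
    """Assemble one constructed dns.log record in Zeek column order."""
    return "\t".join([ts, uid, orig, "51000", "10.0.0.53", "53", "udp", "1", "0.01",
                      query, "1", "C_INTERNET", qtype, qtype_name, rcode, rcode_name,
                      "F", "F", "T", "T", "0", answers, ttls, "F"])


# Constructed sample log (not a real capture).
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(FIELDS),
    _row("1700000000.1", "C1", "10.0.0.5", "www.example.test", "1", "A", "0", "NOERROR",
         "198.51.100.10,198.51.100.11", "300.0,300.0"),
    _row("1700000100.2", "C2", "10.0.0.6", "www.example.test", "1", "A", "0", "NOERROR",
         "198.51.100.10", "300.0"),
    _row("1700000200.3", "C3", "10.0.0.5", "nx.example.test", "1", "A", "3", "NXDOMAIN",
         "-", "-"),
    _row("1700000300.4", "C4", "10.0.0.7", "www.example.test", "28", "AAAA", "0", "NOERROR",
         "2001:db8::10", "300.0"),
])


def parse_zeek_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header lines (#separator, #types, #close)
        yield dict(zip(fields, line.split("\t")))


def passive_dns(text):
    """Return {(query, qtype_name, answer): {first_seen, last_seen, count}}.

    Only successful answers are recorded; failed lookups (NXDOMAIN and the
    like) and records with no answers are skipped.
    """
    table = {}
    for rec in parse_zeek_log(text):
        if rec["rcode_name"] != "NOERROR" or rec["answers"] == "-":
            continue
        ts = float(rec["ts"])
        for answer in rec["answers"].split(","):
            key = (rec["query"], rec["qtype_name"], answer)
            entry = table.setdefault(key, {"first_seen": ts, "last_seen": ts, "count": 0})
            entry["first_seen"] = min(entry["first_seen"], ts)
            entry["last_seen"] = max(entry["last_seen"], ts)
            entry["count"] += 1
    return table


def names_for(table, answer):
    """Sorted names that have ever resolved to the given answer (reverse lookup)."""
    return sorted({q for (q, _qtype, a) in table if a == answer})


def new_resolutions(table, since_ts):
    """Keys first observed at or after since_ts: useful for spotting a name
    that suddenly points somewhere it never did before."""
    return sorted(k for k, v in table.items() if v["first_seen"] >= since_ts)


if __name__ == "__main__":
    table = passive_dns(SAMPLE_DNS_LOG)
    for (query, qtype, answer), v in sorted(table.items()):
        print(f"{query:<20} {qtype:<5} {answer:<16} seen {v['count']}x "
              f"first={v['first_seen']} last={v['last_seen']}")
    print("reverse 198.51.100.10:", names_for(table, "198.51.100.10"))
    print("new since 1700000250:", new_resolutions(table, 1700000250))
```

Because every record comes from traffic the sensor already saw, this table can be queried repeatedly without ever touching the hosts in question, which is exactly the detection-friendly property the passive approach trades for freshness.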
IVRE's documentation has more detailed instructions on setting it up for such purposes (Passive - IVRE documentation). Of all the network reconnaissance/IoT search engines, IVRE is one of the most complex and difficult for beginners to learn. For this reason, its developers have a short video demonstrating some of its functions:
ZoomEye, like Shodan and IVRE, is also an IoT search engine, albeit one based in China. Like the previous two, it can be used for cybersecurity or cracking purposes, as is the case with most cybersecurity tools. One difference with ZoomEye is that it lists trending (“hot”) searches when you click the search bar, which can help you if you’ve never used it before.
At the time of this writing, one of the trending searches is described as “Citrix Endpoint Management and XenMobile,” though the actual search term used is “login_xdm_uc.jsp”. This particular search is looking for compromised logins on Citrix gateways and XenMobile device management software.
Search results list information such as a device’s IP address, location, open ports, SSL certificate data, and signature algorithm. Also, as on Shodan, you can compile the search results into a report or search for related vulnerabilities. Plus, you can filter the data by search type, year, country, product, and other parameters. To boot, ZoomEye has a “statistics” feature, which breaks down all the different indexed data into a user-friendly UI:
The globe in the center illustrates IP distribution, while the side menus break down the most popular searches by location (United States, China), web application (WordPress, phpMyAdmin), web server (Apache httpd, nginx), device (webcam, router), and other categories. Looking at it from this perspective is rather scary, as it reveals just how much data is available for anyone to see.
Like IVRE, Censys is more than just a search engine, though its free version allows you to search for devices, like the other search engines discussed here. In a description of its use cases, they mention that:
Security teams can't keep up with the new types of digital assets that pose security risks, and comprehensively finding them on the Internet is nearly impossible. Censys identifies your publicly accessible assets and the risks they pose—even if they can't be scanned by your Vulnerability Assessment solution.
It also offers monitoring of remote workers’ devices and identification of attack surfaces, though these are only available on its subscription service. The search engine feature, which can be found at Censys: IPv4, has such options as searching for IPv4 hosts, websites, and security certificates. As shown below, it displays the hostname, network name, routing information, protocols, and a map showing an approximate geographic location.
If searching by website, you can type in a URL, such as https://torproject.org, and Censys will display information such as open ports, the TLS handshake that it uses, and whether or not the site is affected by the Heartbleed vulnerability.
Also, like Shodan, it has a feature allowing you to track devices that you have connected to the internet, although this is one of its premium features. It seems to be a good overall security tool, and its premium version is helpful in corporate settings.
There are other such tools and search engines that exist, but Shodan, IVRE, ZoomEye, and Censys are some of the best and most widely used. As noted, while the concept of having your device, in particular things like IP cameras, on display for the world is frightening, tools like these also make you aware of vulnerabilities and exploits that need to be patched, so they’re not a complete negative. Check them out; you may find something fun - or disturbing.