Shodan: How to Keep Your Webcam and IoT Devices from Being Hacked [Updated]

11/06/19 5 min. read

Shodan is a search engine created by Swiss computer scientist John Matherly that lets you locate any device connected to the Internet that has a security hole, such as an open port.

You may have ended up here by looking for a Shotokan Karate style kata. Or you may have searched Heian Shodan! on Google, but this post isn’t about that.

Shodan has nothing to do with Karate; it is a search engine for devices connected to the IoT.

[Image: Shodan website home page]

Which devices do I have access to?

With the rise of automation, the number of connected devices is immense. Shodan works as a web page with filters by city, type of port… and browsing it is as easy as any other web navigation.

So, the answer to which devices you can access is quite simple: each and every one of them that has not had security policies applied. That is, the ones that still have default usernames and passwords such as “admin/admin” or “1234”, or that have left certain ports open and exposed to the Internet.


Accessing unsecured webcams through Shodan

Some of the most compromising information we can access from the home page of Shodan’s website is the list of unsecured webcams. You don’t need to be a hacker: just by clicking “Top Voted” and selecting “Webcam” we can see a list of unprotected cameras.

[Image: Shodan Explore page]

On the left of the page, a world map appears with different shades according to the places where you can find more or fewer devices with vulnerable information. That is, devices without security. You can filter by Country, Service, Organisation or Product. On the right side you find the results of the filtering, showing the type of device with its geolocation and a trace showing the existing communication with the device.

[Image: Shodan Explore results for unsecured webcams]

For example, if you open the first VIDEO WEB SERVER result you can see its geolocation in extraordinary detail. When zooming in on the map, you can even see the building where that device is located and the ASN (Autonomous System Number) of the network that supplies its Internet connection.

Careful: if you enter any of them you may find confidential information. The fact that they are not protected does not mean you are authorized to use them.

[Image: Shodan details for an unsecured webcam]

That’s it, any type of device can be found in Shodan, even ATMs or ships navigating in the middle of the ocean. It is pretty scary, but it has an easy solution.

First rule to protect your devices

Many things we purchase are connected to the Internet. It’s the era of the Internet of Things. Just as search engines like Shodan allow you to access unprotected cameras, they also enable us to check whether we have an unprotected device, and to protect it. Ideally, though, you would do so right after taking it out of the box.

To start off, set a username and password different from the default ones. Each device has a different way of carrying this process out, but it will take you about 2 minutes. Log in through the device’s web interface and change the default username and password of, for example, your webcam. Do the same with all the devices you have connected to the Internet that have username/password access: the robot vacuum, the oven, lighting, the fridge… They’re all susceptible to being hacked if they’re unsafe.

This extra protection will take you about 2 minutes but will save you from bigger problems in the future. For the router, I recommend configuring it so that only a few MAC addresses can connect to it. It’s the only way to ensure that only authorized devices can access it.

How to check whether your device is on Shodan

Checking whether any of your devices are on Shodan is quite easy. If you want to find out whether your computer is currently in Shodan, you can put the public IP of your computer in the Shodan search engine, and if you are safe you will get a result like this:

[Image: searching for your IP on Shodan]

To know what your IP is, just ask Google “what is my IP” and the first result is your public IP:

[Image: Google result for “what is my IP”]
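A scripted version of the check described above, as an added example that is not part of the original post. It assumes Shodan's free InternetDB lookup (the post itself only mentions the website's search box); the watch list of ports and the sample record are constructed for illustration.

```python
import ipaddress
import json
import urllib.error
import urllib.request

# Ports a home network rarely needs to expose (assumed watch list, adjust to taste).
WATCHED_PORTS = {23: "Telnet", 80: "HTTP admin page", 554: "RTSP video stream",
                 8080: "alternate HTTP admin page"}

def fetch_record(ip):
    """Ask Shodan's InternetDB what it has indexed for one of your own public IPs.
    Returns the parsed JSON record, or None when Shodan has no entry (HTTP 404)."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        raise ValueError(f"{ip} is not a public address; Shodan only indexes public IPs")
    try:
        url = f"https://internetdb.shodan.io/{addr}"
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # not indexed: the outcome you are hoping for
        raise

def assess(record):
    """Turn a record (or None) into a list of findings; an empty list means nothing to fix."""
    if record is None:
        return []
    findings = []
    for port in sorted(record.get("ports", [])):
        label = WATCHED_PORTS.get(port)
        if label:
            findings.append(f"port {port} ({label}) is reachable from the Internet")
    for vuln in sorted(record.get("vulns", [])):
        findings.append(f"Shodan associates {vuln} with this host")
    return findings

# Constructed sample in the shape InternetDB returns; 203.0.113.10 is a documentation address.
SAMPLE = json.loads('{"ip": "203.0.113.10", "ports": [554, 80, 443], '
                    '"hostnames": [], "cpes": [], "tags": [], "vulns": []}')

if __name__ == "__main__":
    for line in assess(SAMPLE) or ["no watched ports or known vulnerabilities listed"]:
        print(line)
```

To check a real device, replace `SAMPLE` with `fetch_record("<your public IP>")`; each finding corresponds to a port to close on the router or a device to put behind a password.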

Check if your username or password has been stolen in Collection#1

Collection#1 is, so far, the biggest security breach in history: nearly 773 million email accounts, along with their passwords (21 million), have been leaked.

Check if your email / password was stolen following this article:

I hope that after reading this post none of your devices show up on Shodan. If they do, remember the recommendations that I just gave you: avoid default usernames and passwords. The more people know about the existence of Shodan, the greater the awareness and the less vulnerable we will be.

Joan R.R

Joan Rodríguez

Santander Global T&O

I am a superior computing engineer and I have had a great chance of working in all waterfall or agile development profiles: Developer, SW Architect, SW Evangelist, Scrum Master, Project Manager, Team Leader, QA Tester and Product Owner. I consider myself to be restless, resilient, geek and mostly, family-oriented. Currently, I am making cybersecurity developments for Group Santander.

