A Study on Internet of Things Devices Vulnerabilities using Shodan
Keywords: Internet of Things, Vulnerability assessment, Risk Analysis, Shodan, Octave Allegro, CVE
IoT has attracted a diverse range of applications due to its adaptability, flexibility, and scalability. However, the most significant barriers to IoT adoption are security, privacy, interoperability, and a lack of standards. Due to the persistent online connectivity and lack of security measures, adversaries can quickly attack IoT systems for various adversarial operations, financial gain, and access to sensitive data. We conducted a massive vulnerability scan on IoT devices using Shodan, the IoT search engine. The discovered vulnerabilities are analyzed using the Octave Allegro risk assessment method to determine the risk level (Critical, High, Moderate, Low, None), and the results are classified based on the vulnerabilities. The research findings are intriguing, shocking, and alarming, revealing the bitter reality that IoT devices are rapidly increasing while simultaneously eroding users' privacy on a never-before-seen scale. Our search discovered 13,558 webcams with outdated components, 11,090 devices disclosing NAT-PMP information, and 16,356 connected devices responding to remote telnet access. Around 2,456 IoT devices were found with the Heartbleed vulnerability, 674 with the Ticketbleed vulnerability, and 9,241 with expired SSL certificates. Nearly 18,638 IoT consumer devices are configured with insecure default settings; 11,481 devices with default SNMP agent community names; 4,987 devices running on non-standard ports; and 4,425 Cisco devices are configured with generic or default passwords.
"That IoT - RFID JOURNAL", [Online]. Available at: https://www.rfidjournal.com/
"Auto-ID Labs", [Online]. Available at: https://www.autoidlabs.org/
"ITU-T", [Online]. Available at: http://www.itu.int/internetofthings/
"IERC-ERC on the IoT", [Online]. Available at: http://www.internet-of-things-research.eu/about_iot.htm
"Gartner", [Online]. Available at: https://www.gartner.com/
"Disruptive Civil Technologies", [Online]. Available at: http://globaltrends.thedialogue.org/
"Connected IoT devices", [Online]. Available at: https://www.eenewseurope.com/
"IoT Market growth trends", [Online]. Available at: https://www.mordorintelligence.com/
"Internet of Things Market Size, Growth - IoT Industry Report 2026", [Online]. Available at: https://www.fortunebusinessinsights.com/industry-reports/
"Unlocking the potential of the IoT - McKinsey", [Online]. Available at: https://www.mckinsey.com/
P. Schaumont, "Security in the IoT: A challenge of scale," in Proceedings of the Design, Automation, and Test in Europe, 2017, pp. 674–679. https://doi.org/10.23919/DATE.2017.7927075.
"Insight into the global threat landscape", [Online]. Available at: https://events.theregister.co.uk/paper/
J. Sathish Kumar, and Dhiren R. Patel, "A survey on internet of things: Security and privacy issues," International Journal of Computer Applications, vol. 90, no. 11, pp. 20-26, 2014. https://doi.org/10.5120/15764-4454.
M. Abomhara and G. M. Køien, "Security and privacy in the Internet of Things: Current status and open issues," Proceedings of the International Conference on Privacy and Security in Mobile Systems (PRISMS), 2014, pp. 1-8. https://doi.org/10.1109/PRISMS.2014.6970594.
T. Heer, O. Garcia-Morchon, R. Hummen, S. L. Keoh, S. S. Kumar, and K, Wehrle, "Security challenges in the IP-based Internet of Things", WPC, vol. 61, issue 3, pp. 527-542, 2011. https://doi.org/10.1007/s11277-011-0385-5.
H. Ning, H. Liu, and L. T. Yang, "Cyberentity security in the internet of things," Computer (Long. Beach. Calif)., vol. 46, no. 4, pp. 46–53, 2013. https://doi.org/10.1109/MC.2013.74.
E. Bertino and N. Islam, "Botnets and Internet of Things Security," Computer (Long. Beach. Calif)., vol. 50, no. 2, pp. 76–79, 2017. https://doi.org/10.1109/MC.2017.62.
M. A. Razzaq, S. H. Gill, M. A. Qureshi, and S. Ullah, "Security issues in the Internet of Things (IoT): A comprehensive study," International Journal of Advanced Computer Science and Applications, vol. 8, no. 6, pp. 383-388, 2017. https://doi.org/10.14569/IJACSA.2017.080650.
"Remote Exploitation of an Unaltered Passenger Vehicle - Privacy PC," [Online]. Available at: https://privacy-pc.com/articles/
"Tour the World's Webcams With the Search Engine for the Internet of Things | WIRED," [Online]. Available at: https://www.wired.com/2013/07/shodan-search-engine/
"Sony Pictures Hack Could Also Impact Sony's PS4, Phone, and TV Business," https://www.forbes.com/
"PCWorld - News, tips, and reviews from the experts on PCs, Windows, and more," [Online]. Available at: https://www.pcworld.com/article/3089346/security/
R. Hofstede, A. Pras, A. Sperotto and G. D. Rodosek, "Flow-based compromise detection: Lessons learned," IEEE Security & Privacy, vol. 16, no. 1, pp. 82-89, 2018. https://doi.org/10.1109/MSP.2018.1331021.
"The Mirai botnet explained: How IoT devices almost brought down the internet | CSO Online,” [Online]. Available at: https://www.csoonline.com/article/
"Hackers once stole casino database through lobby fish tank thermometer - Business Insider," [Online]. Available at: https://www.businessinsider.com/
"Devil's Ivy' Vulnerability Could Afflict Millions of Internet-Connected Cameras and Card Readers – WIRED," [Online]. Available at: https://www.wired.com/
"Masscan - Penetration Testing Tools," [Online]. Available at: https://tools.kali.org/
"Nmap Network Scanning - the official Nmap Project Guide to Network Discovery and Security Scanning," [Online]. Available at: https://nmap.org/book/
R. C. Bodenheim, Impact of the Shodan Computer Search Engine on Internet-facing Industrial Control System Devices, Air Force Institute of Technology Wright-Patterson AFB OH Graduate School of Engineering and Management, Master Thesis, 2014. https://doi.org/10.1016/j.ijcip.2014.03.001.
L. Eeckhout, "The Internet of Things Revolution," IEEE Micro, vol. 36, no. 6, pp. 4-4, 2016. https://doi.org/10.1109/MM.2016.93.
J. Matherly, The Complete Guide to Shodan: Collect. Analyze. Visualize. Make Internet Intelligence Work For You, Kindle, ASIN: B01CDIU880, 2016.
C. Mohan, "ARIES/KVL: A key-value locking method for concurrency control of multi-action transactions operating on B-tree indexes," Proceedings of the 16th International Conference on Very Large Data Bases, VLDB’90, 1990, pp. 392-405. https://doi.org/10.1007/978-981-10-0448-3_28.
P. Kumar and V. S. Rathore, "Improvising and optimizing resource utilization in big data processing," Advances in Intelligent Systems and Computing, vol. 436, pp. 345–353, 2016.
S. Rawat, P. Kumar, and G. Jain, "Implementation of the principle of jamming for hulk gripper remotely controlled by Raspberry Pi," Advances in Intelligent Systems and Computing, vol. 436, pp. 199–208, 2016. https://doi.org/10.1007/978-981-10-0448-3_16.
R. Bodenheim, J. Butts, S. Dunlap, and B. Mullins, "Evaluation of the ability of the Shodan search engine to identify Internet-facing industrial control devices," Int. J. Crit. Infrastruct. Prot., vol. 7, no. 2, pp. 114–123, 2014. https://doi.org/10.1016/j.ijcip.2014.03.001.
L. Markowsky and G. Markowsky, "Scanning for vulnerable devices in the Internet of Things," Proceedings of the 8th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, IDAACS’2015, vol. 1, 2015, pp. 463–467. https://doi.org/10.1109/IDAACS.2015.7340779.
"SCADA 2017 The Future of SCADA Security: Jonathan Pollet red tiger security," [Online]. Available at: http://docplayer.net/
R. A. Caralli, J. F. Stevens, L. R. Young, W. R. Wilson, The OCTAVE Allegro Guidebook, v1.0. Cert Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213. May 2007, [Online]. Available at: http://www.cert.org/octave/allegro.html
R. A. Caralli, J. F. Stevens, L. R. Young, W. R. Wilson, Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. CMU/SEI-2007-TR-012, CERT Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213. May 2007, https://doi.org/10.21236/ADA470450.
C. Alberts, S. Behrens, R. Pethia, & W. Wilson, Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) Framework, Version 1 (CMU/SEI-99-TR-017, ADA367718), Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999. https://doi.org/10.21236/ADA367718.
S. Alfarisi, & N. Surantha, “Risk assessment in fleet management system using OCTAVE allegro,” Bulletin of Electrical Engineering and Informatics, no. 11, pp. 530-540, 2022. https://doi.org/10.11591/eei.v11i1.3241.
I. B. Wiguna, J. S. Suroso, S, Anugerah, “Information system risk management with OCTAVE alegro at Ed-Tech company,” Journal of Theoretical and Applied Information Technology, vol. 100, no. 20, pp. 6258-6271, 2022.
V. Gerardo, & A. Fajar, “Academic IS risk management using OCTAVE allegro in educational institution,” Journal of Information Systems and Informatics, vol. 4, issue 3, pp. 687-708, 2022. https://doi.org/10.51519/journalisi.v4i3.319.
M. Yu, J. Zhuge, M. Cao, Z. Shi, and L. Jiang, "A survey of security vulnerability analysis, discovery, detection, and mitigation on IoT devices," Future Internet, vol. 12, no. 2, p. 27, 2020. https://doi.org/10.3390/fi12020027.
"NAT-PMP Vulnerability", [Online]. Available at https://resources.infosecinstitute.com/
Z. Durumeric, F. Li, J. Kasten, J. Amann, J. Beekman, M. Payer, N. Weaver, D. Adrian, V. Paxson, M. Bailey, and J. A. Halderman, "The matter of heartbleed," Proceedings of the Conference on Internet Measurement, 2014, pp. 475-488. https://doi.org/10.1145/2663716.2663755.
H. Al-Alami, A. Hadi, and H. Al-Bahadili, "Vulnerability scanning of IoT devices in Jordan using Shodan," Proceedings of the 2nd IEEE International Conference on the Applications of Information Technology in Developing Renewable Energy Processes & Systems (IT-DREPS), 2017, pp. 1-6. https://doi.org/10.1109/IT-DREPS.2017.8277814.
J. Klein, and K. R. Walcott, "Exploiting Telnet security flaws in the Internet of Things," Future of Information and Communication Conference, Springer, Cham, 2019, pp. 713-727. https://doi.org/10.1007/978-3-030-12385-7_51.
L. Xia, C. S. Feng, Y. Ding, and W. Can, "Design of secure FTP system," Proceedings of the International Conference on Communications, Circuits, and Systems, 2010, pp. 270–273. https://doi.org/10.1109/ICCCAS.2010.5582002.
"Microsoft: Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability - Endpoint Vulnerability – FortiGuard," [Online]. Available at: https://fortiguard.com/
"A Vulnerability in Microsoft Windows SMB Server Could Allow for Remote Code Execution (CVE-2020-0796)," [Online]. Available at: https://www.cisecurity.org/
"Microsoft Server Message Block RCE Vulnerability – CISA," [Online]. Available at: https://www.us-cert.gov/ncas/
License
International Journal of Computing is an open access journal. Authors who publish with this journal agree to the following terms:
• Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
• Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
• Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.