IoT and the Risk of Internet Exposure: Risk Assessment using Shodan Queries

Since its introduction several years ago, Shodan has been used in several research projects related to security assessment of IoT devices publicly facing the Internet. Despite the fact that many of the queries that can expose those devices are publicly known, yet subsequent assessments continue to indicate the existence of instances of those vulnerabilities. In this paper, we conducted a remote security assessment based on an extended dataset from original public Shodan queries (with known terms to expose vulnerabilities). Based on our own assessment for the terms in the public Shodan queries, we updated the list to cover other important query terms that were reported for remote back-door access. Results showed that many of those public queries in the original Shodan list can still exploit several systems and devices facing the Internet. Similarly, many of the newly added queries indicate existing vulnerabilities in some live systems in the US in particular and also worldwide. Vulnerabilities related to default or trivial passwords in IoT devices were reported in SHINE and other assessment projects. Nonetheless, many of those vulnerabilities that are easy to fix, still exist in publicly visible IoT devices.