*Article* **Teaching and Learning IoT Cybersecurity and Vulnerability Assessment with Shodan through Practical Use Cases**

#### **Tiago M. Fernández-Caramés 1,2,\* and Paula Fraga-Lamas 1,2,\***


Received: 28 April 2020; Accepted: 19 May 2020; Published: 27 May 2020

**Abstract:** Shodan is a search engine for exploring the Internet and finding connected devices. Its main use is to give cybersecurity researchers and developers a tool for detecting vulnerable Internet-connected devices without scanning them directly. Because of these features, Shodan can be used to perform cybersecurity audits on Internet of Things (IoT) systems and devices used in applications that require Internet connectivity. The tool allows for detecting IoT device vulnerabilities related to two common cybersecurity problems in IoT: the implementation of weak security mechanisms and the lack of a proper security configuration. To tackle these issues, this article describes how Shodan can be used to perform audits and thus detect potential IoT-device vulnerabilities. For this purpose, a use-case-based methodology is proposed to teach students and users to carry out such audits and then secure the exploitable IoT devices they detect. Moreover, this work details how to automate IoT-device vulnerability assessments through Shodan scripts. Thus, this article provides an introductory practical guide to IoT cybersecurity assessment and exploitation with Shodan.

**Keywords:** IoT; cybersecurity; Shodan; teaching methodology; use case based learning; security audit; vulnerabilities; cyber-attacks; vulnerability assessment
