#### *6.3. Automating Attacks*

#### 6.3.1. Shodan APIs

The Shodan web interface provides a fast way to perform general evaluations on IoT devices or on very specific use cases. However, to automate use case analysis, the APIs provided by Shodan are more appropriate.

Currently, Shodan provides APIs for Python, Ruby, PHP, C#, Go, Haskell, Java, Node.js, Perl, PowerShell, and Rust. Two specific APIs are defined: a Representational State Transfer (REST) API and a streaming API. The REST API is aimed at interacting with Shodan through GET, POST, DELETE, and PUT requests. The streaming API is able to exchange data that is embedded into JavaScript Object Notation (JSON) files. Shodan also provides an additional REST API for exploits [75], which normalizes exploit information after collecting it from multiple vulnerability data sources.

#### 6.3.2. Teaching Shodan Scripting

In order to learn how to automate the manual steps described in Section 6.1, the following tasks can be performed by students/learners:


For instance, the following steps would be needed to perform the previous four tasks when using Python:


Listing 1: Example of Python script to automate Shodan queries.

```python
import shodan
from time import sleep

SHODAN_API_KEY = "[INSERT HERE YOUR API KEY]"
api = shodan.Shodan(SHODAN_API_KEY)

query = 'webcamxp'

try:
    # Step 2 - Search using Shodan API
    results = api.search(query)
    print('Total number of results: {}'.format(results['total']))

    for result in results['matches']:
        # Step 3 - Print IP and country for every obtained result
        print('IP: {}'.format(result['ip_str']))  # The IP for each result is printed
        # print(result['data'])  # To print raw data for each result
        host = api.host(result['ip_str'])
        print('- Country: {0}'.format(host.get('country_name', 'n/a')))
        print('')
        sleep(1)  # A 1-second delay is necessary to respect Shodan API restrictions

        # Step 4 - For each device IP, vulnerabilities and exploits are listed
        try:
            # 'vulns' is absent (None) when Shodan lists no CVEs for the host
            if host.get('vulns'):
                print('-------------------- Exploit list --------------------')
                for vulnerability in host.get('vulns'):
                    exploits = api.exploits.search(vulnerability)
                    sleep(1)
                    print('Found {0} exploits for vulnerability "{1}" \n'.format(
                        exploits.get('total'), vulnerability))

        except shodan.APIError as erro:
            print('Error during exploit query: "{0}"'.format(query))
            print('Shodan error: {0}'.format(erro))

except shodan.APIError as e:
    print('Error: {}'.format(e))
```

#### *6.4. Practical Teaching Results*

In recent years, the previously described methodology was taught at the University of A Coruña to students of the cybersecurity master's program. Each student received three individual Shodan queries and had to first apply the methodology described in Section 6.1.1, and then learned to automate such queries through scripts, following the steps indicated in Section 6.3.2.

As a reference, the following paragraphs summarize the results obtained by the students of the 2020 class, where 16 students (two women and fourteen men) took part in the course. Most of them were recent graduates from computer science and electrical engineering programs with good coding skills and basic knowledge of cybersecurity, but almost no previous experience with IoT. They also had no previous practical experience with Shodan.


As an example, Table 1 summarizes some of the most relevant results obtained by the students. The following are the main conclusions that can be drawn from such results:


**Table 1.** Summary of the most relevant results obtained by the students of class 2020.

1. Mootools-based webcams:

	- All the 20 analyzed webcams required no credentials to view their content.
	- Seven of the webcams were used as surveillance cameras in industrial scenarios, while 4 of them were aimed at watching road traffic in specific areas. In addition, 5 of the cameras were used as home surveillance systems. The other 4 webcams were used for monitoring public spaces.

	- Shodan query: *title:"powered by insteon"*
	- Relevant results:
		- Only 19 results were obtained. Most of the IPs were located in Taiwan and were deployed in homes.
		- Of the 19 IoT systems, 15 of them required no credentials to interact with the smart home system.
	- Shodan query: *title:"Centrale" Pragma: "no-cache, no-store"*
	- Relevant results:
		- Several of the analyzed systems made use of the default credentials, so attackers could access the alarm system and enable or disable it at will.
	- Shodan query: *title:"Status & Control"*
	- Relevant results:
		- A relevant number of the studied IoT systems used either the default user or administration credentials, so a remote attacker could easily watch and manipulate the thermostat.
	- Shodan query: *http.title:"Tesla PowerPack System"*
	- Relevant results:
		- Some of the analyzed IoT systems could be accessed as administrator by making use of the default credentials. However, most of the systems found through Shodan were actually classified as honeypots.
	- Shodan query: *title:"Network Camera VB-M600" "200 ok server: vb"*
	- Relevant results:
		- Of the 20 analyzed systems, nine of them could be accessed with no credentials, while four made use of the default credentials.
		- The software used by these systems was affected by 359 vulnerabilities documented through already published CVEs. Such vulnerabilities were essentially related to the use of outdated versions of Linux and Apache Tomcat.
	- Shodan query: *"product:TwonkyMedia UPnP" http.title:"Twonky Server"*
	- Relevant results:
		- All the devices found through the indicated Shodan query were completely open, so remote attackers can access the shared media content.

Given these results, as one of the students indicated in his report, "it can be concluded that Shodan is a really powerful cybersecurity tool that is able to expose IoT device misconfigurations and vulnerabilities in an easy and fast way; the possibility of using Shodan for automatic IoT vulnerability assessments emphasizes the importance of taking care of security during IoT device installation and configuration, and makes it necessary to patch their software periodically".

Finally, it is worth mentioning that, during the course, there were no major problems with respect to the use of Shodan. The only relevant issues arose in relation to the following two topics:


#### *6.5. Preventing Shodan-Based Attacks on IoT Devices: Best Practices*

The previous sections show that Shodan is a really powerful tool for performing IoT cybersecurity audits and attacks. In the case of the former, an auditor can give the following recommendations to prevent the audited IoT devices from being attacked through Shodan:

	- Never use default or really common credentials (e.g., "admin", "1234").
	- Try to use long usernames and passwords to avoid brute-force attacks.
	- Update credentials periodically.
	- Keep IoT device firmware updated.
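
An auditor can turn these recommendations into a recurring check of the organization's own exposure. The following is an added example, not code from the original article: it filters Shodan-style match records (shaped like the `results['matches']` entries handled in Listing 1) down to the owner's address ranges and ranks the indexed services that list known CVEs first. The sample records, the `OWNED_NETWORKS` range, the placeholder CVE ids and the `audit_exposure` helper are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample records (documentation-range IPs, placeholder CVE ids),
# shaped like the entries of results['matches'] in Listing 1.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 80,
     "http": {"title": "Network Camera"},
     "vulns": {"CVE-0000-0001": {}, "CVE-0000-0002": {}}},
    {"ip_str": "203.0.113.77", "port": 8080,
     "http": {"title": "Status & Control"}},
    {"ip_str": "198.51.100.5", "port": 443, "vulns": ["CVE-0000-0003"]},
    {"ip_str": "not-an-ip", "port": 23},  # malformed record
]

OWNED_NETWORKS = ["203.0.113.0/24"]  # assumed asset inventory of the auditor


def audit_exposure(matches, owned_networks):
    """Return one finding per indexed service located in our own ranges."""
    networks = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for record in matches:
        try:
            ip = ipaddress.ip_address(record.get("ip_str", ""))
        except ValueError:
            continue  # skip malformed records instead of aborting the audit
        if not any(ip in net for net in networks):
            continue  # not one of our devices: out of scope
        # 'vulns' may be a dict keyed by CVE id or a plain list of ids
        vulns = sorted(record.get("vulns") or [])
        findings.append({
            "ip": str(ip),
            "port": record.get("port"),
            "title": (record.get("http") or {}).get("title", ""),
            "vulns": vulns,
            # Listed CVEs call for a firmware update; otherwise check the
            # credentials and whether the service must be public at all.
            "action": ("update firmware" if vulns
                       else "review exposure and credentials"),
        })
    # Services with known CVEs come first
    return sorted(findings, key=lambda f: (not f["vulns"], f["ip"]))


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_MATCHES, OWNED_NETWORKS):
        print("{ip}:{port} [{title}] vulns={vulns} -> {action}".format(**f))
```
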

#### *6.6. Additional Course Topics*

This article described the content, structure, and methodology applied to a 6-week course that, due to time restrictions, is focused on detecting vulnerable IoT devices that are publicly exposed on the Internet. However, a complete IoT cybersecurity program should extend the proposed syllabus and address other relevant topics, like:

