Since October, 2010, Shodan has consistently made waves in the information security world.
For a quick review, Shodan is a computer search engine; essentially a searchable database of pre-scanned IP addresses with service banners from various system services like Web servers, SNMP, Telnet and more.
Like any security tool, Shodan can be leveraged by both malicious attackers and legitimate security operations to gain insights into the public IP exposure of an organization, and the results are often surprising.
Indeed, the DHS ICS-CERT has published multiple alerts directly referencing Shodan (and ERIPP) warning of the potential information gathering risks from malicious use of this resource and how misuse can pose threats to critical infrastructure like SCADA and ICS systems exposed on the public Internet.
The following advisories have a Shodan focus, and several other ICS-CERT product vulnerability advisories directly mention Shodan as a threat multiplier:
- ICS-ALERT-10-301-01 – CONTROL SYSTEM INTERNET ACCESSIBILITY (28 Oct. 2010)
- ICS-ALERT-11-343-01—CONTROL SYSTEM INTERNET ACCESSIBILITY (9 Dec. 2011)
- ICS-ALERT-12-046-01—INCREASING THREAT TO INDUSTRIAL CONTROL SYSTEMS (15 Feb. 2012)
In addition, many news articles and security conference presentations on Shodan's capabilities have helped to spread the word and have made Shodan an indispensable tool for penetration testing. In fact, just last month Shodan was on the front page of the Washington Post.
After a couple of years, Shodan is now mainstream. My take on this is how I put it in a tweet - "Organizations not using Shodan by now should just go back to sleep..."
Enter the Shodan App
Given the popularity and capability of Shodan, it should come as no surprise for knowledgeable security folks that a Shodan App added to the iTunes store on 9 July, 2012 was developed by Erran Cary (currently doing an internship with Rapid7).
Frankly, I was surprised that someone had not done this Shodan app sooner, but nonetheless it's a fine project and kudos to Erran for taking the initiative, and hopefully Rapid7 will be supportive of his Shodan app project. And a tip o' the hat to Apple for approving the app due to Erran's persistence.
Despite its coolness, from a pragmatic operational and penetration testing standpoint the Shodan app is not going to be my "go-to" means for executing Shodan queries.
This is not because of the app in and of itself, but rather the testing platform and queries that I do for my style of research.
I tend to use the Web-based and API scripted queries on a full computer rather than a iPhone/iPad for a number of reasons, but in a pinch or on-the-fly demo I'll be reaching for the Shodan app -- no question!
That said, I do not want to dismiss the value of the Shodan app.
I may have a few humble suggestions on how adding some other capabilities to the Shodan app could make this a more useful smartphone-based security tool.
Clearly, from an security awareness raising perspective the Shodan app is just the ticket to drive home the realities of how security tools and resources are becoming more portable and easier to use!