Shodan Reveals Exposed Cyber Assets
Using Shodan data, the Trend Micro Forward-looking Threat Research (FTR) team assessed which types of cyber assets found in cities across the globe are the most exposed. When a cyber asset like a webcam or a printer is searchable, threat actors can look for means to compromise the device or find out whether the device itself or its software version is known to be vulnerable. Affected parties can use the results of our research to justify investments such as the implementation of the necessary security measures that will better protect their data and assets from future compromise.
What is Shodan?
Shodan is an online search engine that catalogs cyber assets or internet-connected devices. Shodan finds and lists devices and systems such as webcams, baby monitors, medical equipment, industrial control system (ICS) devices, home appliances, and databases, among others. Shodan collates and makes searchable both device metadata and banner information that internet-connected devices and systems are freely sharing over the public internet—and with anyone who queries them.
What are exposed cyber assets?
We define “exposed cyber assets” as internet-connected devices and systems that are discoverable on Shodan or similar search engines, and can be accessed via the public internet. When a certain device or protocol is exposed, it does not necessarily mean that the cyber asset is automatically vulnerable or compromised.
However, since an exposed device is searchable and visible to the public, attackers can take advantage of the available information on Shodan in order to mount an attack. For instance, an attacker may check if the associated software of a device is vulnerable, or if the admin console’s password is easy to crack.
Cities Exposed Worldwide
We have looked at different developed countries in the world to see whether exposure levels differ across countries and in what ways. We have been able to analyze the exposed cyber assets in the United States, Western Europe as a region, the United Kingdom, France, and Germany. Click on the thumbnails to access the PDF reports.
Western European Cities Exposed New
We presented data on exposed cyber assets in the top 10 most populous cities in Western Europe—London, Berlin, Athens, Madrid, Rome, Paris, Stockholm, Oslo, Amsterdam and Lisbon. London and Berlin had more than 2.5 million exposed systems while Amsterdam and Madrid had numbers in the region of a million.
United Kingdom Cities Exposed New
We presented data on exposed cyber assets in the top 10 most populous cities in the United Kingdom—London, Manchester, Birmingham-Wolverhampton, Leeds-Bradford, Glasgow, Liverpool, Southampton-Portsmouth, Newcastle Upon Tyne-Sunderland, Nottingham, and Sheffield. London had the most number of exposed cyber assets in the U.K.―a little over 2.5 million. Manchester followed with around 320,000 and Glasgow with around 160,000.
French Cities Exposed New
We presented data on exposed cyber assets in the top 10 most populous cities in France—Paris, Marseille, Lyon, Toulouse, Nice, Nantes, Strasbourg, Montpellier, Bordeaux, and Lille. Paris had the most number of exposed cyber assets (around 400,000), followed by Marseille and Lyon (around 32,000 and 26,000 respectively).
German Cities Exposed New
We presented data on exposed cyber assets in the top 10 most populous cities in Germany—Berlin, Hamburg, Munich, Cologne, Frankfurt, Stuttgart, Duesseldorf, Dortmund, Essen, and Leipzig. Berlin had the most number of exposed cyber assets at around 3 million followed by Frankfurt (1.9 M).
US Cities Exposed
We presented data on exposed cyber assets in the top 10 largest U.S. cities by population—New York City, Los Angeles, Chicago, Houston, Philadelphia, Phoenix, San Antonio, San Diego, Dallas, and San Jose. Los Angeles, Houston, Chicago, and Dallas each had more than 2 million exposed cyber assets that make them vulnerable to exploitation and compromise.
For each research project, we answered the following questions:
- Which capital or city has the most number of exposed cyber assets?
- What are the most common connections, operating systems, and exposed and vulnerable products/software and device types in this country/region?
Then for each capital or city, we drilled down to analyze:
- Different exposed device types such as webcams, network-attached storage (NAS) devices, routers, printers, Voice over IP (VoIP) phones, and media recording devices
- Different exposed web services like email databases and other database types like MySQL, PostgreSQL, CouchDB, and MongoDB
- Different exposed services like NTP, UPnP, SNMP, SSH, RDP, Telnet, and FTP
Lastly, we also went into detail about what home office owners and enterprise network defenders can do to safeguard their networks from attacks that different threat actors can launch.
At no point during the research did we perform any scanning or attempt to access any of the internet-connected devices and systems. All published data, including screenshots, were collected via Shodan. Note that any mention of brands in this research does not suggest any issue with the related products but only that they are searchable in Shodan.
Furthermore, the analysis was done using February 2017 data, so given the fluid nature of the internet, the actual state of exposure may change.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale