Shodan is an online search engine that catalogs cyber assets or internet-connected devices. Many cyber assets are exposed in Shodan for a number of reasons, including poor configuration. This level of exposure can become a serious security concern when hackers take advantage of them to steal data, launch ransomware or distributed denial-of-service (DDoS) attacks, or gain entry into networks.
Using Shodan data, Trend Micro researchers Numaan Huq, Stephen Hilt, and Natasha Hellberg assess which devices, servers, and critical sectors in the US are the most exposed. Affected parties can use this information when implementing the necessary security measures that will better protect their data and assets from future compromise.
EXPOSED DEVICES
- Webcams
- NAS Devices
- Routers
- Printers
- Phones
- Exposed Media Devices
Webcams
Webcams are attractive targets for attackers not only because they can be used for surveillance but also because many webcams don’t come with an auto-update function. This means they are rarely patched and can be easily exploited. Houston, Texas is one of the biggest US cities with the most number of exposed webcams, while GeoVision GeoHTTPServer is the most exposed product.
D-Link DCS-930L webcam http interface
Avtech AVN801 network camera
NAS Devices
NAS devices are popular solutions for backing up and storing data, as well as sharing files in collaborative work environments. Compromised NAS devices can lead to potential data theft and loss. Although there are relatively few exposed NAS devices in the US, most of them are located in Phoenix, Arizona. The most exposed NAS device is the Seagate GoFlex SSHD.
Synology DiskStation NAS ftpd
Adaptec/IBM ServeRAID Management http config
Mediabolic http config
Routers
Despite manufacturers' efforts to release firmware upgrades and security patches for their routers, only a few users ever really install these fixes. These make routers exposed and vulnerable. Compromised routers can be abused to steal credentials, redirect users to malicious sites, or generate network traffic in DDoS attacks. Cisco routers, which dominate the Shodan results, are typically installed by Internet service providers (ISPs) in customers’ homes. Houston, Texas has the most number of exposed routers.
Linksys wireless-G WAP http config
DD-WRT milli_httpd
MikroTik router ftpd
D-Link DLS-2750U ftp firmward update
Printers
Printers can be a treasure trove of information for attackers seeking to go much deeper into a network or steal and sell insider information. An office printer, for example, handles confidential documents containing financial, customer, and sales data, as well as intellectual property. Los Angeles, California has the most number of exposed printers; Debut embedded HTTPD is the most exposed product.
HP-ChaiSOE
Brother/HP printer ftpd
Allegro RomPager
HP LaserJet CP1205nw or P1606 httpd config
HP JetDirect ftpd
Phones
Many companies are switching to voice over internet protocol (VoIP) phones because they make calling overseas cheaper; this is why Free Private Branch Exchange (FPBX) dominate Shodan results. Phones can be compromised to disrupt voice communications or eavesdrop on conversations. San Jose, California has the highest concentration of unsecured phones in the US.
VoIP phone
VoIP adapter
Telecom-misc
Phone
Exposed Media Devices
Most media devices found on Shodan are digital video recorders (DVRs). DVRs can be security risks if attackers can access saved or live surveillance footage, or abuse them for lateral movement in a network. Chicago, Illinois has the most number of exposed DVRs, while TiVo To Go HTTPD is the most exposed product.
Panasonic DVR slinger httpd config
Dedicated Micros Digital Sprite 2 DVR telnetd
AMX NetLinx A/V control system ftpd
EXPOSED SERVERS AND DATABASES
- Web Servers
- Email Servers
- MySQL
- PostgreSQL
- MongoDB
- MS-SQL
- Medical PACS
- Medical EHR
Web Servers
Web servers are Internet-facing by design and are riddled with vulnerabilities, which attackers can take advantage of. A compromised Web server can be used to redirect visitors to malicious websites, or host malicious content and illegal data. Apache HTTPD type is the most exposed product, while Los Angeles, California has the most number of exposed web servers.
nginx
Microsoft IIS httpd
Email Servers
Email servers (especially those used by organizations handling critical data) provide a wealth of confidential information that cybercriminals can monetize. Attackers can also target these servers to disrupt email services and severely cripple business operations. Los Angeles, California has the most number of exposed email servers, while Exim SMTPD is the most exposed product.
Postfix smtpd
Sendmail
Microsoft ESMTP
MySQL Databases
Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.
From the Shodan data, we found that MySQL was the most popular database exposed on the Internet. Most of these exposed databases are concentrated in Los Angeles, California.
PostgreSQL Databases
Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.
Chicago tops the list as one of the biggest cities with the most number of exposed PostgreSQL databases.
MongoDB Databases
Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.
MongoDB returns banner information, including stored table names. This makes it easy for attackers to figure out what type of data is stored in the exposed MongoDB databases.
MS-SQL Databases
Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.
Compared to other US cities, Los Angeles, California has the highest concentration of exposed MS-SQL databases.
Medical PACS Databases
A picture archiving and communication system (PACS) database is mainly used in the medical industry for economic storage and convenient access to images taken for various medical procedures like CT scan, X-Ray, MRI, or ultrasound. If these records ever fall into the wrong hands, they can be used for defamation, blackmail, or extortion. Chicago, Illinois has the most number of exposed PACS servers, while Apache HTTPD is the most exposed server software.
Microsoft IIS httpd
nginx
Medical EHR Databases
An electronic health record (EHR) database is mostly similar to PACS and is often used interchangeably. It stores patient data such as medical histories, laboratory test results, and insurance information. Houston, Texas has the most number of exposed EHR databases, while Apache HTTPD is the most exposed server product. Apache has plenty of known vulnerabilities that attackers can exploit, giving them access to the said data. The volume of available patient health records for sale in Deep Web marketplaces may indicate regular compromise of such systems.
Microsoft IIS httpd
nginx
Apache Tomcat/Coyote JSP engine
EXPOSED CRITICAL SECTORS
- Government
- Emergency Services
- Healthcare
- Utilities
- Finance
- Education
Government
Lafayette, Louisiana and Saint Paul, Minnesota have more exposed government cyber assets than the US capital, Washington DC. Firewalls make up almost half of the sector’s most exposed devices.
WAP
Specialized
Webcam
Router
Security-misc
Printer
Switch
VoIP phone
Print server
Emergency Services
Houston, Texas and Lafayette, Louisiana are the top two cities with the most number of exposed cyber assets, with firewalls (55.65%) and printers (25%) making up the bulk of it.
Printer
Router
Webcam
WAP
Switch
Security-misc
Specialized
PBX
Terminal Server
Healthcare
The US healthcare sector has the least number of exposed cyber assets compared to the other sectors, with firewalls (69.10%) being the most exposed. Despite this, however, Shodan data reveals multiple unpatched servers running in healthcare organizations.
Security-misc
Router
Specialized
Printer
Switch
WAP
Webcam
Utilities
Most exposed cyber assets in this sector are located in small cities and towns instead of big cities. Clarksville, Tennessee has the most number of exposed assets in this sector, while wireless application protocol (WAP) is the most exposed cyber asset.
Firewall
Webcam
Router
Security-misc
Specialized
Storage-misc
Printer
PBX
VoIP phone
Finance
Shodan found very few exposed printers and webcams, as well as very few unpatched vulnerable servers running in the US financial sector. New York City has the highest number of exposed financial cyber assets. Like with the other sectors, firewalls are the most exposed devices.
Security-misc
Router
PBX
WAP
Switch
Specialized
Printer
VoIP phone
Webcam
Education
With 65,000, Philadelphia, Pennsylvania has the most number of exposed cyber assets in the education sector. Like the rest of the sectors printers, firewalls, and webcams made the bulk of these exposed devices, along with multiple unpatched servers.
Firewall
Specialized
Webcam
Print Server
Router
Switch
Media Devices
WAP
VoIP Phone
It must be noted that while we say ‘unsecured’ and ‘exposed’, this do not necessarily mean that the listed cyber assets are compromised, rather they are simply poorly configured and are thus vulnerable. As such, there may still be time for the owners of these unsecured cyber assets to secure them and prevent further attacks.
For complete and detailed information on this research, as well as up-to-date and actionable steps organizations and even home users can take to better secure their networks and connected devices, you can check out our research papers below.
DOWNLOAD FULL REPORTS
ERRATUM: The article and research paper mistakenly mentioned Lafayette, Indiana when published. It has been corrected to Lafayette, Louisiana.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Addressing CAPTCHA-Evading Phishing Threats With Behavior-Based AI Protection
Analyzing the Risks of Using Environment Variables for Serverless Management
LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users, Research Finds