{"title":"A Study on Internet of Things Devices Vulnerabilities using Shodan","authors":"V. Rajasekar, S. Rajkumar","doi":"10.47839/ijc.22.2.3084","DOIUrl":null,"url":null,"abstract":"IoT has attracted a diverse range of applications due to its adaptability, flexibility, and scalability. However, the most significant barriers to IoT adoption are security, privacy, interoperability, and a lack of standards. Due to the persistent online connectivity and lack of security measures, adversaries can quickly attack IoT systems for various adversarial operations, financial gain, and access to sensitive data. We conducted a massive vulnerability scan on IoT devices using Shodan, the IoT search engine. The discovered vulnerabilities are analyzed using the Octave Allegro risk assessment method to determine the risk level (Critical, High, Moderate, Low, None), and the results are classified based on the vulnerabilities. The research findings are intriguing, shocking, and alarming, revealing the bitter reality that IoT devices are rapidly increasing while simultaneously eroding users' privacy on a never-before-seen scale. Our search discovered 13,558 webcams with outdated components, 11,090 devices disclosing NAT-PMP information, and 16,356 connected devices responding to remote telnet access. Around 2,456 IoT devices were found with the Heartbleed vulnerability, 674 with the Ticketbleed vulnerability, and 9,241 with expired SSL certificates. 
Nearly 18,638 IoT consumer devices are configured with insecure default settings; 11,481 devices with default SNMP agent community names; 4,987 devices running on non-standard ports; and 4,425 Cisco devices are configured with generic or default passwords.","PeriodicalId":37669,"journal":{"name":"International Journal of Computing","volume":"13 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2023-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.47839/ijc.22.2.3084","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"Computer Science","Score":null,"Total":0}
Citation count: 0
Abstract
IoT has attracted a diverse range of applications due to its adaptability, flexibility, and scalability. However, the most significant barriers to IoT adoption are security, privacy, interoperability, and a lack of standards. Due to the persistent online connectivity and lack of security measures, adversaries can quickly attack IoT systems for various adversarial operations, financial gain, and access to sensitive data. We conducted a massive vulnerability scan on IoT devices using Shodan, the IoT search engine. The discovered vulnerabilities are analyzed using the Octave Allegro risk assessment method to determine the risk level (Critical, High, Moderate, Low, None), and the results are classified based on the vulnerabilities. The research findings are intriguing, shocking, and alarming, revealing the bitter reality that IoT devices are rapidly increasing while simultaneously eroding users' privacy on a never-before-seen scale. Our search discovered 13,558 webcams with outdated components, 11,090 devices disclosing NAT-PMP information, and 16,356 connected devices responding to remote telnet access. Around 2,456 IoT devices were found with the Heartbleed vulnerability, 674 with the Ticketbleed vulnerability, and 9,241 with expired SSL certificates. Nearly 18,638 IoT consumer devices are configured with insecure default settings; 11,481 devices with default SNMP agent community names; 4,987 devices running on non-standard ports; and 4,425 Cisco devices are configured with generic or default passwords.
About the journal:
The International Journal of Computing was established in 2002 on the basis of the Branch Research Laboratory for Automated Systems and Networks, which has been known since 2005 as the Research Institute of Intelligent Computer Systems. The goal of the Journal is to publish papers with novel results in Computing Science, Computer Engineering, Information Technologies, Software Engineering, and Information Systems within the Journal's topics. The official language of the Journal is English; abstracts of papers are also published in Ukrainian and Russian. Issues of the Journal are published quarterly. The Editorial Board consists of about 30 scientists recognized worldwide.