Bournemouth 2600 Shodan Safari

Introduction

The Bournemouth 2600 hackers recently went on a Shodan Safari and realised it is crazy what you can find on the internet if you look hard enough. This includes sensitive endpoints that are not protected and allow anyone to access them without authentication. 

Some of the systems a group of B2600 hackers found were very interesting. These include smart home control panels, industrial control systems (ICS), restaurant terminals, various media servers, a car wash, a shooting range target system, launderettes, and medical equipment like an MRI scanner and X-ray scanner.

It was also possible to find virtual private servers (VPSs) running operating systems such as Kali Linux. Multiple Chinese-speaking users also ran various games on their VPSs. Other notable findings we uncovered were defaced appliances and IP cameras.

What is Shodan?

In short, Shodan is an Internet-of-Things (IoT) search engine. It scans all publicly reachable IP addresses for open ports and running services. A handy aspect of Shodan is that it displays screenshots of the scanned systems and indexes them in the search engine.

Research Disclaimer

B2600 is a group of ethical researchers who performed this research within the law. Seeing as it is obvious we are located in Bournemouth, we made sure to adhere to UK law, i.e., the Computer Misuse Act 1990, which prohibits unauthorised access. During our research we did not access any systems but spent our time reviewing screenshots and artifacts indexed by Shodan.

Our Findings

For the rest of this blog, we shall share some of the systems we found on Shodan to demonstrate the types of devices exposed, theoretically for all of the world to see. While we are ethical researchers, cybercriminals or even nation state threat actors could easily take advantage of these misconfigurations for their own objectives. Therefore, this blog serves as a generic warning to all organisations and end users of IoT devices not to expose them to the internet.

Not So Smart Homes

Remember this scene from Mr Robot? Well, we found all sorts of Home Assistant control panels exposed on Shodan which, if exploited, could be used to do things like turning the lights off and on, changing the temperature controls of the house, and only god knows what else.


Tap Water Troubles 

In 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about pro-Russian hacktivists targeting and compromising small-scale operational technology (OT) systems in North American and European water and wastewater systems, dams, energy, and food and agriculture sectors.

On Shodan, however, it was possible to find one of these water systems exposed in the US:


Hacking the Hackers

A quite frankly funny finding was that users of Kali Linux, the OS of choice for penetration testers, were regularly found exposed on Shodan. Remember, aspiring hackers, there's no place like 127.0.0.1.


Looks like Cybercrime

We found evidence on some systems without authentication of various people connecting to them and writing little messages. While this seems good-spirited, this could in fact be considered committing cybercrime, as unauthorised access to a vulnerable system was gained and exploited.


Server Defacements

In December 2024, CISA also warned about the CyberAv3ngers, a threat group reportedly affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The adversary had been exploiting Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human machine interfaces (HMIs).

While scanning around on Shodan, we uncovered one of these compromised systems which had been defaced by CyberAv3ngers who uploaded this politically charged wallpaper on the system.


Les Petits Restos

We managed to find French restaurants that had their waiter order terminals exposed. In theory, a would-be attacker could add food to various bills of customers at the diner.


Vidya Gaem

Chinese people playing video games also appeared on several occasions, which was unusual to us. Perhaps they had created VPSs outside of the Great Firewall to be able to play past the CCP-permitted three-hour time windows.


Car Wash

This one doesn't really need any introduction. It is a literal car wash that was available via Shodan.


The Wild West

You know how Americans love to shoot their guns? Well the people of Utah obviously need some sort of automatic target shooting system to fulfil their needs. That was also exposed on Shodan.

Washing Machines Live Longer With Shodan

You may not expect to see washing machines on the internet, but we found not one but two launderettes on Shodan. One was in the Netherlands and the other in South Korea.


Medical Systems

One of the more concerning findings we uncovered was medical equipment exposed to the internet. This included expensive MRI scanners and XRay machines. The thought of these being exploited by a cybercriminal (possibly while in use) was a terrifying prospect.


Blowing in the Wind

One notable finding we came across was a wind turbine control panel by the company Nordex. It may also be worth noting that there were some news reports a couple of years ago about Nordex wind turbines being hacked as well.


Sludge Detected?

We're not even sure what a sludge monitor is, but we found one anyways.


Milking it

We found a milk tank used to collect from a dairy herd (we believe).



Weed Farm

We couldn't believe it ourselves when we found an IP camera monitoring a cannabis grow house on Shodan.



Conclusion

For some of the things we found via our Shodan Safari we couldn't believe our own eyes. It is truly remarkable what you can find when hunting around as a group on Shodan. I recommend anyone reading this blog try it themselves for fun, just to see what you can find.