Shodan Safari, where hackers heckle the worst devices put on the internet

NelsonG · January 21, 2019

If you leave something on the internet long enough, someone will hack it.

The reality is that many device manufacturers make it far too easy by using default passwords that are widely documented, allowing anyone to log in as “admin” and snoop around. Often, there’s no password at all.

Enter “Shodan Safari,” a popular part-game, part-expression of catharsis, where hackers tweet and share their worst finds on Shodan, a search engine for exposed devices and databases popular with security researchers. Almost anything that connects to the internet gets scraped and tagged in Shodan’s vast search engine — including what the device does and internet ports are open, which helps Shodan understand what the device is. If a particular port is open, it could be a webcam. If certain header comes back, it’s backend might be viewable in the browser.

Think of Shodan Safari as internet dumpster diving.

From cameras to routers, hospital CT scanners to airport explosive detector units, you’d be amazed — and depressed — at what you can find exposed on the open internet.

Like a toilet, or prized pot plant, or — as we see below — someone’s actual goat.

GOATCAM (.nl)https://t.co/G8i0MhZ71G #shodansafari

— Morbid Angel (Codename: DRAKO) (@m0rb) November 13, 2018

The reality is that Shodan scares people — and it should. It’s a window into the world of absolute insecurity. It’s not just exposed devices but databases — storing anything from two-factor codes to your voter records, and where you’re going to the gym tonight. But devices take up the bulk of what’s out there. Exposed CCTV cameras, license plate readers, sex toys, and smart home appliances. If it’s out there and exposed, it’s probably on Shodan.

If there’s ever a lesson to device makers, not everything has to be connected to the internet.

Here’s some of the worst things we’ve found so far. (And here’s where to send your best finds.)