I've started collecting screenshots for a few services, most notably VNC, and something stuck out at me:

The top 5 ports where VNC is running with authentication disabled are:

1. 5900 (default port): 4,029
2. 5901: 3,995
3. 84: 25
4. 83: 14
5. 13579: 7

Out of ~8,000 results, 50% of the results came from services that were operating VNC on a non-standard port. It's not unusual to see common services running on different ports, but that was a surprising amount. My guess is that a lot of people change the default port thinking that it will hide their service. Because Shodan scans for 250+ different ports however, there's a small chance that Shodan will discover it anyways. And for a lot of the popular protocols, Shodan actually also crawls for one-off ports (thank you to @Viss for that idea).

I've seen this sort of behavior in other services as well, this isn't limited to VNC. If you've read my previous blog posts this might sound familiar to you. In fact, I observed much of the same when looking at SSH. For SSH, the choice of ports is a bit wider but in general people don't work well as random number generators.

Furthermore, this sort of behavior can be observed across the industries. For example, you might know that Shodan crawls the Internet for industrial control systems (ICS). One of the most popular protocols in ICS is called Modbus that runs on port 502. At the moment, there are about 17,000 devices listening to Modbus on the default port. It turns out there are also 700 devices listening on port 503, again a one-off sort of situation.

If you're looking to hide your service putting it on a different port is a temporary band-aid at best and a false sense of security more than anything.

Shodan has been in the news for the past few years largely due to the discoveries that security researchers have made with it. Whether it's webcams or wind farms there isn't a shortage of things that get connected to the Internet every day. And every time these discoveries are announced the news article will end by saying that the relevant authorities have been notified, especially in the case of industrials control systems. Most readers assume that since the problem has been identified the fix would be straight-forward - just take the system off the Internet!

Why is this on the Internet?!

What isn't made clear to a lot of people is that finding out who owns some of these devices can be very difficult and time-consuming. For example, lets take a look at the results for one of the most popular industrial control system protocols: Modbus. There are roughly 12,500 results at the moment and a banner looks like:

The given device doesn't include any information on the model/ firmware its running and all we can tell based on its IP is that it's located in Russellville, USA. The IP address is owned by the CenturyLink ISP so that doesn't tell us much more about which business is actually operating the device. When you look at Modbus results in aggregate the general issue becomes clear:

A huge amount of industrial control systems are located on mobile networks. For Modbus, it looks like 10% of devices are on the Verizon Wireless network! With websites you usually have Whois information or even a contact page that lets you notify the owner if a security problem is found, but that doesn't exist for the vast majority of non-web devices/ services. So when it comes to tracking down who owns the device you're faced with the problems that:

1. The device IP doesn't tell you anything about who owns it
2. The location of the device is very rough and not always reliable
3. The data the device returns doesn't tell you who made or installed it

I think a lot of people overestimate the capabilities that exist to actually track down who owns/ operates Internet-connected control systems but hopefully I've shown at least a few issues that make it surprisingly hard to take these things offline.

I've recently added the ability to search for devices in Shodan based on the state they're located in. This provides the interesting possibility to start comparing the security posture of US states by looking at what sort of things they expose publicly. To start off, I will be taking a look at how prevalent industrial control systems (ICS) are in the various states.

Shodan currently crawls for roughly 15 different ICS protocols on more than 20 ports and within the past week or so has discovered ~40,000 of them that are publicly accessible on the Internet worldwide. I presented on a few of these protocols at 4SICS in October 2014, and you can download the data and view the maps that were generated for the talk.

Lets start taking a look at the US in particular though: so far in May Shodan has discovered 20,445 ICS devices in the US. This is definitely a lower bound and more will be discovered until the end of the month (many ICS devices have high latencies - more on that later).

The most popular protocol is Tridium's Fox, followed by BACnet and Modbus. Fox and BACnet are commonly used by building management systems (BMS), while Modbus is used across a wide range of products. The full Top 10 Protocols are as follows:

1. Tridium Fox: 7,706
2. BACnet: 4,525
3. Modbus: 1,625
4. EtherNet/IP: 1,578
5. ProConOS: 1,018
6. General Electric: 956
7. OMRON FINS: 777
8. Mitsubishi: 615
9. Red Lion: 551
10. Codesys: 407

By faceting on state using the Shodan API we can get a breakdown of ICS devices for each US state:

The above map chart shows a breakdown of which states have the most ICS devices on the Internet. As you'd probably expect the larger, more populous states also tend to have more devices online:

1. CA: 2328
2. TX: 1422
3. NY: 739
4. MA: 559
5. IL: 552
6. PA: 482
7. OH: 466
8. NJ: 465
9. FL: 416
10. MI: 390

Bigger states have more people, more devices and therefore more control systems required to provide services. This means larger states would always be at the top of any ICS ranking, which means it's not entirely fair to compare states based on absolute numbers. So lets normalize the results and look at states based on the % of devices in the state that are control systems:

And now we get a slightly different picture. Maine is at the top of the list with 0.23% of the state's devices being industrial control systems on the Internet, followed by Hawaii (0.19%) and Nebraska (0.17%). The top 10 are:

1. Maine: 0.23%
2. Hawaii: 0.19%
3. Nebraska: 0.17%
4. Vermont: 0.17%
5. West Virginia: 0.16%
6. Montana: 0.14%
7. Rhode Island: 0.14%
8. Iowa: 0.13%
9. Arkansas: 0.12%
10. Washington DC: 0.11%

If you want to analyze the results further or look at the data yourself, check out the Shodan API documentation for information on what you can search and facet on. There are also a bunch of libraries available in Python, Ruby, NodeJS and Go to make getting started easy.

I will be keeping track of how these numbers change in the coming months/ years, especially as federal policies change and cyber insurance becomes more popular.

PS: If your browser supports WebGL you can also check out the following visualization that was generated for my talk at the Department of Homeland Security ICS Joint Working Group conference in June 2014: https://ics-radar.shodan.io/