Dangers of IoT Search Engines

When most of us need to find something online, we search through Google. But did you know there are IoT-focused online search engines? Two of the more popular sites are Censys and Shodan.

These sites were created with good intentions – internet scanning for IT professionals to identify potential security issues from vulnerable networks and devices.

Censys IoT Search Engine screen capture
Screen Capture of Censys IoT Search Engine
Shodan IoT Search Engine screen capture
Screen Capture of Shodan IoT Search Engine

The Problem: IoT System Vulnerabilities

But, it was quickly determined that the sites could be used for nefarious purposes. The shared device information is extensive enough where someone outside the organization could attempt to log in to a device. If the organization did not change the default login information – information that is often easily available online from the manufacturer – their device could now be accessed by random strangers on the internet.

Site users have identified a variety of vulnerable IoT devices – webcams, traffic management systems, medical devices, video baby monitors and more. Virtually any internet-connected device could be accessed if proper precautions are not taken. Repercussions range anywhere from privacy violations, to harassment and eminently more dangerous situations.

How can IoT user protect themselves?

Diligence is key to IoT security. Here are some suggestions from KMC’s VP of Technology Dave Bohlmann on how to protect yourself:

  • Always change the default password on your devices to something other than the default. Always.
  • If you need remote access to devices, work with the customer’s IT department to get VPN connectivity to them.
  • If IT will not get you VPN credentials, consider installing a small business VPN-capable router, and install your BMS network on the LAN side of this router, with permission from your Customer.
  • If you can, don’t make devices public-facing.
  • If you must have your devices public-facing, be sure you have changed their passwords to something other than the default, and if possible, change the default username as well.