What is Shodan telling us about ICS in Belgium?

Shodan

I have been using Shodan, “the world’s first search engine for Internet-connected devices”, for a long time. Recently I switched my free account to a membership account. A membership account allows you to do API queries with additional query filters (for example, restricting search results to specific countries).

In this post I describe the results of querying the Shodan API for ICS (or related) devices in Belgium. These results are entirely based on what is available via Shodan without touching any of the affected devices.

Searching for IoT, SCADA and other stuff.

The developer API allows you to query the dataset and then parse the results offline with your own tools. I wrote a Python script that queried Shodan for a number of interesting ICS/SCADA/IoT strings, parsed the results and then stored them in a sqlite database. These are the queries that I ran with Shodan:

Building Operation Automation Server 
Schneider Electric 
moxa 
eWON 
Sauter 
scada 
3S - Smart 
Honeywell 
rockwell 
title:'xzeres wind' 
html:'PIPS Technology ALPR Processors' 
port:502 
port:102 
port:20000 source address 
port:789 product:'Red Lion Controls' 
port:1962 PLC 
port:5094 hart-ip 
port:18245,18246 product:'general electric' 
port:1911,4911 product:Niagara 
port:47808 
port:44818 
port:9600 response code 
port:5006,5007 product mitsubishi 
port:2455 operating system 
port:20547 PLC 
port:2404 asdu address 
port:161 simatic 
port:3011 
port:1911 
mitsubishi 
siemens 

Because I was only interested in the results from Belgium I limited the search to country:BE.

The logic of the script was:

  1. Perform the search query with api.search(expr);
  2. For every host, retrieve the details (hostname, open ports) with api.host(ip_str, history=False);
  3. If the host was not previously seen in the database, insert it in a host table and keep track of the associated domain and hostname;
  4. Parse the details of the host
    1. Add every open port to the database, but only if the combination of host+port+transport isn’t already there;
    2. Extract useful product and device information;
    3. Do this with the information available via Shodan or by simple banner parsing.
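The four steps above, written out as a small ingestion script. This is an added example, not the author's script: the Shodan client is injected so the module runs offline against the constructed `FakeShodan` class below, but `search()` and `host(ip, history=False)` have the same call shape and return the same dictionary layout as the real `shodan.Shodan(API_KEY)` client. The queries, host records and RFC 5737 documentation IPs are constructed, and deduplication of host+port+transport is done with a composite primary key and `INSERT OR IGNORE`.

```python
"""Inventory Shodan results for ICS-related queries into SQLite.

Added example, not the author's script. The client is injected so it runs
offline with the constructed FakeShodan below; with the real library it is
shodan.Shodan(API_KEY), whose search()/host() have the same shape.
"""
import sqlite3

COUNTRY = "BE"  # every query is scoped to Belgium, as in the post

# Constructed subset of the query list above.
QUERIES = ["port:502", "moxa", "port:44818"]

SCHEMA = """
CREATE TABLE IF NOT EXISTS host (
    ip        TEXT PRIMARY KEY,
    hostnames TEXT,
    domains   TEXT
);
CREATE TABLE IF NOT EXISTS port (
    ip        TEXT,
    port      INTEGER,
    transport TEXT,
    product   TEXT,
    PRIMARY KEY (ip, port, transport)  -- one row per host+port+transport
);
"""

# Constructed host records in the shape returned by api.host(); the IPs are
# RFC 5737 documentation addresses, not real devices.
FAKE_HOSTS = {
    "192.0.2.10": {
        "hostnames": ["plc-a.example.net"], "domains": ["example.net"],
        "data": [
            {"port": 502, "transport": "tcp", "product": None},
            {"port": 502, "transport": "tcp", "product": None},  # duplicate banner
            {"port": 80, "transport": "tcp", "product": "lighttpd"},
        ],
    },
    "192.0.2.20": {
        "hostnames": [], "domains": [],
        "data": [
            {"port": 44818, "transport": "tcp", "product": "Rockwell Automation/Allen-Bradley"},
            {"port": 161, "transport": "udp", "product": None},
        ],
    },
}


class FakeShodan:
    """Stand-in for shodan.Shodan with the same search()/host() call shape."""

    def __init__(self, hosts):
        self._hosts = hosts

    def search(self, expr):
        # The real API returns one match per banner; one per host is enough here.
        return {"matches": [{"ip_str": ip} for ip in self._hosts],
                "total": len(self._hosts)}

    def host(self, ip, history=False):
        return self._hosts[ip]


def ingest(api, queries, conn):
    """Steps 1-4 of the post: search, fetch details, insert unseen hosts and ports.

    Returns (new_hosts, new_ports) so repeated queries show how much was deduplicated.
    """
    conn.executescript(SCHEMA)
    new_hosts = new_ports = 0
    for expr in queries:
        result = api.search(f"{expr} country:{COUNTRY}")
        # A host can appear once per banner; collapse to unique IPs first.
        for ip in sorted({m["ip_str"] for m in result["matches"]}):
            details = api.host(ip, history=False)
            cur = conn.execute(
                "INSERT OR IGNORE INTO host VALUES (?, ?, ?)",
                (ip, ",".join(details.get("hostnames", [])),
                 ",".join(details.get("domains", []))))
            new_hosts += cur.rowcount  # 0 when the host was already known
            for banner in details.get("data", []):
                cur = conn.execute(
                    "INSERT OR IGNORE INTO port VALUES (?, ?, ?, ?)",
                    (ip, banner["port"], banner.get("transport", "tcp"),
                     banner.get("product")))
                new_ports += cur.rowcount  # 0 for a repeated host+port+transport
    return new_hosts, new_ports


def ports_per_host(conn):
    """Open-port count per host, the basis of the 'Open ports per host' overview."""
    rows = conn.execute(
        "SELECT ip, COUNT(*) FROM port GROUP BY ip ORDER BY ip").fetchall()
    return dict(rows)


def run_demo():
    """Ingest the constructed data into an in-memory database and return stats."""
    conn = sqlite3.connect(":memory:")
    counts = ingest(FakeShodan(FAKE_HOSTS), QUERIES, conn)
    return counts, ports_per_host(conn)


if __name__ == "__main__":
    (hosts, ports), per_host = run_demo()
    print(f"{hosts} new hosts, {ports} new host/port/transport rows")
    print(per_host)
```

Three queries return the same two hosts, yet only two host rows and four port rows are stored: the duplicate 502/tcp banner and the repeated hosts are absorbed by the primary keys rather than by lookups in Python.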

In total there were 654 unique hostnames.

Shodan results

This is not a “state of ICS in Belgium” but a snapshot of the ICS/SCADA/IoT information for Belgium that is available in Shodan. This is publicly available information.

Most popular domains

The majority of the hosts were located on the networks of Belgacom, Mobistar, Telenet and Proximus. This is to be expected as these are the largest ISPs in Belgium. Belgacom and Proximus are the same provider and Mobistar is now Orange. Also note the domain ‘telenet-ops’, which is the “OPS”-network of Telenet, and the results for Infrax, a utility company for gas, electricity and cable television.

Open ports per host

The majority of the hosts only had one or two open ports. Note that there are a lot of hosts that have 35 or more open ports.

Top 10 open ports

It is not a surprise to see that the most popular open ports are:

  • tcp/80 (http)
  • tcp/8080 (most often http)
  • tcp/443 (https)

Other ports that are returned as “open” are:

  • ModBus (tcp/502)
  • Rockwell (tcp/44818)
  • Moxa (tcp/4800)
  • Niagara (tcp/1911)

Rockwell Automation, Moxa and Niagara provide ICS or IoT automation control systems. Typically these are the type of systems you do not want to be publicly available to the whole world.

Device type

The majority of the ports did not return a device type according to Shodan.

Vendor ID

Similar to the device type, the majority of the ports did not return a vendor ID according to Shodan.

Product name

I had to do some extra parsing to extract the product names:

  1. Try the product name provided by Shodan
  2. If that is empty and the service is HTTP, return the HTTP banner
  3. Otherwise, extract the first string returned in the data object from Shodan
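The fallback chain above as code. This is an added example, not the author's parser: step 2 is narrowed to the HTTP `Server` header (the most product-like part of an HTTP banner) rather than returning the whole banner, and the banner dictionaries are constructed in the shape of the entries in `api.host()['data']`, so the module runs offline.

```python
"""Product-name fallback chain for Shodan banners.

Added example, not the author's parser. Steps: Shodan's 'product' field;
for HTTP services the Server header of the banner; otherwise the first
non-empty line of the raw 'data' field. Banners below are constructed.
"""
import re
from collections import Counter

SERVER_HEADER = re.compile(r"^Server:[ \t]*(.+?)[ \t\r]*$",
                           re.IGNORECASE | re.MULTILINE)


def is_http(banner):
    """Shodan marks HTTP banners with an 'http' object and an http* module name."""
    module = banner.get("_shodan", {}).get("module", "")
    return "http" in banner or module.startswith("http")


def product_name(banner):
    """Return the best available product name, or None when nothing is usable."""
    # 1. Shodan's own product field
    product = (banner.get("product") or "").strip()
    if product:
        return product
    data = banner.get("data") or ""
    # 2. HTTP: take the Server header out of the banner
    if is_http(banner):
        match = SERVER_HEADER.search(data)
        if match:
            return match.group(1)
    # 3. anything else: first non-empty line of the raw banner
    for line in data.splitlines():
        line = line.strip()
        if line:
            return line
    return None


# Constructed banners (not real Shodan records)
BANNERS = [
    {"port": 102, "transport": "tcp", "product": "Siemens S7-300",
     "data": "Copyright: Original Siemens Equipment\n"},
    {"port": 80, "transport": "tcp", "product": None, "http": {},
     "_shodan": {"module": "http"},
     "data": "HTTP/1.1 200 OK\r\nServer: eWON\r\nContent-Type: text/html\r\n\r\n"},
    {"port": 4800, "transport": "udp", "product": None,
     "data": "\nMoxa NPort Device\nStatus: Authentication disabled\n"},
    {"port": 502, "transport": "tcp", "product": None, "data": ""},
]


def summarize(banners):
    """Count product names across banners; the None key collects unparseable ports."""
    return Counter(product_name(b) for b in banners)


if __name__ == "__main__":
    for name, n in summarize(BANNERS).most_common():
        print(f"{n:3d}  {name or '(no product name)'}")
```

The `None` bucket is what the post calls ports that "did not return a product name": a port with an empty banner stays unnamed rather than being guessed from the port number alone.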

Despite extra parsing efforts a lot of the open ports did not return a product name. Nevertheless there are some interesting product names to observe like the devices from Siemens, Moxa (automation) and eWON (Industrial VPN Routers: Remote Access & Data Services).

Shodan images

I also made use of the Shodan feature to retrieve the screenshots captured by Shodan. Only one screenshot was found in the result set. I did not make use of the ‘history’ feature of Shodan to retrieve older screenshots.

Conclusion

Retrieving the result set for ICS/SCADA/IoT related queries in Belgium returned some interesting results:

  • A lot of Rockwell, Moxa and Niagara ICS devices are publicly available. A lot of these devices had their fair share of problems, as reported by ICS-CERT. Based on the network port (this isn’t conclusive but still a good indicator) and product name there are:
    • 109 ModBus devices
    • 97 Rockwell automation devices
    • 95 Moxa embedded devices
    • 88 eWON ICS remote access devices
    • 87 Niagara ICS control systems
    • 72 Siemens S7 devices (the overview by product name revealed 116 Siemens devices)
    • 54 3S remote management ICS devices
  • It seems none of these devices had proper filtering rules (ACLs) in front of them, otherwise Shodan would not be able to track them. There might be other protection measures involved, but having these devices wide open exposes them to further vulnerability testing.
