Shodan is a really useful tool for, well, all sorts of research. Not only can you quickly determine what the public-facing security impact of a new vulnerability is going to be, you can find all sorts of control systems attached to the Internet that shouldn’t be. Searching for random control-systems related terms sometimes even steers researchers towards new and interesting equipment to test.
John Matherly, who runs Shodan, is constantly tweaking settings and adding features (and new scan types) to help the security community. [On a personal level I can’t thank him enough for teaching me all of the tricks that I’m writing about here].
Two of the recent changes ended up being really helpful for finding some of the most vulnerable ICS systems: telnet options searching and bannerless telnet searching. The latter is only available to folks who pay for API access, but it makes some rather interesting critical infrastructure locatable that previously wasn’t.
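To make the two features concrete: a Telnet server usually negotiates options (IAC WILL/DO/… sequences) before it prints any text, and a device that never prints a login prompt still emits that negotiation. The decoder below is an added example written for this post, not Shodan’s code, and it only assumes the standard command and option codes from RFC 854/855; the sample greetings are constructed, not captured from any real device. It separates the negotiation from the human-readable banner so that a device that is “bannerless” still yields a fingerprint string you can search or compare against your own asset inventory.

```python
"""Decode the Telnet option negotiation a server sends before (or instead of)
any text banner.  Added example for this post; not Shodan's own code."""
from __future__ import annotations

from dataclasses import dataclass, field

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
COMMAND_NAMES = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}

# A few well-known option codes (RFC 855 and the option RFCs)
OPTION_NAMES = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
    34: "LINEMODE", 39: "NEW-ENVIRON",
}


@dataclass
class TelnetGreeting:
    negotiations: list[tuple[str, str]] = field(default_factory=list)   # e.g. ("WILL", "ECHO")
    subnegotiations: list[tuple[str, bytes]] = field(default_factory=list)  # (option, payload)
    banner: bytes = b""  # whatever printable text was left after stripping IAC sequences


def option_name(code: int) -> str:
    return OPTION_NAMES.get(code, f"OPT-{code}")


def parse_telnet_greeting(data: bytes) -> TelnetGreeting:
    """Split a server's first bytes into option negotiation and text banner."""
    out = TelnetGreeting()
    text = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:          # truncated IAC at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped literal 0xFF data byte
            text.append(IAC)
            i += 2
            continue
        if cmd in COMMAND_NAMES:  # three-byte negotiation: IAC <cmd> <option>
            if i + 2 >= n:
                break
            out.negotiations.append((COMMAND_NAMES[cmd], option_name(data[i + 2])))
            i += 3
            continue
        if cmd == SB:           # IAC SB <option> <payload...> IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            if i + 2 < end:
                out.subnegotiations.append((option_name(data[i + 2]), data[i + 3:end]))
            i = end + 2
            continue
        i += 2                  # other two-byte commands (NOP, GA, ...) carry no option
    out.banner = bytes(text)
    return out


def fingerprint(greeting: TelnetGreeting) -> str:
    """Stable, searchable summary of what the server negotiated (banner or not)."""
    return " ".join(f"{cmd}:{opt}" for cmd, opt in greeting.negotiations)


# Constructed sample greetings (not captures from real equipment):
# a chatty server that negotiates, then prints a login prompt ...
SAMPLE_WITH_BANNER = b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18" + b"\r\nlogin: "
# ... and a "bannerless" one that only negotiates and then waits silently.
SAMPLE_BANNERLESS = b"\xff\xfd\x18\xff\xfd\x1f\xff\xfa\x18\x01\xff\xf0"

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_BANNER, SAMPLE_BANNERLESS):
        g = parse_telnet_greeting(sample)
        print("fingerprint:", fingerprint(g), "| banner:", g.banner)
```

The point of `fingerprint()` is that the bannerless device still produces `DO:TERMINAL-TYPE DO:NAWS`, which is exactly the kind of string an option-aware search can index, and exactly what a defender can grep for in their own external scan results to spot a Telnet listener that a plain banner grab would have reported as empty.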
Way back in 2012 we did Project Basecamp. The ‘Biggest Loser’ of Project Basecamp, purely on the number of red ‘X’ security failures, was General Electric’s D20ME RTU. (I should mention that GE has made strides in improving the line with the release of their D20MX, but the D20ME line will remain forever vulnerable). Back then, I really wanted to be able to search for the D20 on Shodan but couldn’t. This was because the D20 only speaks Telnet, and it speaks it in a way that Shodan didn’t handle. Until now.