Router Security
Shodan Query My Router
Website by Michael Horowitz

Shodan promotes itself as a search engine that lets you see which computing devices on your network are directly accessible from the Internet. That's a bit of a stretch, but it is, nonetheless, a useful security checkup. Technically, it reports on open TCP/IP ports in your router and offers some information about the software behind those ports. It may be possible to link this software information to a specific device connected to the router.

In the best case, there should be no ports open. This page generates a Shodan Query of your router for you.

All the computing devices in a home share one public IP address and it is assigned to the router. All your other computers, tablets, phones, IoT devices, etc. have private IP addresses that are normally not visible to the outside world. However, routers and IoT devices that support UPnP can be configured (I would argue "abused" is the better term) to make devices in your home directly accessible from the Internet. Hello bad guys.

Your public IP address is: 54.161.49.216

Click the link below to see what Shodan knows about your public IP address. It opens in a new browser window/tab.

Your Customized Shodan Query: www.shodan.io/host/54.161.49.216

Not that it matters, but your router may also have a public name.

Your public router name: ec2-54-161-49-216.compute-1.amazonaws.com

Not all routers are assigned a name; this is left up to the Internet Service Provider. Many ISPs assign names that include their name. For example, some Spectrum customers have public names that end in rr.com because in the old days Time Warner called their Internet service Road Runner. Comcast names in the U.S. often end with XX.comcast.net where XX is a two-letter abbreviation for the state where the router is located. Sometimes an ISP will assign a name exactly the same as the IP address. The public name does not matter because you normally do not directly address your router when away from home. A more technical name for this is Reverse DNS. Shodan refers to the public name as "Hostnames."

Notes About Shodan

This query is keyed off your public IP address. If you load this page from a device connected to a VPN, then the public IP address is that of a VPN server, not your router. Hiding the public IP address of your router is a core function of a VPN. With that in mind, you could use this page as a poor man's VPN tester. You had better see a different public IP address with the VPN connected than with it disconnected.

Likewise, if this page is loaded from a computer connected to the TOR network, the public IP address will be that of the TOR exit node and not the router.

Finally, be aware that the Shodan report of your current public IP address may be for someone else's router.

Your current IP address may not have been your IP address yesterday or last week or last month. Most consumer Internet connections have dynamic (i.e. variable) IP addresses. When it changes is up to your Internet Service Provider. Most of the time, you couldn't care less about your public IP address. But, for Shodan testing, it matters. Shodan may have last checked the IP address you are currently assigned a week or two ago (look for the "Last Update" field on the left side). At the time Shodan last checked, your current IP address may have been assigned to someone else. Thus, this could all be a waste of time.

The format of the Shodan Last Update timestamp can be confusing. In the example below

   2017-03-08T03:21:44.262872

The date is March 8, 2017, not August 3, 2017. Everything after the T is a timestamp.



Finally, Shodan does not query every IP address. You may well get a Not Found error as shown at the right. That's fine. Note that the error message is wrong. What is not found is an IP address, not a website.


About Shodan Reports

The goal, for most people, with a Shodan Report is to have NO open TCP/IP ports. You are most secure with all ports closed. One reason that every article about router security says to disable Remote Administration is that it opens a port.

The big upside to Shodan is that it can show ports that were opened by IoT devices using the miserably insecure UPnP and NAT-PMP protocols. It also shows ports that are open as a backdoor into the router for an Internet Service Provider. There are two examples of this below. While I am no fan of consumer routers, at least they don't come with ISP backdoors built into them. Shodan also shows some information about the open port(s) and its report is a bit more approachable for non-techies.

A downside to Shodan is that it does not show anything about closed ports that it tested. Ports are not simply open or closed, they can be Open, Closed or Stealthed. For that level of detail, there are many other websites that report on TCP/IP ports listed on the Test Your Router page.

Sample Shodan Reports

To see a sample Shodan Report, two reliable IP addresses are those of OpenDNS (208.67.222.222) and Google DNS (8.8.8.8). Each server has a single open port, 53, for DNS.

One port you do not want to find open is 7547. It is often left open on devices given out by an ISP so that they can remotely access the box. Technically, this port is used by a remote management protocol known as both TR-069 and CWMP. Many times this has been abused by bad guys to hack the router. In April 2017 it was reported that Shodan found over 41 million devices with port 7547 open.

Shodan report with port 7547 open

Another port you do not want to find open is 4567. It seems that both CenturyLink and Verizon (and probably other ISPs) use this as a back door into the router. See here, here, here and here.

Shodan report with port 4567 open
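The checks described above (reading the Last Update timestamp, deciding whether the scan predates your current address, and spotting ports 7547 and 4567), as an added example that is not from the original page. The record is constructed; the field names (ip_str, hostnames, last_update, ports) and the UTC reading of the timestamp are assumptions about the JSON form of a Shodan host report, and review_host and ip_held_since are hypothetical names.

```python
import json
from datetime import datetime, timezone

# Ports this page says you do not want to find open, with the page's reason.
ISP_PORTS = {
    7547: "TR-069/CWMP remote management, often left open on ISP devices",
    4567: "reported ISP back door (CenturyLink, Verizon)",
}

# Constructed sample shaped like a host record (field names are assumed);
# 203.0.113.7 is a documentation address, not a real router.
SAMPLE_RECORD = json.loads("""{
  "ip_str": "203.0.113.7",
  "hostnames": ["cpe-203-0-113-7.example.net"],
  "last_update": "2017-03-08T03:21:44.262872",
  "ports": [7547, 443]
}""")

def review_host(record, now, ip_held_since=None):
    """Return (age_days, findings) for one host record.

    ip_held_since: when you believe your ISP assigned you this address.
    """
    # Year-month-day before the T, time of day after it: March 8, not August 3.
    last = datetime.fromisoformat(record["last_update"])
    if last.tzinfo is None:
        last = last.replace(tzinfo=timezone.utc)  # assumption: UTC
    findings = []
    if ip_held_since is not None and last < ip_held_since:
        findings.append("STALE: scanned before you held this address; "
                        "the report may describe someone else's router")
    ports = sorted(record.get("ports", []))
    for port in ports:
        note = ISP_PORTS.get(port, "find out which device or setting opened it")
        findings.append(f"OPEN port {port}: {note}")
    if not ports:
        findings.append("OK: no open ports reported")
    return (now - last).days, findings

if __name__ == "__main__":
    now = datetime(2017, 3, 20, tzinfo=timezone.utc)          # constructed
    held = datetime(2017, 3, 15, tzinfo=timezone.utc)         # constructed
    age, findings = review_host(SAMPLE_RECORD, now, held)
    print(f"{SAMPLE_RECORD['ip_str']}: last scanned {age} days ago")
    for line in findings:
        print(" ", line)
```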

Most press coverage of Shodan focuses on finding specific vulnerable devices, rather than reporting on a home router. The example below is thus a more typical usage of Shodan. From analyzing the response to queries on port 8443, Shodan was able to learn that the thing it found was an Avtech AVN801 network camera.

Shodan finds a network camera

An interesting report, shown below, is from a VPN server. It has four open ports, 80, 443, 500 and 1723. The last two are for the VPN. Port 443 is for secure HTTPS web pages. Port 80 is for insecure HTTP web pages, a strange thing to see on a VPN server.

Shodan report of a VPN server

If you run across any interesting Shodan reports, send me the screen shot.

Bullguard offers an Internet of Things Scanner that also uses your public IP address to query Shodan. But, it's an HTTP site, not HTTPS - a bad look for a security tester. It also does not explain anything about the vulnerabilities it looks for.

This page was last updated: July 5, 2018 4PM CT     
Created: February 21, 2018
Feedback: routers __at__ michaelhorowitz dot com  