How can you tell if your IoT devices are vulnerable to hacking, despite your best security efforts when setting them up? There is no way to be 100% sure. But there are a couple of checks you can do easily that will detect many common issues.
First, there is a site called Shodan (shodan.io). Much like search engines such as Google and Bing do for web sites, Shodan regularly scans the internet for exposed IoT devices, and makes the results searchable from a web page.
To see what Shodan has for your home network, you first need to know your IP address. For the sake of this article, we will concentrate in IPV4. Although hacking though IPV6 addresses is possible, it is presently not widespread for technical reasons. You can get the IP address of your home network by browsing to the following site: ip4.me. When you visit this site, you will see an IP address in the format “184.108.40.206” displayed. You should write down this address, or, better yet, copy it to your clipboard.
Now visit the shodan.io site. Type or paste in the IP address you found above, and click the “magnifying glass” to search. Hopefully, you will see results that look like this:
The above shows that no information was found for the IP address entered. That is a good thing. If you see something else, such as the following, there may be a problem.
If you see something like the above, there could be a problem. I say “could” because there are legitimate reasons that services can sometimes be exposed. But it’s certainly something that may warrant further investigation. Talk to your “geek” friend, or someone else knowledgeable about IoT security if you see something like this.
One thing to keep in mind is that Shodan does not scan sites in real time. Just like it may take days or even a week or more for a new web site to appear on Google or Bing, it may take a similar amount of time before Shodan is updated. So when connecting a new IoT device to your network, it’s good to check Shodan again in a week or two to make sure it still shows no results found.
Another useful site is haveibeenpwned.com. This site allows you to search for your email address to see if it appears in any publicly released (such as by the company that was compromised) list of addresses. As I mentioned before, you could have a perfectly secure IoT device. But if the company that operates the device is hacked, or another company you do business with is hacked and you used the same password, your device is still vulnerable. Most people have had at least one of their accounts exposed at one time or another. For example, here is what I see for myself when I enter one of my email addresses:
As you can see above, two business sites I have accounts with were hacked. Fortunately, I never re-use passwords, so the only thing I needed to do was change my passwords on the affected sites.
Good results from the above two sites does not guarantee that your IoT setup is secure. But it is a good first check.