Revealing the Black Box of Device Search Engine: Scanning Assets, Strategies, and Ethical Consideration

TL;DR

This paper thoroughly examines device search engines like Censys and Shodan, revealing their operational strategies, ethical issues, and the risks they pose to user privacy and security through extensive empirical analysis.

Contribution

It introduces a novel framework to trace scanner IPs, provides the first comprehensive analysis of their scanning behaviors, and highlights significant ethical concerns and privacy risks.

Findings

Scanner IPs are difficult to block or evade.

Engines often send malformed or unauthorized requests.

They publish PII and screenshots, raising privacy issues.

Abstract

In the digital age, device search engines such as Censys and Shodan play crucial roles by scanning the internet to catalog online devices, aiding in the understanding and mitigation of network security risks. While previous research has used these tools to detect devices and assess vulnerabilities, there remains uncertainty regarding the assets they scan, the strategies they employ, and whether they adhere to ethical guidelines. This study presents the first comprehensive examination of these engines' operational and ethical dimensions. We developed a novel framework to trace the IP addresses utilized by these engines and collected 1,407 scanner IPs. By uncovering their IPs, we gain deep insights into the actions of device search engines for the first time and gain original findings. By employing 28 honeypots to monitor their scanning activities extensively in one year, we demonstrate that users can hardly evade scans by blocklisting scanner IPs or migrating service ports. Our findings reveal significant ethical concerns, including a lack of transparency, harmlessness, and anonymity. Notably, these engines often fail to provide transparency and do not allow users to opt out of scans. Further, the engines send malformed requests, attempt to access excessive details without authorization, and even publish personally identifiable information (PII) and screenshots on search results. These practices compromise user privacy and expose devices to further risks by potentially aiding malicious entities. This paper emphasizes the urgent need for stricter ethical standards and enhanced transparency in the operations of device search engines, offering crucial insights into safeguarding against invasive scanning practices and protecting digital infrastructures.