A Scan-Based Analysis of Internet-Exposed IoT Devices Using Shodan Data

TL;DR

This study investigates the exposure risk of internet-connected IoT devices globally by analyzing Shodan scan data, revealing cross-country differences and developing a classification model for high-risk profiles.

Contribution

It introduces a systematic analysis of scan-observable IoT configurations across multiple countries, highlighting population-level exposure patterns and risk factors.

Findings

Cross-country differences in IoT exposure structure

Mean risky-port counts per host range from 0.4 to 1.0

Classification accuracy of about 61% for high-risk profiles

Abstract

An open measurement problem in IoT security is whether scan-observable network configurations encode population-level exposure risk beyond individual devices. An analysis of internet-exposed IoT endpoints using a controlled multi-country sample from Shodan Search and Shodan InternetDB, selecting 100 hosts identified via TCP port 7547 (TR-069/CWMP) and evenly distributed across the ten most represented countries. Hosts are enriched with scan-derived metadata and analyzed using feature-relevance assessment, cross-country comparisons of open and risky port exposure, and supervised classification of higher-risk exposure profiles. The analysis reveals consistent cross-country differences in exposure structure, with mean risky-port counts ranging from 0.4 to 1.0 per host, and achieves balanced accuracy of approximately 0.61 when classifying higher-risk exposure profiles.