Device Search Engines - Can we afford to keep ourselves honest? Or, should we be transparent that we can't?
Device search engines are useful for taking an inventory of internet-facing devices. Blue team security engineers use them to better secure the perimeter under their study, whereas red team security engineers leverage them to find inroads into a facility they are attempting to compromise. They are useful for organizations to keep tabs on their own outward-facing devices, on the off chance that a device gets exposed unintentionally. Systemic arms guarding cyber infrastructure ought to be using them heavily, and it would be a bit surprising if they didn't have a proprietary mechanism to keep tabs on perimeters of interest to them. There are many other uses for device search engines as well. More important than all of the above, bad actors are always scouting for entry points into organizations, and they rely heavily on device search engines. This makes device search engines a two-edged sword, and it is only natural that those providing the service would want to guard it.
A list of currently available device search engines is here. Within that list, I have used Shodan and Censys. I have found both of them to be useful and their response time to queries excellent, thus far. They both require you to create an account with them and expect you to be logged in, beyond a couple of simple queries. That is understandable, especially given the risk involved in allowing the results to be freely available. However, I did notice that the results between the engines I have used are at times widely different. While some of the differences could be explained away given the differences in algorithms, caching/purging of stale data, etc., I am not entirely convinced that device search engines can escape standardization any further if they want to guarantee the integrity and comprehensiveness of their results, that is, as well as they can be guaranteed, with their own caveats, which ought to be equivalent to those of their competitors. The technology sector is better served if multiple geographies provide search engine services (as opposed to search engine providers concentrated in one or a few geographies and renting servers in varied geographies). We would also be better served by services that reconcile the results from varied providers, to help us better understand the effectiveness of the providers and the integrity of their results. But mainly, we might be at a point where there ought to be a standard and a governing body to better guide the service providers and to better serve those who enlist the service.
And having reached this crucial point, device search engines deserve serious scrutiny. Ripple20 is a classic example of how this resource would have been handy both for those chasing the issues and, unfortunately, for those hoping to negatively capitalize on them. The software in focus appears to have had a very unconventional and possibly chaotic distribution model. And to make it worse, it is used in health care devices, among others. The struggle in hunting for affected devices is further covered in this article and this. And this article talks about a national health cybersecurity standard, but there might be a pressing need at a different level as well: a global one, and in the area of device search engines. That way, the results can be guaranteed, as well as they can be guaranteed, to be comprehensive and accurate.
The current COVID-19 situation has only further accentuated the advantages of device search engine use and the need to better regulate it, so that it is useful to those leveraging it positively and deters the opposite. Device search engines helped study how organizations are adapting to changes and how they are tweaking their environments to accommodate remote work needs, by studying the services and ports that are newly exposed in higher numbers, for example, the RDP port/service. It appears that, not too long ago, countries started scanning their IP space to get a handle on vulnerable devices in their geography. There is an overlap between what they do and how a more disciplined device search engine space could help better streamline the process.
Lastly, the pressing need for autonomous providers from varied geographies, to keep us honest, cannot be stressed enough. I remember reading about Telegram, albeit in a very different context, and how they kept themselves honest and delivered on their commitment to their customers, by jumping through hoops and slipping through the gates, when that is what it took. Do we have mavericks among us to be able to do that in this context and to keep us honest? Because, among other things, playing stooges all the time is starting to get pretty damn boring.