A Scan-Based Analysis of Internet-Exposed IoT Devices Using Shodan Data

TL;DR

An analysis of internet-exposed IoT endpoints using a controlled multi-country sample from Shodan Search and Shodan InternetDB, selecting 100 hosts identified via TCP port 7547 and evenly distributed across the ten most represented countries reveals consistent cross-country differences.

Abstract

An open measurement problem in IoT security is whether scan-observable network configurations encode population-level exposure risk beyond individual devices. An analysis of internet-exposed IoT endpoints using a controlled multi-country sample from Shodan Search and Shodan InternetDB, selecting 100 hosts identified via TCP port 7547 (TR-069/CWMP) and evenly distributed across the ten most represented countries. Hosts are enriched with scan-derived metadata and analyzed using feature-relevance assessment, cross-country comparisons of open and risky port exposure, and supervised classification of higher-risk exposure profiles. The analysis reveals consistent cross-country differences in exposure structure, with mean risky-port counts ranging from 0.4 to 1.0 per host, and achieves balanced accuracy of approximately 0.61 when classifying higher-risk exposure profiles.

Figures (5)

• Figure 1: Average risky ports per host for TR-069–exposed devices (TCP port 7547) by country under fixed sampling conditions. Circle size reflects the mean risky-port count per host.
• Figure 2: Threshold-based comparison of mean risky service exposure across country groups for TR-069–exposed hosts.
• Figure 3: Radial visualization of mean risky service counts per host across country groups in the TR-069 dataset.
• Figure 4: Confusion matrix showing classification performance for predicting high-exposure IoT hosts using scan-derived features.
• Figure 5: Streamgraph depicting variation in exposure composition across country groups based on scan-derived service indicators.