INFO: Device Identification Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SEVERITY LEVEL: INFO

This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our Internet scan types. Discovered devices are classified by vendor, model and device type based on scan signatures that have been developed as part of the European Union INEA CEF VARIoT project.

This is a device population report – no assessment is made on the vulnerability state of the device. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for. Please note the assessment is based only on what was publicly accessible from the Internet.

Please note that a specific IP may identify as different devices by different scans due to port forwarding. The report contains the port number of the scan that resulted in a device classification.

In some cases, false positives may be possible. If you suspect a false positive, please contact us with details of the report.

The report was announced in a blog here.

You can track latest devices identified on the Shadowserver Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report comes in two versions, IPv4 and IPv6

Severity levels are described here.

Filenames: device_id, device_id6

This report was enabled as part of the European Union INEA CEF VARIoT project.


Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • severity
    Severity level
  • ip
    IP of the detected device
  • protocol
    Protocol of the response
  • port
    Port response was received from
  • hostname
    Hostname of the device (may be from reverse DNS)
  • tag
    Array of tags. For example, iot or vpn
  • asn
    AS of the detected device
  • geo
    Country of the detected device
  • region
    Region of the detected device
  • city
    City of the detected device
  • naics
    North American Industry Classification System Code
  • hostname_source
    Source of the hostname
  • sector
    Sector of the IP in question
  • device_vendor
    The identified device vendor
  • device_type
    Device classification (for example, router, firewall, nas, video-system etc)
  • device_model
    The identified device model
  • device_version
    Device version, if any

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","device_vendor","device_type","device_model","device_version"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,5683,node01.example.com,coap;iot,64512,ZZ,Region,City,0,ptr,,"QLC Chain",,"QLink Resource",2
"2010-02-10 00:00:01",medium,192.168.0.2,udp,5683,node02.example.com,coap;iot,64512,ZZ,Region,City,0,,,"QLC Chain",,"QLink Resource",2
"2010-02-10 00:00:02",medium,192.168.0.3,udp,5683,node03.example.com,coap;iot,64512,ZZ,Region,City,0,,,"QLC Chain",,"QLink Resource",2

Our 124 Report Types