Investigation Snapshot 6 May 2026 Live monthly data 9 min read By Security News

Attack Surface of Iceland — what is reachable on the .is internet

Nine Iceland hosts still match the Shodan vulnerability fingerprint for Heartbleed — twelve years after CVE-2014-0160 was disclosed. Per-organization analysis narrows seven of those to a single IT-services integrator. Beyond Heartbleed, this article reports a second and broader metric: services with TCP listeners reachable from the open Internet on Iceland-allocated CIDRs. That count is large in some categories — 1,400 mail-protocol listeners, 657 reachable databases, 80 telnet hosts, 42 industrial-control protocols — but reachable is not the same as compromised, vulnerable, or unauthenticated. Both metrics are tracked monthly. The more useful question turns out not to be the size of the surface but where on the surface the exposure concentrates.

Two metrics, two questions

Vulnerability-confirmed (Shodan vuln-fingerprint matched the affected version):

Port-exposure (TCP listener reachable from outside Iceland; says nothing about patch state, version, or whether authentication is required):

Condition-based (TLS-cert state observable from the banner):

Sectoral split: banks, government (with one specific exception), healthcare, and media show near-zero exposure across all 25 categories. The bulk of the surface lives in telco customer pools and hosting customer environments — not the operators themselves. Live dashboard with sector filter below; 25 categories tracked monthly; aggregate counts only, no individual hosts named.

Live dashboard

Counts below are the latest monthly snapshot, generated by querying Shodan's host-count endpoint per category against country:IS. Numbers refresh on the first of every month.


Heartbleed, twelve years later

CVE-2014-0160 was published on 7 April 2014. It affected OpenSSL 1.0.1 through 1.0.1f and let any unauthenticated TCP client read up to 64 KB of process memory from the server it talked to. The fix was a single OpenSSL upgrade. The disclosure came with a logo, a website, and global news coverage. Patches landed within 24 hours on every major distribution.

Iceland still has eight hosts where the vulnerability is detectable in the banner. They are not big infrastructure — Shodan's free tier does not give us hostnames or organizations — but they are servers that someone, somewhere, is responsible for. Each one of them, queried right now, will return arbitrary bytes from its own memory: whatever the kernel last allocated to that process. That can include passwords typed in by another user a moment earlier.

The honest reading is not that Heartbleed is a current crisis — it is that legacy systems do not get retired on the schedule we tell ourselves they do. The same mechanism that left these hosts running for twelve years will leave 2026 vulnerabilities running into 2038.

By sector — who carries the exposure

The per-organization data, broken out by sector, gives a different picture than the national totals. The dashboard above includes a sector filter so you can see this directly. The headline numbers below are aggregated from individual ASN snapshots.

Banks and payment processors are clean. Across all 23 monitored categories, the six ASNs operated by Iceland's banks and payment processors show no exposed RDP, no Telnet, no Heartbleed, no databases, no industrial protocols. Five expired TLS certificates and one OWA path appear. The financial sector has hardened its perimeter.

Government has one specific finding and is otherwise clean. The fourteen ASNs operated by Iceland's public sector — ministries, municipalities, public utilities, the state broadcaster, road authority, airport operator, emergency services, the national registry — show only twelve expired TLS certificates, two FTP hosts, and one Fortinet device. The single anomaly is the capital city's ASN: 36 SMB-listening hosts. SMB exposure to the open Internet is the kind of thing that ransomware historically catches first, so this one number deserves attention from whoever runs that environment.

Healthcare and media are clean. The single ASN classified as healthcare shows only two expired TLS certs. The two media-classified ASNs combined have only two FTP hosts and one expired cert.

Research and education shows lab-network exposure. The research-and-university network — operating one ASN and serving most Icelandic higher-education and research institutions — carries 32 expired TLS certs, 25 VNC, 21 RDP, 17 FTP, 13 PostgreSQL, 12 Telnet and 4 BACnet hosts. This is the mixed-bag exposure typical of academic networks where labs run their own servers under looser policies. Not a critical-infrastructure finding, but worth flagging since it sits on the public infrastructure layer.

The bulk of exposure lives in telco customer pools and hosting customer environments. The fourteen telco ASNs (the major and minor Icelandic ISPs) account for the majority of RDP exposure (189 of 311), most Telnet (43 of 74), most SMB (75 of 174 once Reykjavík city is set aside), and almost all the Fortinet devices (208 of 224). The seven hosting ASNs carry most of the cleartext-mail problem (1,245 of 1,400 IMAP+POP3 hosts), most of the MySQL exposure (528 of 616), most VNC (147 of 228), and the bulk of expired TLS (937 of 2,002). These are not the operators' own machines — they are customers, sub-allocated IP space, or shared hosting tenants. The exposure exists where the policy floor is lowest.

The Heartbleed finding concentrates further. Of the nine Iceland hosts where CVE-2014-0160 is detectable, seven sit within two ASNs operated by a single IT services integrator. The remaining two are split between a privacy-focused hosting provider and a backbone telco. Heartbleed in Iceland in 2026 is not a country-wide problem; it is a legacy environment problem at one IT services company. The fix path is therefore narrow and tractable — it is one phone call to one operations team.

Names are deliberately omitted in the public dashboard. The 71 Iceland-allocated ASNs are classified into sectors (bank, gov, health, telco, hosting, IT-services, education, etc.), and the dashboard shows totals at sector level only. Individual organization data exists in the underlying database but is not exposed via public API or rendered in the page. The contact path is editorial — admin@1881.is — for organisations that want to see their own exposure summary.

Cleartext mail ports — what is reachable, and what that does not yet tell us

On port-listening alone: 744 Iceland hosts have IMAP port 143 open, 655 have POP3 port 110 open. Together that is roughly 1,400 mail-protocol listeners on the unencrypted ports. The encrypted alternatives — IMAPS on 993 and POP3S on 995 — have been the standard since the early 2000s.

What this does not say: that those servers actually accept cleartext credentials in practice. Most modern mail servers on port 143 will negotiate STARTTLS — an in-protocol upgrade to encryption — and a correctly configured client will refuse to send credentials before that upgrade completes. In that common case, the open port is not a cleartext-credential transmission. The fact that the port is listening at all does, however, leave room for misconfigured clients, downgrade attacks, or operators who have left the cleartext path enabled deliberately. The cleanest configuration is for the server to refuse pre-STARTTLS commands; without per-host probing, we cannot tell from a port-count which servers are configured that strictly.
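The per-host distinction described above can be read from the capability list a mail server returns before TLS. The following is an added example, not code from the original article or its dashboard: the function names and the three category labels are this example's own, and the sample responses are constructed. It classifies only what a server advertises, which is not proof of what it enforces.

```python
import re

PLAINTEXT_SASL = {"PLAIN", "LOGIN"}  # SASL mechanisms that carry the password itself

def imap_caps(text):
    """Capability atoms from an IMAP greeting or '* CAPABILITY' response."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]+)", text, re.I)
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def pop3_caps(text):
    """POP3 CAPA response parsed into {capability: [arguments]}."""
    status, *body = text.splitlines() or [""]
    caps = {}
    if status.upper().startswith("+OK"):
        for parts in (line.upper().split() for line in body):
            if parts and parts != ["."]:    # skip blanks and the terminator
                caps[parts[0]] = parts[1:]
    return caps

def classify_imap(text):
    caps = imap_caps(text)
    if not caps:
        return "unknown"                # greeting carried no capability list
    if "STARTTLS" not in caps:
        return "cleartext-only"         # no in-protocol upgrade offered
    sasl = {c[5:] for c in caps if c.startswith("AUTH=")}
    if "LOGINDISABLED" in caps and not sasl & PLAINTEXT_SASL:
        return "strict"                 # no password command offered before TLS
    return "upgrade-optional"

def classify_pop3(text):
    caps = pop3_caps(text)
    if not caps:
        return "unknown"
    if "STLS" not in caps:
        return "cleartext-only"
    if "USER" in caps or set(caps.get("SASL", [])) & PLAINTEXT_SASL:
        return "upgrade-optional"       # USER/PASS or plaintext SASL before TLS
    return "strict"

# Constructed sample responses, not captured from any real host.
SAMPLES = {
    "imap-strict": "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] ready",
    "imap-optional": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] ready",
    "imap-clear": "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready",
    "pop3-strict": "+OK\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n",
    "pop3-optional": "+OK\r\nUSER\r\nSASL PLAIN\r\nSTLS\r\n.\r\n",
}
```

An operator can paste the pre-TLS greeting or CAPA output from their own server into `classify_imap` or `classify_pop3`; only the "strict" result corresponds to the configuration the paragraph calls cleanest.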

The sectoral data tells the more useful story: 1,245 of the 1,400 cleartext-mail listeners (88%) sit on hosting-provider ASNs. These are shared mailboxes for hosting customers, not the mail systems of banks, government, or healthcare. The remaining 12% is distributed across IT-services and telco — and again, mostly customer-pool space rather than the operators’ own infrastructure.

Databases on the open Internet

The combined count is striking: 401 MySQL, 112 PostgreSQL, 32 MSSQL, 52 Redis, 28 MongoDB, 32 Elasticsearch — 657 database services with a TCP listener reachable from anywhere on the Internet. None of these are normally meant to be Internet-facing. The standard architecture puts the database in a private network behind the application server; the application is what talks to the public.

A reachable database does not automatically mean a compromised database — most of these are likely to require authentication. But the historical record is unkind. In 2017 alone, more than 30,000 MongoDB instances were ransom-attacked because they were both exposed and configured without auth by default. Redis has a similar reputation — for years, default installs accepted commands from anyone who could reach the port.

Industrial controllers on Iceland-allocated IPs

42 Modbus, 26 BACnet, and 9 IPMI hosts. Modbus is a 1979 industrial control protocol — pumps, valves, programmable logic controllers, sensor networks. BACnet is the building-automation equivalent — HVAC, lighting, access control. Both protocols were designed for serial-link factory floors and trusted networks; neither has built-in authentication. Once you can reach the port, you can read the registers, and in many cases write to them.

A Modbus device on the open Internet usually means one of two things: it is a small industrial deployment that nobody set up properly, or it is a larger one where someone exposed the controller for remote access without putting a VPN in front. Either way the failure mode is direct — there is no further authentication layer. The 9 IPMI hosts are server BMC controllers, the out-of-band management chips that can power-cycle a server, mount remote ISOs, and reset BIOS passwords; multiple historical CVEs allow remote code execution on the BMC itself.

What this is and is not

This is a count of services with TCP listeners reachable from outside Iceland on Iceland-allocated CIDRs. It is not a count of compromised systems. Many of these hosts will be properly hardened — Redis with a long password, MySQL bound to private interfaces and falling through the public listener, Modbus behind a VPN that Shodan happens to scan past. The number is an upper bound for risk, not a count of incidents.

It is also a snapshot. Some of these hosts will go away by next month — replaced, retired, firewalled. Others will appear. The point of running this every month is to track that motion: is the cleartext-mail count falling? Is Heartbleed actually decaying toward zero? Is the industrial-controller exposure stable, growing, or migrating to different protocols? The first month gives a baseline; the second month gives a delta; by the sixth month, a real story.

Methodology and limitations

Three distinct metric types are mixed under the “attack surface” label. They mean different things and we try to keep them separated in the prose.


Sources: Shodan dev tier (free), CISA KEV catalog, OpenSSL Heartbleed advisory (April 2014). Data collection: 6 May 2026.