Note that Shodan doesn't try to authenticate with the devices - not even using default credentials. This is different than what Japan is proposing; they want to try various default credentials to identify devices that could be used for various attacks (ex. Mirai).