April 19, 2013
Rather than crawl web pages like a traditional search engine, Shodan scans the Internet for servers, webcams, printers, routers and other connected devices and indexes the service banners they return. Each month, it gathers information on roughly 500 million connected devices and services. CNNMoney calls Shodan “the scariest search engine on the Internet.” As we move closer to the Internet of Things, it raises questions about how easy it may be to attack anything that is connected to the Internet.
“When people don’t see stuff on Google, they think no one can find it. That’s not true,” says John Matherly, creator of Shodan.
“It’s stunning what can be found with a simple search on Shodan,” suggests CNNMoney. “Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.”
The article cites examples of control systems that cybersecurity researchers located using Shodan, including a water park, a gas station, a hotel wine cooler, a crematorium, and even nuclear power plants and a cyclotron particle accelerator.
“What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them,” notes the article.
Searching for “default password” turns up numerous devices whose banners advertise “admin” as the user name and “1234” as the password. Some connected systems require no credentials at all.
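The triage step behind that search, as an added example that is not code from the original article or from Shodan: given banner records in the shape the Shodan API returns (the `ip_str`, `port`, `product` and `data` fields), flag devices whose banner text prints a user name and password, and separately those that answer HTTP 200 with no authentication challenge at all. The three records below are constructed for illustration and use TEST-NET-1 addresses; the regular expression for credential hints and the field layout are this example's own assumptions.

```python
"""Triage Shodan-style banner records for default-credential indicators.

Added example, not part of the original article and not Shodan's own code.
Record layout follows the banner fields the Shodan API returns (ip_str, port,
product, data); the records themselves are constructed, not real hosts.
"""
import re

# Constructed sample banners (TEST-NET-1 addresses, not real devices).
SAMPLE_BANNERS = [
    {
        "ip_str": "192.0.2.10",
        "port": 80,
        "product": "router-admin",
        "data": (
            "HTTP/1.1 401 Unauthorized\r\n"
            'WWW-Authenticate: Basic realm="Router Administration"\r\n'
            "Content-Type: text/html\r\n\r\n"
            "<html><body>Default username: admin password: 1234</body></html>"
        ),
    },
    {
        "ip_str": "192.0.2.11",
        "port": 80,
        "product": "ip-camera",
        "data": (
            "HTTP/1.1 200 OK\r\n"
            "Server: camera-httpd\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<html><head><title>Live View</title></head></html>"
        ),
    },
    {
        "ip_str": "192.0.2.12",
        "port": 22,
        "product": "OpenSSH",
        "data": "SSH-2.0-OpenSSH_5.3\r\n",
    },
]

# Assumed pattern for a user/password pair printed in a banner or login page.
# Values stop at whitespace, quotes or a '<' so HTML tags are not swallowed.
CRED_HINT = re.compile(
    r"(?:user(?:name)?|login)\s*[:=]\s*([^\s<\"']+)"
    r".{0,60}?pass(?:word|wd)?\s*[:=]\s*([^\s<\"']+)",
    re.IGNORECASE | re.DOTALL,
)


def credential_hints(data):
    """Return (user, password) pairs that a banner prints in clear text."""
    return CRED_HINT.findall(data)


def http_status(data):
    """Return the HTTP status code from a banner, or None for non-HTTP data."""
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", data)
    return int(m.group(1)) if m else None


def triage(banners):
    """Classify banners worth alerting an operator about.

    'default-credentials-in-banner': the device itself tells you how to log in.
    'http-no-auth-challenge': an HTTP service answered 200 with no challenge,
    which is only a lead, not proof of an unauthenticated admin interface.
    """
    findings = []
    for b in banners:
        hints = credential_hints(b["data"])
        status = http_status(b["data"])
        if hints:
            kind = "default-credentials-in-banner"
        elif status == 200:
            kind = "http-no-auth-challenge"
        else:
            continue
        findings.append({
            "host": f"{b['ip_str']}:{b['port']}",
            "product": b["product"],
            "kind": kind,
            "hints": hints,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_BANNERS):
        print(f["host"], f["product"], f["kind"], f["hints"])
```

Against the constructed records the router banner is reported with the pair `("admin", "1234")`, the camera is reported as answering without an authentication challenge, and the SSH banner produces no finding. The second category is deliberately a lead rather than a verdict: confirming that a 200 response is really an open control panel is a manual step, and the article's point is that operators should be alerted, not that anyone should log in.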
“It’s a massive security failure,” said HD Moore, chief security officer of Rapid7.
During last year’s Defcon security conference, independent penetration tester Dan Tentler demonstrated how he could easily defrost a hockey rink in Denmark and shut down the controls for a car wash. “A city’s entire traffic control system was connected to the Internet and could be put into ‘test mode’ with a single command entry,” according to the article. “And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.”
“You could really do some serious damage with this,” Tentler said.
For now, Shodan is primarily used for good. Matherly limits searches to 10 results, and 50 if the searcher has an account. For more access, Matherly requires additional information and a payment.
“Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan,” writes CNNMoney. “Bad actors may use it as a starting point, Matherly admits. But he added that cybercriminals typically have access to botnets — large collections of infected computers — that are able to achieve the same task without detection.”
Most cyberattacks so far involve stealing money and intellectual property, rather than destroying buildings or traffic systems. “Security professionals are hoping to avoid that scenario by spotting these unsecured, connected devices and services using Shodan, and alerting those operating them that they’re vulnerable.”