Shodan: Hacking anything connected to the Internet
“When people don’t see stuff on Google, they think no one can find it. That’s not true.”
That’s according to John Matherly, creator of Shodan, the scariest search engine on the Internet.
Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. (Shodan’s site was slow to load Monday following the publication of this story.)
Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.
It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.
“You can log into just about half of the Internet with a default password,” said HD Moore, chief security officer of Rapid 7, who operates a private version of a Shodan-like database for his own research purposes. “It’s a massive security failure.”
A quick search for “default password” reveals countless printers, servers and system control devices that use “admin” as their user name and “1234” as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.
In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used the Shodan search engine to find control systems for evaporative coolers, pressurized water heaters and garage doors.
He found a car wash that could be turned on and off and a Danish hockey rink that could be defrosted at the click of a button. An entire city’s traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. He also found a control system for a hydroelectric power plant in France with two turbines generating 3 megawatts each.
If it falls into the wrong hands, it’s scary.
“This can do really serious damage,” Tentler said, with some understatement.
So why are all these devices connected with so few safeguards? Some things designed to connect to the Internet, such as an iPhone-controlled door lock, are generally assumed to be hard to find. Security is an afterthought.
The bigger problem is that many of these devices shouldn’t be online at all. Companies buy, for example, a system that lets them control a heating system from a computer. How do they connect the computer to the heating system? Rather than connecting the two directly, many IT departments simply plug both into a Web server, inadvertently sharing them with the rest of the world.
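The exposure described in the last two passages (device interfaces reachable with no credentials, and control systems accidentally published through a Web server) is something an organisation can audit on its own address space. The following is an added example, not code from the article or from Shodan: it runs over banner records exported for your own netblocks and flags device pages served without any authentication challenge. The records are constructed samples shaped like Shodan's banner JSON (ip_str, port, product, data), and the device keyword list and the port-9100 rule are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like Shodan banner JSON; not real hosts.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 80, "product": "Embedded HTTP server",
     "data": "HTTP/1.1 200 OK\r\nServer: Embedded HTTP server\r\n\r\n"
             "<title>Boiler Controller</title>"},
    {"ip_str": "203.0.113.11", "port": 8080, "product": "lighttpd",
     "data": "HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Basic realm=\"camera\"\r\n\r\n"},
    {"ip_str": "203.0.113.12", "port": 443, "product": "nginx",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Corporate Site</title>"},
    {"ip_str": "203.0.113.13", "port": 9100, "product": "", "data": ""},
]

# Assumed keywords for pages that usually belong to a device rather than a website.
DEVICE_HINTS = re.compile(r"controller|camera|printer|router|scada|plc|thermostat|hvac", re.I)
RAW_PRINT_PORT = 9100  # JetDirect-style raw printing carries no authentication at all

@dataclass
class Finding:
    ip: str
    port: int
    reason: str

def http_status(data: str):
    """Return the HTTP status code at the start of a banner, or None if not HTTP."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", data)
    return int(m.group(1)) if m else None

def audit(banners):
    """Flag banners showing a device interface reachable without any auth challenge.

    A 401 with WWW-Authenticate is not flagged here: the device at least asks for
    credentials, though whether those are still the defaults needs a separate review.
    """
    findings = []
    for b in banners:
        data = b.get("data", "")
        status = http_status(data)
        hint = DEVICE_HINTS.search(data)
        if status == 200 and hint:
            findings.append(Finding(b["ip_str"], b["port"],
                                    f"'{hint.group(0)}' page served without an auth challenge"))
        elif status is None and b["port"] == RAW_PRINT_PORT:
            findings.append(Finding(b["ip_str"], b["port"], "raw printer port exposed"))
    return findings
```

Running `audit(SAMPLE_BANNERS)` on the constructed records reports the boiler controller page and the raw printer port, and leaves the website and the camera that challenges for credentials alone.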
“Of course these things aren’t secure. They don’t belong on the Internet in the first place,” Matherly said.
Fortunately, Shodan is almost exclusively used for good.
Matherly, who completed Shodan as a pet project more than three years ago, limits searches to 10 results without an account and 50 with one. If you want to see everything Shodan has to offer, Matherly requires more information about what you are trying to achieve, and a payment.
Penetration testers, security professionals, academic researchers and law enforcement agencies are Shodan’s primary users. Matherly admits that bad actors may use it as a starting point, but he adds that cybercriminals usually have access to botnets (large collections of infected computers) that can perform the same tasks undetected.
To date, most cyberattacks have focused on stealing money and intellectual property. The bad guys haven’t tried to do harm by blowing up a building or killing the traffic lights in a city.
Security professionals hope to head off that scenario by using Shodan to spot these unsecured connected devices and services and alert whoever operates them that they are vulnerable. In the meantime, there are too many frightening things connected to the Internet with no security to speak of, just waiting to be attacked.