Shodan: The scariest search engine on the Internet; Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet

April 11, 2013 Leave a comment

Shodan: The scariest search engine on the Internet

By David Goldman @CNNMoneyTech April 8, 2013: 1:41 PM ET

NEW YORK (CNNMoney)

“When people don’t see stuff on Google, they think no one can find it. That’s not true.”

That’s according to John Matherly, creator of Shodan, the scariest search engine on the Internet.

Unlike Google (GOOGFortune 500), which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. (Shodan’s site was slow to load Monday following the publication of this story.)

Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.It’s stunning what can be found with a simple search on Shodan. Countless traffic lights,security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.

“It’s a massive security failure,” said HD Moore, chief security officer of Rapid 7, who operates a private version of a Shodan-like database for his own research purposes.

quick search for “default password” reveals countless printers, servers and system control devices that use “admin” as their user name and “1234” as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.

Scary stuff, if it got into the wrong hands.

“You could really do some serious damage with this,” Tentler said, in an understatement.

So why are all these devices connected with few safeguards? Some things that are designed to be connected to the Internet, such as door locks that can be controlled with your iPhone, are generally believed to be hard to find. Security is an afterthought.

A bigger issue is that many of these devices shouldn’t even be online at all. Companies will often buy systems that can enable them to control, say, a heating system with a computer. How do they connect the computer to the heating system? Rather than connect them directly, many IT departments just plug them both into a Web server, inadvertently sharing them with the rest of the world.

“Of course there’s no security on these things,” said Matherly, “They don’t belong on the Internet in the first place.”

The good news is that Shodan is almost exclusively used for good.

Matherly, who completed Shodan more than three years ago as a pet project, has limited searches to just 10 results without an account, and 50 with an account. If you want to see everything Shodan has to offer, Matherly requires more information about what you’re hoping to achieve — and a payment.

Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan. Bad actors may use it as a starting point, Matherly admits. But he added that cybercriminals typically have access to botnets — large collections of infected computers — that are able to achieve the same task without detection.

To date, most cyberattacks have focused on stealing money and intellectual property. Bad guys haven’t yet tried to do harm by blowing up a building or killing the traffic lights in a city.

Security professionals are hoping to avoid that scenario by spotting these unsecured, connected devices and services using Shodan, and alerting those operating them that they’re vulnerable. In the meantime, there are too many terrifying things connected to the Internet with no security to speak of just waiting to be attacked.

Filed under TMT Trends

Unknown's avatarAbout bambooinnovator
Kee Koon Boon (“KB”) is the co-founder and director of HERO Investment Management which provides specialized fund management and investment advisory services to the ARCHEA Asia HERO Innovators Fund (www.heroinnovator.com), the only Asian SMID-cap tech-focused fund in the industry. KB is an internationally featured investor rooted in the principles of value investing for over a decade as a fund manager and analyst in the Asian capital markets who started his career at a boutique hedge fund in Singapore where he was with the firm since 2002 and was also part of the core investment committee in significantly outperforming the index in the 10-year-plus-old flagship Asian fund. He was also the portfolio manager for Asia-Pacific equities at Korea’s largest mutual fund company. Prior to setting up the H.E.R.O. Innovators Fund, KB was the Chief Investment Officer & CEO of a Singapore Registered Fund Management Company (RFMC) where he is responsible for listed Asian equity investments. KB had taught accounting at the Singapore Management University (SMU) as a faculty member and also pioneered the 15-week course on Accounting Fraud in Asia as an official module at SMU. KB remains grateful and honored to be invited by Singapore’s financial regulator Monetary Authority of Singapore (MAS) to present to their top management team about implementing a world’s first fact-based forward-looking fraud detection framework to bring about benefits for the capital markets in Singapore and for the public and investment community. KB also served the community in sharing his insights in writing articles about value investing and corporate governance in the media that include Business Times, Straits Times, Jakarta Post, Manual of Ideas, Investopedia, TedXWallStreet. He had also presented in top investment, banking and finance conferences in America, Italy, Sydney, Cape Town, HK, China. He has trained CEOs, entrepreneurs, CFOs, management executives in business strategy & business model innovation in Singapore, HK and China.

Leave a comment