In the past, operating a car wash, controlling a city’s traffic light grid and running a nuclear particle accelerator might have been jobs for different days, if not entirely different careers. With Shodan, a search engine for connected devices, an enterprising person might be able to run all three in an afternoon from his or her living room. In fact, any device connected to the internet could be discovered by a Shodan user, leading a recent CNN article to dub the service “the scariest search engine on the internet.”
Shodan, created by programmer John Matherly as a hobby, runs 24 hours a day, indexing the IP addresses and metadata of internet-connected devices such as routers, printers, servers, industrial control systems, traffic lights, building automation systems and more. According to CNN, the service currently provides a view of approximately 500 million devices and services. While a Google search would never turn up obscure systems such as the controls for a nuclear particle accelerator at the University of California at Berkeley, Shodan can and has.
Users without an account have limited functions available to them, and getting an account requires both payment and a screening about how you plan to use the service, CNN noted. As a result, the most shocking Shodan discoveries have been made by security professionals or academic researchers.
Nonetheless, the list of devices found is extensive and diverse, including building control systems, a wide variety of home electronics using the universal plug and play (UPnP) protocol and industrial control systems used in power plants and water treatment facilities. Independent security researcher Dan Tentler gave a talk at 2012’s Defcon cybersecurity conference in which he demonstrated his use of Shodan to access controls for everything from a city’s traffic control system to a hydroelectric power plant in France.
“You could really do some serious damage with this,” he said, according to CNN.
Improving security in a searchable world
Part of the problem Shodan exposes is that most of the devices it can find were never designed with internet connectivity in mind. Many industrial and building control systems were implemented decades ago, before the internet existed, while other devices, such as doors or refrigeration units that can be controlled from an iPhone, include little security because their designers assumed they would be hard to find.
“Of course there’s no security on these things,” Matherly told CNN. “They don’t belong on the Internet in the first place.”
For instance, many IT departments connect such systems to a web server rather than directly to the computer used to control them, exposing them to the internet. Additionally, when configuring connected devices, home users and IT departments alike tend to leave default login credentials in place.
“You can log into just about half of the Internet with a default password,” HD Moore, chief security officer of Rapid 7, told CNN. “It’s a massive security failure.”
An anonymous researcher known as pr0f explained to the Washington Post in an article last year that he had been able to hack a South Houston, Texas, water plant in 10 minutes by running a Shodan search and entering the default password. Additionally, the supervisory control and data acquisition (SCADA) systems used to manage large pieces of critical infrastructure have been identified as one of the largest sources of zero-day vulnerabilities in recent years. In research carried out by Digital Bond, backdoor flaws in such systems enabled attacks that took less than a day to work out, the same Post article noted.
Any organization that manufactures devices that could be connected to a network may want to take note of these types of incidents. With a search engine making it possible to scan a wide range of systems, eliminating vulnerabilities and instituting controls that limit access are of paramount importance. Using tools such as static analysis software, developers can identify potential problems before they ship. By assuming that any device with an internet connection is discoverable, vendors can focus on software security and decrease the likelihood of a critical attack.
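The two failures the article singles out, a factory-wide default password left in place and a management interface reachable from anywhere, are policy decisions a device's firmware can enforce on its own. The following is an added example, not code from the article, from Shodan or from Klocwork: a small model that puts the weak behaviour described above beside a hardened version that refuses to operate on the factory default until it is changed and only accepts logins from a management network. The class names, the `FACTORY_DEFAULT` value and the 192.168.1.0/24 management network are constructed for illustration.

```python
"""Added example: contrasting a device admin login that accepts a shared
factory default from any address with one that enforces a credential change
and a network restriction. All names and sample values are hypothetical."""
import hashlib
import hmac
import ipaddress
import os

# Constructed sample of a vendor-wide default; real devices ship many such values.
FACTORY_DEFAULT = "admin"
MIN_PASSWORD_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked config does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WeakDeviceAdmin:
    """The behaviour the article describes: one shared default, reachable from anywhere."""

    def __init__(self) -> None:
        self.password = FACTORY_DEFAULT

    def login(self, password: str, source_ip: str) -> bool:
        # No network check, no forced change, plaintext comparison.
        return password == self.password


class HardenedDeviceAdmin:
    """Factory default is only usable to set a new password, and only from the
    management network; every other login on the default is refused."""

    def __init__(self, mgmt_net: str = "192.168.1.0/24") -> None:
        self.mgmt_net = ipaddress.ip_network(mgmt_net)
        self.salt = os.urandom(16)
        self.password_hash = _hash(FACTORY_DEFAULT, self.salt)
        self.default_in_use = True  # device refuses normal logins while True

    def _on_mgmt_net(self, source_ip: str) -> bool:
        return ipaddress.ip_address(source_ip) in self.mgmt_net

    def _check(self, password: str) -> bool:
        # Constant-time compare of the derived hashes.
        return hmac.compare_digest(_hash(password, self.salt), self.password_hash)

    def login(self, password: str, source_ip: str) -> str:
        if not self._on_mgmt_net(source_ip):
            return "denied: not on management network"
        if self.default_in_use:
            return "denied: factory default password must be changed first"
        if not self._check(password):
            return "denied: bad credentials"
        return "ok"

    def change_password(self, current: str, new: str, source_ip: str) -> bool:
        """Allowed from the management network only; rejects the factory default
        and short passwords so the device cannot be 'changed' back to a known value."""
        if not self._on_mgmt_net(source_ip):
            return False
        if not self._check(current):
            return False
        if new == FACTORY_DEFAULT or len(new) < MIN_PASSWORD_LEN:
            return False
        self.salt = os.urandom(16)
        self.password_hash = _hash(new, self.salt)
        self.default_in_use = False
        return True


def audit_inventory(devices: list) -> list:
    """Defender-side check over an inventory of (name, public_mgmt, default_in_use)
    tuples: returns the names of devices a Shodan-style scan could both find and log into."""
    return [name for name, public_mgmt, default_in_use in devices
            if public_mgmt and default_in_use]


if __name__ == "__main__":
    weak = WeakDeviceAdmin()
    print("weak, from the internet:", weak.login("admin", "203.0.113.5"))
    hard = HardenedDeviceAdmin()
    print("hardened, from the internet:", hard.login("admin", "203.0.113.5"))
    print("hardened, on LAN, default:", hard.login("admin", "192.168.1.10"))
    hard.change_password("admin", "correct horse battery", "192.168.1.10")
    print("hardened, on LAN, new password:", hard.login("correct horse battery", "192.168.1.10"))
    # Constructed inventory: (name, management interface on a public IP?, still on default?)
    inventory = [("plc-01", True, True), ("hvac-02", True, False), ("cam-03", False, True)]
    print("exposed and on default:", audit_inventory(inventory))
```

The `audit_inventory` function is the part a security team would run against an asset list before a search engine does the equivalent for them; the two admin classes show why the vendor-side fix matters regardless of how the device is deployed.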
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.