Is Shodan Really the World's Most Dangerous Search Engine?
Apr 26 2013
At this point, people probably associate the internet with wasting time more than they do with saving it. But as we get ever-lazier, we're figuring out how to connect garage doors to the internet, set temperature levels on fridges, do timed shut-downs on wireless routers and basically make it possible to control every element of domestic life from a phone app. All of these devices need to be on the internet to operate and Shodan – a privately developed search engine – has been busy sniffing them out.
The software crawls the internet to find every connected device. Alongside fridges and wireless routers, it has found the control panels of power and utility systems, volatile scientific equipment, crematoriums and even a dam facility in France. Meaning that, with the right sadistic know-how, someone could track down these devices, access them and cut power to a whole city, flood a town or send a power plant into a melt-down at the click of a button.
Finding the back passages to internet-connected devices isn’t anything new. Not so long ago, a guy called Adrian Hayter proudly gave the world a website that collates internet-enabled CCTV camera feeds. But Shodan's discoveries present problems that are potentially more destructive than privacy issues, so I called up John Matherly, the search engine's creator, to find out the possible implications of his software.
VICE: Hi John, when did you start working on Shodan?
John Matherly: I started off with a £100 Dell machine in my free time and it slowly continued over three years. When I first started, I would maybe add 10,000, 100,000 records a month, and now I’m adding hundreds of millions a month. The speed at which I’ve been able to crawl the internet has accelerated a lot.
Woah, that is a lot. So what is Shodan’s purpose?
Well, it's ended up being used for something a bit different to what I designed it for. Basically, I created Shodan so companies could track where their software is being used. What ended up happening is that security researchers were able to use it to find all this software, all of these devices out there.
Computer researchers have been doing vulnerability analysis for a long time on power plants and all these systems, but before Shodan they had no real empirical data to say, "This is an actual threat." Shodan ended up being used to provide an empirical basis for their argument – proving where it's possible to remotely access software systems at, say, a power plant or a dam.
Does Shodan work in a similar way to Google?
It’s similar, yeah. Google crawls URLs – I don’t do that at all. The only thing I do is randomly pick an IP out of all the IPs that exist, whether it’s online or not being used, and I try to connect to it on different ports. It’s probably not a part of the visible web in the sense that you can’t just use a browser. It’s not something that most people can easily discover, just because it’s not visual in the same way a website is.
Controls for a crematorium that you can access from your computer. NBD.
So what kind of things are connected to the internet that you could access? Anything you didn’t expect to find?
Well, the cyclotron – a particle accelerator – was one. It’s theoretical physics equipment, it’s very, very volatile and it should never have been online. Then there are all these weird things, like crematoriums. Those are really creepy. You see the patient’s name pop up and there are different settings – like, there’s an infant setting. There’s no authentication needed, no passwords, nothing.
Yeah, that's creepy. But also kind of morbidly fascinating. Is there anything else?
CCTV cameras are very popular, just because it’s something that the average person can pick up on. People like the idea of finding some random office that they can look into. There was also a huge megawatt hydro-electric dam discovered in France that was online. Interestingly enough, that dam had a history of failures. The town near it had a flooding incident because the dam failed.
Shouldn’t things like power plants have better secured systems?
One of the reasons they’re in this problem in the first place is because they’re trying to save money. The internet didn't even exist when many of these plants were built, so they’ve just bought an adapter to hook their system up to the internet and save some money getting it properly set up. So they obviously didn’t think about the security and now they’re kind of dealing with the repercussions of that.
And you said lots of things don’t require passwords?
Yeah, that’s right. And even the devices that do require authentication mostly use default credentials, so you just go on Shodan and you can search for the default password and access them as easily as that.
Controls for a water treatment facility, which, again, you can technically access from your bedroom.
So nowadays we’re seeing everything connected to the internet, right?
This year is supposed to be the year of "the internet of things". As in, most devices come with internet connectivity now. But what people probably don't realise when they connect their webcam to the internet to see their baby from work, say, or do all these things on their phone, is that there are security implications. Just because you can’t find yourself on Google doesn’t mean that you’re not searchable and findable.
So what are your concerns?
There are different levels of security issues. The webcams are probably a minimal threat, but obviously they can affect privacy. Small devices aren't technically a national security issue by themselves. But my argument is that if you can compromise, like, a hundred thousand of them, then it actually becomes a national security problem because, if you have control over that many devices in a single country, then you can actually do a lot of damage. So it definitely becomes more critical depending on the numbers.
Does it surprise you that something serious hasn’t happened already?
I think people underestimate the amount of technical knowledge you actually need to go from discovering to successful exploitation. And the second thing is that you don’t know how long the system was actually affected. You could compromise these systems, put something dormant in them and, whenever you want to use it for a strategic purpose, you have the ability to get in there again.
So there might already be a virus lying dormant in a potentially important utility system?
Yeah, there could very well be. I mean, you do need some domain knowledge – you can’t just be a 16-year-old kid and take over a power plant, it’s not that easy. You might be able to find it with Shodan, but going from there to actually installing your own code usually requires actual knowledge of the device, especially bigger things like power plants.
So what stops a hardened criminal using Shodan to cause mayhem?
The people who actually know what they’re doing and hope to do illegal things won’t be using Shodan, because they don't want to have their actions traced. Shodan isn't an anonymous service. If you use Shodan and want more than 50 results – and 50 is not a lot – you have to start giving me payment information and personal information. If someone wants to do something really illegal, they’re going to use botnets to gather that information for them instead.