Shodan has burst from the shadows into the spotlight, courtesy of a profile in CNN that describes it as “the scariest search engine on the Internet.” Indeed, delving into what it can do is sure to generate some uncomfortable — even fearful — possibilities.
Shodan searches for and indexes things that are connected to the Internet — a category that can include anything from servers, webcams, printers and routers to refrigerators and home security systems. Add to that list traffic lights, security cameras, and control systems for water parks, gas stations, nuclear power plants and a particle-accelerating cyclotron, as the CNN article notes.
Shodan’s creator, John Matherly, has built controls into the search engine to discourage its use for nefarious purposes. To get to the meaty part of the database, users have to be registered and pay for results. Security professionals, law enforcement officials and academic researchers reportedly are the main users of the data.
Still, one can surmise these safeguards could be circumvented without much difficulty — and the site is so user-friendly, it almost begs to be used. You can find devices based on city, country, host name, operating system or IP address. Another worry: Now that Shodan is in the public eye, how long before copycats with very different aims in mind create something quite similar?
Action Movies, Spy Novels
How hard would it be to use Shodan — or a lookalike — to find the Internet-connected device that controlled, say, a rival restaurant’s refrigeration system, then access it, gain control of it, and warm things up the night before a big event? Or have a little fun blowing out a rival company’s sound system at a product launch?
Or worse? That’s the stuff of action movies and spy novels, and right now it’s not likely to be a reality, said Steve Durbin, global vice president of the Information Security Forum.
“If the guidelines that Matherly says are in place are actually in place, it should be difficult to get a huge amount of information to do the sorts of things you are talking about,” he told TechNewsWorld.
As for the worst-case scenario — targeting a building or nuclear plant or utility as part of a terrorist attack — “there are probably easier ways to get at these structures than by these devices,” Durbin said.
A Real Risk
Not everyone is so sanguine that the search engine poses no immediate threat.
“This is a real set of risks,” said Win Treese, associate director at Boston University’s Hariri Institute for Computing.
“More and more devices of all kinds are being attached to the Internet, directly or indirectly. Until recently, there had been isolated incidents with some of them, or proof-of-concept attacks,” he said.
Throw a search engine into the mix, “and it becomes much easier to find a target to attack,” Treese told TechNewsWorld.
Weak Industrial Design
It is true that most people haven’t thought much about how these devices are actually computers connected to the Internet, Treese noted, so any wake-up call is a good thing.
Yet this thought process needs to extend beyond the isolated printer or router to the broader security picture.
“Many people think they have an isolated network, when, in fact, it is connected to the broader Internet, possibly with a firewall,” Treese said. “Because it is so easy to interconnect networks, it can happen without a full realization of the problem. This has been a big issue, I suspect, with industrial and infrastructure control systems that were originally isolated, but now are more exposed on the Internet in unexpected ways.”
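The practical check that follows from Treese’s point, and from the search filters described earlier in the article, is to look for your own control systems in the same kind of index an attacker would use. The Python below is an added example, not code from the article or from Shodan: it composes a search string from the filter names Shodan documents (net, port, country and so on), then triages host records in the JSON shape Shodan returns (ip_str, port, transport, product, org) against the defender’s own netblocks and a table of well-known industrial-protocol ports. The netblocks and records are constructed sample data, and the port table assumes the service behind each port is the one that port is registered for, which a real triage would confirm from the banner.

```python
"""Find your own Internet-exposed control-system services in Shodan-style results.

Added example, not from the article or from Shodan. The record fields mirror
the ones in Shodan host results, but every value below is constructed.
"""
import ipaddress
import json

# Registered ports for common industrial/building-automation protocols.
# Assumption: the listening service is the protocol the port is registered for.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Address space the defender believes is theirs (constructed for the example;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
OWN_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample records in the shape of Shodan host results.
SAMPLE_RECORDS = json.dumps([
    {"ip_str": "203.0.113.17", "port": 502, "transport": "tcp", "product": "Modbus", "org": "Example Plant"},
    {"ip_str": "203.0.113.18", "port": 443, "transport": "tcp", "product": "nginx", "org": "Example Plant"},
    {"ip_str": "198.51.100.9", "port": 47808, "transport": "udp", "product": "BACnet", "org": "Example Plant"},
    {"ip_str": "192.0.2.44", "port": 502, "transport": "tcp", "product": "Modbus", "org": "Someone Else"},
    # Outside 198.51.100.0/25 (.0-.127), so not ours even though the org matches.
    {"ip_str": "198.51.100.200", "port": 20000, "transport": "tcp", "product": "DNP3", "org": "Example Plant"},
])


def build_query(**filters):
    """Compose a Shodan search string such as 'net:203.0.113.0/24 port:502'.

    Filter names (net, port, country, city, hostname, os, org) are Shodan's own;
    values containing spaces are quoted.
    """
    parts = []
    for key, value in filters.items():
        value = str(value)
        if " " in value:
            value = f'"{value}"'
        parts.append(f"{key}:{value}")
    return " ".join(parts)


def in_own_netblocks(ip, netblocks=OWN_NETBLOCKS):
    """True if the address falls inside any of the defender's netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def triage(records_json, netblocks=OWN_NETBLOCKS):
    """Return records that are both in our address space and on an ICS port.

    Records for other organisations are dropped deliberately: the point is to
    find our own exposure, not to enumerate someone else's.
    """
    findings = []
    for rec in json.loads(records_json):
        port = rec.get("port")
        if port not in ICS_PORTS:
            continue
        if not in_own_netblocks(rec["ip_str"], netblocks):
            continue
        findings.append({
            "ip": rec["ip_str"],
            "port": port,
            "protocol": ICS_PORTS[port],
            "transport": rec.get("transport", "tcp"),
            "product": rec.get("product", "?"),
        })
    findings.sort(key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))
    return findings


if __name__ == "__main__":
    print("query:", build_query(net="203.0.113.0/24", port=502))
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['ip']}:{f['port']}/{f['transport']}  {f['protocol']}  ({f['product']})")
```

Run against real results, the netblock filter is what keeps the exercise defensive: a hit outside your own address space is someone else’s problem to report, not to probe. A hit inside it is the “isolated” controller that turned out to be reachable from the Internet.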
Build It and They Will Come
What is really worrisome is that Shodan is just one example of this new reality, Andrew Storms, director of security operations for Tripwire, told TechNewsWorld.
Any device connected to the Internet is bound to be discovered and cataloged — and the recent increases in computing power, especially elastic computing delivered via the cloud, “are making it easier and cheaper than ever for anyone to do exhaustive searches that discover Internet-enabled devices and data,” he said.
It is tempting to classify Shodan as a tool designed for hackers and cybercriminals, but it’s really no different from Google or even Facebook’s new Graph Search, Storms said.
“Both of these search tools are routinely used by attackers to craft effective phishing campaigns,” he pointed out. “Ultimately, Shodan is just another discovery tool that can be used for both good and evil.”