'Scary' search engine can find millions of agency back doors
- By John Breeden II
- Apr 12, 2013
Most search engines, such as Google’s, find things that want to be discovered. Websites go to a lot of effort to bring in visitors, the equivalent of putting out the red carpet and a big sign that says "Free Lobster Buffet." But a lot of things that are connected to the Internet don't want visitors -- say, a local printer, or the control valves on a power plant, or devices using machine-to-machine code to watch over some aspect of an agency.
Devices whose operators want them left alone use their obscurity as a cloak. If they don't put up a flag that says "find me," they are ignored by typical search engines. But not the one run by Shodan, which specializes in discovering the undiscoverable. It's designed to find all the things you thought that isolation made safe, potentially giving access to your agency through a million back doors.
CNN Money recently called Shodan, “the scariest search engine on the Internet.” Editors there did some quick searches and found traffic lights, home heating systems and security cameras. Apparently, security expects also have used Shodan to discover the command and control system of a nuclear power plant and a particle-accelerating cyclotron.
What makes this issue potentially dangerous is that many of the devices found by Shodan have no security, because they were never designed to host visitors, other than perhaps an authorized user once or twice over the unit's lifetime. Most others have default passwords, which the Shodan site helpfully points out how to find.
Launched in 2009, Shodan (an acronym for Sentient Hyper-Optimized Data Access Network) crawls the Web and logs every undiscovered device it finds. The site says that it catalogs more than 500 million devices every month.
The owner of Shodan does try to limit the site's effectiveness as a terrorist or hacker tool. Search results are limited to just 10. A subscription is required for 50 results per search. Apparently there is a hidden level of access, that delivers unlimited results, but users have to convince the site’s owners of the validity of the search, and likely pay another fee.
But the limitations are more an annoying than a real barrier. I spent a few hours searching for devices and found that with a refined search, those 10 results are more than enough. For example, I was able to discover a security network for a jail in Canada. More locally, one of those flashing information signs at a business popped up in just a few minutes of trying.
As reported by CNN, traffic networks are quite easy to find using Shodan, especially once familiar with how cities name devices on their grids. In fact, by understanding the naming conventions and knowing the IP ranges, a dedicated hacker might be able to do almost anything within a specific city.
Power and water plants and other parts of the infrastructure are potentially vulnerable. In 2010 ICS-CERT issued a warning about it, specifically for SCADA (supervisory control and data acquisition) systems used in industrial settings.
It might be easy to say that such a site should be shut down. But the technology is out there already, and at least Shodan operates in the light. Also it’s potentially dangerous only because the devices it finds aren’t secured or are protected by default passwords, and it could be put to good use.
Agencies sometimes do penetration testing on their systems to identify weaknesses. Shodan could be another tool, looking for unsecured devices, those protected by default passwords and those devices that don’t really need to be connected to the Internet.
Look around your office right now. See all those devices? How many of them are potential back doors for hackers? Even if you don't know the answer, Shodan does.