City traffic controls have Internet connections

'Scary' search engine can find millions of agency back doors

Most search engines, such as Google’s, find things that want to be discovered. Websites go to a lot of effort to bring in visitors, the equivalent of putting out the red carpet and a big sign that says "Free Lobster Buffet." But a lot of things that are connected to the Internet don't want visitors -- say, a local printer, or the control valves on a power plant, or devices using machine-to-machine code to watch over some aspect of an agency.

Devices whose operators want them left alone use their obscurity as a cloak. If they don't put up a flag that says "find me," they are ignored by typical search engines. But not the one run by Shodan, which specializes in discovering the undiscoverable. It's designed to find all the things you thought that isolation made safe, potentially giving access to your agency through a million back doors.

CNN Money recently called Shodan "the scariest search engine on the Internet." Editors there did some quick searches and found traffic lights, home heating systems and security cameras. Apparently, security experts also have used Shodan to discover the command and control system of a nuclear power plant and a particle-accelerating cyclotron.

What makes this issue potentially dangerous is that many of the devices found by Shodan have no security, because they were never designed to host visitors, other than perhaps an authorized user once or twice over the unit's lifetime. Most others have default passwords, which the Shodan site helpfully points out how to find.

Launched in 2009, Shodan (an acronym for Sentient Hyper-Optimized Data Access Network) crawls the Web and logs every undiscovered device it finds. The site says that it catalogs more than 500 million devices every month.

The owner of Shodan does try to limit the site's effectiveness as a terrorist or hacker tool. Search results are limited to just 10. A subscription is required for 50 results per search. Apparently there is a hidden level of access that delivers unlimited results, but users have to convince the site's owners of the validity of the search, and likely pay another fee.

But the limitations are more an annoyance than a real barrier. I spent a few hours searching for devices and found that with a refined search, those 10 results are more than enough. For example, I was able to discover a security network for a jail in Canada. More locally, one of those flashing information signs at a business popped up in just a few minutes of trying.

As reported by CNN, traffic networks are quite easy to find using Shodan, especially once one is familiar with how cities name devices on their grids. In fact, by understanding the naming conventions and knowing the IP ranges, a dedicated hacker might be able to do almost anything within a specific city.

Power and water plants and other parts of the infrastructure are potentially vulnerable. In 2010 ICS-CERT issued a warning about it, specifically for SCADA (supervisory control and data acquisition) systems used in industrial settings.

It might be easy to say that such a site should be shut down. But the technology is out there already, and at least Shodan operates in the light. Also, it's potentially dangerous only because the devices it finds aren't secured or are protected by default passwords, and it could be put to good use.

Agencies sometimes do penetration testing on their systems to identify weaknesses. Shodan could be another tool in that effort, used to look for an agency's own unsecured devices, those protected by default passwords, and those devices that don't really need to be connected to the Internet at all.
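One way an agency could turn that idea into a routine check, as an added example that is not from the article or from Shodan: take the banner records Shodan returns for your own address space, keep only the ones inside the CIDR ranges you actually own, and flag any service that rarely has a reason to face the Internet. The records below are constructed samples shaped like Shodan banner objects (ip_str, port, transport, product, data); the CIDR ranges and the list of "should not be exposed" ports are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, shaped like the banner objects Shodan's API returns.
# These addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 23, "transport": "tcp", "product": "", "data": "login: "},
    {"ip_str": "203.0.113.12", "port": 502, "transport": "tcp", "product": "Modbus", "data": "Modbus/TCP"},
    {"ip_str": "203.0.113.20", "port": 443, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK"},
    {"ip_str": "198.51.100.7", "port": 23, "transport": "tcp", "product": "", "data": "login: "},
]

# Services that rarely have a reason to face the Internet (assumed list).
# Finding one on an agency-owned address is the "does this need to be
# connected at all?" question the article raises.
SHOULD_NOT_BE_EXPOSED = {
    23: "telnet (cleartext login)",
    161: "SNMP",
    502: "Modbus/TCP (industrial control)",
    5900: "VNC",
    9100: "raw printer port",
}


def triage(banners, owned_cidrs):
    """Return {ip: [findings]} for banners that fall inside the agency's own ranges."""
    nets = [ipaddress.ip_network(c) for c in owned_cidrs]
    findings = defaultdict(list)
    for b in banners:
        ip = ipaddress.ip_address(b["ip_str"])
        if not any(ip in n for n in nets):
            continue  # not our address space: ignore it rather than examine someone else's device
        reason = SHOULD_NOT_BE_EXPOSED.get(b["port"])
        if reason:
            findings[str(ip)].append(f"port {b['port']}: {reason}")
    return dict(findings)


if __name__ == "__main__":
    # Review list for the (assumed) agency range 203.0.113.0/24
    for ip, items in sorted(triage(SAMPLE_BANNERS, ["203.0.113.0/24"]).items()):
        print(ip, items)
```

The 198.51.100.7 telnet banner is dropped because it is outside the owned range; the HTTPS host is kept off the list because port 443 is not in the exposure table.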

Look around your office right now. See all those devices? How many of them are potential back doors for hackers? Even if you don't know the answer, Shodan does.

About the Author

John Breeden II is a freelance technology writer for GCN.

Reader Comments

Tue, Apr 16, 2013 Micky

Hey Ralph, I'm pretty sure your phone needs to be connected to the Internet or it might not work, especially if you are on a PBX. Things this search engine can find (I fooled around with it a bit) are mostly devices that do need some human intervention from time to time, like a traffic signal. If it gets out of sync or needs to be tested, someone has to log into it. That means that someone could probably change the signal lights and all that, but I don't know what we could do to stop them other than add security to all of these necessary machines. I'm pretty surprised that most of the ones I found were wide open.

Mon, Apr 15, 2013 Ralph

This kind of reminds me of the start of a Stephen King book. I wonder if the phone will suddenly leap up and try to strangle me, only it will not be some alien intelligence but a hacker calling the shots. Seriously, if something does not need to be connected to the Internet, UNPLUG IT.
