Shodan and the Scary Side of Search
September 25, 2013
Search can be a lot of things, but “terrifying”? Yes, I’m afraid so. Forbes describes a thoroughly modern, search-related threat in, “The Terrifying Search Engine that Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors, and Power Plants.”
You may have heard the story about the hacked baby monitor, through which one truly deplorable individual viewed and harassed a sleeping two-year-old who was tucked into her own bed. In this piece, journalist Kashmir Hill examines the search engine Shodan, which she says probably facilitated that digital predator. Such a trespass is just the tip of the chill-inducing iceberg. She writes:
“Shodan crawls the Internet looking for devices, many of which are programmed to answer. It has found cars, fetal heart monitors, office building heating-control systems, water treatment facilities, power plant controls, traffic lights and glucose meters. A search for the type of baby monitor used by the Gilberts reveals that more than 40,000 other people are using the IP cam–and may be sitting ducks for creepy hackers. . . .
“Shodan’s been used to find webcams with security so low that you only needed to type an IP address into your browser to peer into people’s homes, security offices, hospital operating rooms, child care centers and drug dealer operations. Dan Tentler, a security researcher who has consulted for Twitter, built a program called Eagleeye that finds webcams via Shodan, accesses them and takes screenshots. He has documented almost a million exposed webcams.”
Scary stuff, but that is not all. The article notes that many modern buildings that house everything from apartments to businesses to government facilities have security, lighting, and HVAC systems connected to the Internet, where they could be hijacked. Even entire power grids could be usurped. The unnerving possibilities seem endless.
Like many scary things, Shodan can also be used for good. Folks working in security, academia, law enforcement, and white-hat hacking have used the tool to find susceptible devices and see that they are secured. It is also at least a bit comforting that the FTC is aware of Shodan’s capabilities and the vulnerabilities it reveals. The takeaway for consumers, of course, is to pay close attention to locking down devices from our end, with things like obscure user names (not “admin”!) and hard-to-guess passwords. Better yet, at least for now, we may wish to tune out the growing siren song that promises convenience through universal connectivity. The cost could be too high until security is significantly improved.
The programmer who developed and now runs the search engine, John Matherly, originally envisioned it being used by corporations for, let’s call it, competitor research. The sharp turn into creepy territory, though, does not seem to bother him. In fact, he seems to see this development as a good thing, shining light on inadequate security practices at companies that sell Internet-connected devices. See the article for more about the man behind Shodan and the hornets’ nest that he has soundly thwacked.
Cynthia Murrell, September 25, 2013