| Shodan: The scariest search engine on the Internet [message #47669] |
Tue, 09 April 2013 11:10 |
CyberkNight
Messages: 1606
Registered: July 2012
Karma: 0
|
Senior Member |
|
|
"When people don't see stuff on Google, they think no one can find it. That's not true."
That's according to John Matherly, creator of Shodan, the scariest search engine on the Internet.
Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet's back channels.
It's a kind of "dark" Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. (Shodan's site was slow to load Monday following the publication of this story.)
Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.
It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium.
Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
What's really noteworthy about Shodan's ability to find all of this -- and what makes Shodan so scary -- is that very few of those devices have any kind of security built into them.
"You can log into just about half of the Internet with a default password," said HD Moore, chief security officer of Rapid 7, who operates a private version of a Shodan-like database for his own research purposes. "It's a massive security failure."
A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all -- all you need is a Web browser to connect to them.
In a talk given at last year's Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.
He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city's entire traffic control system was connected to the Internet and could be put into "test mode" with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.
Scary stuff, if it got into the wrong hands.
"You could really do some serious damage with this," Tentler said, in an understatement.
So why are all these devices connected with few safeguards? Some things that are designed to be connected to the Internet, such as door locks that can be controlled with your iPhone, are generally believed to be hard to find. Security is an afterthought.
A bigger issue is that many of these devices shouldn't even be online at all.
Full article: http://money.cnn.com/2013/04/08/technology/security/shodan/i ndex.html
Megalextoria
|
|
|
|
Members
Search
Help
Register
Login
Home
