Where the name was derived, SHODAN means Sentient Hyper-Optimized Data Access Network – the villain and fictional artificial intelligence in the cyberpunk role-playing games (RPG) namely System Shock and System Shock 2.
The name Shodan was used by John Matherly when he created what is now considered the scariest search engine on the Internet. According to Matherly, it is simply not true that if Google can’t find stuff on the Web, no one can. In fact, Shodan navigates the Internet’s back channels which, is very much unlike Google which crawls the Web as they search for websites. Shodan is said to be a ‘dark’ kind of Google which looks for webcams, routers, servers, printers and all the peripherals and stuff connected to and that make up the Internet.
Shodan: Collecting Information from Everything Connected to the Net
Shodan, running 24/7 has the ability to collect information on about 500 million connected devices and services every month. And they’re all interesting stuff – traffic lights, home automation devices, heating systems, and security cameras, if connected to the Internet will be easy to spot.
So far, using Shodan, searchers and cybersecurity researchers were able to:
-
Find control systems for a water park, a hotel wine cooler, gas station, and a crematorium
-
Locate command and control systems for nuclear power plants and a particle-accelerating cyclotron
Judging from these great “finds”, what would really be noteworthy about Shodan’s “locator” ability is that very few of those devices have any kind of security built into or around them, which indicates a massive security failure, as attested by HD Moore, chief security officer of Rapid 7 who uses a Shodan-like database privately for his own research.
If you make a quick search for “default password”, you will be shown search results of countless servers, printers, and system control devices that use default passwords as “admin” or “1234”. Some connected systems don’t even require password. With just a web browser, you are able to connect to them without difficulty.
Some other results obtained by Dan Tentler, an independent security penetration tester when he used Shodan include:
-
Finding a car wash that could be turned on and off
-
Finding a Denmark hockey rink that can be remotely defrosted
-
Finding a city’s entire traffic control system that can be put to a “test mode” with one command entry
-
Finding a control system for hydroelectric plant in France with two turbines generating 3 megawatts each.
Scary Picture of Shodan’s Power
Do you get the picture? It’s very scary and seriously alarming. What if Shodan is used for other purposes? And why are those devices connected with almost no security? If any consolation, there are some things that are designed to be connected to the internet like door locks that can be controlled using iPhone are believed hard to find.
What’s probably more alarming is how people are being careless and negligent when it comes to security consciousness. Most of the devices make use of systems that allow remote control or manipulation from a remote place. If done right, the device should run on its own server and not plugged directly into a web server which practically shared the device and the system with the rest of the world. If done this way, where the rest of the world can gain access to the device and the system, you can’t really talk about security. They don’t have business to be on the Internet in the first place.
Having seen such vulnerability, Shodan creator Matherly made sure that Shodan is almost exclusively used for good purposes. After completing his pet project three years ago, Matherly limited the searches to just 10 results without an account and 50 with an account. Matherly places his personal involvement if someone wants to see what Shodan has to offer. He requires more information about the intents and purposes of such search with corresponding payment.
In the event that cyber criminals have turned their fancy in blowing up a building or shutting down a city’s traffic light system, Shodan is expected to be used to avoid such scenario by spotting the unsecured, connected devices and alerting those operating them on their vulnerability. Hopefully, the detection will be quicker than the cyber criminal’s identification of potential target unsecured devices and systems. In the meantime, attention should be directed to those devices connected to the Internet that are bare and open to security attacks.
Meta description: Shodan, said to be a ‘dark’ kind of Google, has the ability to collect information on about 500 million connected devices and services every month. This poses security problems for unsuspecting operators who had their system wired to the internet.
Image Credits: Google Images