Hacker Search Engine Becomes the New Internet of Things Search Engine

Hacker Search Engine Becomes the New Internet of Things Search Engine

Shodan Screenshot

At DEFCON 17 in 2009, John Matherly debuted a search engine named Shodan (after the villainous computer in the cult-classic video game, System Shock). Shodan was received with some alarm in the media, who named it “The world’s scariest search engine.”

Google finds web sites; Shodan finds devices

Where Google and other search engines index websites by looking at the body of the returned content, Shodan works by indexing HTTP headers and other “banner” information leaked from various devices. Shodan fingerprints the devices and indexes them by country, operating system, brand, or dozens of other attributes.

Today, Matherly is pleased to say that Shodan is becoming the new search engine for the Internet of Things. The same mechanics that allow Shodan to find Cisco routers in Connecticut enables it to find webcams, video billboards, license-plate scanners, those giant wind turbines, and many other devices.

The flexibility of Shodan makes for many curious searches. In one showcase example, Matherly used Shodan to locate Internet-accessible license plate readers, and found that 1.3% of motorists in Detroit use novelty license plates such as: SEWTHIS, GOODDAY, and my favorite, EMBALMR.

The powers of Shodan can be used for good. Manufacturers can use Shodan to locate unpatched versions of their software in IoT devices. And Sales can use it to identify new customer opportunities. One Shodan query shows the number of HP printers in need of toner across ten different universities. Hint: Staples, you might want to visit the University of Minnesota.

Consumer-grade security concerns

Though Shodan queries can be constructive or humorous, there is still security to consider. Whether Matherly intends it to or not, Shodan is already exposing the sham of consumer-grade security that we all suspected would be a hallmark of The Internet of Things.

Shodan can’t see everything in the Internet of Things—it’s going to find devices that look like “connectable” servers on the Internet. The vast majority of IoT devices will be sensors sending data one way through “smart hubs” (IoT-aware routers) in home networks that NAT the connections up to the cloud. In theory, the IoT hubs will protect the sensor from prying eyes on the Internet.

Except, according to Matherly, IoT hubs have a suboptimal security posture. Many still have telnet enabled(!) with default passwords or no passwords at all. Shodan can find these hubs if they are exposed directly to the Internet. And if someone were to access the hub from the Internet, he may be able to monitor the sensor data passing through it. That could be a problem for homes that log motion-sensor data to the cloud. An eavesdropper could use the sensor data to determine if someone were home or not.

Hacking (or just logging in) to an exposed home router is going a step beyond just running a Shodan search. Extrapolating threats like these leads us right back to the original media fear: that Shodan would be used as a go-to, DiY attacker search engine but this time, against the new consumer infrastructure.

Used by researchers and white hats, Shodan will act as an antiseptic to the murk of the consumer-grade security of the Internet of Things during these early days. When responsible disclosure is applied by researchers, they, and IoT manufacturers, can then work to track patches and upgrades across the Internet. A virtuous cycle of vulnerability scanning can then improve the IoT security posture for everyone.

– Securityweek.

July 19, 2015 / by / in , , , , , ,

Leave a Reply

Show Buttons
Hide Buttons

IMPORTANT MESSAGE: Scooblrinc.com is a website owned and operated by Scooblr, Inc. By accessing this website and any pages thereof, you agree to be bound by the Terms of Use and Privacy Policy, as amended from time to time. Scooblr, Inc. does not verify or assure that information provided by any company offering services is accurate or complete or that the valuation is appropriate. Neither Scooblr nor any of its directors, officers, employees, representatives, affiliates or agents shall have any liability whatsoever arising, for any error or incompleteness of fact or opinion in, or lack of care in the preparation or publication, of the materials posted on this website. Scooblr does not give advice, provide analysis or recommendations regarding any offering, service posted on the website. The information on this website does not constitute an offer of, or the solicitation of an offer to buy or subscribe for, any services to any person in any jurisdiction to whom or in which such offer or solicitation is unlawful.