When people need to find something online, most fire up their browsers and point Google to a set of keywords and phrases, and hope for the best. And if the desired results don’t come up, they figure it’s probably not online for them to find. Au contraire. Just because Google doesn’t give up the goods, doesn’t mean they don’t exist. Shodan can call up myriad things that fly below the radar — stuff like traffic lights, security cameras, home automation devices, heating systems and anything else that’s connected to the Internet, but aren’t necessarily at the top of typical search results.
Using Shodan, you can uncover systems controlling water parks, gas stations, hotel wine coolers, crematoriums and more pretty easily. But don’t blame the tool. Sure, Shodan puts it right out there, but the lack of appropriate security is what makes them available. And that’s the learning lesson here.
If you neglected to change any of your logins from the default, here’s food for thought: A search for “default password” results in countless printers, servers and system control devices that still have “admin” and “1234” as their username and password. Others don’t even have logins at all, not even cursory authentication. Once people find that and get in, all manner of crazy things can happen — no real hacking required.
And it goes far beyond personal or business accounts. Someone even discovered command and control systems for a nuclear power plant and a particle-accelerating cyclotron using the search engine, as well as a French hydroelectric plant and a city traffic control system. The online traffic system was found to be easily manipulated — the user could’ve put it in “test mode” by entering a simple command.
Shodan is the brainchild of John Matherly, who created this dark search engine a little over three years ago. People can use the site for free, but the limit is 10 results and 50 if you open an account. Need more? Then you’ve got to pay for it and answer a pile of questions about what you’re looking for and why.
The “why” is key here. Bona fide black-hat hackers have other ways that are far less detectable, leaving Shodan mostly in the hands of security professionals, researchers and law enforcement, who typically use the service to alert companies and organizations about these security vulnerabilities. But that doesn’t mean some rogue Shodan user won’t do harm.
In fact, with the opportunity and access so frighteningly wide open, it’s probably just be a matter of time.