Shodan search engine exposes built-in vulnerabilities
By Byron Acohido, ThirdCertainty
Shodan is a search engine that finds and indexes computing devices connected to the Internet, such as routers, webcams, power plant controls, refrigerators and smartphones. It can be used for benign, or nefarious, purposes. ThirdCertainty asked Shodan’s creator, John Matherly, to outline Shodan’s capabilities.
3C: How does Shodan work?
Matherly: Shodan works by visiting every possible IPv4 address and finding out what sort of software is running on that IP. Depending on the type of software that is detected Shodan can figure out what sort of device is running the software. For example, if Shodan discovers that a device is running software that is only used in factories then it can conclude that the device is probably part of a control system.
3C: So what is it best at finding?
Matherly: It’s important to understand that Shodan is a very different type of search engine than Google. Google lets you find websites — Shodan lets you find devices. Shodan excels at providing an empirical picture of the Internet for whatever device you’re interested in.
3C: Shodan was used to uncover MBIA’s misconfiguring of its Oracle web server. Did that surprise you?
Matherly: The Oracle web server misconfiguration wasn’t surprising at all. These sorts of issues come up across the board all the time, and they’re symptomatic of a greater issue, which is a lack of security awareness and understanding. These same problems arise in control systems, web cams, routers and anything else that requires the end-user to make good decisions in order for the device to be secure.
3C: What gave you the idea to launch Shodan?
Matherly: The original purpose of Shodan was to provide a market research tool that would let companies understand who their customers are, which products are most popular, how well users are patching their systems and the like. There existed a similar service that offered that sort of information for web servers, and I thought I could extend it to many other ports, services and devices.
3C: What did it take to create Shodan?
Matherly: Shodan has been running for five years now, and it has slowly evolved from a hobby project into a tool that is used in security, economics, public policy and much more. The majority of the work has required collaborating with people who know more about a certain field, such as industrial control systems or healthcare, and working together to help identify those sorts of devices on the Internet.
And then a large chunk of my time is spent on outreach to help put the data to good use. Too often security research doesn’t reach the audience that could actually make changes, so it’s important for me to focus on not just gathering the data but also making it actionable and presentable.
3C: What are some other glaring exposures that you’ve uncovered with Shodan?
Matherly: I’m starting to see a lot more home automation systems and other consumer-level Internet of Things technology come online recently. And I’m concerned that many people don’t realize how similar an IoT device is to their regular desktop. Both can be infected by malware, both can expose your personal information and both need to get properly patched and protected.
3C: So is Shodan a tool for finding, not zero-days, but built-in vulnerabilities, perhaps?
Matherly: People in the tech community love hearing about Heartbleed and Shellshock, but the truth of the matter is that many organizations are still failing at the basics. I believe that Shodan is able to show empirically which industries, devices and companies aren’t keeping up with fundamental security practices. In many ways, Shodan is exposing the low-hanging fruit of insecure devices on the Internet. Most of the discoveries don’t require advanced skills and there are a shocking number of devices that freely advertise their default username and password.
3C: Anything else?
Matherly: Based on the observations with Shodan, we in the security world need to do a better job at helping non-security folks, especially engineers, understand how to produce safe code, think about security and improve their fundamentals before moving on to more complex security issues.