Shodan search engine exposes built-in vulnerabilities


Shodan is a search engine that finds and indexes computing devices connected to the Internet, such as routers, webcams, power plant controls, refrigerators and smartphones. It can be used for benign, or nefarious, purposes. ThirdCertainty asked Shodan's creator, John Matherly, to outline Shodan's capabilities.

3C: How does Shodan work?

Matherly: Shodan works by visiting every possible IPv4 address and finding out what sort of software is running on that IP. Depending on the type of software that is detected, Shodan can figure out what sort of device is running the software. For example, if Shodan discovers that a device is running software that is only used in factories, then it can conclude that the device is probably part of a control system.

3C: So what is it best at finding?

Matherly: It's important to understand that Shodan is a very different type of search engine than Google. Google lets you find websites; Shodan lets you find devices. Shodan excels at providing an empirical picture of the Internet for whatever device you're interested in.

3C: Shodan was used to uncover MBIA's misconfiguring of its Oracle web server. Did that surprise you?

Matherly: The Oracle web server misconfiguration wasn't surprising at all. These sorts of issues come up across the board all the time, and they're symptomatic of a greater issue, which is a lack of security awareness and understanding. These same problems arise in control systems, webcams, routers and anything else that requires the end user to make good decisions in order for the device to be secure.

John Matherly

3C: What gave you the idea to launch Shodan?

Matherly: The original purpose of Shodan was to provide a market research tool that would let companies understand who their customers are, which products are most popular, how well users are patching their systems and the like. There existed a similar service that offered that sort of information for web servers, and I thought I could extend it to many other ports, services and devices.

3C: What did it take to create Shodan?

Matherly: Shodan has been running for five years now, and it has slowly evolved from a hobby project into a tool that is used in security, economics, public policy and much more. The majority of the work has required collaborating with people who know more about a certain field, such as industrial control systems or healthcare, and working together to help identify those sorts of devices on the Internet.

And then a large chunk of my time is spent on outreach to help put the data to good use. Too often security research doesn't reach the audience that could actually make changes, so it's important for me to focus on not just gathering the data but also making it actionable and presentable.

3C: What are some other glaring exposures that you've uncovered with Shodan?

Matherly: I'm starting to see a lot more home automation systems and other consumer-level Internet of Things technology come online recently. And I'm concerned that many people don't realize how similar an IoT device is to their regular desktop. Both can be infected by malware, both can expose your personal information and both need to get properly patched and protected.

3C: So is Shodan a tool for finding, not zero-days, but built-in vulnerabilities, perhaps?

Matherly: People in the tech community love hearing about Heartbleed and Shellshock, but the truth of the matter is that many organizations are still failing at the basics. I believe that Shodan is able to show empirically which industries, devices and companies aren't keeping up with fundamental security practices. In many ways, Shodan is exposing the low-hanging fruit of insecure devices on the Internet. Most of the discoveries don't require advanced skills, and there are a shocking number of devices that freely advertise their default username and password.
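The two answers above describe the same pipeline: a scanner records whatever banner a host returns on a port, the banner is matched to a piece of software, the software implies a device class, and some banners go so far as to print their default login. The script below is an added illustration of that inference step, written for this page; it is not Shodan's code, and its rule table, device classes and sample banners are all constructed for the example. It fingerprints a handful of made-up scan records (an HTTP 401 from an embedded camera web interface, a Modbus/TCP reply, a telnet greeting that names its default login, a plain web server and an SSH banner) and then tallies the result into the kind of per-class summary Matherly calls an "empirical picture".

```python
"""Toy banner fingerprinting: banner -> software -> device class.

Added example, not Shodan's implementation. All banners, IPs and the
rule tables below are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed scan records: (ip, port, raw banner bytes). Not real hosts.
SAMPLE_BANNERS = [
    ("203.0.113.10", 80,
     b"HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.94.14rc21\r\n"
     b'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n'),
    # Modbus/TCP exception reply: MBAP header (txn 1, proto 0, len 3, unit 1)
    # followed by function 0x83 (exception for 0x03) and exception code 1.
    ("203.0.113.11", 502, b"\x00\x01\x00\x00\x00\x03\x01\x83\x01"),
    ("203.0.113.12", 23,
     b"Welcome to Router\r\nDefault login: admin / admin\r\nlogin: "),
    ("203.0.113.13", 80,
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"),
    ("203.0.113.14", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),
]

# Illustrative rule table (assumed for the example): software -> device class.
SOFTWARE_TO_CLASS = {
    "boa": "embedded web interface",
    "apache": "web server",
    "openssh": "general-purpose server",
}
# Words in an auth realm or greeting that pin the device down more precisely.
REALM_HINTS = {"camera": "webcam", "router": "router", "dvr": "dvr"}
DEFAULT_CRED_RE = re.compile(r"default\s+(login|password|credentials?)", re.I)


@dataclass
class Fingerprint:
    software: Optional[str]        # product name taken from the banner
    version: Optional[str]         # version string, if the banner gives one
    device_class: str              # inferred from protocol, realm or software
    default_creds_advertised: bool  # banner itself names a default login


def _class_from_hint(text: Optional[str]) -> Optional[str]:
    """Map a realm or greeting to a device class via REALM_HINTS."""
    if not text:
        return None
    lowered = text.lower()
    for word, cls in REALM_HINTS.items():
        if word in lowered:
            return cls
    return None


def _parse_http(text: str):
    """Return (software, version, realm) from an HTTP response banner."""
    headers = {}
    for line in text.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    # First "product/version" token of the Server header.
    m = re.match(r"([A-Za-z][\w.-]*)(?:/([\w.-]+))?", headers.get("server", ""))
    software = m.group(1).lower() if m else None
    version = m.group(2) if m and m.group(2) else None
    realm_match = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    realm = realm_match.group(1) if realm_match else None
    return software, version, realm


def _looks_like_modbus(port: int, raw: bytes) -> bool:
    """Modbus/TCP: port 502, protocol id 0, MBAP length == remaining bytes."""
    return (port == 502 and len(raw) >= 8 and raw[2:4] == b"\x00\x00"
            and int.from_bytes(raw[4:6], "big") == len(raw) - 6)


def fingerprint(port: int, raw: bytes) -> Fingerprint:
    """Infer software, version and device class from one banner."""
    text = raw.decode("latin-1")
    creds = bool(DEFAULT_CRED_RE.search(text))
    if _looks_like_modbus(port, raw):
        return Fingerprint("modbus/tcp", None, "industrial control system", creds)
    if text.startswith("HTTP/"):
        software, version, realm = _parse_http(text)
        cls = _class_from_hint(realm) or SOFTWARE_TO_CLASS.get(software, "unknown")
        return Fingerprint(software, version, cls, creds)
    ssh = re.match(r"SSH-2\.0-([A-Za-z]+)[_-]?([\w.]+)?", text)
    if ssh:
        software = ssh.group(1).lower()
        return Fingerprint(software, ssh.group(2), SOFTWARE_TO_CLASS.get(software, "unknown"), creds)
    if re.search(r"login:\s*$", text):  # telnet prompt; greeting may name the device
        return Fingerprint("telnet", None, _class_from_hint(text) or "unknown", creds)
    return Fingerprint(None, None, "unknown", creds)


def summarize(records):
    """Tally device classes and count banners advertising default credentials."""
    classes = Counter()
    weak = 0
    for _ip, port, raw in records:
        fp = fingerprint(port, raw)
        classes[fp.device_class] += 1
        weak += fp.default_creds_advertised
    return classes, weak


if __name__ == "__main__":
    for ip, port, raw in SAMPLE_BANNERS:
        print(ip, port, fingerprint(port, raw))
    print(summarize(SAMPLE_BANNERS))
```

The point of the example is the order of the checks: a protocol-level match (Modbus framing) or an explicit device hint in the realm or greeting outranks the generic software table, which is why the Boa host is classified as a webcam rather than just "embedded web interface", and the telnet greeting is classified both as a router and as one that hands out its default login without anyone needing to try it.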

3C: Any­thing else?

Matherly: Based on the observations with Shodan, we in the security world need to do a better job at helping non-security folks, especially engineers, understand how to produce safe code, think about security and improve their fundamentals before moving onto more complex security issues.
