
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 1, 2014


Shodan exposes the dark underbelly of the Internet by finding online traffic lights, wind turbines, gasoline pumps and even crematoriums

What can you find on the Internet? Is it only what Google can find, or are there corners of the Internet that even Google cannot reach? The reality is that there are millions of devices being connected to the Internet – and most of them have lax security.

Dan Tentler, a security researcher, demonstrated this by using Shodan, a search engine that finds every device connected to the Internet. He found devices like traffic lights, gasoline pumps, boilers, garage doors, wind farms and even crematoriums connected to the Internet. Most of them had negligible security. You can see Dan Tentler’s presentation at the end of this article.

Just like Google finds every bit of content by crawling the web, Shodan finds every device connected to the Internet – even devices that are not supposed to be connected. 

Explaining the origin behind creating Shodan, John Matherly, Founder, Shodan, says, “The initial idea behind Shodan was to provide a service that offered businesses a way to empirically determine what’s on the Internet. There had been services like Netcraft that provided that information for webservers, and I hoped that Shodan could develop into a tool that could do it for FTP, SSH, SMTP and other popular services. Shodan collects the metadata of devices, also called “banners”. Researchers are able to search for devices based on the software, geographic location, operating system and a lot of other smaller aspects of a device. Many researchers use Shodan after they’ve discovered a vulnerability to see how common it is on the Internet.”

John says that the initial release of Shodan included nearly 5 million records. In terms of actual devices, there are around 250 million in the database today, and each of those devices may run multiple pieces of software, which Shodan keeps track of over time. About half a billion entries are added to the database each month, or around 16 million records a day, and it keeps growing.

Started initially as a small project, Shodan’s success has surprised its creator. “I did not anticipate it becoming such a big tool in the security community. I thought a few might use it that way but that it would largely be used for market research. In hindsight, it makes a lot of sense that penetration testers would embrace something like Shodan – especially with the increasing connectivity of devices,” says John.

Debunking myths about Shodan

While security researchers have found several connected devices using Shodan, John says that Shodan cannot be used to find devices the way Google is used to find content.

“Finding such systems on Shodan is non-trivial and very rare. It’s not as simple as typing “power plant” and getting a list of power plants that you can attack. It takes a huge amount of knowledge about the specific industrial control system in order to compromise it. Many of these systems, such as power plants, require intimate knowledge of the hardware and the way it’s deployed. An average computer gets attacked within 15 minutes of being put on the Internet. If the power plants or buildings were that easy to take down, we would hear a lot more about this problem. If a person knows how to compromise a power plant, then they also have enough resources to scan the Internet themselves and find exactly what they’re looking for without using a public service like Shodan. Shodan isn’t anonymous and people that wish to perform illegal activities usually know better than to use the website.”

Today, Shodan is widely used by big businesses, universities and small businesses as a way to determine their public footprint on the Internet. “Did somebody in your company setup a webserver on your network that you didn’t know about? Do you have any devices on the cloud that you weren’t aware of? Everything is becoming connected, whether people want that or not; it’s going to happen. We’ve already started to see an explosion in device connectivity and it will make Shodan immensely more valuable as people will need a way to search through those billions of devices,” exclaims John.
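As an added illustration of the footprint audit John describes (not code from the article or from Shodan itself), the script below takes banner records in the JSON layout Shodan returns for a host's services, compares them with an organisation's own expected inventory and flags anything unlisted; the records, TEST-NET addresses and inventory are constructed, and the product-count helper answers the "how common is it" question from the earlier quote.

```python
import json
from collections import Counter

# Constructed sample of banner records in the JSON layout Shodan returns for
# a host's services (ip_str, port, transport, product, version, hostnames,
# data). Made-up records on TEST-NET addresses, not real scan data.
SAMPLE_BANNERS = json.loads("""
[
 {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx",
  "version": "1.18.0", "hostnames": ["www.example.org"], "data": "HTTP/1.1 200 OK"},
 {"ip_str": "203.0.113.10", "port": 8080, "transport": "tcp", "product": "Apache Tomcat",
  "version": "7.0.42", "hostnames": [], "data": "HTTP/1.1 200 OK"},
 {"ip_str": "203.0.113.11", "port": 22, "transport": "tcp", "product": "OpenSSH",
  "version": "6.2", "hostnames": ["bastion.example.org"], "data": "SSH-2.0-OpenSSH_6.2"},
 {"ip_str": "203.0.113.12", "port": 502, "transport": "tcp", "product": "Modbus",
  "version": null, "hostnames": [], "data": "Modbus/TCP device identification"}
]
""")

# The organisation's own expected inventory (constructed): which ports each
# public address should expose. Anything outside this map is a finding.
EXPECTED_SERVICES = {
    "203.0.113.10": {443},
    "203.0.113.11": {22},
}

def audit_footprint(banners, expected):
    """Compare observed banners with the expected inventory.

    Returns (ip, port, product, reason) tuples: 'unknown_host' for addresses
    missing from the inventory entirely, 'unexpected_service' for a known
    host exposing a port that is not on its list.
    """
    findings = []
    for b in banners:
        ip, port = b["ip_str"], b["port"]
        product = b.get("product") or "unknown"
        if ip not in expected:
            findings.append((ip, port, product, "unknown_host"))
        elif port not in expected[ip]:
            findings.append((ip, port, product, "unexpected_service"))
    return findings

def count_by_product(banners):
    """How many records run each product: the prevalence question a
    researcher asks once a vulnerability in that product is known."""
    return Counter((b.get("product") or "unknown") for b in banners)

if __name__ == "__main__":
    for ip, port, product, reason in audit_footprint(SAMPLE_BANNERS, EXPECTED_SERVICES):
        print(f"{reason:18} {ip}:{port} ({product})")
    print(count_by_product(SAMPLE_BANNERS))
```

In practice the banner list would come from a Shodan query scoped to the organisation's own netblocks, and every finding is a prompt to check who stood the service up and whether it should be reachable at all.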

Create your own Shodan search engine

John is now completely rewriting the Shodan website and adding services to map, analyze and report on the data, giving a deeper insight into the Internet. For example, he recently launched Scanhub, which lets anyone create their own Shodan search engine. He is also rolling out features so that people can not only look at the latest data in Shodan but also use historical data to see trends; a security analyst could, for instance, check whether devices are more secure than they were a year ago. Over the long term, John’s goal is to make Shodan a real-time map of the Internet.

Presentation
