Shodan: The Scariest Search Engine or just a Scapegoat?

The recent DDoS attack on DNS servers hosted by the management firm Dyn have brought back the focus on the challenges of the Internet of Things. This massive DDoS attack was carried out with the help of the IoT devices across the globe that were infected by the Mirai malware. As per reports, only 10% of the total devices infected were involved in this attack. When it comes to the Internet of Things, Shodan automatically comes into the limelight for it is radar that can locate IoT devices connected to the internet.

Shodan is a search engine that is specially designed to find the devices connected to the internet. It is not your typical Google or Bing that will help you with your university assignments. It’s an altogether from a different league and for different purpose. Some researchers have described Shodan as a search engine of service banners. These service banners are nothing but the meta-data that is sent back to the client by the server. This meta-data contains a variety of information including the information about the server software.

Created by John Matherly in the year 2013, Shodan is also termed as the scariest search engine on the Internet. The typical difference between our regular search engines like Google and Shodan lies in the fact that Google crawls the Web looking for websites whereas Shodan navigates the back channels of the internet. Therefore, if something is not found on Google does not mean that cannot be founded over the internet. In fact, Shodan may find it as it scans the dark part of the web. It looks up for the devices like printers, webcams, routers, coffee machines, refrigerators etc. that are connected to the internet. Just a single search on Shodan can help us find hundreds and thousands of devices. Shodansearchers have even found control systems for a water park, a gas station and even command and control systems for nuclear power plants. It is this ability of Shodan to find such systems and put them in front of hackers that makes it a scary search engine.

The problem is further compounded by the fact that most of the home devices connected to the internet still carry their default passwords or no passwords at all. The Mirai malware after identifying these connected devices attempts to access them using default passwords which are usually same for all pieces of the product or may vary from one version to the other. It’s not hard to find these default credentials. They are easily available over the internet. After accessing these devices successfully, the Mirai infects them and converts them into a botnet.

The issue with Shodan is that it exposes the vulnerable devices to the hackers. Once they get to know of it, they could use many techniques to hack them and use them for their purpose. Mirai is just one example. Such an exposure of devices to hackers could potentially jeopardize individual and national security. The command and control system of a nuclear power plant could be hacked by the state or non-state actors to trigger an emergency. A crisis could be sparked out of such act that could have serious consequences potentially threatening the entire world peace. Similarly, an IoT device at home could also be hacked to intrude into someone’s privacy. There are researchers who say hacking of IoT devices could also be used to perform murders and assassinations. Remember when Dick Cheney, the former U.S Vice President got the Wi-Fi functionality of his pace maker disabled?

So, the question is that whether Shodan is a scary engine that should be closed? Well, it is very difficult to answer this question. It is agreed by all that Shodan helps criminals to find vulnerable IoT devices. But why are these devices vulnerable and that too without any regrets? This is because of poor security standards set by the manufacturers. Moreover, consumers also seem to be less bothered about it unless they come to know someone is engaging in gluttony on their share of internet data. Unless, the lacunae are fixed by the manufacturers and consumers start following a good cyber hygiene, blaming only Shodan for such risk is merely an act of making a scape goat out of it.