Thread: Shodan: The scariest search engine on the Internet

  1. #1
    BrianBosworth

    Shodan: The scariest search engine on the Internet

    "When people don't see stuff on Google, they think no one can find it. That's not true."

    That's according to John Matherly, creator of Shodan, the scariest search engine on the Internet.

    Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet's back channels. It's a kind of "dark" Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.
    Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

    It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

    Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

    What's really noteworthy about Shodan's ability to find all of this -- and what makes Shodan so scary -- is that very few of those devices have any kind of security built into them.

    "You can log into just about half of the Internet with a default password," said HD Moore, chief security officer of Rapid7, who operates a private version of a Shodan-like database for his own research purposes. "It's a massive security failure."

    A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all -- all you need is a Web browser to connect to them.

    In a talk given at last year's Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

    He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city's entire traffic control system was connected to the Internet and could be put into "test mode" with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.

    Scary stuff, if it got into the wrong hands.

    "You could really do some serious damage with this," Tentler said, in an understatement.
    Shodan: The scariest search engine on the Internet - Apr. 8, 2013

  3. #2
    Moderator anon
    The article is correct; you'd be amazed to know how many people leave their systems publicly reachable and virtually unsecured like this. Do some research on "Google dorks" and you'll see how serious it is.
    "I just remembered something that happened a long time ago."

  5. #3


    Quote Originally Posted by article
    Shodan, the scariest search engine on the Internet....Scary stuff, if it got into the wrong hands.
    another exaggerated title showing a lack of responsible journalism regarding an issue of marginal seriousness/significance

    Quote Originally Posted by article
    Shodan searchers have found ... have even located ...that could be turned on and off and a hockey rink in Denmark that could be defrosted ... could be put into "test mode" with a single command entry
    seems none of these actually provide total access/control over the internet, but rather only limited functionality for testing purposes, so it's nothing particularly serious, though i agree that they shouldn't have left it accessible with default passwords, not to mention how critical systems shouldn't even be directly connected to the internet via publicly accessible communication channels (which should be obvious)

    however this issue is very likely to be(come) inflated and exploited by various governments & co. in order to push more crippling legislation under the guise of bringing more security online (let's say, 'war on cyberterrorism', sound familiar?)