Culture | May 22nd, 2019
Shodan has been called the “scariest search engine on the internet.” It has the ability to expose and allow access to many devices including servers, computers, phones, fridges, traffic lights, security cameras and even control panels of power and utility systems.
What exactly is Shodan?
Shodan is a search engine, much like Google or Yahoo. The difference between Shodan and other search engines is Shodan provides information regarding devices which are connected to the internet, rather than providing information from Web sites.
Originally created to allow companies to track where their software is being used, Shodan is now more often used to gain access to, or general information about, devices and systems. Shodan can expose vulnerable systems and provide information concerning default passwords, which will allow someone to gain access to the devices and machines.
Why is Shodan so scary?
It’s really not Shodan so much as the number of devices connected to the internet with little or no security. The number of devices using default passwords is shocking, as is the number of devices with “admin” as their username and “1234” for a password. For example, one Shodan user found a hockey rink in Denmark that could be defrosted by a click of a button, as well as a city’s entire traffic control system which could be put into “test mode” using one command entry.
Sometimes surveilling the Internet of Things can allow you to watch the watchers. A civil liberties group used Shodan to find that Internet surveillance equipment made by California-based Blue Coat Systems had been deployed in countries with harsh human rights records, including Syria, which is on a U.S. embargo list. The group used the findings to put public pressure on the company to be more ethical as to whom it sells potentially repressive products.
How can you protect your network and devices from Shodan?
The first way to protect your device from being exposed by Shodan is to determine whether the device really needs to be connected to the public Internet. If this device does not need to be connected to the public Internet, disconnecting the device would take away all risk of Shodan exposing this device. Secondly, always change default passwords. Default passwords for devices are often easily found online, allowing access to your device if you have not changed the password. By simply setting a new password, rather than using the default password, many of the devices exposed on Shodan would be safe. Thirdly, you can use Shodan to track vulnerable or exposed systems or devices on your network and work to close the breaches.
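The first two steps above can be run as a routine check over your own device list. The Python script below is an added example, not part of the original article; the inventory, the list of default logins and the addresses are constructed, and documentation-range addresses stand in for public ones.

```python
import ipaddress

# Address ranges treated as internal (RFC 1918, loopback, link-local); IPv4 only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of factory-default logins; the article names admin/1234.
DEFAULT_LOGINS = {("admin", "1234"), ("admin", "admin"), ("root", "root")}

# Constructed inventory. Documentation-range addresses stand in for public ones.
INVENTORY = [
    {"name": "lobby-camera", "ip": "203.0.113.10", "needs_internet": False,
     "username": "admin", "password": "1234"},
    {"name": "web-server", "ip": "198.51.100.7", "needs_internet": True,
     "username": "webops", "password": "constructed-unique-passphrase"},
    {"name": "hvac-panel", "ip": "10.0.4.20", "needs_internet": False,
     "username": "admin", "password": "admin"},
    {"name": "file-server", "ip": "192.168.1.5", "needs_internet": False,
     "username": "fsadmin", "password": "another-constructed-passphrase"},
]


def is_public(ip_text):
    """True when the address lies outside every internal range above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def audit(inventory):
    """Return {device name: [findings]} for devices that need attention."""
    report = {}
    for dev in inventory:
        findings = []
        public = is_public(dev["ip"])
        default_login = (dev["username"].lower(), dev["password"]) in DEFAULT_LOGINS
        if public and not dev["needs_internet"]:
            findings.append("remove from the public Internet")
        if default_login:
            findings.append("change the default password")
        if public and default_login:
            findings.append("urgent: publicly reachable with a default login")
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(findings)}")
```

A device that is both publicly reachable and still on a default login gets all three findings, which is the combination the article describes as the real danger.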
Is it legal?
Looking at Shodan from a technical standpoint, Shodan is a massive port scanner. Port scanning is not a violation of the Computer Fraud and Abuse Act, because it does not meet the requirement for damage concerning the availability or integrity of the device. Therefore, technically speaking, Shodan is completely legal. In other words, Shodan is only used to expose vulnerable devices and systems, but does not itself do anything with the information found to tamper with devices.
To me, this case is more of an “is it moral or not?” question rather than a “is it legal or not?” question seeing as someone can use it to find information about a network to start an attack. I am sure that all of my readers are moral...
Shodan is a useful search engine which can be used to expose and gain access to vulnerable systems. Organizations put themselves at risk by leaving devices exposed or using default or common passwords. Good security is a continuous process and best practices can minimize the threat of hackers. If you are concerned that your network might be at risk, contact Computer Technologies today.
No, I am not going to tell you how to get to Shodan on the Internet! If you think your network needs it, go find it and apply for an account.