What is Shodan? How it Works A Tour of Shodan What Shodan Finds Similar Searches
Search engine http://www.shodanhq.com/ http://www.shodanhq.com/ Finds anything connected to the internet Named after AI in System Shock 2 (1999) “Sentient Hyper-Optimized Data Access Network “ Developed by John Matherly. Went live in 2009 Currently indexes over 500 million connected devices monthly 10,000 Industrial Control Systems
Web search engines index websites Shodan indexes metadata and banners Port 21/TCP (FTP) Port 22/TCP(SSH) Port 23/TCP(Telnet) Port 80/TCP(HTTP) “Tell me what you can tell me about yourself.”
Publicly available data “public” in that it is unprotected “Once that data is made public…it’s unclear whether it’s still protected by data security laws.” – John Matherly
Shodan API Integrate Shodan into your own software Scanhub Make your own search engine built off nmap scans Add Shodan to browser search engines Note: Scans through Shodan are not real-time. They are produced from a crawler database.
144 million web servers on Shodan Microsoft’s IIS runs 8.5 million web servers Allegro Software’s RomPager: 22 million servers OEM embedded web server Routers, switches, printers, etc.
Cameras Webcams Security cameras Home security systems Printers Refrigerators Caterpillar tractor control panels Medical Devices Car Washes Hospital fetal monitoring Critical infrastructure (water, sewage, dams, Automobile assembly lines High School lighting systems HVAC Power Dam Baby Monitors Traffic Control Systems
Baby Monitors August 2013 Baby monitor hacked Marc Gilbert heard voices from 2-yr old’s room Verbal abuse from networked baby monitor Foscam video/two-way audio cam “admin” username default New user account had been added. “Root” Likely Shodan used to discover monitor
Not all systems found are legitimate Demos Honeypots
Trend Micro created web-based simulation of an industrial control system (ICS) Water pump facility Water pump supervisory control SCADA network Purpose: to measure attacks on real-world systems Targeted 17 times in 4 months 12 to shut down water pump 5 to modify pump process Attacks came via Google and Shodan
Security researcher Eireann Leverett developing a tool to match ICSs found on Shodan to known vulnerabilities (2011) Intent to “allow defenders to assess their attack surface and prioritise the required interventions in a timely manner” Can also be used for auditing Research funded by BP
VxWorks Platform developed by WindRiver Systems (Intel) WDB agent – system level debugger UDP Port 17185 (2010) Rapid7 developer wrote a scanner for Metasploit to scan for WDB Surveyed over 3.1 billion IP addresses Discovered 250,000+ systems with WDB agent exposed Discovered massive scan in 2006 by unknown party
Universal Plug and Play (UPnP) UPnP Simple Object Access Protocol (SOAP) 2013 Rapid7 white paper “UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012. “ 81 million unique IPs responded 20% SOAP API Vulnerable to a single UDP packet for remote code execution
Internet Census 2012 (by “Carna Botnet”) Started as a joke: telnet login root:root on random IPs Binary uploaded to insecure devices Watchdog w/ lowest priority Scanned port 23 (Telnet) on IPv4 Stopped after a few days. Included a README Binary ran on 420,000 devices 20% of unprotected devices found 1.2 million unique unprotected devices identified by MAC Most common unprotected device is router
Internet Census 2012 Ignored: IPv6 Devices without ifconfig Devices without a shell 100k MIPS 4kce (embedded systems/game consoles) Encountered Aidra botnet (malicious)
Standard security practices Restrict public facing servers and devices Use VPN or IP filters for external access (e.g., employee working from home wants to use company printer) Always change password defaults Suppress/minimize verbose banners Test Shodan on your own devices May not find you if you’re not already indexed (esecurityplanet.com)
Shodan is the first search engine of its kind. It’s possible and likely that other search engines could be more powerful. How long before society becomes aware of what makes something findable? Need to rewire how people think about connected devices.