The world’s scariest search engine: Shodan
“When people don’t see stuff on Google, they think no one can find it. That’s not true.” That’s according to John Matherly, creator of Shodan. While Google crawls through web pages, Shodan is a search engine that scans the internet for servers, webcams, printers and other internet-connected devices that make up the Internet of Things (IoT). Shodan collects information on around 500 million such devices every single month.
The scary side of the “WWW”
It is surprising what people have found on Shodan – from traffic lights, security cameras, home automation devices and heating systems to control systems for a water park, a gas station and even command and control systems for nuclear power plants. While its abilities might awe you right now, it also shows how little security is enabled on such devices. A quick search for the term “default password” will direct you to printers, servers and other devices that use “admin” as their username and “1234” as their password. Imagine finding and accessing your own machine in one such search to realize the seriousness of the problem.
The question that comes to mind is: why are these devices so vulnerable? A large number of these devices should not even be on the internet. When companies design products, such as a heating system that can be controlled from your laptop, instead of connecting them directly they host the device on a web server – thereby unknowingly giving everyone with access to the internet an opportunity to access it. Convenience comes first; security is usually an afterthought. The rapid rise of the IoT market has caused companies to increase production of such devices while security has not managed to catch up.
Shodan searches for devices using the Real Time Streaming Protocol (RTSP, port 554) while crawling the internet, and it captures devices that have no security in place or still use the default usernames and passwords. Fortunately for us, Shodan only captures a snapshot instead of broadcasting a live feed of data. What that means for you and me is that we need to begin taking our security seriously – even with devices we usually ignore.
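The exposure Shodan records on port 554 comes down to one question: does the device serve its stream description to an unauthenticated RTSP DESCRIBE request? The following self-audit script is an added example, not code from the original article or from Shodan; the host names, the request path and the sample replies are constructed, and `probe_rtsp` is meant to be pointed only at cameras you own.

```python
"""Self-audit: does a camera on RTSP/554 answer DESCRIBE without credentials?"""
import socket

RTSP_PORT = 554  # the port the article says Shodan crawls


def build_describe(host: str, port: int = RTSP_PORT, path: str = "/") -> bytes:
    """Build an unauthenticated RTSP DESCRIBE request (RFC 2326 framing)."""
    url = f"rtsp://{host}:{port}{path}"
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        "CSeq: 1\r\n"
        "Accept: application/sdp\r\n"
        "\r\n"
    ).encode()


def classify_rtsp_response(raw: bytes) -> str:
    """Map the status line of an RTSP reply to an exposure verdict."""
    try:
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
        version, code, _ = status_line.split(" ", 2)
    except ValueError:
        return "not-rtsp"            # empty, truncated or non-RTSP banner
    if not version.startswith("RTSP/"):
        return "not-rtsp"
    if code == "200":
        return "open"                # stream description served with no credentials
    if code == "401":
        return "auth-required"       # device demands credentials: this is what you want
    return f"other-{code}"


def probe_rtsp(host: str, port: int = RTSP_PORT, timeout: float = 3.0) -> str:
    """Connect to one device you own and classify its reply (network required)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_describe(host, port))
            return classify_rtsp_response(sock.recv(4096))
    except OSError as exc:
        return f"unreachable ({exc.__class__.__name__})"


# Constructed sample replies (not captured from any real device).
OPEN_REPLY = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
LOCKED_REPLY = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                b'WWW-Authenticate: Digest realm="cam", nonce="abc"\r\n\r\n')

if __name__ == "__main__":
    for name, reply in (("open", OPEN_REPLY), ("locked", LOCKED_REPLY)):
        print(name, "->", classify_rtsp_response(reply))
```

A verdict of "open" on your own camera means anyone who reaches port 554 gets the same answer Shodan did; "auth-required" means the device at least insists on credentials, which still need to be changed from the vendor defaults.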
Money usually lies at the root of such security vulnerabilities. Consumers will often choose the cheaper option that serves their purpose rather than the more expensive and secure models. Also, as we’ve mentioned, most users simply fail to change the default passwords. Even such a simple step will keep the device out of Shodan’s reach.
On the business side, there is no authority that sets rules and regulations for IoT devices. Companies and vendors will often take advantage of this, ignoring the best and safest practices, which in turn leads to a lower price tag and higher profits. It is possible that in the future the US Federal Trade Commission (FTC) might step in and define regulations, but until then, we need to start taking our security seriously.