Tuesday, April 9th. By Reema Verma
I’m sure it comes as a surprise to no one that Google is a great place to find some questionable items online, whether it’s malware, exploits, someone belly-flopping into a pool of ice – whatever. However, for all that Google offers, there are many things that the company doesn’t track and publish online. For those things, you need to go to Shodan, a newish search engine designed for hackers and experimenters.
It began as a hobby for a teenage computer programmer named John Matherly, who wondered how much he could learn about devices linked to the Internet. After tinkering with code for nearly a decade, Matherly eventually developed a way to map and capture the specifications of everything from desktop computers to network printers to Web servers. He called his fledgling search engine Shodan, and in late 2009 he began asking friends to try it out. He had no inkling it was about to alter the balance of security in cyberspace.
CNN Money calls Shodan “the scariest search engine on the Internet.” “When people don’t see stuff on Google, they think no one can find it. That’s not true,” says John Matherly, creator of Shodan.
Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.
It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
What’s really noteworthy about Shodan’s ability to find all of this, and what makes Shodan so scary, is that very few of those devices have any kind of security built into them. And as we move closer to a world where everything from our refrigerators to our pacemakers is connected to the Internet in one way or another, these problems will only multiply: an “Internet of things” whose devices lack built-in security could potentially put everyone at risk.
The issue is that these vulnerabilities exist in the first place, not that Shodan can uncover them, as previous coverage of Shodan by David Maas in San Francisco City Beat notes: “The fact that somebody is basically shining a flashlight into a dark room shouldn’t be the part people are afraid of,” says Dan Tentler, a San Diego-based information-security consultant.
“The part people should be afraid of is the fact that some genius decided to take, for example, a five-megawatt hydroelectric plant in France, put its control computer on the Internet and allowed everybody that knew about the IP address to connect to it and make changes to this dam, with no encryption or authentication to speak of.”
As with almost all technological developments, Shodan is neutral. In fact, the bad guys have a vested interest in keeping these types of vulnerabilities quiet so their exploitation will go unnoticed. With Shodan, security experts have a simpler way of identifying which networks are at risk and potentially taking them offline or improving their security, thus bettering the entire system. And “security experts” does mean hackers: while the word has taken on a lot of negative connotations in the media, hacking is a neutral process of discovering vulnerabilities. Just as it’s questionable to call Shodan scary because the things it uncovers are unsettling, decrying the process of hacking and all the people who do it because they reveal problems with systems is equally objectionable.