Shodan: The eeriest search engine on the web
Do you use a surveillance camera, fitness tracker, or smart lighting? Are your smoke detectors connected to the internet to send status notifications, as modern security systems do? Today, an estimated 50 billion devices are online to allow for information sharing as well as easy monitoring and control. Doesn't this entail a major security risk? Shodan, the most controversial search engine on the planet, will tell you.
Shodan was created in 2009 by John Matherly and named after the artificial intelligence in the game "System Shock". Originally devised as a search engine for IoT (Internet of Things) devices, it quickly became apparent that its results are as significant as they are dangerous. For clarification: the Internet of Things refers to a system of interrelated computing devices – from the ones mentioned above to industrial assembly lines, traffic light controllers, and many other everyday appliances – that can transfer real-time data over a network, usually the internet, without human interaction. These devices are assigned IP addresses just like your cellphone or PC. In many cases, network activity is monitored by humans, but household appliances in particular, like smoke detectors, communicate unsupervised and only notify their owners sporadically via status messages or in the event of a problem.
This approach has many advantages. It improves response times in an emergency, helps to identify bottlenecks early, and allows businesses to instantly send out repair teams when necessary. It is also essential to home automation. But there's a flipside: no software is perfect, and neither are its users! Take, for example, the small computer in a smart fridge. It usually runs on a compact operating system like FreeRTOS, mbed OS, or Zephyr, which offers a reduced feature set in the interest of stability, controllability, and network connectivity. Protection against online attacks often isn't a priority during development. And that's where Shodan comes in!
Weak software or weak admin?
In simple terms: Shodan constantly scans the internet by sending queries to a whole range of IP addresses and ports (think of them as doors left open by the operating system to enable network communication). IoT devices routinely respond to these queries by sending service banners (think of them as calling cards) that expose information such as device type, operating system, open ports, available services, and other configuration details. At worst, the data even includes user names and passwords. Shodan then stores the information in a large database and makes it available to users through its search interface. Here's where the controversy begins!
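To make concrete what a service banner gives away, here is an added example (not code from the original post or from Shodan) that audits banner records of the kind a crawl stores: a small Python script that, for each (ip, port, banner) record of your own hosts, flags cleartext login services, disclosed software versions, HTTP Basic auth offered without TLS, and industrial protocols reachable from the internet. The sample records and the port tables are constructed for this example; addresses come from the 203.0.113.0/24 documentation range.

```python
import re

# Constructed banner records (ip, port, banner) in the shape a crawl like
# Shodan's stores. All values are made up for this example.
SAMPLE_RECORDS = [
    ("203.0.113.10", 23, "\r\nLogin: "),
    ("203.0.113.11", 80, "HTTP/1.1 401 Unauthorized\r\nServer: lighttpd/1.4.35\r\n"
                        "WWW-Authenticate: Basic realm=\"IPCam\"\r\n"),
    ("203.0.113.12", 21, "220 ProFTPD 1.3.3 Server ready\r\n"),
    ("203.0.113.13", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
    ("203.0.113.14", 502, ""),   # Modbus answers without a text banner
]

# Services whose logins travel unencrypted, and common industrial-control ports.
CLEARTEXT_LOGIN_PORTS = {21: "FTP", 23: "Telnet"}
ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7", 44818: "EtherNet/IP"}
# "product/1.2.3" or "product 1.2.3"; the HTTP status line itself is skipped.
VERSION_RE = re.compile(r"\b(?!HTTP\b)([A-Za-z][\w-]*)[ /](\d+\.\d[\w.]*)")

def assess(ip, port, banner):
    """Return a list of exposure findings for one banner record."""
    findings = []
    if port in CLEARTEXT_LOGIN_PORTS:
        findings.append(f"{CLEARTEXT_LOGIN_PORTS[port]} login reachable in cleartext")
    if port in ICS_PORTS:
        findings.append(f"{ICS_PORTS[port]} industrial protocol reachable from the internet")
    m = VERSION_RE.search(banner)
    if m:
        findings.append(f"version disclosed: {m.group(1)} {m.group(2)}")
    if port != 443 and "WWW-Authenticate: Basic" in banner:
        findings.append("HTTP Basic auth offered without TLS")
    return findings

def audit(records):
    """Map each ip:port to its findings, dropping hosts with nothing to report."""
    report = {}
    for ip, port, banner in records:
        found = assess(ip, port, banner)
        if found:
            report[f"{ip}:{port}"] = found
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_RECORDS).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Run against banners collected from your own address space, the report shows which of the details discussed above (software version, login method, exposed protocol) any crawler would see as well.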
That's because the search index frequently turns into a list of shame, full of devices running outdated software or using weak security settings – basically an invitation to hackers. And though the thought of having your own security camera hacked is unsettling enough, the knowledge that sensitive details on water processing plants, power grids, and power plants are also present is downright alarming. This data is accessible to anyone who completes the free registration. Paid subscribers, or users of special tools like SHODAN Diggity, get access to even more delicate, and filterable, information. Webcams, printers, routers, security cams, network switches, even industrial plant control systems: Shodan has all the details, including locations. And users can apply filters to swiftly target individual cities, device types, easily hackable OSes, even appliances that use default passwords. Accessing a vulnerable system then usually requires little more than a web browser.
Even unauthorized access to traffic control systems is possible!
So where do the many vulnerabilities in IoT devices stem from? There are basically three problem areas. Naturally, operating systems play a major role here, and they are often hastily and cheaply adapted to a product's hardware and then never touched again after release. Considering how many security updates your PC or cellphone receives throughout the year, this alone is a disaster waiting to happen! Once discovered, security vulnerabilities will remain exploitable until the underlying IoT devices stop working. Some devices don't even include the ability to update their software to begin with – and some companies simply don't care or have long gone out of business. Then there's the issue of user convenience. Many users fail to replace the default username and password, or use the common "Admin" and "1234" as credentials. You wouldn't believe how many critical systems are "protected" this way. The third problem is age, as in aged systems (like assembly lines, traffic control, hospital infrastructure) that predate the internet and were never meant to go online in the first place. When they finally were hooked up to the web, it was mostly the result of jury-rigging and cheap and/or shoddy labor. You will find the unvarnished truth on Shodan!
I find the endless debate on whether to ban Shodan reminiscent of the old "don't kill the messenger" trope. After all, Shodan doesn't actively engage in hacking but only publishes facts, however inconvenient they may be. Yes, online criminals can access and abuse this information, but they've had ample tools (port scanners, botnets) to obtain this data for the longest time anyway. Shodan seeks to raise awareness of the vulnerability of the Internet of Things. If all it takes is a few clicks to access the security camera of a hospital room, or the control system of a water works, then we, as a society, have a problem that needs fixing! It goes without saying that using Shodan for information purposes alone is perfectly legal, while using the data to attack devices is not. And there are signs that network administrators are taking notice, if not always self-initiated, as evidenced by forum posts outlining the shock of receiving alarming messages not just from superiors but also from complete strangers...
What I would like to know: What do you think about a search engine like Shodan? Should its data be readily available in the interest of public safety or kept under wraps?