Shodan - the worst Internet search engine

“If people can't find something on Google, they think no one can find it.” This is not the case, ”says John Matherly, the creator of Shodan, the scariest Internet search engine.

Unlike Google, which searches simple web sites, Shodan works with the shadow channels of the Internet. This is a kind of “black” Google, allowing you to search for servers, webcams, printers, routers, and the very different equipment that is connected to the Internet and is part of it.
')
Shodan works 24 hours a day, 7 days a week, collecting information on 500 million connected devices and services every month.

It’s just incredible what you can find in Shodan with a simple query. Countless traffic lights, security cameras , home automation systems, heating systems are all connected to the Internet and easily detected.

Users Shodan found a water park , gas station, wine cooler control systems in the hotel and the crematorium. Experts in cybersecurity using Shodan even discovered the command and control systems of nuclear power plants and the atomic particle accelerator .

And particularly noteworthy in Shodan, with its frightening possibilities, is the fact that very few of the systems mentioned have at least some kind of security system.

“This is a huge security fiasco,” says H. Moore, director of security at Rapid 7. This company has a private database like Shodan for its own research tasks.

If you make a simple search for the query "default password", you can find an infinite number of printers, servers and management systems with the username "admin" and the password "1234". Even more connected systems do not have access details at all - you can connect to them using any browser.

Independent penetration specialist Dan Tentler last year at a conference on cyber security Defcon demonstrated how he, with the help of Shodan, found control systems for evaporative coolers, pressure water heaters and garage doors.

He found a car wash that can be turned on and off, and an ice arena in Denmark that can be thawed at the touch of a button. In one city, the entire road network management system was connected to the Internet, and with just one command it could be put into “test mode”. And in France, he found a hydropower control system with two turbines, each of which generates 3 megawatts.

Dreadful things if they fall into the wrong hands.

“This can cause serious harm,” said Tentler, and he also put it mildly.

So why are all these devices connected to the network and almost not protected? In some cases, such as iPhone-controlled door locks, it is considered to be very difficult to find. And then they think about safety as a residual.

A more serious problem is that many such devices should not be online at all. Firms often buy devices that allow you to control, say, a heating system using a computer. How to connect a computer to the heating system? Instead of connecting directly to many IT departments, they simply connect the one and the other to the web server, thereby unknowingly opening them to the whole world.

“Of course, there’s simply no security on such things,” Matherly says. “But first of all, they have no place on the Internet.”

But the good thing is that Shodan is almost completely used for good purposes.

Matherly himself, who three years ago created Shodan just for fun, limited the number of requests to 10 without an account and 50 with an account. If you want to use more Shodan features, Matherly will ask you for more information about your goals - and payment.

Penetration testers, security experts, scientific researchers and law enforcement are the main users of Shodan. Matherly agrees that the Shodan can take as a starting point and the bad guys. But he adds that cybercriminals usually have access to botnets - large collections of infected computers that can do the same, but covertly.

Today, most cyber attacks are focused on stealing money and intellectual property. Bad guys have not yet tried to harm someone by blowing up a building or turning off traffic lights.

Security experts hope to prevent such scenarios by identifying these unprotected connected devices and services with Shodan and warning their owners about vulnerabilities. Meanwhile, a lot of things on the Internet without any security just sit and wait for the attack.