Not many people have heard of SHODAN (Sentient Hyper-Optimized Data Access Network), a search engine created by computer programmer John Matherly in 2009. It is known as the scariest search engine on the internet, and its name, Shodan, comes from a character in the 1990s game System Shock. While Google can be seen as a white hat assistant, one that provides answers and usually filters out the muddy stuff, Shodan has a way of finding sensitive and vulnerable information, pretty much like anything else found in the deep web.
Shodan – There is no place to hide
Shodan can search all internet-connected devices including traffic lights, home automated devices, personal webcams, printers and routers.
So, how does it actually work? While a regular search engine like Bing, Yahoo or Google crawls websites and indexes their content, Shodan does its job another way. It scans device ports, takes the messages that come back, known as "banners", and indexes all of that data. Shodan tries to find all internet-connected devices, so, aside from the usual suite of printers and routers (which we also believe to be sensitive info), Shodan is able to find even more: traffic lights, home automated devices, personal webcams, control systems and so forth. Practically everything connected to the internet.
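A small sketch of the banner indexing described above, seen from the defender's side: it indexes banners collected from your own hosts and flags what each one gives away to anyone who searches them. This is an added example, not Shodan's code; the addresses, banner strings and the three audit rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the article): banners recorded from hosts
# in your own inventory. Addresses are TEST-NET-1; product names are made up.
BANNERS = [
    ("192.0.2.10", 21, "220 ExampleFTPd 1.2.3 ready"),
    ("192.0.2.11", 80, "HTTP/1.1 200 OK\r\nServer: ExampleCam-httpd/2.0\r\n"),
    ("192.0.2.12", 80, "HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\n"
                       'WWW-Authenticate: Basic realm="router"\r\n'),
    ("192.0.2.13", 23, "Welcome to ExamplePLC console\r\nlogin: "),
]

# "name/1.2" or "name 1.2.3"; the lookahead skips the HTTP protocol version.
VERSION_RE = re.compile(r"\b(?!HTTP/)[A-Za-z][\w-]*[/ ]\d+(?:\.\d+)+")

def build_index(banners):
    """Map each lowercase banner token to the (ip, port) pairs that sent it."""
    index = defaultdict(set)
    for ip, port, text in banners:
        for token in re.findall(r"[a-z0-9][a-z0-9.-]*", text.lower()):
            index[token].add((ip, port))
    return index

def search(index, *terms):
    """Return services whose banner contains every search term."""
    hits = [index.get(term.lower(), set()) for term in terms]
    return sorted(set.intersection(*hits)) if hits else []

def audit(banners):
    """Flag what each banner tells anyone who indexes it (illustrative rules)."""
    findings = {}
    for ip, port, text in banners:
        notes = []
        match = VERSION_RE.search(text)
        if match:
            notes.append(f"discloses product/version: {match.group(0)}")
        if text.startswith("HTTP/") and " 200 " in text.split("\r\n")[0] + " ":
            notes.append("answers without an authentication challenge")
        if port == 23:
            notes.append("cleartext Telnet login reachable")
        if notes:
            findings[(ip, port)] = notes
    return findings

if __name__ == "__main__":
    print(search(build_index(BANNERS), "server"))
    for service, notes in audit(BANNERS).items():
        print(service, notes)
```

Trimming version strings from banners and putting an authentication challenge in front of device interfaces removes exactly the details such an index makes searchable.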
Unfortunately, the biggest problem with these devices is that they hardly come with any security measures, and with the right means they can be controlled remotely by hackers. A person experienced enough can easily take control and make a lot of mess, mostly because many of these devices were not meant to be connected to the internet (this includes garage doors, TVs, heating systems and others).
In an attempt to meet everyone's needs and to offer something extra, such as intelligent applications, product makers created this bond between the internet and devices. Unfortunately, they thought that nobody could find them on the internet, so they didn't add proper security measures. For example, have a look at this website, Cryptogasm, which indexes and presents web-connected (and mostly private) webcams. The developer says he used search engines like Google & Shodan to find such insecure webcams. Thankfully, this is curated.
Already on a roll
Dan Tentler, an independent penetration tester, has conducted some research and was able to connect to the control system of a hydroelectric plant in France with the help of Shodan. Imagine how much harm he could have done with maybe one touch of a button.
Like any security tool, it can be used both ways: either to do good or bad. In public, it is mostly used for good by penetration testers, researchers and security professionals to discover vulnerable systems that can be compromised by hackers.
The service offers 10 search results for free; for more features you will have to create a paid account. In 2012 an iOS application was also launched, from which one could do an operational and penetration test, but it was eventually removed by Apple.
Shodan is a very powerful service that can be used in many ways; it all depends on who is using it. The good thing is that it's mostly used for good, by penetration testers, security professionals, academic researchers and law enforcement agencies.
Edit: Removed a sentence where Dan Tentler was misquoted.