SHODAN – Lurking In the Shadows of the Internet
Everybody knows Google: a constantly-updated and intuitively searchable database of all the content on the Internet. But not everyone knows SHODAN: a constantly-updated and intuitively searchable database of everything that’s connected to the Internet. Yes, everything – not just web servers, but also the facilities that control a nation’s power, as well as your own wireless router, printer, and webcam.
“I will have your secrets.” – SHODAN, System Shock
If the name SHODAN rings a bell, you may be thinking of the unhinged Sentient Hyper-Optimized Data Access Network from the System Shock franchise of PC games. The real-life SHODAN is unlikely to achieve malevolent self-awareness, but there’s a similarity between the two networks; they both operate on a planetary scale, and they’re both capable of exposing locations and vulnerabilities for a staggering range of computer systems.
System Shock was lauded as ‘visionary’ by hardcore gamers and critics but largely ignored by mainstream and casual gamers. Likewise, the real-life SHODAN is a visionary security tool which could escape the attention of “casual users” – basically you, me, and pretty much everybody.
“The Scariest Search Engine on the Internet.” – CNN Money
SHODAN’s potential is certainly scary. Ironically, this is partly because the structure and interface are so intuitive and streamlined. If you can perform a Google search, you can use SHODAN to find the location of any IP address. You can find out exactly what software the server uses. You can find out the default passwords. Then just click the link to the IP, log in, and take control…
This would be scary enough if we were only talking about web servers with personal and financial data. However, SHODAN shows just how many sensitive and crucial devices are currently connected to the Internet. Things like traffic lights, closed-circuit cameras, garage doors, and security systems – not to mention hydroelectric dams, experimental particle accelerators, and nuclear plant control systems.
How is this Possible?
Fundamentally, SHODAN is a “port scanner” or “banner index.” Every connected device sends out some basic info, whether it’s the MAC address* of a router or the identifying characteristics of a server. This metadata is always present, but usually hidden – just like the metadata that Google uses to index web pages. It’s not much different from the header data revealed when a WordPress plug-in lists webpage visits.
For decades, IT professionals and hackers have been familiar with software tools that can extract this kind of server metadata in order to look at specific servers and connections. SHODAN, however, indexes the information and presents it in an intuitive search-engine format.
*The Media Access Control, or MAC, address is the built-in address for a particular piece of hardware.
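The banner indexing described above, as an added example that is not part of the original article: a small Python parser that classifies raw service banners of the kind a banner index collects (HTTP, SSH and FTP), pulls out product and version, and notes what an indexer learns about a host without ever logging in. The sample banners and addresses are constructed for this example (documentation-range placeholders, not real hosts); the field names and triage notes are this example’s own.

```python
"""Classify service banners of the kind a banner index such as SHODAN collects.

Added example, not code from the original article. The sample banners below
are constructed; run the same logic over banners of hosts you own to see what
an indexer learns about them before anyone logs in.
"""
import re

# Constructed sample banners, keyed by "address:port" (documentation-range
# addresses, not real hosts). Each value is the raw text a banner grab
# returns: the first line plus any header lines.
SAMPLE_BANNERS = {
    "198.51.100.10:80": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "Server: Boa/0.94.14rc21\r\n"
        'WWW-Authenticate: Basic realm="camera"\r\n'
        "\r\n"
    ),
    "198.51.100.11:22": "SSH-2.0-OpenSSH_5.3\r\n",
    "198.51.100.12:21": "220 (vsFTPd 2.3.4)\r\n",
    "198.51.100.13:80": (
        "HTTP/1.1 200 OK\r\n"
        "Server: lighttpd/1.4.28\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}


def _http_headers(lines):
    """Turn 'Name: value' header lines into a lower-cased dict."""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_banner(raw):
    """Return service, product, version and authentication posture for one banner."""
    info = {"service": "unknown", "product": None, "version": None, "auth": "unknown"}
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    if not lines:
        return info
    first = lines[0]

    if first.startswith("HTTP/"):
        info["service"] = "http"
        parts = first.split()
        status = parts[1] if len(parts) > 1 else ""
        headers = _http_headers(lines)
        server = headers.get("server")
        if server:
            # "Server: Boa/0.94.14rc21" -> product "Boa", version "0.94.14rc21"
            product, _, version = server.partition("/")
            info["product"] = product.strip() or None
            info["version"] = version.split()[0] if version.strip() else None
        if status == "401" and headers.get("www-authenticate", "").lower().startswith("basic"):
            info["auth"] = "basic"      # device prompts for a username/password
        elif status.startswith("2"):
            info["auth"] = "none"       # content served with no login at all
    elif first.startswith("SSH-"):
        info["service"] = "ssh"
        # "SSH-2.0-OpenSSH_5.3" -> product "OpenSSH", version "5.3"
        m = re.match(r"SSH-[\d.]+-([A-Za-z]+)(?:[_/]([\w.]+))?", first)
        if m:
            info["product"], info["version"] = m.group(1), m.group(2)
    elif first.startswith("220"):
        info["service"] = "ftp"
        # "220 (vsFTPd 2.3.4)" -> product "vsFTPd", version "2.3.4"
        m = re.search(r"([A-Za-z][\w-]*)\s+v?(\d[\w.]*)", first[3:])
        if m:
            info["product"], info["version"] = m.group(1), m.group(2)
    return info


def triage(banners):
    """List what each banner gives away, as (endpoint, service, notes) tuples."""
    findings = []
    for endpoint, raw in banners.items():
        info = parse_banner(raw)
        notes = []
        if info["version"]:
            notes.append("discloses product version")
        if info["auth"] == "basic":
            notes.append("prompts for HTTP Basic authentication")
        if info["auth"] == "none":
            notes.append("serves content without authentication")
        if info["service"] == "ftp":
            notes.append("cleartext protocol")
        findings.append((endpoint, info["service"], notes))
    return findings


if __name__ == "__main__":
    for endpoint, service, notes in triage(SAMPLE_BANNERS):
        print(f"{endpoint} [{service}]: {'; '.join(notes) or 'nothing notable'}")
```

Everything the parser reports comes from the first few bytes a service volunteers on connection, which is exactly why a banner index can build a searchable picture of a device without any interaction beyond the initial connection.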
The Devil in the Details
Searches such as “login” or “default password” will uncover countless devices that are simply waiting to be violated. This doesn’t simply mean you can log right into these addresses; the default login and password may have been changed. But even in these security-conscious times, the sad truth is that many users and even lazy IT pros leave factory settings intact. And there are a surprising number of systems – even crucial enterprise and infrastructure networks – that don’t require login and password credentials at all.
A simple visit to the SHODAN website allows 10 results from any search terms, while signed-in users get 50 results. For more than that, you’ll need to provide payment and personal information – and that’s one reassuring element. No serious black-hat hacker would provide a traceable name and bank account.
Not motivated enough to do a simple keyword search? That’s OK, SHODAN has a convenient “Browse” link to the most popular searches. Topping the list will be “Webcam,” “Netcam,” and “Cams,” all of which link you directly to someone’s webcam server. Armed with the right combination of someone else’s IT laziness and SHODAN’s banner retrieval resourcefulness, you use the default password to hack into homes, businesses, and traffic control systems all over the world.
Half of the hacker’s job is finding a loophole in the system. With a simple click on the “Exploits” tab of SHODAN’s main menu, you can do a keyword search of various exploit databases – an ever-growing collection of specific vulnerabilities in software and systems. You could probably find these loopholes through Google, if you knew exactly what to look for, but SHODAN aggregates and lets you browse the databases – in addition to giving you the IP addresses and default passwords of any connected device on the planet.
So Why Shouldn’t You Be Scared?
The term “hacker” may have negative connotations, but the truth is that hackers are essential in exposing security risks. You and I owe our personal and financial privacy (what there is of it) to white-hat hackers who keep us safe in advance or, at worst, figure out how the less scrupulous types are getting into our systems. SHODAN doesn’t actually put anyone at risk – bad security practices put people and businesses at risk. In the right hands, SHODAN alerts these groups to those risks.
Harnessing the Power of Shodan
Use SHODAN to find the IP addresses of your home or business devices, and then take whatever steps you need to make that info useless to hackers. You can easily stymie SHODAN by putting your Internet connection behind a simple IP filter or VPN*. All the devices that connect to a network can be put on a Local Area Network, behind that filter. Your webcams, printers, refrigerators and garage door openers don’t really need direct Internet access, nor do particle accelerators or nuclear power plants. A sensible IT pro should already know this (and now you do too).
Lastly, if you haven’t already changed your default login and password to something other than “admin” and “password,” do it now! SHODAN users have your secrets.
*A Virtual Private Network, or VPN, can extend a private network across a public network.
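The two fixes above (keep devices that don’t need direct Internet access on the LAN behind the filter, and replace the factory login) as an added self-audit example that is not from the original article: it checks a constructed device inventory against a LAN policy and against the factory credential pairs the text names. The inventory, its field names, the network ranges and the addresses (documentation-range placeholders) are assumptions made for this example.

```python
"""Self-audit a device inventory against two fixes: devices without a public
role belong on the LAN behind the filter, and factory logins must be replaced.

Added example, not code from the original article. Inventory, field names and
addresses are constructed for illustration.
"""
import ipaddress

# RFC 1918 ranges that sit behind the LAN filter in this example policy.
LAN_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Factory username/password pairs to refuse. "admin"/"password" are the ones
# the article names; the others are the same idea with an empty or repeated value.
FACTORY_CREDENTIALS = {("admin", "password"), ("admin", "admin"), ("admin", "")}

# Constructed inventory. public_role marks devices that are meant to be reachable
# from the Internet (a company website); everything else should be LAN-only.
INVENTORY = [
    {"name": "front-door-camera", "address": "198.51.100.20", "public_role": False,
     "admin_user": "admin", "admin_password": "password"},
    {"name": "office-printer", "address": "192.168.1.30", "public_role": False,
     "admin_user": "admin", "admin_password": "Xq7!printer-2024"},
    {"name": "company-website", "address": "198.51.100.5", "public_role": True,
     "admin_user": "ops", "admin_password": "long-random-passphrase"},
    {"name": "garage-door", "address": "10.0.0.15", "public_role": False,
     "admin_user": "admin", "admin_password": "admin"},
]


def behind_lan_filter(address):
    """True if the address falls inside one of the LAN ranges behind the filter."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in LAN_NETWORKS)


def audit_device(device):
    """Return the list of problems found for one inventory record."""
    findings = []
    if not device["public_role"] and not behind_lan_filter(device["address"]):
        findings.append("reachable from the Internet without a public role")
    if (device["admin_user"], device["admin_password"]) in FACTORY_CREDENTIALS:
        findings.append("factory credentials still set")
    return findings


def audit(inventory):
    """Map each device name to its findings (empty list means it passed)."""
    return {device["name"]: audit_device(device) for device in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```

A device that fails the first check is one a banner index can reach and catalogue; a device that fails the second is one where that catalogue entry is all an intruder needs. The audit only compares against your own inventory and policy; it does not touch the network.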
John Dilley continually offers unique insights and a fresh point of view. He writes for several websites including CableTV.com and HighSpeedInternet.com. Along with writing, John has a passion for music. He is the lead vocalist and secondary guitarist for The Family Gallows in Salt Lake City. John also shares his personal ideas and philosophies through stories he publishes on his blog, JDilley’s Questions.