Marc Gilbert received a terrifying present on his 34th birthday. Following his celebration, he heard an unfamiliar voice yelling at his sleeping two year-old daughter to “Wake up, you little slut!”
“It felt like somebody broke into our house,” feared Marc, who later found the voice coming out of his daughter’s internet-connected baby monitor. “[I] couldn't see the guy. All you could do was hear his voice and he was controlling the camera [...] it's quite possible that this had been going on more than one day.”
He threw away the monitor, which he once thought parents “couldn’t live without.”
While the attack was little more than a terrifying prank, it’s rather concerning how the hacker found his way into the vulnerable device. The attacker probably didn’t invest on expensive exploit toolkits available in the cybercrime underground black market. Instead, he spent a few casual minutes searching for IP connected hidden cameras running on default security configurations using a tool like Shodan.
Behind Shodan, there’s an apparent voodoo making it “the scariest search engine on the Internet.”
Rewind a few centuries and magic used to be a vital element in exposing key enemy vulnerabilities. Tribal warrior societies in a state of continual, low-threshold warfare rarely had resources to completely annihilate their opponents, so they kept searching for ways to easily penetrate into enemy territories. Technology didn’t exist back then, but that never kept them from gaining valuable intelligence, which they often derived from voodoo practices.
Fast forward into the digital era and for hackers – and security researchers – there’s a (not so) new search engine in town labeled as the dark Google, the evil search engine that works like magic and exposes vulnerable devices connected to the internet – Sentient Hyper-Optimized Data Access Network a.k.a. SHODAN.
If that isn’t scary enough for security analysts, law enforcement agencies and business owners, Shodan can even locate control systems for nuclear power plants, fuel stations, water parks and particle-accelerating cyclotrons.
To make matters worse, many of these systems are operating on default passwords or have no security built into them – all that’s needed is an internet connection and IP addresses to connecting to some devices controlling critical utility and energy infrastructure. Security analyst Dan Tentler demonstrated at last year’s Defcon cybersecurity conference how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.
On the bright side, Shodan is primarily developed for security researchers and businesses as a penetration testing tool. Cybercriminals can also use Shodan to search for vulnerable devices, and sophisticated attackers can perform high-profile attacks leveraging botnets to exploit vulnerabilities without having to detect them in the first place. On the other hand, C-suite IT executives can use Shodan’s detection capabilities to ensure their employees and IT administrators are not using default passwords for their systems.
Nevertheless, tools like Shodan render ineffective conventional security schemes such as security-by-obscurity. The over-hyped threat surrounding Shodan is also a reminder of how costly the emerging trend of Internet of Things (IoT) has become for business organizations. Things such as electric kettles, network printers, inter-connected censors and cameras don’t have to be connected to public networks. ‘Smart’ technologies are providing hackers with opportunities to compromise entire business IT networks and giving birth to a new hacking trend dubbed as the Cybercrime of Things.
Enterprise trends such as smart technologies, IoT and Bring Your Own Device will continue to thrive as businesses embrace cyberspace as a viable platform for delivering quality services within and beyond the organization efficiently. Organizations turning away from these trends in favor of employing a defensive security strategy risk productivity losses far out-weighing damages incurred by minor network infringements.
Businesses restricting public-facing devices, using VPNs to allow secure external access, suppressing banners (the information Shodan uses to index networked devices), regularly changing default and standard passwords and running the search engine against their own networks can help protect against Shodan searches by cybercriminals.
The bottom line is that penetration tools such as Shodan only enable hackers to exploit devices exposed in the unforgiving cyberworld due to misconfigurations, use of default passwords and bad security practices.
Owing to the sophistication of global security threats, cybercrime is rightly considered as a fact of life. But scary hype aside, Shodan offers no voodoo charms for compromising networked devices unless IT departments responsible employ poor security practices. At the same time, following industry-proven security best-practices can enable businesses to leverage Shodan as a business charm for maintaining IT security while leveraging Smart technologies and IoT to enhance business value and productivity.