More and more machines and systems are being connected online, in some cases without passwords – making them accessible to people with the wrong intentions. A few years ago, I wrote an article about how Swedish Radio had noticed that connected systems could be reached relatively easily. The investigation revealed a number of shortcomings in the areas of water supply, district heating and fire alarms. The study found over 1,000 systems that could be activated without entering a single password. It used Shodan, perhaps the Internet’s most intimidating search engine.
This article is a couple of years old, but it’s still very relevant. Shodan is still a search engine that reveals frightening security flaws.
Shodan – the scary search engine
Shodan scans the Internet for connected devices and indexes them. Like Bing or Google, Shodan is a search engine, but instead of indexing websites, it finds internet-connected devices. These devices can range from servers to routers to Internet of Things (IoT) devices, which can be found in homes and organisations.
The search engine's database already has many connected things indexed, anything from your smart fridge to internet-connected SCADA systems. Shodan indexes everything that is connected. Traffic lights, security cameras, automation equipment, heating systems, SCADA networks – the number of devices connected to the Internet is growing, and they are easy to find for anyone with access to a search engine like Shodan. From the Shodan database, it is possible to search for devices that can be logged into without a password or that have a default password and username.
One might think that the search engine itself is the scary part. The truly frightening thing, however, is the number of devices that have no password at all or have a poor login. That behaviour makes systems accessible to people and organisations with the wrong intentions.
By making information public and easily accessible, Shodan is a vital resource, used by cyber security experts, for example, to help protect users from attacks. Anyone can search for any internet-connected device using Shodan, and Shodan lets you see if something is publicly available or not.
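How a defender can turn that visibility on their own network, as an added example that is not part of the original article: it filters records shaped like Shodan banner data (ip_str, port, transport, timestamp) down to the organisation's own address ranges and lists indexed services that should not be reachable from the Internet. The sample records, the address ranges and the port list are constructed assumptions for illustration.

```python
import ipaddress

# Assumed watch list for this example; adapt it to your own environment.
SENSITIVE_PORTS = {23: "Telnet", 102: "Siemens S7", 502: "Modbus/TCP",
                   20000: "DNP3", 47808: "BACnet"}

# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp",
     "timestamp": "2024-01-10T08:00:00"},
    {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp",
     "timestamp": "2024-02-01T09:30:00"},
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp",
     "timestamp": "2024-02-01T09:30:00"},
    {"ip_str": "203.0.113.77", "port": 47808, "transport": "udp",
     "timestamp": "2024-01-20T12:00:00"},
    {"ip_str": "198.51.100.5", "port": 502, "transport": "tcp",
     "timestamp": "2024-01-15T10:00:00"},   # outside our ranges
    {"ip_str": "not-an-ip", "port": 23},     # malformed record
]

OWN_RANGES = ["203.0.113.0/24"]  # assumed: address space the organisation owns


def exposed_services(records, own_ranges, sensitive_ports=SENSITIVE_PORTS):
    """List sensitive services indexed on our own addresses, newest sighting kept."""
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    latest = {}
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["ip_str"])
            port = int(rec["port"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed records instead of aborting the audit
        if port not in sensitive_ports or not any(addr in n for n in nets):
            continue
        key = (addr.version, int(addr), port, rec.get("transport", "tcp"))
        seen = rec.get("timestamp") or ""
        # ISO 8601 timestamps compare correctly as strings
        if seen >= latest.get(key, (None, ""))[1]:
            latest[key] = (addr, seen)
    return [{"ip": str(addr), "port": k[2], "transport": k[3],
             "service": sensitive_ports[k[2]], "last_seen": seen}
            for k, (addr, seen) in sorted(latest.items())]


if __name__ == "__main__":
    for finding in exposed_services(SAMPLE_RECORDS, OWN_RANGES):
        print(finding)
```

Every finding is a device that should be moved behind a VPN or firewall and have its login checked.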
Many systems still have the default login or 1234 as a password, and some systems don’t even have a login. In 2018, the survey of vulnerable systems in mission-critical functions found over 1,000 cases where no password at all was required to control the systems.
The survey found thousands of vulnerable systems across a range of industries – but systems such as sewerage, district heating and fire alarms are bound to raise a few extra eyebrows.
The workhorses of our time
Industrial control systems are the workhorses of our time, opening and closing water supplies, regulating natural gas flows, managing car production or regulating gas emissions, as well as controlling power plants and traffic systems.
In 2014, another project, SHINE (Shodan Intelligence Extraction), identified over 2 million industrial control systems (including SCADA) directly connected to the Internet.
Swedish Radio categorised over 7,000 systems with security vulnerabilities and found systems that control and regulate critical infrastructure among the unprotected systems.
Shodan’s founder himself says that “it is clear that there are no security procedures or protection in this hardware, they do not even belong on the internet at all”.
Control systems collect information from sensors, analyse the data and pass it on to computers, which are the interface between man and machine. The systems are designed for trouble-free operation and non-stop functionality. They are systems still in operation that were designed in a different era.
Many systems are based on processors developed 20 years ago, before the Internet was widely available and before the era when Things were a part of the Internet.
Many systems have a mix of old hardware and software and newer components. In industrial systems, these may be older machines, systems or control computers whose initial security system consisted of physically protecting the systems by building fences or brick walls around the hardware and only using them on isolated networks.
Changing passwords and logins
There are search engines that know the IP addresses used by mobile operators. As soon as a router is connected to the network with a default password and username, it poses a security risk.
My advice is simple. Plug the router into your computer and change the username and password before you plug in a SIM card. Then turn off your router, insert the SIM card, turn it back on, and log in. Slightly more complicated, much more secure.
Shodan focuses on the rapid growth of connected systems, and it gives us food for thought to work more on the cyber security threats our society is exposed to. These are machines and processes that millions of people depend on every day.
Remember that Shodan is an available service; it is not a “private pirate network”, and there is nothing hidden or secret around the service. However, there are, of course, similar, if not more powerful, systems in the hands of organisations that spare no expense,