What is Shodan?

EDITOR NOTE: This is Jonny’s 75th post on Technology Bloggers! Jonny was a complete newbie to blogging when he wrote his first post (about prosthetic limbs) but he is now somewhat of an expert – although he probably wouldn’t agree! – note by Christopher

Recently a couple of articles have appeared on large US websites about a type of search engine called Shodan. This search engine has been around for about 3 years, but it is different from Google and its cohorts in many ways. I looked at it and could not understand it at all, so what is it then, and why is it causing such concern?

A screenshot of the Shodan website

Expose online devices

I have seen Shodan described as “The scariest search engine on the Internet”. This CNN Money article explains that Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.

What interest could there be in such a capability? Well, a lot, apparently. The system allows an individual to find security cameras, cooling systems and all types of home control systems that we have connected to the Internet. (See Christopher’s series about his British Gas system here).

One serious problem is that many of these systems have little or no security because they are not perceived as threatened. Shodan searchers have, however, found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

Hacking apart, it turns out that the world is full of systems that are attached via router to the office computer and web server, and on to the outside world. They are accessible to anyone who can find them and might like to turn off the refrigeration at the local ice rink, shut down a city’s traffic lights or just turn off a hydroelectric plant.

The Shodan system was designed to help police forces and others who might have legitimate need for such a tool, but what happens when it gets into the wrong hands? Security is non-existent: just get your free account, do a few searches and see what you find.

See this Tech News World article for a further look at the ethical and practical issues that such a freely available product might bring.

Regular readers will be aware of my interest in these types of problems through my work at the Bassetti Foundation for Responsible Innovation. I am not sure how the development and marketing of such a tool could be seen as responsible behaviour, but as I have been told on many occasions during interviews, there are plenty of other ways of finding out such things. These types of systems are gathering already available information to make it usable, nothing more, so they are not doing anything wrong.

Do you agree?

18 thoughts on “What is Shodan?”

  1. It’s a bit worrying really. I wonder if the large government organisations and companies will act quickly enough to secure this sort of thing. Government tends to move VEEEERY slowly here (Australia, though I’m sure it’s the same everywhere).

  2. I can’t see a lot of positive uses however I think it would be extremely difficult to regulate against this type of search engine. I also don’t know of too many people who password protect devices that are attached to their router. Hopefully Christopher has put a decent password on his heating system.

  3. Shodan looks like yet another U.S. Government funded project that serves multiple purposes. First, it’s a great idea to help companies and governments who have inadequate security personnel to easily identify the threats that hackers have always been able to identify. Hopefully, if organizations can identify the threats they can better protect their resources. Second, this type of search engine will attract all of the newbie or rookie level hacker wannabe folks who will unknowingly be providing their IP addresses and areas of interest to governments and law enforcement agencies who are the intended recipients of this data. The government is still using the old “fly to honey” attractions to find the bad guys.

    • Christopher Roberts

      Interesting that you feel a government might be behind the site Jason. We don’t censor comments (from views, but we do for language/abuse) so you are perfectly free to express your opinion.

      I had a quick search using Shodan, just out of interest, as a blogger, wanting to better understand the site – does that mean they are onto me? Let’s hope not! In your eyes, have I done something wrong?

      Thanks for the interesting comment Jason, welcome to the Technology Bloggers community :-)
      Christopher

      • Christopher,

        Of course you did nothing wrong. Being associated with a government does not automatically mean CIA :-) Like you said, it’s just my opinion and nothing more.

        I equally don’t view the site as a “black hat” site. Truly, it is a really needed/beneficial site that hopefully will help secure our electrical power and other utility systems as well as benefit the corporate sector.
        Jason

  4. I wouldn’t call this responsible innovation, that’s for sure. But if someone is intent on doing something harmful I guess there are plenty of other ways for them to find out these things. With the popularity of Shodan maybe people will be more aware of such a threat and take measures to prevent them.

      • Not necessarily an improvement in Internet security, but more an improvement of awareness of the dangers. I agree that a highly skilled tracker can easily hack into most systems, but sites like these encourage the average hacker to create havoc.
