What is Shodan?

EDITOR NOTE: This is Jonny’s 75th post on Technology Bloggers! Jonny was a complete newbie to blogging when he wrote his first post (about prosthetic limbs) but he is now somewhat of an expert – although he probably wouldn’t agree! – note by Christopher

Recently a couple of articles have appeared on large US websites about a type of search engine called Shodan. This search engine has been around for about 3 years, but it is different from Google and its cohorts in many ways. I looked at it and could not understand it at all, so what is it, and why is it causing such concern?

A screenshot of the Shodan website

Expose online devices

I have seen Shodan described as “The scariest search engine on the Internet”. This CNN Money article explains that Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.

What interest could there be in such capability? Well, a lot, apparently. The system allows an individual to find security cameras, cooling systems and all types of home control systems that we have connected to the Internet. (See Christopher’s series about his British Gas system here.)

One serious problem is that many of these systems have little or no security because they are not perceived as threatened. Shodan searchers have, however, found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

Hacking apart, it turns out that the world is full of systems that are attached via router to the office computer and web server, and on to the outside world. That means access for anyone who can find them and might like to turn off the refrigeration at the local ice rink, shut down a city’s traffic lights or just turn off a hydroelectric plant.

The Shodan system was designed to help police forces and others who might have legitimate need for such a tool, but what happens when it gets into the wrong hands? Security is non-existent: just get your free account, do a few searches and see what you find.

See this Tech News World article for a further look at the ethical and practical issues that such a freely available product might bring.

Regular readers will be aware of my interest in these types of problems through my work at the Bassetti Foundation for Responsible Innovation. I am not sure how the development and marketing of such a tool could be seen as responsible behaviour, but as I have been told on many occasions during interviews, there are plenty of other ways of finding out such things. These types of systems are gathering already available information to make it usable, nothing more, so they are not doing anything wrong.

Do you agree?