Shodan is the search engine of a CISO's nightmares. It's showing us just how vulnerable our systems are.
Invented by the programmer and white hat hacker John Matherly, and named for a villainous cyberentity in the System Shock games, Shodan has been described as the "world's most dangerous search engine."
What's the big deal?
Game-screenshot of System Shock's Shodan.
Shodan crawls the web, searching for any connecting device -- from PCs to industrial systems, from printers to smartphones -- and analyzes the software running on those devices for, among other things, security flaws. Of course, it finds plenty. In fact, it has notoriously exposed vulnerabilities in control systems for industrial processes and even power grids.
Accessing tens of millions of devices, Shodan users have poked their digital noses into -- as the website says -- webcams, routers, power plants, iPhones, wind turbines, refrigerators, VoIP phones... Is it time for us to be terrified again?
Not according to Matherly, who told San Diego City Beat that he's trying, through Shodan, to be a "good citizen on the Internet." Matherly says his own work is nonmalicious and "entirely legal." But what about his users? Isn't he providing a dream machine for black hat hackers who want to gain access to devices for criminal purposes?
Shodan does have some controls on user activity. Anonymous users are allowed to generate a very restricted number of search results. Paid subscribers, apparently, tend to be security professionals checking their own networks. From this evidence, Matherly concludes that Shodan is making the Internet safer.
That's a peculiarly sunny view.
Honest users are finding "bank routers with passwords that are unencrypted... a ton of SCADA systems that you can basically access as a read only account so you can see what others are seeing and then figure out what the systems are doing, how they are doing, and what a good landing pad would be for working further mischief in the system." We can be confident that dishonest users are finding the same thing. How difficult is it to open a Shodan account with a fake identity, a dummy email address, and a stolen credit card? How many users have done so already? And how many more engines like Shodan are we likely to see?
As some analysts have said, there's no point blaming the messenger. The security expert Dan Tentler has emphasized that the idiocies exposed by Shodan are the problem, not Shodan itself. There's some truth in that, but even if we are all living in glass houses, passing around convenient stones to throw may be a bad idea.
— Kim Davis, Community Editor, Internet Evolution