If you’re interested in internet insecurity, you’ve probably heard of Shodan.
The name Shodan (more properly, SHODAN) is short for Sentient Hyper-Optimized Data Access Network, and refers to a malevolent machine intelligence in a 1990s video game series called System Shock.
But in the 2010s, the name has been appropriated by an online service that describes itself as “the world’s first search engine for internet-connected devices.”
Very loosely speaking, Shodan spiders, or crawls, its way around the internet, a bit like the Googlebot, connecting to likely services, logging what comes back, and creating a searchable index of the results.
The results can be useful if you want to find out what’s visible to outsiders on your own network.
For example, most home routers are configured via a web interface that listens on port 80 (unencrypted HTTP) or port 443 (encrypted HTTPS).
In an ideal world, you don’t want people on the outside to be able to connect to your router’s web server at all, as a security measure to reduce your exposure to external hacking attacks.
So you can search for your own router via Shodan…
…and if it shows up, you know that you’ve configured something incorrectly.
(If Shodan has already found it automatically, then any number of crooks have probably found it too, either by scanning the internet themselves, or simply by using Shodan.)
A WHOLE LOT MORE
Of course, what Shodan logs when it finds listening web services may give away a whole lot more than just “something is listening.”
If Shodan’s port scanner finds a login page, that’s interesting enough; but if it finds a listening service without any password protection at all, or with ill-configured protection, it may end up recording and indexing personal data that you never intended to make public.
For example, if Shodan is able to connect to port 554 on your home router, that probably means you have a webcam that’s accessible directly from the internet, because that port is commonly used for RTSP, the Real Time Streaming Protocol.
If you haven’t set any security on your webcam, then Shodan’s visit typically won’t see and “remember” a login prompt, but will instead end up with a live snapshot of whatever was going on at the time your webcam was indexed.
That might be what you want, if you’re running a beach camera that’s supposed to be publicly accessible so that surfers can see what the waves are like, or a ski-slope camera so people can check how busy the ski lifts are.
It definitely isn’t what you want if the device is a babycam in your infant’s bedroom, or a surveillance camera inside your server room.
THE TOP SEARCHES
Sadly, of Shodan’s five most popular searches, the top three are for online cameras. (Fourth is dreambox, a streaming media device, and fifth is default password, looking for devices which have security enabled, but not properly.)
As Ars Technica reports, Shodan’s recently-enabled picture-grabbing indexing service has already made public an almost absurdly eclectic set of images, including “marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.”
Insecure webcams are nothing new, and we’ve written about them more than once before, notably when a site called insecam.com went further than Shodan and allegedly tapped into insecure cameras to produce live copies of the feeds they were streaming.
WHAT TO DO?
It’s legal to “port scan”, or search for open services, on your own network across the internet, using a search engine like Shodan or an on-demand security scanner like Nmap.
If you don’t know how to do this, why not ask someone you can trust amongst your friends or family to help you take a look?
(If you’re asked for help, make sure that the person asking you genuinely has permission to invite you to probe their network.)
If Shodan can find your webcam, your internet kettle, your Wi-Fi security configuration, your home thermostat or your uranium enrichment centrifuges automatically…
…then so can anyone with even the most modest hacking skills, including anyone who knows how to use Shodan.
Your network should have:
- Proper passwords protecting any private data or devices, whether from inside or outside.
- No services visible to the outside world except the ones you intend.
If in doubt, don’t give it out!
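As an added example (not part of the original article), here is one way to check your own public address for the ports named above: 80, 443 and 554. Run it from a connection outside your network, against an address you have permission to test. The function names and the `intended` allowlist are assumptions of this example.

```python
import socket
import sys

# Added example: all names here are this example's own, not from the article.
# Ports the article names. Value = plaintext protocol to speak, or None to
# test reachability only (443 is TLS, so no plaintext request is sent).
CHECKS = {80: "HTTP", 443: None, 554: "RTSP"}

def status_line(host, port, proto, timeout=3.0):
    """Return None if the port is unreachable, else the reply's first line
    ("" when the port is open but nothing was requested or received)."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with s:
        if proto is None:
            return ""
        if proto == "RTSP":
            req = f"DESCRIBE rtsp://{host}:{port}/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"
        else:
            req = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n"
        try:
            s.sendall(req.encode())
            data = s.recv(1024)
        except OSError:
            return ""
    return data.split(b"\r\n", 1)[0].decode("latin-1")

def classify(line):
    """Turn a status line into a finding. A 2xx over HTTP can still be an
    HTML login form; a 2xx to an RTSP DESCRIBE means the stream was
    described without any credentials."""
    if line is None:
        return "closed"
    parts = line.split()
    if len(parts) >= 2 and parts[1] == "401":
        return "open, login required"
    if len(parts) >= 2 and parts[1].startswith("2"):
        return "open, answered without a login challenge"
    return "open"

def audit(host, intended=(), checks=CHECKS):
    """Return {port: finding} for reachable ports you did not intend to expose."""
    found = {p: classify(status_line(host, p, proto)) for p, proto in checks.items()}
    return {p: f for p, f in found.items() if f != "closed" and p not in intended}

if __name__ == "__main__" and len(sys.argv) > 1:
    # Run from outside your network against your own public address.
    for port, finding in sorted(audit(sys.argv[1]).items()):
        print(f"port {port}: {finding}")
```

An empty result means none of the three ports answered from where you ran the check; pass the ports you deliberately expose as `intended` to leave them out of the findings.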
Image of SHODAN from the game System Shock 2 via Wikipedia.
herobyclicking
Thanks for the article, good stuff. Though I was thrown by the image, it is lifted from the game System Shock 2.
Paul Ducklin
I acquired it from Wikipedia’s SHODAN page:
https://wikipedia.org/wiki/SHODAN