A search engine of connected devices is currently being used as a penetration-testing tool. But it has the potential to expose you to the dark underbelly of the Web. Beware!

Gunjan Trivedi is executive editor at IDG Media. He is an award-winning writer with over a decade of experience in Indian IT. Before becoming a journalist, he had been a hands-on IT specialist, with expertise in setting up IP WANs. Reach him at gunjan_trivedi@idgindia.com

Shodan. I first heard of this term many, many moons ago, probably just before I got into one of those fights that were famously arranged during recess at our all-boys, Catholic school. A bullying remark here and a bruised ego there was all it needed to stoke the fire in such school fights. My opponent was a shodan-rank black belt in Shotokan, a style of karate. I, on the other hand, was fresh out of a summer training camp that had boxing on its curriculum, and had just begun my tryst with powerlifting.

Almost 18 years later, I heard the term all over again. But this time it was in a bizarrely different scenario. It had nothing to do with the word that means ‘first’ or ‘beginning’ in Japanese. This time, it sounded sinister and potentially much more dangerous. In fact, an article earlier this year in CNN Money dubbed Shodan the scariest search engine on the Internet.

For the uninitiated, Shodan (www.shodanhq.com) searches for devices that are connected to the Internet. It can be loosely described as a Google for the Internet of Things. While regular search engines index content, Shodan crawls the Web to identify devices that can be accessed publicly, perhaps with enough vulnerability to sneak in.
Mike Wheatley’s article published in SiliconANGLE states that it primarily focuses on SCADA (supervisory control and data acquisition) systems, and is capable of finding anything from standalone workstations to wide-area networking configurations. TechnoBuffalo’s Adriana Lee goes on to say that someone even discovered command and control systems for a nuclear power plant and a particle-accelerating cyclotron using the search engine, as well as a French hydroelectric plant and a city traffic control system. In fact, the online traffic system was found to be easily manipulated—a user could have put it in ‘test mode’ by entering a simple command—despite the ‘Death May Occur’ warning on the opening screen of the system.

However, the privately developed search engine, Shodan—which is ironically named after the main antagonist of the System Shock video game series, voted one of the best villains of all time—isn’t an illegal endeavor. All it does is collate and display information that is readily available in the public domain. Aaron Weiss of eSecurity Planet explains how. He writes in his article:

When you connect to a server listening on a given port, the server usually responds with a ‘banner,’ which is a block of text with details about the service. What Shodan’s crawler does is query IP addresses around the world, looking for and saving banner responses at several common ports. Shodan lets users query keywords in these banners, filtered by metadata like port and IP address or domain name. Any vulnerability revealed by Shodan comes down to the information in the banners.

In his interview with Vice, Shodan’s creator John Matherly admitted that its usage has evolved far beyond what it was created to do: allow companies to track where their software is being used. Now, he believes, Shodan has ended up being used to provide an empirical basis for security analysts’ arguments. And, since Shodan isn’t an anonymous service, it does keep criminals away.
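Since everything Shodan shows comes down to what a service says about itself in its banner, the practical defensive question is what your own public-facing services are announcing. The script below is an added example, not code from the column, from Shodan or from any of the articles it cites. It parses a handful of constructed sample banners (SSH identification string, HTTP response headers, FTP greeting; no real hosts) the way a crawler would see them, and flags the details that make a device easy to find by keyword: product versions, platform strings in parentheses, extra headers such as X-Powered-By, and an address echoed back in the greeting. The banner dictionary, the finding labels and the function names are all assumptions of this example.

```python
"""Parse service banners of the kind Shodan indexes and list what they disclose.

Added example (not from the article or from Shodan). A defender can feed this
the banners captured from their own hosts to see how much a service reveals
before deciding whether to trim it. The banners below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample banners keyed by port; none of these are real captures.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_7.4\r\n",
    80: ("HTTP/1.1 200 OK\r\n"
         "Server: Apache/2.4.6 (CentOS) PHP/5.4.16\r\n"
         "X-Powered-By: PHP/5.4.16\r\n\r\n"),
    21: "220 ProFTPD 1.3.5 Server (Debian) [::ffff:203.0.113.10]\r\n",
    8443: ("HTTP/1.1 401 Unauthorized\r\n"
           "Server: nginx\r\n"
           "WWW-Authenticate: Basic realm=\"admin\"\r\n\r\n"),
}


@dataclass
class BannerInfo:
    port: int
    product: str = "unknown"
    version: Optional[str] = None
    findings: list = field(default_factory=list)


def _split_product(token):
    """'Apache/2.4.6' or 'OpenSSH_7.4' -> ('Apache', '2.4.6'); 'nginx' -> ('nginx', None)."""
    m = re.match(r"([A-Za-z][\w-]*?)(?:[/_](\d[\w.]*))?$", token)
    if not m:
        return token, None
    return m.group(1), m.group(2)


def _common_findings(info, text):
    """Record the searchable details present in one banner line."""
    if info.version:
        info.findings.append(f"version disclosed: {info.product} {info.version}")
    for platform in re.findall(r"\(([^)]+)\)", text):
        info.findings.append(f"platform disclosed: {platform}")
    if re.search(r"\d+\.\d+\.\d+\.\d+", text):
        info.findings.append("address echoed in banner")


def parse_banner(port, raw):
    """Identify the protocol from the first line and extract product, version and findings."""
    info = BannerInfo(port=port)
    first = raw.split("\r\n", 1)[0]
    if first.startswith("SSH-"):
        # SSH identification string: SSH-<protoversion>-<softwareversion>
        m = re.match(r"SSH-[\d.]+-(\S+)", first)
        if m:
            info.product, info.version = _split_product(m.group(1))
        _common_findings(info, first)
    elif first.startswith("HTTP/"):
        # The Server header is the part of an HTTP banner that gets indexed by keyword.
        server = re.search(r"^Server:\s*(.+?)\s*$", raw, re.M)
        if server:
            info.product, info.version = _split_product(server.group(1).split()[0])
            _common_findings(info, server.group(1))
        powered = re.search(r"^X-Powered-By:\s*(.+?)\s*$", raw, re.M)
        if powered:
            info.findings.append(f"X-Powered-By header: {powered.group(1)}")
    elif re.match(r"^220[ -]", first):
        # FTP greeting: "220 <product> [<version>] ..." is a common layout.
        body = first[4:]
        words = body.split()
        info.product = words[0] if words else "unknown"
        if len(words) > 1 and re.match(r"\d[\w.]*$", words[1]):
            info.version = words[1]
        _common_findings(info, body)
    else:
        info.findings.append("unrecognised banner format")
    return info


def audit(banners):
    """Parse every banner; most talkative services first."""
    results = [parse_banner(port, raw) for port, raw in banners.items()]
    return sorted(results, key=lambda i: len(i.findings), reverse=True)


if __name__ == "__main__":
    for info in audit(SAMPLE_BANNERS):
        print(f"port {info.port}: {info.product} {info.version or ''}".rstrip())
        for finding in info.findings:
            print("   -", finding)
```

The nginx banner on 8443 produces no findings because it names the product without a version, platform or extra headers; that is roughly the level of disclosure most services can be configured down to, and it is what makes a host a poor match for version-specific keyword searches.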
Interestingly, Weiss says that Shodan is not the only way for hackers to discover these devices. Even though Google indexes content rather than server banners, hackers have long known that particular query strings can reveal misconfigured devices. These query templates are known as “Google dorks” and they long predate Shodan.

According to Lee, Shodan is used for the most part by security professionals, researchers and law enforcement, who typically employ the service to alert companies about these security vulnerabilities. But that doesn’t mean some rogue Shodan user won’t do harm, she warns.

I distinctly remember ending the school fight with that shodan in a jiffy. After a blatant display of high kicks and fast moves, it was all over with a massive shoulder push and a relatively damaging right hook to the chin. I am sure it will take more than that now, as devices get increasingly connected to the Internet and tools like Shodan lower the barrier significantly, making their discovery easier. Beware!