Search is synonymous with Google. However, if something doesn’t show up on the search engine, how can you find it? John Matherly has found a way.
Matherly is the maker of Shodan, a tool now known as the most frightening search engine on the internet. Unlike Google, which crawls the web looking for websites, Shodan trawls the internet’s back alleys searching for things connected to the online world: webcams, routers, printers, power grids and control systems for vital infrastructure.
Shodan gathers info on around 500 million connected services and devices each month. Interesting discoveries include control systems for a crematorium, a gas station, a water park and a hotel wine cooler. Cybersecurity experts also found command systems for a particle-accelerating cyclotron and nuclear power plants.
What is really remarkable about Shodan’s ability to locate all of this, and what makes it so alarming, is that only a few of those devices and systems have any built-in security.
“You can log into just about half of the Internet with a default password,” said Rapid7’s Chief Security Officer HD Moore, who uses a private variant of a Shodan-like database for research purposes.
“It’s a massive security failure,” he added.
A search for “default password” shows that many servers, printers and system control devices use the user name “admin” and the password “1234”. On top of that, most connected systems don’t ask for user credentials at all.
In a talk at the 2012 DEF CON security conference, Dan Tentler, an independent penetration tester, showed how he found a hockey rink in Denmark that can be defrosted remotely with the press of a button.