“When Internet users do not find their inquiries on Google, they think no one can find them; this is simply not true.”
This is according to John Matherly, the creator of Shodan, which is widely regarded as the scariest search engine on the Internet.
Unlike Google, which crawls the Web searching for websites, Shodan navigates the Internet’s back channels. Shodan is in essence a “dark” Google, looking for the printers, webcams, servers, routers and all the other things that are connected to and make up the broader Internet.
Shodan operates 24 hours a day, seven days a week to perpetually collect information on roughly 500 connected devices and services each month.
Users and industry professionals claim Shodan offers stunning search results even from the most basic of inquiries. Seemingly countless security cameras, home automation devices, traffic lights and heating systems are connected to the Internet and easy to locate through a Shodan search.
Shodan searches can find control systems for water parks, gas stations, and even a hotel wine cooler. Cyber security researchers were even able to locate command and control systems for nuclear power plants and particle accelerating cyclotrons by accessing Shodan.
What is truly impressive about Shodan’s ability to locate all of these things, and the characteristic that makes Shodan so scary, is that many of the aforementioned devices have legitimate security systems built into them.
“You can access a scary amount of the Internet with a default passcode,” said HD Moore, the chief security officer of Rapid7, which operates a private version of a database similar to Shodan for personal research purposes.
A basic search for “default password” reveals countless servers, printers and system control devices that utilize “admin” as their user name and “1234” as their password. Several other connected systems require no credentials at all; for these systems all you would need is a Web browser that is connected to them.
In a speech at last year’s Defcon cyber security conference, independent security penetration tester Dan Tentler revealed how he used Shodan to locate control systems for evaporative coolers, garage doors, and pressurized water heaters.
Tentler located a car wash that could be turned on and off and a hockey rink that could be defrosted with the click of a button. A city’s entire traffic control system was found to be connected to the Internet, allowing a hacker to put it into “test mode” with a single command entry. Tentler also located a control system for a hydroelectric plant in France with turbines generating over 3 megawatts each.
“A hacker or evil person could really do some serious damage with this information and control,” Tentler said in a severe understatement.