What is Shodan?
So, what can I tell you about Shodan? It’s a search engine like Google, except it doesn’t spider websites – it spiders open ports of devices connected to the internet. It’s basically a gigantic port scanner, but only on a small number of ports – the popular ones.
The first thing everyone wants to do when they find Shodan is to search for computers, networking equipment and other mainstream things people assume are online. While there are certainly eyebrow-raising numbers of IIS 5 (Internet Information Services) installations and swarms of vulnerable Apache Tomcat and JBoss (WildFly) installs connected to the internet, there are also devices that nobody would outwardly consider to be online or even that they had the capacity to be online. Who builds a Web server into a car wash? They’re online. So are license plate cameras, webcams, giant hotel-based wine coolers, 911 first-responder VOIP systems – the list goes on, and the list is quite long.
There has been this prevailing wind – since the dawn of connectivity, that for some reason businesses and internet patrons at large simply cannot shake – the concept of “Security through obscurity”. Security through obscurity dictates thought processes like “If I put this online and I just don’t tell anybody about it, there’s no way I can get hacked because who could possibly know about it?”. The answer to that is “anybody who looks”, and the bad guys have been “looking” for the better part of 15 years – actively scanning the internet 24 hours a day to find known vulnerabilities. Shodan seems like our best hope of finally making some ground in favor of smiting that particularly nasty demon since it gives people a chance to look at what they have exposed without the need to hire a security firm or a contractor.
Anybody that has ever had to make business decisions about what goes online and what doesn’t has considered “Eh, just put it online. What could possibly go wrong?”. A good lot of those folks had to subsequently endure dealing with “Hey, um – we got hacked. What do we do?”. At that point the blame-game begins, then the fingerpointing – it’s not pretty. The 600 pound gorilla in the room named “Who decided it was okay to do this in the first place” is always conveniently avoided – as usually it is whoever is writing the checks to the employees in the first place – and somehow we’ve painted ourselves into the corner of “The guy who writes the checks made a really bad call, but we can’t say anything because we like our jobs/paychecks/etc”. If you get me started, I’ll go on a rant about how businesses now are putting their ENTIRE infrastructure on the internet – whole businesses with all their servers exposed because someone told them ‘going to the cloud’ would help their pocketbook – but in reality it’s exposed all of their secret sauce directly to the internet because the operational security of their business endeavor was never taken into account.
This phenomenon is exacerbated by tools like Shodan, and while it is painful to deal with in the short term – at least for people who put things online that shouldn’t be online – the longer lasting effects will be that people will consider what they’re doing a little bit more carefully next time they make a decision.
Information security / Cybersecurity Takeaway
Some would condemn Shodan for “exposing” things – those same people would condemn Google for the same thing. Those folks need to learn how to admit they made a mistake and move along smartly – not only would it be better in reducing their stress, the internet at large would become a safer place.
The takeaway here is that Shodan is a tool, like Google. It’s a tool that every business should be using to examine themselves before going live. Other businesses do it frequently – banks have architects and foremen come in while the bank is being built to say things like “You need a vault” and “There should probably be security cameras here” or “You may want to consider putting a lock on the front door so you can lock up at night”. Internet facing businesses should have the same security considerations – if you elect to not put a front door on your business, don’t be surprised to come in one day to find strangers roaming around.
Author: Dan Tentler – Information security expert and founder of Phobos Group.