"If people can not find something on
Google, they think that it will not be able to find one. This is not the case, "- says John Mezerli, creator of
Shodan , the most terrible of Internet search engine.
Unlike Google, which is looking for a simple web sites,
Shodan working with shady Internet channels. It is a kind of "black» Google, allowing to search for servers, web cameras, printers, routers, and most different technique, which is connected to the internet and is part of it.
Shodan is open 24 hours a day, 7 days a week, gathering information about 500 million connected devices and services on a monthly basis.
It's incredible that
Shodan can be found in a simple query. Countless traffic lights, security cameras, home automation systems, heating systems - all of this is connected to the Internet and can be easily detected.
Shodan users found the water park management system, a gas station, a wine cooler in the hotel and the crematorium. Experts on cyber security by Shodan even found a command-and-control systems of nuclear power plants and atomic particle accelerator.
It is especially noticeable in his
Shodan with frightening possibilities of the fact that very few of these systems have at least some sort of security system.
"This is a huge fiasco in security," - says HSBC Dee Moore, chief security officer at Rapid 7. This company has a private database type
Shodan for their own research problems.
If you do a simple search on demand " Default password ", you can find an endless number of printers, servers and systems management with login« admin »and the password" 1234 ". Even more connected systems do not have access details - you can connect to them using any web browser.
Independent expert on the penetration of the system Dan Tentler last year at a conference on cyber security Defcon demonstrated how he found using Shodan control system evaporative coolers, heaters, water pressure, and the garage door.
He found a car wash, which can be switched on and off, and an ice arena in Denmark, which can be defrosted at the touch of a button. In one town was connected to the internet the whole system of management of road transport network, and only one team it could be translated into "test mode". And in France, he found the control system with two hydroelectric turbines, each of which generates to 3 megawatts.
Scary stuff, if you fall into the wrong hands.
"This can lead to serious damage," - said Tentler, and he still put it mildly.
So why all the devices connected to the network and almost not protected? In some cases, such as door locks, running through the iPhone, it is assumed that they are very difficult to find. And then think about the safety of a residual.
A more serious problem is that many of these devices do not need to be online. Companies often buy devices that allow a computer to control, say, the heating system. How to connect a computer to the heating system? Instead of connecting directly to many IT departments simply plug and then, and more to the Web server, thereby unknowingly exposing them to the world.
"Of course, these things just do not have security - said Mezerli. - But first, they have no place on the Internet. "
But the good news is that Shodan is almost entirely used for good purposes.
Mezerli himself, who three years ago created a Shodan just for fun, limited the number of queries to 10 without and 50 account with your account. If you want to use more features Shodan, Mezerli will ask you additional information about your order - and pay.
Penetration testers, security professionals, researchers and law enforcement agencies - are the main users of Shodan. Mezerli agree that Shodan can use as a starting point and the bad guys. But when he adds that cyber criminals typically have access to botnets - large collections of infected computers that can do the same thing, but secretly.
Today, the majority of cyber attacks are focused on stealing money and intellectual property. The bad guys have not yet tried to hurt someone blowing up a building or turning off the lights.
Security experts are hoping to prevent such scenarios, identifying those sensitive connected devices and services using Shodan and warning about the vulnerabilities of their respective owners. Meanwhile, lots of things on the Internet without any security just sit and wait for the attack.