Google For Hackers
If it can’t be found on Google, it doesn’t exist. Right? Wrong. You haven’t visited Shodan yet.
Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.
Nice, but who cares? Hackers do. If you would get one dollar for every device which is still accessible with the default username and password, you’d be rich. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
Typing in “Default Password” tells it all – countless companies and individuals have no clue how important (even basic) security really is. This simple search reveals countless printers, servers and system control devices that use “admin” as user name and “1234” as password. Many more connected systems require no credentials at all — all you need is a Web browser or FTP client to connect to them.
In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.
He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.