March 4, 2016

Shodan

 

Each and every day we’re becoming increasingly connected. This has been driven by an acceleration of the Internet of Things – a highly complex network of physical devices and systems with embedded electronics and network connectivity – that enables devices to communicate and exchange data.

 

This rapid uptake has been largely made possible by the transition to IPv6 – the latest version of the IP networking protocol that underpins every aspect of our digital lives. This new protocol provides us with 340 trillion trillion available addresses, which, to give you some perspective, is 1021 addresses per square meter on Earth. This new version solved a serious problem that was inherent in its predecessor, IPv4: there were not enough addresses available to cope with the blistering expansion of the internet.

 

In the future every single device that we own will be interconnected with every other – but has anybody thought about the security implications that this presents? The evidence to date suggests not. Building security into these devices appears to be an afterthought. Security has become a bolt-on addition to products following their development cycle, rather than being integrated into the product design from the ground up.

 

The result?

A network of interconnected and insecure devices that are publicly accessible from the internet. You may not know it, but a project exists that aims to automate the detection and cataloguing of these devices.

 


 

Shodan is a search engine much like Google, but that’s where the similarities end. Rather than indexing web content over ports 80 (HTTP) or 443 (HTTPS) like Google, Shodan crawls the internet searching for devices that respond on a host of other ports including 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80, 443, 3389 (RDP) and 5900 (VNC). Once Shodan discovers a host that’s responding on a given port, it connects to the machine and pulls down the port banner. This information is then indexed along with the device’s geolocation data.

 

Since launching in 2009 Shodan has discovered and indexed a wide range of internet-connected devices, including webcams, traffic signalling equipment, routers, firewalls, CCTV systems, industrial control systems for nuclear power plants and electrical grids, domestic home appliances and much more. These devices have been connected to the internet without any thought for security, often without even basic protections such as a strong username and password.

 

 

 


 

Searching on Shodan is simple and powerful and gives you the ability to find what you’re looking for with ease. Your number of results is limited with a basic account – so you may need to upgrade if you’d like to access and make use of premium features. These include accessing the full search listings, plotting the host locations on maps and finding exploits for ports and services based upon version information.

 
Like any good search engine Shodan also gives you the option to search using various filters – which makes it much easier to narrow your results down and find what you’re looking for.

 
city: find devices in a particular city

country: find devices in a particular country

geo: you can pass it coordinates

hostname: find values that match the hostname

net: search based on an IP

os: search based on operating system

port: find particular ports that are open

before/after: find results within a timeframe

 

We could, for example, use these filters to search for apache city:"New York" to find Apache servers in New York, or even Server: "Apache" country:"US" to find all webcams in the United States.
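The same filters are just as useful pointed at your own address space. The following is an added example, not part of the original post: it builds a net:/port: query for a netblock you own and triages results for the remote-access ports listed earlier. The sample results are constructed in the shape of Shodan search matches (ip_str, port, data), and the severity policy is an assumption of this example.

```python
import ipaddress

# Ports from the article's list that expose remote access or file transfer.
# The severity labels are this example's own policy, not Shodan's.
PORT_POLICY = {
    21: ("FTP", "high"), 23: ("Telnet", "high"),
    3389: ("RDP", "high"), 5900: ("VNC", "high"),
    22: ("SSH", "review"),
}

def build_query(cidr, port=None):
    """Compose a query limited to a netblock you own, using net: and port:."""
    net = ipaddress.ip_network(cidr)  # ValueError on a malformed netblock
    return f"net:{net}" + (f" port:{port}" if port is not None else "")

def audit(matches, owned_cidrs):
    """Return (ip, port, service, severity, banner) for risky exposed services."""
    owned = [ipaddress.ip_network(c) for c in owned_cidrs]
    findings = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in net for net in owned):
            continue  # never report on address space that is not ours
        if m["port"] not in PORT_POLICY:
            continue
        service, severity = PORT_POLICY[m["port"]]
        lines = m.get("data", "").strip().splitlines()
        findings.append((m["ip_str"], m["port"], service, severity,
                         lines[0] if lines else ""))
    return sorted(findings)

# Constructed sample in the shape of Shodan search results ("matches" entries
# with ip_str, port and data); addresses are RFC 5737 documentation ranges.
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 23, "data": "login: "},
    {"ip_str": "192.0.2.11", "port": 22, "data": "SSH-2.0-OpenSSH_7.2\nKey type: ssh-rsa"},
    {"ip_str": "192.0.2.12", "port": 443, "data": "HTTP/1.1 200 OK\r\nServer: nginx"},
    {"ip_str": "198.51.100.5", "port": 5900, "data": "RFB 003.008"},
]

if __name__ == "__main__":
    print(build_query("192.0.2.0/24", port=23))
    for finding in audit(SAMPLE_MATCHES, ["192.0.2.0/24"]):
        print(finding)
```

Run on a schedule against every netblock you own, a report like this shows what the rest of the internet can already see, so Telnet, RDP or VNC exposures can be closed or moved behind a VPN.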

 

 


 

 

While it’s frightening to learn how many Internet of Things devices are completely unsecured – there’s also another story behind the ones that are. Many of the devices that Shodan detects and indexes do have some security in place – requiring authentication for example, but even these devices aren’t 100% safe from unauthorised access. In the ever-changing world of cyber security nothing remains static, and new exploits and vulnerabilities are being discovered and disclosed all of the time.

 

A significant example involves one of the largest and most well-known computer networking companies in the world – Juniper. In a recent public disclosure Juniper revealed that the firmware running on some of their devices contained a hard-coded back-door password: anybody connecting to a vulnerable device could supply that password against a valid user account and gain full administrative access to the device over Telnet or SSH. This exploit works against a vulnerable NetScreen firewall. You can read the full disclosure here: CVE-2015-7755.

 

Using Shodan we can search for Juniper firewalls and browse through the list to find those that are running a vulnerable version of the ScreenOS firmware. Once we’re connected we’d be able to supply the known backdoor password with a default ScreenOS user account (system) and be able to begin remote management of those devices.

 


 

We’re talking about firewalls that are live on mission-critical networks all over the world. And how many of these potentially vulnerable NetScreen firewalls has Shodan indexed? More than 18,000. Assuming only 10% of those are vulnerable (which is an extremely conservative estimate), that’s 1,800 vulnerable Juniper firewalls sitting as targets on the internet right now.

 

At DefCon 2012, independent security researcher and penetration tester Dan Tentler demonstrated how he was able to use Shodan to find control systems for evaporative coolers, pressurised water heaters and even garage doors. He was also able to find a hydroelectric plant in France, a car wash that could be turned on and off, and a hockey rink in Denmark that could be defrosted with the click of a button. He even found that a city’s entire traffic control system was connected to the internet and could be interrupted with some simple commands.

 

If these large enterprises haven’t got the resources to lock down and protect their infrastructure then what chance do we have? It’s up to manufacturers to build security into our products and services so that it removes the responsibility from ourselves.

 

Attacks on critical infrastructure until now have been minimal to non-existent. Unfortunately it’s only a matter of time before this changes. Attacks on networked industrial control systems are going to become a significant threat to our safety and security, given that computer systems regulate the treatment plants that deliver our drinking water, the traffic lights that allow us to drive safely, the signalling systems on transport networks and the nuclear reactors that deliver our energy.

 

As consumers we need to think carefully about the smart products that we purchase and consider the security implications that come with many of these devices. As businesses we need to make sure that we have a proper risk management framework in place – and that the person or organisation that’s looking after our technology is also capable of looking after our security.
