The recent data leak at the Oklahoma Security Commission that compromised 17 years’ worth of FBI investigations, the NGO leak of 4 million internship applications, the exposure of 114 million businesses’ and individuals’ data online, and many others have one common thread: each of them was found on Shodan, the self-proclaimed “world’s first search engine for Internet-connected devices.”
While not inaccurate, describing Shodan as a “search engine” for “internet-connected devices” is something of an understatement. Search engines as we’ve come to know them, such as Google or Bing, have primarily consisted of information gleaned from web servers that have intentionally put forth public-facing content (this excludes the Dark Web, which, while sounding exotic and mysterious, simply amounts to “webpages not accessible to search engines”).
Similarly, a layperson’s understanding of an internet-connected device usually runs along the lines of a FitBit or Kindle. In the case of Shodan, it means anything connected to the internet: its own front page tells you its search results include, among other things, power plants, buildings, and webcams.
In short, Shodan isn’t interested in listing what’s on a website so much as the computer serving the website itself, and what software it’s using, public-facing or not. This presents a double-edged sword as far as cybersecurity is concerned.
From the point of view of a cybersecurity specialist, Shodan can be an especially useful tool. Just as a publicist would check Google for a client’s name to see what information is available about them online, a researcher can look up any internet-connected devices for which they’re responsible and immediately get a detailed report on exactly what on their network is visible to the outside world, and whether it presents any vulnerabilities that could lead to a cyberattack or data breach.
The white-hat uses of Shodan don’t just extend to technicians examining their own networks: the Oklahoma Security Commission leak, the AIESEC leak, and others were initially discovered and reported by external cybersecurity specialists who alerted the administrators of the vulnerable servers. This presents a nominal win-win: the target of a potentially major breach is alerted and given the opportunity to plug any leaks, and the person or company that found it gets a widely-publicized chance to establish their bona fides and bolster their reputation in the field.
That being the case, it’s naive not to see the significant dangers presented by a website that can quickly and easily provide the IP address, physical location, and known vulnerabilities of any device it happens to index. Shodan does little to reassure anyone by featuring the top three searches on the site: all are links to vulnerable or unprotected internet-enabled cameras.
The potential for misuse has been part of the controversy surrounding Shodan since its creation in 2009, but ultimately that controversy misses the larger point: although it’s scary to see them listed on one website, what’s truly terrifying is the sheer number of vulnerable devices online, either completely unprotected or hidden by fig-leaf security like admin/admin login and password combinations. Despite years of colossal data breaches, ransomware, and lower-level attacks, what Shodan does almost too good a job of illustrating is that the lack of awareness of adequate cybersecurity represents a crisis affecting the entire internet.
If years of warnings about changing passwords and news of mega breaches haven’t been enough to change the average internet user’s behavior, perhaps a few minutes spent browsing Shodan might.