SHODAN“THE INTERNET OF THINGS”

Maxine MajorDecember 12, 2013

OVERVIEW

What is Shodan? How it Works A Tour of Shodan What Shodan Finds Similar Searches

WHAT IS SHODAN?

Search engine http://www.shodanhq.com/ Finds anything connected to the internet Named after AI in System Shock 2 (1999)

“Sentient Hyper-Optimized Data Access Network “

Developed by John Matherly. Went live in 2009 Currently indexes over 500 million

connected devices monthly 10,000 Industrial Control Systems

HOW SHODAN SEARCHES

Web search engines index websites Shodan indexes metadata and banners

Port 21/TCP (FTP) Port 22/TCP (SSH) Port 23/TCP (Telnet) Port 80/TCP (HTTP)

“Tell me what you can tell me about yourself.”

LEGALITY

Publicly available data “public” in that it is unprotected

“Once that data is made public…it’s unclear whether it’s still protected by data security laws.” – John Matherly

TOUR OF SHODAN

TOUR OF SHODAN

TOUR OF SHODAN

TOUR OF SHODAN

TOUR OF SHODAN

NARROWING THE SEARCH

Search Filters city apache city:"Zürich“ country  nginx country:DE geo apache geo:42.9693,-74.1224 hostname"Server: gws" hostname:google net net:216.219.143.0/24 os microsoft-iis os:"windows 2003" port 21 (FTP), 22 (SSH), 23 (Telnet)

ADDITIONAL FEATURES

Shodan API Integrate Shodan into your own software

Scanhub Make your own search engine built off

nmap scans Add Shodan to browser search engines

Note: Scans through Shodan are not real-time. They are produced from a crawler database.

WHAT SHODAN FINDS

144 million web servers on Shodan Microsoft’s IIS runs 8.5 million web servers Allegro Software’s RomPager: 22 million

servers OEM embedded web server Routers, switches, printers, etc.

WHAT SHODAN FINDS

Breakdown of Port Distribution (2012)

WHAT SHODAN FINDS

Cameras Webcams Security cameras

Home security systems Printers Refrigerators Caterpillar tractor control

panels Medical Devices Car Washes Hospital fetal monitoring

Critical infrastructure (water, sewage, dams,

Automobile assembly lines High School lighting

systems HVAC Power Dam Baby Monitors Traffic Control Systems

WHAT SHODAN FINDS

Baby Monitors August 2013 Baby monitor hacked

Marc Gilbert heard voices from 2-yr old’s room Verbal abuse from networked baby monitor Foscam video/two-way audio cam “admin” username default New user account had been added. “Root”

Likely Shodan used to discover monitor

WHAT SHODAN FINDS

WHAT SHODAN FINDS

Elementary School Heating System

WHAT SHODAN FINDS

Caterpillar controls

WHAT SHODAN FINDS

Webcams & Security Systems

WHAT SHODAN FINDS

Swimming pool acid pump Traffic control system

WHAT SHODAN FINDS

Wind turbines Heart monitors

WHAT SHODAN FINDS

Security guards Car washes

WHAT SHODAN FINDS

Not all systems found are legitimate Demos Honeypots

WATERWORKS HONEYPOT

Trend Micro created web-based simulation of an industrial control system (ICS) Water pump facility

Water pump supervisory control SCADA network Purpose: to measure attacks on real-world systems

Targeted 17 times in 4 months 12 to shut down water pump 5 to modify pump process

Attacks came via Google and Shodan

RESEARCH IN SHODAN

Security researcher Eireann Leverett developing a tool to match ICSs found on Shodan to known vulnerabilities (2011) Intent to “allow defenders to assess their

attack surface and prioritise the required interventions in a timely manner”

Can also be used for auditing Research funded by BP

SIMILAR SEARCHES

VxWorks Platform developed by WindRiver Systems

(Intel) WDB agent – system level debugger

UDP Port 17185 (2010) Rapid7 developer wrote a scanner for

Metasploit to scan for WDB Surveyed over 3.1 billion IP addresses Discovered 250,000+ systems with WDB agent

exposed Discovered massive scan in 2006 by unknown party

SIMILAR SEARCHES

Universal Plug and Play (UPnP) UPnP Simple Object Access Protocol (SOAP)

2013 Rapid7 white paper “UPnP discovery requests were sent to every

routable IPv4 address approximately once a week from June 1 to November 17, 2012. “

81 million unique IPs responded 20% SOAP API Vulnerable to a single UDP packet for remote code

execution

SIMILAR SEARCHES

Internet Census 2012 (by “Carna Botnet”) Started as a joke:

telnet login root:root on random IPs Binary uploaded to insecure devices

Watchdog w/ lowest priority Scanned port 23 (Telnet) on IPv4 Stopped after a few days. Included a README

Binary ran on 420,000 devices 20% of unprotected devices found 1.2 million unique unprotected devices identified by

MAC Most common unprotected device is router

SIMILAR SEARCHES

Internet Census 2012 Ignored:

IPv6 Devices without ifconfig Devices without a shell 100k MIPS 4kce (embedded systems/game

consoles) Encountered Aidra botnet (malicious)

MINIMIZE SHODAN RISKS

Standard security practices Restrict public facing servers and devices Use VPN or IP filters for external access

(e.g., employee working from home wants to use company printer)

Always change password defaults Suppress/minimize verbose banners Test Shodan on your own devices

May not find you if you’re not already indexed

(esecurityplanet.com)

BEYOND SHODAN

Shodan is the first search engine of its kind.

It’s possible and likely that other search engines could be more powerful.

How long before society becomes aware of what makes something findable?

Need to rewire how people think about connected devices.

REFERENCES http://www.wired.com/images_blogs/threatlevel/2012/01/2011-Leverett-industrial.pdf http://www.shodanhq.com/ http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-th

e-internet/ https://community.rapid7.com/docs/DOC-2150 https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-d

ont-play http://internetcensus2012.bitbucket.org/paper.html http://en.wikipedia.org/wiki/MIPS_architecture#Microarchitectures_based_on_the_MIPS_instruction_set https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port

-servers https://speakerdeck.com/hdm/derbycon-2012-the-wild-west http://www.us-cert.gov/ncas/alerts/TA13-175A http://www.shodanhq.com/help/filters http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers http://www.allegrosoft.com/embedded-web-server-s2?utm_expid=16278828-3.XjShHBhqQ1OFjzbnYYNwdA.1&utm_ref

errer=https%3A%2F%2Fwww.google.com%2F http://www.networkworld.com/news/2013/031513-scada-honeypot-267740.html http://www.esecurityplanet.com/network-security/5-tips-to-protect-networks-against-shodan-searches.html http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/ http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-th

e-internet/ http://userserve-ak.last.fm/serve/_/86825487/System+Shock+2+cover.png http://money.cnn.com/gallery/technology/security/2013/05/01/shodan-most-dangerous-internet-searches/index.html http://www.qmed.com/news/shodan-potential-nightmare-medical-device-users http://www.slideshare.net/Shakacon/dan-tentler http://secanalysis.com/a-brief-analysis-of-shodan/ http://siliconangle.com/blog/2013/06/26/how-shodan-searches-for-holes-in-the-internet-of-things/ http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf