A Search Engine For The Internet Of Things

Shodan, a little-known search engine, is the go-to site to find out about nuclear power plant control centers, gas stations, and highway signs connected to the internet.

A little-known search engine that indexes information on computers attached to the internet is increasingly open to use by hackers as fears about cyber attacks on American infrastructure and banking systems heighten. Shodan, which CNNMoney's David Goldman calls the “scariest search engine on the internet,” sorts background data on every computer attached to the internet—including industrial control systems and computers embedded in household objects such as televisions and garage doors. The security researcher-oriented site sits at the nexus of the much-vaunted “internet of things” and of the start-stop world of public utilities, power plants, and factories whose servers are connected to the internet.

Shodan, which is named after a fictional artificial intelligence in the videogame System Shock, is the brainchild of programmer John Matherly, who first created the site more than 10 years ago as a teenager. Matherly's creation collects information on more than 500 million connected devices and services each month; site users have found information for nuclear power plant command-and-control systems, control systems for a water park, and servers that control gas stations publicly available on Shodan. The site, which is designed for use by security researchers but can be accessed by anyone, limits searches to 10 results without an account and 50 with an account. Accounts are available on a subscription basis.

The information that Shodan collects is publicly available on the internet and is easily accessible to criminals, intelligence agencies, and foreign militaries with basic community college-level information technology experience.

[Image: Flickr user Jurvetson]


  • Hans Gruber

    Oh, I wouldn't say that some of the search terms are "basic".  Many of the devices require a tad bit more than simply college-level knowledge; it requires a fundamental understanding of the systems/devices that are being probed for.

    People think that SCADA and control systems are simple, and that looking for just the word "scada" will reveal thousands of devices, only to find a few short of a dozen or so.  The real skills lie in something the intelligence community has known for years: it's called "follow the pipe", and requires a sense of direction and some skill, along with a lot of intuition.

    Sure, hackers can say that they found Siemens devices.  Congrats!  More than likely, you've found a Siemens router to someone's home someplace throughout the world.  Now...finding that SCADA/control systems device that controls a railroad someplace, or a water treatment plant, or a power generation station, will take much more perseverance, a lot of patience, and a lot of time searching (if not guessing in some cases) for that specific target.

    Don't discount what SHODAN is or is not.  What it is, is a tool.  A pistol/gun is a tool, too.  Much of it depends on who's wielding it, and what they intend on using it for.  The key point here is the intent, and how any of the data extrapolated and harvested from sources such as SHODAN is used.

    Before you can cry that there is a bogeyman out there, remember this first: (1) there will always be a bogeyman out there --- somewhere, someplace (sort of like that breakfast cereal commercial: "somewhere out there, it's breakfast someplace..."); (2) people will try and convince you and others that there is a bogeyman out there, and that he has bad intentions on performing all sorts of nasty things on you; and (3) in most circumstances, the bogeyman won't let you know that he is out there -- not until it's too late -- and by that time, whatever damage is done, has been done.

    Data sources, such as SHODAN, provide a useful and valuable toolset that can be used for both bad...and good purposes.  It depends on who's wielding the tool...  ;)