4/9/2013 8:37:32 AM
Richard Harris in Mobile Tech Tuesday, April 9, 2013

Shodan is a search engine that doesn't crawl the web looking for content; it crawls looking for exploits. You heard me: places that have default passwords on servers or routers, open webcams, printers that are connected without any security, that sort of stuff. Scared yet?

What does this mean to you? It means you can search for just about anything that you think is exploited. It's kinda fun at first, then turns into a frightening reality when you realize you might have something hanging on the web wire that could be exploited too! Most developers have servers of some sort, or an internet appliance, and this is a great way to check your IP or devices to see if there are potential security problems you might not know about.

It's pretty scary what is out there. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

"You can log into just about half of the Internet with a default password," said HD Moore, chief security officer of Rapid7, who operates a private version of a Shodan-like database for his own research purposes. "It's a massive security failure."

Developers can also use Shodan's API to connect their own apps to the Shodan database of exploits and back-doors if they like, which opens the door to all kinds of mischief, I'm sure.
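For the self-check described above (looking up your own IP to see what is exposed), here is an added example, not code from Shodan or from this article: it compares what a Shodan host lookup reports against the ports you meant to publish. It assumes Shodan's REST host-lookup endpoint and its `ports` and `data` fields; `EXPECTED_PORTS`, the function names and the sample record are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

# Assumption: this host is only supposed to publish a web server.
EXPECTED_PORTS = {80, 443}

# Constructed sample shaped like a Shodan host-lookup response, trimmed to the
# fields used here. 203.0.113.10 is a documentation address, not a real host.
SAMPLE_RESPONSE = json.dumps({
    "ip_str": "203.0.113.10",
    "ports": [80, 443, 23, 554, 8080],
    "data": [
        {"port": 80, "transport": "tcp", "product": "nginx"},
        {"port": 23, "transport": "tcp"},
        {"port": 554, "transport": "tcp", "product": "RTSP camera"},
    ],
})


def fetch_host(ip, api_key):
    """Fetch Shodan's record for an address you own (needs network and a key)."""
    query = urllib.parse.urlencode({"key": api_key})
    url = f"https://api.shodan.io/shodan/host/{urllib.parse.quote(ip)}?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def unexpected_services(raw_json, expected=EXPECTED_PORTS):
    """Return sorted (port, transport, product) tuples that were not intended."""
    host = json.loads(raw_json)
    findings = {}
    for banner in host.get("data", []):
        port = banner.get("port")
        if port is None or port in expected:
            continue
        key = (port, banner.get("transport", "unknown"))
        findings[key] = banner.get("product") or "unknown"
    # A port in the summary list with no banner is still reachable: report it.
    seen = {port for port, _ in findings}
    for port in host.get("ports", []):
        if port not in expected and port not in seen:
            findings[(port, "unknown")] = "unknown"
    return sorted((p, t, prod) for (p, t), prod in findings.items())


if __name__ == "__main__":
    for port, transport, product in unexpected_services(SAMPLE_RESPONSE):
        print(f"unexpected: {port}/{transport} ({product})")
```

To check a real address you control, pass the output of `fetch_host(ip, api_key)` to `unexpected_services` instead of the sample.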

