Shodan: Dark Side of the IoT

Last week, tech media was actively discussing Shodan, the world's biggest search engine for the Internet of Things (IoT), and its new section that allows for easy browsing of vulnerable and unprotected webcams. With this new search feature you can easily spy on someone's marijuana plantation, garage or home party and watch people cook their meals or have fun with their friends. It opens up a lot of opportunities for cyber voyeurism and hacking. Because so many devices are connected to the Internet today (e.g., webcams, heating and ventilation systems, house doors, etc.), we face a huge risk of our sensitive personal data leaking or being used against us (e.g., cyberstalking).

Shodan was launched by the Swiss software developer John Matherly back in 2009 as a service allowing large tech companies like Cisco and Juniper to keep track of where and how their software is used. Six years later, Shodan has evolved into a gigantic search engine for hackers and cybersecurity specialists looking for vulnerabilities in connected devices and applications. It gradually became what is now referred to as a Shadow Google.

According to IT security consultant Dan Tentler, there are millions of unprotected webcams scattered around the globe these days, and their number is growing each year. Tentler has been exploring IoT security issues for several years now and regularly tweets documented proof and new cases. So does the official Shodan Twitter account.

In his 2013 interview for Vice, Matherly said he had once been able to connect remotely to a charged-particle accelerator and a huge megawatt hydroelectric dam in France using Shodan:

The cyclotron – a particle accelerator – was one. It’s theoretical physics equipment, it’s very, very volatile and it should never have been online. Then there are all these weird things, like crematoriums. Those are really creepy. You see the patient’s name pop up and there are different settings – like, there’s an infant setting. There’s no authentication needed, no passwords, nothing.

Now that Shodan has robust new search functions and offers a paid subscription that lets users browse a catalogue of hundreds of vulnerable webcams, access to unprotected IoT devices becomes much easier. Only some of them require a password; most are not protected at all and are open to remote access by unauthorized third parties.


Webcams are vulnerable because most of them use the RTSP protocol without authentication; as a result, video from the cameras can be accessed by literally anyone who connects to them. Shodan searches for IoT devices with open ports, and the legitimacy of such activity is now being questioned. However, Shodan suggests that the problem with the security of IoT devices is much broader. Shodan is just a search engine that uses the same algorithms as Google or Yahoo!, but its technical capabilities highlight the scope of the security issues we'll be facing as the IoT becomes the ultimate digital reality.
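The RTSP point above can be checked on cameras you own. The following is an added example, not part of the original article: it classifies the reply a camera gives to an unauthenticated RTSP DESCRIBE request, so an inventory audit can flag streams that answer without asking for credentials. The host names and responses are constructed sample data.

```python
import re

STATUS_LINE = re.compile(r"^RTSP/\d\.\d (\d{3})")

def parse_rtsp_response(raw):
    """Return (status_code, headers) from a raw RTSP response (RFC 2326 framing)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    match = STATUS_LINE.match(lines[0])
    if not match:
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # a header may repeat, e.g. several WWW-Authenticate challenges
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(match.group(1)), headers

def classify(raw):
    """Classify the reply to an unauthenticated DESCRIBE request."""
    try:
        status, headers = parse_rtsp_response(raw)
    except ValueError:
        return "not-rtsp"
    if status == 200:
        return "open"  # stream description served with no credentials
    if status == 401:
        schemes = {v.split(None, 1)[0].lower()
                   for v in headers.get("www-authenticate", []) if v}
        if "basic" in schemes:
            return "auth-basic"  # credentials only base64-encoded on the wire
        if "digest" in schemes:
            return "auth-digest"
        return "auth-unknown"
    return "other-%d" % status

# Constructed sample responses, keyed by hypothetical camera host names.
SAMPLES = {
    "cam-lobby.example": "RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
                         "Content-Type: application/sdp\r\n\r\nv=0\r\n",
    "cam-dock.example": "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                        'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n\r\n',
    "cam-gate.example": "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                        'WWW-Authenticate: Basic realm="cam"\r\n\r\n',
}

def audit(samples):
    """Map each host to its classification."""
    return {host: classify(raw) for host, raw in samples.items()}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLES).items()):
        print(host, verdict)
```

Any host reported as "open" should be moved behind authentication or taken off the public Internet.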

The more we expand the global IoT network, the more it will affect public security and our daily lives: when hackers start breaking into connected cars, medical devices or IoT infrastructure, the risk will become much greater than someone peeping at people through webcams.

Experts believe that the current situation with unsecured IoT devices is a direct result of established market mechanisms. Today, most users don't seem to care much about their data security and aren't ready to pay more for advanced protection features in their IoT products. In turn, device manufacturers aren't willing to increase user awareness of security threats and of the overheads resulting from data breaches. Meanwhile, hackers are working hard to invent new types of malware, adware and DDoS attacks aimed at IoT applications and gadgets.

As the IoT evolves, we should anticipate new types of security threats, including physical attacks. Hackers will be able to crack wearable webcams worn by cops and manipulate data, intentionally steer moving cars into a ditch or turn off city traffic systems. The irony is that our dependency on technology will grow faster than our ability to protect it, so it makes a lot of sense to start building highly secure IoT solutions today!

IT Storyteller and Copywriter
Andrew's current undertaking is big data analytics and AI as well as digital design and branding. He is a contributor to various publications with a focus on emerging technology and digital marketing.