Devices like security cameras, traffic light systems, and high tech temperature controls can all be connected to the web, but they aren’t indexed by Google, which makes them difficult to find without deep computer expertise. Now SHODAN, a search engine that crawls the web for devices like routers, webcams and servers, is helping to expose some of the security flaws inherent to these devices.
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
Many of these devices are ill-equipped to handle hackers: since they’re rarely indexed, there hasn’t been a need to set up typical security controls. Many can even be accessed via default passwords like “1234.”
A researcher at the cybersecurity conference DEFCON recently demonstrated just how easy it is to access the devices found on SHODAN. Writes CNN:
Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.
He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry.
We smell a Michael Bay-style infrastructure hacking movie on the horizon.