CNNMoney posted an ominously titled column “Shodan: The scariest search engine on the Internet” yesterday about a search application that discovers unprotected technology connected to the internet that was promptly aggregated by other outlets like FastCompany — but not until the last third of the article did the author mention two key facts: Shodan has existed for three years and is “almost exclusively used for good.”
Make no mistake, the things Shodan can uncover are scary: It’s essentially a way find technology currently online that was never intended to be networked in the first place, or networked with such laughably thin security protocols like using default admin logins and passwords that it’s child’s play to compromise — with the vulnerable tech ranging from the seemingly mundane like home printers and garage doors to the sort of things you really don’t want to be connected to the outside world, such as citywide traffic systems and nuclear command and control centers.
And as we move closer to a world where everything from our refrigerators to our pacemakers are connected to the Internet in one way or another, these problems will only multiply: An “Internet of things” that lacks security built into the devices that join together to create that network could potentially put everyone at risk. The issue is that these vulnerabilities exist in the first place, not that Shodan can uncover them — as previous coverage of Shodan by Dave Maass in San Diego CityBeat* notes:
“The fact that somebody is basically shining a flashlight into a dark room shouldn’t be the part people are afraid of,” says Dan Tentler, a San Diego-based information-security consultant. “The part people should be afraid of is the fact that some genius decided to take, for example, a five-megawatt hydroelectric plant in France, put its control computer on the Internet and allowed everybody that knew about the IP address to connect to it and make changes to this dam, with no encryption or authentication to speak of.”
As with almost all technological developments, Shodan is neutral. In fact, the bad guys have a vested interest in keeping these types of vulnerabilities quiet so their exploitation will go unnoticed. With Shodan, security experts have a simpler way of identifying what networks are at risk and potentially taking them offline or improving security thus bettering the entire system. And security experts does mean hackers: While the word has taken on a lot of negative connotations in the media, hacking is a process of discovering vulnerabilities that is neutral. Just as it’s questionable to call Shodan scary because the things it uncovers are settling, decrying the process of hacking and all people that do it because they reveal problems with systems is equally objectionable.
There are certainly bad hackers, but there are also good hackers: Just ask Peiter Zatko (better known as Mudge) who spent the last few years as a program manager at the Defense Advanced Research Projects Agency (DARPA) focusing on cybersecurity projects. When he left last week he tweeted that he didn’t know which was neater: “getting Office of SecDef highest award, OR the positive use of ‘hackers’ in the letter!”
Update:
*An earlier version of this piece misidentified Dave Maass and the source of this quote.