Marc Gilbert got a horrible surprise from a stranger on his 34th birthday in August. After the celebration had died down, the Houston resident heard an unfamiliar voice coming from his daughter’s room; the person was telling his sleeping two-year-old, “Wake up, you little slut.” When Gilbert rushed in, he discovered the voice was coming from his baby monitor and that whoever had taken control of it was also able to manipulate the camera. Gilbert immediately unplugged the monitor but not before the hacker had a chance to call him a moron.
The monitor, made by Foscam of Shenzhen, China, lets users monitor audio and video over the internet from anywhere in the world. Months earlier security researchers had discovered software flaws in the product that allowed attackers to take control of the monitor remotely or to sign into its stream if they used the user name ‘admin’. Foscam had quietly come up with a fix the month before but had not pushed it out to its users. When Gilbert checked his Foscam account, he discovered that the hacker had added his own user name—Root—so he could sign in whenever he wanted. Gilbert is now considering a class action against Foscam. He could find other plaintiffs using a search engine called Shodan. It’s likely the tool the pervy hacker used to find him.
Shodan crawls the internet looking for devices, many of which are programmed to answer. It has found cars, foetal heart monitors, office building heating-control systems, water treatment facilities, power plant controls, traffic lights and glucose meters. A search for the type of baby monitor used by the Gilberts reveals that more than 40,000 other people are using the IP cam—and may be sitting ducks for creepy hackers.
“Google crawls for websites. I crawl for devices,” says John Matherly, the tall, goateed 29-year-old who released Shodan in 2009. He named it after the villainous sentient computer in the videogame System Shock. “It’s a reference other hackers and nerds will understand.”
Matherly originally thought Shodan would be used by network behemoths like Cisco, Juniper or Microsoft to canvass the world for their competitors’ products. Instead, it’s become a crucial tool for security researchers, academics, law enforcement and hackers looking for devices that shouldn’t be on the internet or devices that are vulnerable to being hacked.
An industry report from Swedish tech company Ericsson estimates that 50 billion devices will be networked by 2020 into an ‘Internet of Things’. Matherly’s the only one putting the results of the surveying into a public search engine. “I don’t consider my search engine scary,” says Matherly. “It’s scary that there are power plants connected to the internet.”
Shodan’s been used to find webcams with security so low that you only needed to type an IP address into your browser to peer into people’s homes, security offices, hospital operating rooms, child care centres and drug dealer operations. Dan Tentler, a security researcher who has consulted for Twitter, built a program called Eagleeye that finds webcams via Shodan, accesses them and takes screenshots. He has documented almost a million exposed webcams. “It’s like crack for voyeurs,” he says.
After finding a vulnerability in a common piece of building software, Cylance security researcher Billy Rios used Shodan, in conjunction with another tool, to find that banks, apartment buildings, convention centres and even Google’s headquarters in Australia, had security, lights and heating and cooling systems online that could be controlled by a hacker.
“There are 2,000 facilities on the internet right now that if someone guesses the IP address, they can take over the buildings,” says Rios. The Department of Homeland Security revealed earlier this year that hackers have taken advantage of this, virtually breaking into the energy management systems of a “state government facility” in 2012 to make it “unusually warm” and of a “New Jersey manufacturing company” in early 2013; they got in using Shodan.
(This story appears in the 04 October, 2013 issue of Forbes India.)
Pretty scary!! (Oct 24, 2013)
It's an awesome article... I have learnt many new things... hats off to Mr. John Matherly (Sep 29, 2013)