Shodan: A Google for Hackers

Image: Ethan Pines for Forbes

Shodan founder John Matherly inside his house—he could just as easily be inside yours

Marc Gilbert got a horrible surprise from a stranger on his 34th birthday in August. After the celebration had died down, the Houston resident heard an unfamiliar voice coming from his daughter’s room; the person was telling his sleeping two-year-old, “Wake up, you little slut.” When Gilbert rushed in, he discovered the voice was coming from his baby monitor and that whoever had taken control of it was also able to manipulate the camera. Gilbert immediately unplugged the monitor but not before the hacker had a chance to call him a moron.

The monitor, made by Foscam of Shenzhen, China, lets users monitor audio and video over the internet from anywhere in the world. Months earlier security researchers had discovered software flaws in the product that allowed attackers to take control of the monitor remotely or to sign into its stream if they used the user name ‘admin’. Foscam had quietly come up with a fix the month before but had not pushed it out to its users. When Gilbert checked his Foscam account, he discovered that the hacker had added his own user name—Root—so he could sign in whenever he wanted. Gilbert is now considering a class action against Foscam. He could find other plaintiffs using a search engine called Shodan. It’s likely the tool the pervy hacker used to find him.

Shodan crawls the internet looking for devices, many of which are programmed to answer. It has found cars, foetal heart monitors, office building heating-control systems, water treatment facilities, power plant controls, traffic lights and glucose meters. A search for the type of baby monitor used by the Gilberts reveals that more than 40,000 other people are using the IP cam—and may be sitting ducks for creepy hackers.

“Google crawls for websites. I crawl for devices,” says John Matherly, the tall, goateed 29-year-old who released Shodan in 2009. He named it after the villainous sentient computer in the videogame System Shock. “It’s a reference other hackers and nerds will understand.”

Matherly originally thought Shodan would be used by network behemoths like Cisco, Juniper or Microsoft to canvas the world for their competitors’ products. Instead, it’s become a crucial tool for security researchers, academics, law enforcement and hackers looking for devices that shouldn’t be on the internet or devices that are vulnerable to being hacked.

An industry report from Swedish tech company Ericsson estimates that 50 billion devices will be networked by 2020 into an ‘Internet of Things’. Matherly’s the only one putting the results of the surveying into a public search engine. “I don’t consider my search engine scary,” says Matherly. “It’s scary that there are power plants connected to the internet.”

Shodan’s been used to find webcams with security so low that you only needed to type an IP address into your browser to peer into people’s homes, security offices, hospital operating rooms, child care centres and drug dealer operations. Dan Tentler, a security researcher who has consulted for Twitter, built a program called Eagleeye that finds webcams via Shodan, accesses them and takes screenshots. He has documented almost a million exposed webcams. “It’s like crack for voyeurs,” he says.

After finding a vulnerability in a common piece of building software, Cylance security researcher Billy Rios used Shodan, in conjunction with another tool, to find that banks, apartment buildings, convention centres and even Google’s headquarters in Australia, had security, lights and heating and cooling systems online that could be controlled by a hacker.

“There are 2,000 facilities on the internet right now that if someone guesses the IP address, they can take over the buildings,” says Rios. The Department of Homeland Security revealed earlier this year that hackers have taken advantage of this, virtually breaking into the energy management systems of a “state government facility” in 2012 to make it “unusually warm” and of a “New Jersey manufacturing company” in early 2013; they got in using Shodan.

Matherly grew up in Switzerland, dropped out of high school at 17 and moved to the States to live with his flight attendant aunt in San Diego. Earning his way initially by working at a bookstore, he went to community college and then on to a degree in bioinformatics from the University of California, San Diego.

He got a job at the university’s supercomputer centre, working on a protein database project. After short stints programming for a startup and doing web design for the Union-Tribune, he started building Shodan. Its freemium model has paid the bills since then so he can add more crawlers to scan more of the internet. A free search will get you 10 results. Approximately 10,000 users pony up a nominal one-time fee of up to $20 to get 10,000 results per search. A dozen institutional users, all of them cybersecurity firms, pay five figures annually for access to Matherly’s entire database of 1.5 billion connected devices.

Shodan is a one-man operation, and you can tell by using it. It lacks Google’s clean search interface. You have to know some part of a device’s signature to find what you’re looking for. The results include Internet Protocol language a casual user won’t be familiar with.

But it can be the most effective way to show the impact of a security flaw in a product: A tally on the left-hand side of the screen after a search tells you how many of those devices are on the internet and in which countries they are.

The feds could make life difficult for Matherly if they choose to go after him under the Computer Fraud & Abuse Act, which forbids unauthorised access to computer systems. An aggressive prosecutor in March put Andrew “weev” Auernheimer in jail for accessing a website AT&T had put on the internet with the inadvertent inclusion of email addresses for its iPad customers. “I don’t try to log into servers or anything that could be considered hacking,” he says.

Rather than be prosecuted, Matherly should be rewarded for calling attention to the incredibly stupid mistakes that gadget companies make when configuring their products and the inattention of consumers to the security of the products they buy. Everything that connects to the internet should be password-protected, and many aren’t. Nor should these devices ship with a default user name and password, yet many do.

Last year an anonymous user took control of more than 400,000 internet-connected devices using just four default passwords and used them to build a data set much like Shodan’s. “Everybody is talking about high-class exploits and cyberwar,” wrote the unnamed operator, who wisely stayed anonymous to avoid legal complications. “[But] four simple, stupid, default Telnet passwords can give you access to hundreds of thousands of consumers as well as tens of thousands of industrial devices all over the world.”

Matherly hopes Shodan leads to more transparency and public shaming of companies that are selling vulnerable systems, but he’s not optimistic. “Everything is going on the Internet whether you want it or not,” says Matherly.