Shodan Search Engine Is Honestly Scary, but There's Hope

Shodan isn't new, but the fears around it are as relevant as ever. The good news is, it exposes a problem that has answers.

Shodan is a little-known search engine that—unlike Google, which looks through Websites—searches for online content that's not created for public viewing. This includes "servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet," CNN Money reported April 8, calling Shodan "the scariest search engine on the Internet."

In these days of heightened cyber-security concerns, and increasingly connected devices, the report paints an ominous picture.

Shodan, it says, runs around the clock, collecting information from 500 million-plus connected devices and services each month.

"Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium," the report said. "Cyber-security researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

"What's really noteworthy about Shodan's ability to find all of this—and what makes Shodan so scary—is that very few of those devices have any kind of security built into them," the report continued.

The upside to the story is that, again unlike Google, the number of searches that can be performed are limited. John Matherly, its creator, limits searches to 10 without an account and 50 with one, and there's also the matter of a payment.

Matherly said he uses the site "for good" and expects that folks with other intentions "may use it as a starting point" but are more likely to rely on botnets—infected computers that can be made to perform tasks without their owners' knowledge.

Lawrence Pingree, a research director with Gartner, says that Shodan shows what's been available on the Internet for years, but much more quickly and efficiently than it could previously be found.

"Without proper security technologies such as firewalls, intrusion prevention, vulnerability scanning technology and other security controls, any of these systems could potentially be breached by an attacker," Pingree told eWEEK.

"Placing any device without the proper protection mechanisms on the Internet, in an unpatched state without the proper security," he added, "makes you a sacrificial lamb for an attacker."

Research firm Extensia expects the number of machine-to-machine (M2M) connections—such as those used in smart heating systems, for example—to grow at an annual compound growth rate of 50 percent worldwide over the next 10 years.

By 2021, the firm expects the number of M2M device connections to reach 2.1 billion, and to have "far-reaching implications for communications service providers, vendors and networks."

In February, following reports that The New York Times, The Wall Street Journal and even the U.S. Federal Reserve had been hacked, President Obama signed an executive order that sought to help address cybersecurity concerns by allowing federal agencies to share information with private industry. A day later, the Cyber Intelligence Sharing and Protection Act of 2013 was introduced in the House of Representatives.

A criticism of the order is that while it's well intentioned, the best practices it sets forth aren't mandatory and can't be enforced.

IBM has said that enforcement should fall on an appointed, accountable person, such a chief security officer.

During an April 6 cyber-security event for the electric power sector, Andy Bochman, security energy leader for IBM Security advised, "The best way for a utility to introduce cyber-security into its infrastructure is to go in with a high-ranking executive to own the cyber-security risk for the enterprise."

Gartner's Pingree agrees.

"Security is a drag on most businesses. The most efficient way to make money is to do nothing—until you get hurt. But if you build a solution properly you can avoid the shortfalls and the costs involved with being breached," said Pingree. "You need someone in the organization to be a champion for security."

Follow Michelle Maisto on Twitter.