
Shodan “The Internet of Things”

Maxine Major December 12, 2013. Shodan “The Internet of Things”. What is Shodan? How it Works A Tour of Shodan What Shodan Finds Similar Searches. Overview. Search engine http://www.shodanhq.com/ Finds anything connected to the internet


Presentation Transcript


  1. Shodan “The Internet of Things” • Maxine Major • December 12, 2013

  2. Overview • What is Shodan? • How it Works • A Tour of Shodan • What Shodan Finds • Similar Searches

  3. What is Shodan? • Search engine • http://www.shodanhq.com/ • Finds anything connected to the internet • Named after the AI in System Shock 2 (1999), “Sentient Hyper-Optimized Data Access Network” • Developed by John Matherly • Went live in 2009 • Currently indexes over 500 million connected devices monthly • 10,000 Industrial Control Systems

  4. How Shodan Searches • Web search engines index websites • Shodan indexes metadata and banners • Port 21/TCP (FTP) • Port 22/TCP (SSH) • Port 23/TCP (Telnet) • Port 80/TCP (HTTP) • “Tell me what you can tell me about yourself.”

  5. Legality • Publicly available data • “public” in that it is unprotected • “Once that data is made public…it’s unclear whether it’s still protected by data security laws.” – John Matherly

  6. Tour of Shodan

  7. Tour of Shodan

  8. Tour of Shodan

  9. Tour of Shodan

  10. Tour of Shodan

  11. Narrowing the Search: Search Filters • city: apache city:"Zürich" • country: nginx country:DE • geo: apache geo:42.9693,-74.1224 • hostname: "Server: gws" hostname:google • net: net:216.219.143.0/24 • os: microsoft-iis os:"windows 2003" • port: 21 (FTP), 22 (SSH), 23 (Telnet)
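To make the filter semantics on this slide concrete, here is an added example (not code from the presentation or from Shodan) that parses the same query syntax and applies it to a small, constructed set of banner records, the way a defender might run an internal inventory query over their own banner captures. The record layout and the sample hosts are assumptions; the geo filter (coordinates) is not modelled.

```python
import ipaddress
import shlex

# Constructed sample records in the shape a banner-indexing crawler stores:
# one entry per (host, port) with location metadata and the raw banner text.
RECORDS = [
    {"ip": "216.219.143.10", "port": 80, "os": None, "city": "Zürich", "country": "CH",
     "hostnames": ["www.example.ch"], "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\n"},
    {"ip": "203.0.113.9", "port": 80, "os": None, "city": "Berlin", "country": "DE",
     "hostnames": ["web.example.de"], "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.4.0\r\n"},
    {"ip": "216.219.143.77", "port": 80, "os": "Windows 2003", "city": "Austin", "country": "US",
     "hostnames": [], "banner": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"},
    {"ip": "198.51.100.5", "port": 21, "os": None, "city": "Zürich", "country": "CH",
     "hostnames": [], "banner": "220 ProFTPD 1.3.3 Server ready\r\n"},
]

# Filters recognised from the slide; anything else is a free-text banner term.
FILTERS = {"city", "country", "hostname", "net", "os", "port"}

def parse_query(query):
    """Split 'apache city:"Zürich" port:80' into free-text terms and (filter, value) pairs."""
    terms, filters = [], []
    for tok in shlex.split(query):          # shlex keeps quoted values together
        key, sep, value = tok.partition(":")
        if sep and key.lower() in FILTERS:
            filters.append((key.lower(), value))
        else:
            terms.append(tok)
    return terms, filters

def matches(rec, terms, filters):
    """True when every free-text term occurs in the banner and every filter holds."""
    text = rec["banner"].lower()
    if not all(t.lower() in text for t in terms):
        return False
    for key, value in filters:
        if key == "port" and rec["port"] != int(value):
            return False
        if key == "net" and ipaddress.ip_address(rec["ip"]) not in ipaddress.ip_network(value, strict=False):
            return False
        if key == "hostname" and not any(value.lower() in h.lower() for h in rec["hostnames"]):
            return False
        if key in ("city", "country", "os") and (rec[key] or "").lower() != value.lower():
            return False
    return True

def search(query, records=RECORDS):
    """Return the IPs of all records matching a Shodan-style query string."""
    terms, filters = parse_query(query)
    return [r["ip"] for r in records if matches(r, terms, filters)]
```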

  12. Additional Features • Shodan API • Integrate Shodan into your own software • Scanhub • Make your own search engine built off nmap scans • Add Shodan to browser search engines • Note: Scans through Shodan are not real-time. They are produced from a crawler database.

  13. What Shodan Finds • 144 million web servers on Shodan • Microsoft’s IIS runs 8.5 million web servers • Allegro Software’s RomPager: 22 million servers • OEM embedded web server • Routers, switches, printers, etc.

  14. What Shodan Finds • Breakdown of Port Distribution (2012)

  15. What Shodan Finds • Cameras • Webcams • Security cameras • Home security systems • Printers • Refrigerators • Caterpillar tractor control panels • Medical Devices • Car Washes • Hospital fetal monitoring • Critical infrastructure (water, sewage, dams, …) • Automobile assembly lines • High School lighting systems • HVAC • Power Dam • Baby Monitors • Traffic Control Systems

  16. What Shodan Finds • Baby Monitors • August 2013: baby monitor hacked • Marc Gilbert heard voices from 2-yr old’s room • Verbal abuse from networked baby monitor • Foscam video/two-way audio cam • “admin” username default • New user account had been added: “Root” • Likely Shodan used to discover monitor

  17. What Shodan Finds

  18. What Shodan Finds • Elementary School Heating System

  19. What Shodan Finds • Caterpillar controls

  20. What Shodan Finds • Webcams & Security Systems

  21. What Shodan Finds • Swimming pool acid pump • Traffic control system

  22. What Shodan Finds • Wind turbines • Heart monitors

  23. What Shodan Finds • Security guards • Car washes

  24. What Shodan Finds • Not all systems found are legitimate • Demos • Honeypots

  25. Waterworks Honeypot • Trend Micro created a web-based simulation of an industrial control system (ICS) • Water pump facility • Water pump supervisory control • SCADA network • Purpose: to measure attacks on real-world systems • Targeted 17 times in 4 months • 12 to shut down water pump • 5 to modify pump process • Attacks came via Google and Shodan

  26. Research in Shodan • Security researcher Eireann Leverett developing a tool to match ICSs found on Shodan to known vulnerabilities (2011) • Intent to “allow defenders to assess their attack surface and prioritise the required interventions in a timely manner” • Can also be used for auditing • Research funded by BP

  27. Similar Searches • VxWorks • Platform developed by Wind River Systems (Intel) • WDB agent – system-level debugger • UDP Port 17185 • (2010) Rapid7 developer wrote a scanner for Metasploit to scan for WDB • Surveyed over 3.1 billion IP addresses • Discovered 250,000+ systems with WDB agent exposed • Discovered massive scan in 2006 by unknown party

  28. Similar Searches • Universal Plug and Play (UPnP) • UPnP Simple Object Access Protocol (SOAP) • 2013 Rapid7 white paper • “UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012.” • 81 million unique IPs responded • 20% SOAP API • Vulnerable to a single UDP packet for remote code execution

  29. Similar Searches • Internet Census 2012 (by “Carna Botnet”) • Started as a joke: telnet login root:root on random IPs • Binary uploaded to insecure devices • Watchdog w/ lowest priority • Scanned port 23 (Telnet) on IPv4 • Stopped after a few days. Included a README • Binary ran on 420,000 devices • 20% of unprotected devices found • 1.2 million unique unprotected devices identified by MAC • Most common unprotected device is router

  30. Similar Searches • Internet Census 2012 • Ignored: IPv6; devices without ifconfig; devices without a shell; 100k MIPS 4kce (embedded systems/game consoles) • Encountered Aidra botnet (malicious)

  31. Minimize Shodan Risks • Standard security practices • Restrict public-facing servers and devices • Use VPN or IP filters for external access (e.g., employee working from home wants to use company printer) • Always change password defaults • Suppress/minimize verbose banners • Test Shodan on your own devices • May not find you if you’re not already indexed (esecurityplanet.com)
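The “test Shodan on your own devices” and “suppress verbose banners” advice on this slide can be turned into a repeatable self-audit. The following added example (not from the presentation; the host record is constructed, and the port-to-practice mapping is an assumption drawn from slides 4, 27 and 31) takes one host's exposed services in a Shodan-like layout and flags management services that should sit behind a VPN or IP filter, plus banners that leak product versions.

```python
import re

# Constructed host record in the shape a Shodan host page presents:
# one entry per exposed service with port, transport and the captured banner.
HOST = {
    "ip": "203.0.113.20",
    "services": [
        {"port": 23, "transport": "tcp", "banner": "Login: "},
        {"port": 80, "transport": "tcp",
         "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS) PHP/5.3.3\r\n"},
        {"port": 443, "transport": "tcp", "banner": "HTTP/1.1 200 OK\r\nServer: Apache\r\n"},
        {"port": 17185, "transport": "udp", "banner": "WDB agent"},
    ],
}

# Services the slides single out as commonly exposed, each mapped to the
# practice on slide 31 that addresses it (assumed mapping, not from the slides).
MANAGEMENT_PORTS = {
    (21, "tcp"): "FTP: restrict to VPN or IP filter",
    (22, "tcp"): "SSH: restrict to VPN or IP filter",
    (23, "tcp"): "Telnet: restrict to VPN or IP filter and change default password",
    (17185, "udp"): "VxWorks WDB debug agent: must not be reachable from the internet",
}

# Product/version tokens such as "Apache/2.2.15" or "PHP/5.3.3";
# the protocol token "HTTP/1.1" on the status line is excluded.
VERSION_RE = re.compile(r"\b(?!HTTP\b)([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def audit_host(host):
    """Return (port, category, advice) findings for every exposed service."""
    findings = []
    for svc in host["services"]:
        key = (svc["port"], svc["transport"])
        if key in MANAGEMENT_PORTS:
            findings.append((svc["port"], "exposed-management", MANAGEMENT_PORTS[key]))
        for product, version in VERSION_RE.findall(svc["banner"]):
            findings.append((svc["port"], "verbose-banner",
                             f"{product} {version} disclosed; suppress the version in the banner"))
    return findings

if __name__ == "__main__":
    for port, category, advice in audit_host(HOST):
        print(f"{HOST['ip']}:{port} {category}: {advice}")
```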

  32. Beyond Shodan • Shodan is the first search engine of its kind. It’s possible and likely that other search engines could be more powerful. How long before society becomes aware of what makes something findable? Need to rewire how people think about connected devices.

  33. References
http://www.wired.com/images_blogs/threatlevel/2012/01/2011-Leverett-industrial.pdf
http://www.shodanhq.com/
http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-the-internet/
https://community.rapid7.com/docs/DOC-2150
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
http://internetcensus2012.bitbucket.org/paper.html
http://en.wikipedia.org/wiki/MIPS_architecture#Microarchitectures_based_on_the_MIPS_instruction_set
https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers
https://speakerdeck.com/hdm/derbycon-2012-the-wild-west
http://www.us-cert.gov/ncas/alerts/TA13-175A
http://www.shodanhq.com/help/filters
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
http://www.allegrosoft.com/embedded-web-server-s2
http://www.networkworld.com/news/2013/031513-scada-honeypot-267740.html
http://www.esecurityplanet.com/network-security/5-tips-to-protect-networks-against-shodan-searches.html
http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
http://userserve-ak.last.fm/serve/_/86825487/System+Shock+2+cover.png
http://money.cnn.com/gallery/technology/security/2013/05/01/shodan-most-dangerous-internet-searches/index.html
http://www.qmed.com/news/shodan-potential-nightmare-medical-device-users
http://www.slideshare.net/Shakacon/dan-tentler
http://secanalysis.com/a-brief-analysis-of-shodan/
http://siliconangle.com/blog/2013/06/26/how-shodan-searches-for-holes-in-the-internet-of-things/
http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf
