620 likes | 1.66k Views
Maxine Major December 12, 2013. Shodan “The Internet of Things”. What is Shodan? How it Works A Tour of Shodan What Shodan Finds Similar Searches. Overview. Search engine http://www.shodanhq.com/ Finds anything connected to the internet
E N D
Maxine Major December 12, 2013 Shodan“The Internet of Things”
What is Shodan? How it Works A Tour of Shodan What Shodan Finds Similar Searches Overview
Search engine • http://www.shodanhq.com/ • Finds anything connected to the internet • Named after AI in System Shock 2 (1999)“Sentient Hyper-Optimized Data Access Network “ • Developed by John Matherly. • Went live in 2009 • Currently indexes over 500 million connected devices monthly • 10,000 Industrial Control Systems What is Shodan?
Web search engines index websites • Shodan indexes metadata and banners • Port 21/TCP (FTP) • Port 22/TCP (SSH) • Port 23/TCP (Telnet) • Port 80/TCP (HTTP) • “Tell me what you can tell me about yourself.” How Shodan Searches
Publicly available data • “public” in that it is unprotected • “Once that data is made public…it’s unclear whether it’s still protected by data security laws.” – John Matherly Legality
Search Filters • city apache city:"Zürich“ • country nginx country:DE • geo apache geo:42.9693,-74.1224 • hostname "Server: gws" hostname:google • net net:216.219.143.0/24 • os microsoft-iis os:"windows 2003" • port 21 (FTP), 22 (SSH), 23 (Telnet) Narrowing the Search
Shodan API • Integrate Shodan into your own software • Scanhub • Make your own search engine built off nmap scans • Add Shodan to browser search engines • Note: Scans through Shodan are not real-time. They are produced from a crawler database. Additional Features
144 million web servers on Shodan • Microsoft’s IIS runs 8.5 million web servers • Allegro Software’s RomPager: 22 million servers • OEM embedded web server • Routers, switches, printers, etc. What Shodan finds
Breakdown of Port Distribution (2012) What Shodan Finds
Cameras • Webcams • Security cameras • Home security systems • Printers • Refrigerators • Caterpillar tractor control panels • Medical Devices • Car Washes • Hospital fetal monitoring What Shodan Finds • Critical infrastructure (water, sewage, dams, • Automobile assembly lines • High School lighting systems • HVAC • Power Dam • Baby Monitors • Traffic Control Systems
Baby Monitors • August 2013 Baby monitor hacked • Marc Gilbert heard voices from 2-yr old’s room • Verbal abuse from networked baby monitor • Foscam video/two-way audio cam • “admin” username default • New user account had been added. “Root” • Likely Shodan used to discover monitor What Shodan Finds
Elementary School Heating System What Shodan Finds
Caterpillar controls What Shodan Finds
Webcams & Security Systems What Shodan Finds
Swimming pool acid pump Traffic control system What Shodan Finds
Wind turbines Heart monitors What Shodan Finds
Security guards Car washes What Shodan Finds
Not all systems found are legitimate • Demos • Honeypots What Shodan Finds
Trend Micro created web-based simulation of an industrial control system (ICS) • Water pump facility • Water pump supervisory control • SCADA network • Purpose: to measure attacks on real-world systems • Targeted 17 times in 4 months • 12 to shut down water pump • 5 to modify pump process • Attacks came via Google and Shodan Waterworks Honeypot
Security researcher Eireann Leverett developing a tool to match ICSs found on Shodan to known vulnerabilities (2011) • Intent to “allow defenders to assess their attack surface and prioritise the required interventions in a timely manner” • Can also be used for auditing • Research funded by BP Research in Shodan
VxWorks • Platform developed by WindRiver Systems (Intel) • WDB agent – system level debugger • UDP Port 17185 • (2010) Rapid7 developer wrote a scanner for Metasploit to scan for WDB • Surveyed over 3.1 billion IP addresses • Discovered 250,000+ systems with WDB agent exposed • Discovered massive scan in 2006 by unknown party Similar Searches
Universal Plug and Play (UPnP) • UPnP Simple Object Access Protocol (SOAP) • 2013 Rapid7 white paper • “UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012. “ • 81 million unique IPs responded • 20% SOAP API • Vulnerable to a single UDP packet for remote code execution Similar Searches
Internet Census 2012 (by “Carna Botnet”) • Started as a joke: • telnet login root:root on random IPs • Binary uploaded to insecure devices • Watchdog w/ lowest priority • Scanned port 23 (Telnet) on IPv4 • Stopped after a few days. Included a README • Binary ran on 420,000 devices • 20% of unprotected devices found • 1.2 million unique unprotected devices identified by MAC • Most common unprotected device is router Similar Searches
Internet Census 2012 • Ignored: • IPv6 • Devices without ifconfig • Devices without a shell • 100k MIPS 4kce (embedded systems/game consoles) • Encountered Aidra botnet (malicious) Similar Searches
Standard security practices • Restrict public facing servers and devices • Use VPN or IP filters for external access • (e.g., employee working from home wants to use company printer) • Always change password defaults • Suppress/minimize verbose banners • Test Shodan on your own devices • May not find you if you’re not already indexed (esecurityplanet.com) Minimize Shodan Risks
Shodan is the first search engine of its kind. It’s possible and likely that other search engines could be more powerful. How long before society becomes aware of what makes something findable? Need to rewire how people think about connected devices. Beyond Shodan
http://www.wired.com/images_blogs/threatlevel/2012/01/2011-Leverett-industrial.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/01/2011-Leverett-industrial.pdf http://www.shodanhq.com/ http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-the-internet/ https://community.rapid7.com/docs/DOC-2150 https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play http://internetcensus2012.bitbucket.org/paper.html http://en.wikipedia.org/wiki/MIPS_architecture#Microarchitectures_based_on_the_MIPS_instruction_set https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers https://speakerdeck.com/hdm/derbycon-2012-the-wild-west http://www.us-cert.gov/ncas/alerts/TA13-175A http://www.shodanhq.com/help/filters http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers http://www.allegrosoft.com/embedded-web-server-s2?utm_expid=16278828-3.XjShHBhqQ1OFjzbnYYNwdA.1&utm_referrer=https%3A%2F%2Fwww.google.com%2F http://www.networkworld.com/news/2013/031513-scada-honeypot-267740.html http://www.esecurityplanet.com/network-security/5-tips-to-protect-networks-against-shodan-searches.html http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/ http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-the-internet/ http://userserve-ak.last.fm/serve/_/86825487/System+Shock+2+cover.png http://money.cnn.com/gallery/technology/security/2013/05/01/shodan-most-dangerous-internet-searches/index.html http://www.qmed.com/news/shodan-potential-nightmare-medical-device-users http://www.slideshare.net/Shakacon/dan-tentler http://secanalysis.com/a-brief-analysis-of-shodan/ http://siliconangle.com/blog/2013/06/26/how-shodan-searches-for-holes-in-the-internet-of-things/ http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf References