Shodan: Exploring the Dark Internet Bill Matonte, Brian Brokling, Chris Hamm.

Shodan: Exploring the Dark Internet

Bill Matonte, Brian Brokling, Chris Hamm


Overview

• What is Shodan
  o The dark Internet
  o The Shodan Story
  o How Shodan works
• Industrial Control Systems (ICS) and their vulnerabilities
• Countermeasures


The Dark Internet

• In order to understand SHODAN, you must understand where SHODAN operates: the dark Internet.
• As early as 2001, there could have been as many as 100,000,000 hosts that were completely unreachable.
• Many of these websites can be reached through "secure gatekeepers", but the security can be very lax.


The Shodan Story

• SHODAN was thought of in 2003 and launched in 2009.
• SHODAN is the brainchild of John Matherly. He named his creation after the evil artificial intelligence entity, SHODAN, from the System Shock series of video games.

• The main idea behind SHODAN is that there are many nodes on the internet, especially industrial and commercial systems, that use the internet, but are not normally considered part of it.

• SHODAN changes this paradigm.


Industrial Control Systems (ICS)

http://www.ipcprotects.com/images/control-network-security-diag-big.jpg

• Include much essential infrastructure
  o Nuclear power plants
  o Chemical processing plants
  o Energy pipeline monitoring and control
• Operate and monitor systems remotely
• Reduces cost
• Increases security risk
• Designed for function, not security


ICS Continued

• Lack basic security features
  o Encryption, Firewalls, Anti-Virus Software
• Systems difficult to update
• Default passwords often unchanged as a "safety feature"
• Before 2011 thought to be "Air-Gapped"
• In 2011 it was revealed that 7500 ICS nodes were exposed
• Only 17% required Passwords
• 20.5% were susceptible to known exploits.


Shodan the Search Engine

• Optimized to search for systems
• Uses Indexed meta-data stored in banners
• Filter information from banners to find vulnerable systems
• DEMO!!!


Countermeasures

• Restrict your devices to only allow packets to be broadcast inside the internal LAN
• Restrict what IP addresses can access your network from the internet
• Use a VPN to remotely access your network
• Change all default device passwords to something else
• Suppress or minimize verbose banners
• Run Shodan against yourself
  o See if you can find yourself with Shodan
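
Added example (not part of the original slides): a self-audit for the "suppress or minimize verbose banners" countermeasure, run over banners you have collected from your own services. The sample banners, product names, endpoints and INVENTORY_TERMS below are constructed for illustration, and the patterns are a starting heuristic, not a complete list.

```python
import re

# Constructed banners (not captured from real hosts); 192.0.2.0/24 is a
# documentation-only range and every product name here is hypothetical.
SAMPLE_BANNERS = {
    "192.0.2.10:80": "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.1 (Linux)\r\n"
                     "X-Powered-By: ExampleScript/5.3\r\n\r\n",
    "192.0.2.10:22": "SSH-2.0-ExampleSSH_6.2\r\n",
    "192.0.2.20:21": "220 FTP server ready\r\n",
    "192.0.2.30:80": "HTTP/1.1 401 Unauthorized\r\nServer: webserver\r\n"
                     'WWW-Authenticate: Basic realm="ExamplePLC Model 1200 HMI"\r\n\r\n',
}
# Product/model strings taken from your own asset inventory (assumed values).
INVENTORY_TERMS = ("ExamplePLC", "Model 1200")

PROTO = re.compile(r"^(?:HTTP/\d\.\d|SSH-\d+\.\d+-)")  # protocol version, not a leak
VERSION = re.compile(r"\b[A-Za-z][\w.-]*[/_ ]v?\d+(?:\.\d+)+\b")  # name + dotted version
OS_HINT = re.compile(r"\((?:Linux|Unix|Win32|Windows|Ubuntu|Debian)[^)]*\)", re.I)
EXTRA_HEADERS = ("x-powered-by", "x-aspnet-version")  # headers that only advertise

def audit_banner(banner):
    """Return a list of (category, evidence) pairs for one service banner."""
    findings = []
    for raw in banner.splitlines():
        line = PROTO.sub("", raw).strip()
        if not line:
            continue
        header = line.partition(":")[0].lower()
        if header in EXTRA_HEADERS:
            findings.append(("optional-header", header))
        findings += [("software-version", m.group(0)) for m in VERSION.finditer(line)]
        findings += [("os-hint", m.group(0)) for m in OS_HINT.finditer(line)]
        findings += [("device-identity", term) for term in INVENTORY_TERMS
                     if term.lower() in line.lower()]
    return findings

def audit_all(banners):
    """Map each endpoint to its findings; an empty list means a quiet banner."""
    return {endpoint: audit_banner(text) for endpoint, text in banners.items()}

if __name__ == "__main__":
    for endpoint, findings in audit_all(SAMPLE_BANNERS).items():
        print(endpoint, "quiet" if not findings else findings)
```

Each finding is metadata that a banner index can be filtered on; the FTP greeting in the sample shows what a minimized banner looks like.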
