The Search Engine More Dangerous Than Google 210
mallyn writes "This is an article about a search engine that is designed to look for devices on the net that are not really intended to be viewed and used by the general public. Devices include pool filters, skating rink cooling system, and other goodies. 'Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. ... A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.'"
Dangerous? Hah (Score:4, Interesting)
There are some more dangerous than this that don't put silly search limitations on their users and are geared specifically for black hat use.
Re:astounding that defaults are not tougher (Score:5, Interesting)
So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.
To that end, the best option (but scarcely used on hardware interfaces) is to force someone to login as the admin before the device is functional, and during that login to force them to set a new password (with certain password rules prohibiting foolishly simple passwords). Do this, and the problem almost goes away, but the new problem of constant password recovery questions flooding tech support will commence. Most companies, sadly, choose the less secure/less pesky route of just letting it run with the default perpetually.
Re:astounding that defaults are not tougher (Score:2, Interesting)
They could keep "admin" but print a unique password on the router.
Re:astounding that defaults are not tougher (Score:1, Interesting)
Even scarier (Score:5, Interesting)
Of course this happens. (Score:5, Interesting)
This is not at all surprising. We contracted a major premises security company to build out the entry-access systems in our company's new buildings a few years ago. Just to be clear, these control the locks to every door into all of the buildings as well as higher security areas within the buildings. The installers insisted that the control boxes for every building needed to have fixed public IP addresses and could not be behind a firewall in order to work. With little understanding of what they were actually asking, they would only enable service if we provided exactly that to them. Do I even need to mention that they left all of these control units running with default username and password?
Needless to say, once functioning service had been established, I immediately moved everything behind a firewall with no forwarding whatsoever to the NAT private address range. Of course, everything works just fine. I later double-checked the installation guide, which allowed for even wider flexibility in installation, with no real network restrictions of the sort that the installers demanded. I'm sure, however, that if they had ever consulted that document, they would not have understood anything about the network installation instructions.
A big part of the problem with things like this is that the systems are installed by people with next to no real network knowledge. They see their job as alarm, plumbing, cabling, construction, or whatever. So when they get to the networked component, they install it in the simplest, most straightforward manner that has been prescribed by someone only slightly more knowledgeable than they are. They are instructions designed to work in every situation for the dimmest of installers, making it possible to complete the contract as possible, even when the client has no one with network knowledge available. The installers, not understanding networks, see them as impenetrably cryptic and therefore secure from intrusion. In most situations there is no one whose job it is to assess security of these connected devices at the completion of the contract, much less tell the customer that they've left them with a risk.
Sadly, the only real advice for these situations is to make companies (the client companies, I mean, not the vendors) understand that they need to be responsible for their own security. If they don't have the necessary expertise on staff, then they absolutely *need* to hire someone - no, not the damn Geek Squad - to check that any network connected device is secure. If they don't then they own the resultant problems. I suppose, in the long run, that insurance companies will require some sort of compliance if potential risk is to be insured.
Re:astounding that defaults are not tougher (Score:2, Interesting)
They could keep "admin" but print a unique password on the router.
Admin and Root are so commonly used across so many different hardware platforms and software applications that it's best to default to something else and immediately treat any login attempt by either as a hostile intrusion attempt.
But as for why hardware ships with such easy defaults, it's because it's a default and as such, you should assume that damn near anybody on the planet who wants it, will get it eventually. So unless you're going to ship a different login/pw with every last unit, there's not really much of a point. And doing that is a sheer nightmare from a technical support perspective, and frankly isn't worth doing unless you have a very limited list of customers.
It's better to go with an easy default and some kind of mechanism that will constantly bother the user until it gets changed.
Re:Slashdot brings you yesterday's news today (Score:3, Interesting)
...slashdot used to be a site that got tech news before it broke in the mainstream outlets.
You mean, like this [slashdot.org]?