Forgot your password?
typodupeerror
Security The Internet

The Search Engine More Dangerous Than Google 210

Posted by Soulskill
from the or-perhaps-a-catalog-of-people-doing-dangerous-things dept.
mallyn writes "This is an article about a search engine that is designed to look for devices on the net that are not really intended to be viewed and used by the general public. Devices include pool filters, skating rink cooling system, and other goodies. 'Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. ... A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.'"
This discussion has been archived. No new comments can be posted.

The Search Engine More Dangerous Than Google

Comments Filter:
  • dangerous? (Score:4, Insightful)

    by schlachter (862210) on Tuesday April 09, 2013 @03:48PM (#43405225)

    Is google dangerous? Sure, it can be used to do bad things. But that's like saying we've discovered a liquid more dangerous than water.

  • Obligatory (Score:2, Funny)

    by Anonymous Coward

    L-L-Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors.

  • I mean, how hard is it to ship new devices with something tougher than admin and 1234?

    • I mean, how hard is it to ship new devices with something tougher than admin and 1234?

      they should at least change the account name from "admin" to "luggage"....

      • Re: (Score:2, Interesting)

        by Joce640k (829181)

        They could keep "admin" but print a unique password on the router.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          They could keep "admin" but print a unique password on the router.

          Admin and Root are so commonly used across so many different hardware platforms and software applications that it's best to default to something else and immediately treat any login attempt by either as a hostile intrusion attempt.

          But as for why hardware ships with such easy defaults, it's because it's a default and as such, you should assume that damn near anybody on the planet who wants it, will get it eventually. So unless you're going to ship a different login/pw with every last unit, there's not really

          • Some companies do this.

            I was pleasantly surprised to see a Century Link DSL modem/wifi router come preconfigured with a WPA2, and a random passwords. Both the admin password and the WPA2 password were printed on the sticker on the bottom.

            If Century Link can do it, anyone should be able to.

        • That would require the consumer to spend more than $9.95 on the router, and we can't have that. This is ENTIRELY the consumers fault.

        • by c++0xFF (1758032)

          The serial number would work, as long as the device never publishes it to the outside world.

        • by mspohr (589790)

          A few cheap Belkin routers that I bought for my family do just this.
          They have a sticker on the bottom with a (hopefully) unique username and password.

        • by Khyber (864651)

          Already done on my Belkin.

          Problem is that if you just hit SUBMIT the router inputs the default password for you, no typing required, and you're in.

          What shit fucking security. I'll never touch another Belkin product.

    • by Hatta (162192) on Tuesday April 09, 2013 @03:54PM (#43405289) Journal

      Using a complex default will fool people into thinking the default is secure, and more people will fail to change it. If you're using the same default for every device, it doesn't matter what you use, it's not secure and needs to be changed.

      Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

      • by Attila Dimedici (1036002) on Tuesday April 09, 2013 @04:04PM (#43405439)
        You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality that is likely in those cases where the changed credentials have been lost) the company will either have to have maintained a database of the default credentials for every one of their devices they have shipped, or the end user will be SOL (which will probably result in them being very unhappy with the manufacturer).
        The fact of the matter is that a lot of these devices are going to be things which are infrequently accessed, so even if you file the credentials away in a "safe, secure" location by the time you need them again you may have forgotten where that was.
        • by tlhIngan (30335)

          You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality t

        • by gbjbaanb (229885)

          I have a new netgear router, the username and password was printed on the bottom along with the serial number (which I assume is unique). If they can do this, then making a random default password of 2 or 3 words concatenated together (as is the case with the netgear password) can't be too hard.

          In the case of a truly lost password, like the serial number sticker was damaged or stupidly removed for "safekeeping", then you could always re-flash the firmware with an update, last I remember you only need physic

      • by swb (14022)

        For network devices, what about some compromise that combined some part of the serial number and last 3 bytes of the MAC address? Most devices have the serial number machine readable and presumably the MAC address is as well.

        This would make guessing far more complicated, especially if there was some effort made in production to "randomize" serial number and MAC address relationships so they didn't march in linear lockstep.

        These values should be easily found on the equipment if there was any question as to

      • Done with the Netgear router I recently bought.
      • by greg1104 (461138)

        Most of the broadband modem/router devices I see now have a little sticker with unique information like the SSID, MAC address, and WPA key printed on them. You could usefully improve things just by making the default router password be the WPA key. People you've given the WPA key to would then also be able to reconfigure the router in the default config, but that's basically how it works now. When I visit someone non-technical and they invite me to read the WPA key from the router, invariably once I'm on

      • Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

        They already print (and track) a different physical serial number for each device, that's how they manage warranties. It can't be that hard to do the same using electronic hardware and computers. Sounds a lot easier, actually.

      • by lahvak (69490)

        Now they could issue a different default for every device, but that would require printing a unique card for each device...

        As noted by others, lot of consumer devices that people buy for their homes or offices do that. However, things like traffic light, pool water system or nuclear power plant control systems are supposed to be installed by some sort of qualified technician, and they should know better than to leave the default login and password in place.

      • by blueg3 (192743)

        All the companies using non-trivial "default" passwords use unique passwords anyway.

        It's actually, from my limited, anecdotal experience, pretty effective. The people that don't know to change the password are the same ones that just look up the password on the bottom of the router -- the one or two times (ever) they need it. For the cost of a single sticker, you can force them to (once) use an arbitrarily secure password.

      • by wvmarle (1070040)

        My WiFi router, now about 10 years old, does have a default password and a reset button to reset the device to that password.

        However the only way to access that router's inernals is to be on the LAN side (either WiFi or cable), then point a browser to 192.168.123.254, and enter the password. To get the router to connect via WiFi, you must first connect by cable, to even enable WiFi.

        Can't do much better than that. It's secure out of hte box: physical local connection needed to do anything to the device, afte

    • by jeffmeden (135043) on Tuesday April 09, 2013 @03:55PM (#43405321) Homepage Journal

      I mean, how hard is it to ship new devices with something tougher than admin and 1234?

      We tried using "12345" as the default but that turned out to be a bad idea, too.

      • by cusco (717999)
        That's the default for every Panasonic IP security camera. You would be amazed at the number of different pieces of security equipment with the defaults of admin/admin, and the enormous percentage of that equipment which is installed without changing that configuration. When we take over a customer site installed by others we can almost always take over the equipment by just looking up the default passwords on the web.
    • by femtobyte (710429) on Tuesday April 09, 2013 @03:58PM (#43405349)

      So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

      • by jeffmeden (135043) on Tuesday April 09, 2013 @04:03PM (#43405433) Homepage Journal

        So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

        To that end, the best option (but scarcely used on hardware interfaces) is to force someone to login as the admin before the device is functional, and during that login to force them to set a new password (with certain password rules prohibiting foolishly simple passwords). Do this, and the problem almost goes away, but the new problem of constant password recovery questions flooding tech support will commence. Most companies, sadly, choose the less secure/less pesky route of just letting it run with the default perpetually.

        • by cstdenis (1118589) on Tuesday April 09, 2013 @05:00PM (#43406097)

          Too expensive in lost sales.

          "I want to return this device. I plugged it in and it doesn't work"

        • How about making the default password something that is physical on the device but unique to each device?

          You know, something like a serial number.

          • by c++0xFF (1758032)

            This will work as long as the serial number isn't sequential (which makes brute-forcing much easier) and steps have been taken to prevent the device from publishing its serial number to anybody who happens to ask.

        • by cusco (717999)
          Axis cameras are the ONLY security camera that I've run into which insists that you set a password the first time that you log in, one of many reasons why they're our preferred brand. Unfortunately they don't insist on a secure password, so most installers end up configuring them as root/root or root/pass (their old default).
      • by blueg3 (192743)

        Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

        Clearly you've both identified and failed to identify the problem. Minimally-competent people *don't* recognize "1234", or other static passwords, as a flag that they need to change the password. You either need to *make* them do it or supply a unique password from the get-go.

    • by sinij (911942) on Tuesday April 09, 2013 @04:03PM (#43405435) Journal
      No default password could be secure. The only way is to force password change on first use.
      • Fine with a "real" computer, not really doable with a router. I don't even want to know how many of them are used without ever anyone having connected to them.

        And no, setting them up in a way that they don't "just work" out of the box is not really a solution either. Then the box is "too complicated" and people stop buying them in favor of a competitor's product, try to get that past marketing.

        • by sinij (911942)
          You really think something like redirect to "type in a new password" page on first use would kill sales? Most people understand that you need to have wireless password or your neighbors use up your megabytes, is adding router password such a stretch?
          • Where do those "Most people" live and can I move there? I'd love to live in a neighborhood with a hint of a clue. Then again, I don't, I'd lose my free WiFi access.

            Trust me, "most people" don't even understand why to have a password on their WiFi. And more than a few have no WiFi because their router/AP combo needs to have that configured before use and they couldn't figure it out, but the router "worked", so they stick with wired.

            Yes, I'm fairly sure such a requirement would label your routers as "complica

          • by aaarrrgggh (9205)

            I'd say I am pretty tech savvy. One particular Motorola router stumped me into calling tech support though. Intuitive, obvious, and clear are not universal. I understand how to configure a Cisco ASA (reasonably well)... But this stumped me. (You had to go to the router's home page to accept its terms and conditions or some such nonsense.)

            I was ready to go out and buy another unit...

      • by folderol (1965326)
        Instead of forcing how about nagging, wherever possible bring up a reminder message saying the the default is set, is the same as many others and *bad* people will know it is admin:12345
    • Re: (Score:3, Insightful)

      by HCase (533294)

      That would be a bad idea.

      1. A default password is a default password, and should be assumed to be public knowledge.
      2. A complicated default password will accidentally trick user into thinking it is more secure than admin/1234. For example, you have already been tricked.
      3. If the device is reset to factory default, the password won't be easily remembered, so a device may be stranded in a default or even unusable state until the owner can find the password via documentation, help-desk, or internet database o

      • by Rogue974 (657982)

        I was going to make your point #1 and agree with you #2 and #3.

        You last paragraph though is a HUGE problem. If you loose that piece of paper because it was separated from the packaging, or got wet while sitting in the warehouse and maintenance pulls it off the shelf to install it and it is useless, then the manufacturer gets a huge ear full because the facility was down because they were stupid enough to write the unique password on a slip of paper that was tossed with the packaging.

        In the world of instrum

    • by scubamage (727538)
      I have to agree with you. A number of MSO's supply routers and modems whose default username/password are based on the mac address, so every device has a unique combination.
  • Dangerous? Hah (Score:4, Interesting)

    by GameboyRMH (1153867) <gameboyrmh@NoSpAM.gmail.com> on Tuesday April 09, 2013 @03:54PM (#43405287) Journal

    There are some more dangerous than this that don't put silly search limitations on their users and are geared specifically for black hat use.

  • Internet of things (Score:4, Insightful)

    by Hentes (2461350) on Tuesday April 09, 2013 @03:55PM (#43405309)

    But that's the next big thing, haven't you heard? Giving net access to unsecured hardware is the way forward!

  • How many of these are clever honeypots deployed by whitehats? Probably not a significant proportion, but certainly some are.

    And two: if there really are so many unprotected, highly critical, easily discovered devices why is e-havoc not common place? Could the threat from internet connectivity be overstated? Surely if a service doesnt need to be on the internet at large, it shouldn't be. These kinds of reports presume that every system is vulnerable (and that's an appropriate assumption if you are in the

    • And two: if there really are so many unprotected, highly critical, easily discovered devices why is e-havoc not common place?

      Well, there's lots of unprotected, highly critical, easily discovered people and places in the US, but real-world havoc is also relatively uncommon. Probably for the same reasons--most people aren't evil, and there are harsh consequences for those who are.

    • by cusco (717999)
      How many of these are clever honeypots deployed by whitehats?

      Almost none. This stuff is installed by guys with coveralls and ladders, with as little interaction with the customer's IT department as they can get away with. Really. I've worked in the physical security industry for seven years, and every one of our competitors will avoid dealing with the IT staff if at all possible. Having server and network admins on staff is one of our selling points.
  • ...panting and sweating as you browse through my indexes.
  • The mention of a "cyclotron particle accelerator" control system sounds scary, but may not be. At least here at SLAC there are several levels of control systems, and the ones involved in life safety required physical access to locked areas. Even if someone somehow broke both electronic and physical security machines like this are not very dangerous, similar risk to a typical factory.

    I expect that nuclear reactors are far more secure. The "command and control" system may not actually control the reactor, but

  • Now if only we can gain access to Proteus IV and stop the "Demon Seed" [imdb.com] from spawning.

  • This is older news now. We've known for a while that wind turbines could be found on Shodan [contactandcoil.com].
  • by Spy Handler (822350) on Tuesday April 09, 2013 @04:16PM (#43405609) Homepage Journal

    than Shodan

  • by MindPrison (864299) on Tuesday April 09, 2013 @04:26PM (#43405739) Journal
    You need to sign up and register if you actually want to use it.

    Which technically will hold you liable for anything you search for, smart - and yet useless.
    Services doesn't work, constantly fails, down for maintenance etc...

    shoddy'an...

  • by GrueMaster (579195) on Tuesday April 09, 2013 @04:31PM (#43405787)
    Don't need any nefarious remote flushing going on.
  • Even scarier (Score:5, Interesting)

    by Beorytis (1014777) on Tuesday April 09, 2013 @04:36PM (#43405847)
    Even scarier is that if you follow one of the Shodan search results and login with admin:1234, you might end up in federal prison.
  • Also a random SSID and has remote login disabled. Of course, they had other issues with UPnP and stuff, but at least this makes remote attacks a little bit harder since they're more difficult to discover (still security through obscurity; if they have a dumb device that responds outside NAT, it's still game over). Nothing will stop people from making devices that should be private available publicly for the sake of convenience though.
  • because you are lazy, inept or hungover. Default passwords or "admin:admin" is braindead. You're a terrible admin if you do this, and you should feel terrible if you get cracked.

  • by wilson_c (322811) on Tuesday April 09, 2013 @04:46PM (#43405953)

    This is not at all surprising. We contracted a major premises security company to build out the entry-access systems in our company's new buildings a few years ago. Just to be clear, these control the locks to every door into all of the buildings as well as higher security areas within the buildings. The installers insisted that the control boxes for every building needed to have fixed public IP addresses and could not be behind a firewall in order to work. With little understanding of what they were actually asking, they would only enable service if we provided exactly that to them. Do I even need to mention that they left all of these control units running with default username and password?

    Needless to say, once functioning service had been established, I immediately moved everything behind a firewall with no forwarding whatsoever to the NAT private address range. Of course, everything works just fine. I later double-checked the installation guide, which allowed for even wider flexibility in installation, with no real network restrictions of the sort that the installers demanded. I'm sure, however, that if they had ever consulted that document, they would not have understood anything about the network installation instructions.

    A big part of the problem with things like this is that the systems are installed by people with next to no real network knowledge. They see their job as alarm, plumbing, cabling, construction, or whatever. So when they get to the networked component, they install it in the simplest, most straightforward manner that has been prescribed by someone only slightly more knowledgeable than they are. They are instructions designed to work in every situation for the dimmest of installers, making it possible to complete the contract as possible, even when the client has no one with network knowledge available. The installers, not understanding networks, see them as impenetrably cryptic and therefore secure from intrusion. In most situations there is no one whose job it is to assess security of these connected devices at the completion of the contract, much less tell the customer that they've left them with a risk.

    Sadly, the only real advice for these situations is to make companies (the client companies, I mean, not the vendors) understand that they need to be responsible for their own security. If they don't have the necessary expertise on staff, then they absolutely *need* to hire someone - no, not the damn Geek Squad - to check that any network connected device is secure. If they don't then they own the resultant problems. I suppose, in the long run, that insurance companies will require some sort of compliance if potential risk is to be insured.

  • From the article.

    "The good news is that Shodan is almost exclusively used for good. ... Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan. "

    Like Law Enforcement can be considered to only use this for good. And whose law enforcement...(USoA, China, UK, France, ....)? Will they follow due process and obtain warrants, where necessary. I think not.

  • From what I see on the site by clicking on the link in the summery:
    This page (http://www.shodanhq.com/) is currently offline. However, because the site uses CloudFlare's Always Onlineâ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version.

  • by gmuslera (3436) on Tuesday April 09, 2013 @05:35PM (#43406473) Homepage Journal

    Since the start of internet is pretty common to see in logs hosts that do ip scanning. Having in the open one that shows to the public the kind of information that gets most of them since the beginning just put into the light how vulnerable are the guys without a clue. The good guys that have a clue had a firewall since the start, and the bad guys with a clue had that database compiled from long ago.

    So, its responsibility of the people that have devices on public ip addresses to block/filter/password them, and maybe to the cluelest government that is pushing a cyberwar since last decade to warn, educate, and assist on fixing their citizens on not be so trivially vulnerable. And, of course, thank, not punish, the people behind Shodan for this warning.

  • It's the inept and stupid implementers of these systems that are dangerous, not the search engine
    • It's the inept and stupid implementers of these systems that are dangerous, not the search engine

      Maybe you didn't read between the lines hard enough. Go to that serach engine, access ANY of those devices without permission, and thanks to the Computer Fraud and Abuse Act, you've just committed a fucking fellony, Fool!

  • Only a few minutes after visiting Shodan, via its Anniversary promo link (from a Google search),
    Firefox 20.0 cashed

    Coincidence or cause & effect...? You decide?

  • I had hi-res goatse pics ready and everything. No wireless. Less space than a nomad. Lame.

If it's not in the computer, it doesn't exist.

Working...