Cyber Security: Shodan Shodan is a tool that catalogues millions of devices connected to the Internet. It was launched in 2009 by computer programmer John Matherly, who, in 2003, conceived the idea of searching for devices linked to the Internet. The name Shodan is a reference to SHODAN, a character from the System Shock video game series - see the wonderful graphic on the right! It collects information about the operating systems they use, their configurations and even in some cases default user names and passwords for accessing them. Using Shodan to find computers connected to the Internet is legal. However, it is an offence under the Computer Misuse Act 1990 to try and gain access to a computer without authorization - even if you failed to get in, you could well be found guilty of a crime. It is incredibly easy to break the law if you misuse information from Shodan, so don't do it! Addressing the security challenges of IoT systems is a multi-pronged effort, with researchers in academia and industry working on developing new technology solutions for improving their security. It is also critical that engineers are trained to ensure that security and privacy is considered as a core part of the design and development of all computer systems, including the Internet of Things. If you click on the graphic below the video will play. (The original can be found on this page - but just in case it got taken down I have reproduced it on here.)
NARRATOR: Shodan is a search engine. But rather than just list web pages, it stores information about devices connected to the internet - Not just conventional computers and servers, but also routers, switches, and internet of things devices. It works by scanning the network ports of devices and retrieving what are known as banners. A banner is nothing more than a piece of text that displays information about a particular device. A banner can list the type of services offered by that machine, the software it is running, when it was last updated, even default user name and passwords. Not all machines display banners. Indeed, in some cases, they should not publish a banner at all. And the banner information can be out of date or is misleading. However, examining a banner is one way of learning more about a computer and its vulnerability to attack. We can also use Shodan to identify computers that may not been correctly set up. Most devices are supplied with default user names and passwords, and we're encouraged to change these as part of the setup process. All too often, however, this isn't done. And these machines represent a serious security risk. The banners examined by Shodan occasionally include default passwords supplied by the manufacturer. This is no guarantee that the password will work, but it does suggest that computer may not be correctly set up. Looking at the banner for this computer, I can tell from the 401 message that it requires me to enter a username and password. I can also see that the default user name is "admin" and the password "1234". This doesn't guarantee that this user name and password would still work, but if I was trying to attack this computer, it would be a good way to find out. Whilst it might be very tempting to connect to this computer and try that combination, I won't be doing it. It's an offence under the Computer Misuse Act 1990 to try and gain access to a computer without authorization. And even if I failed to get in, I could well be found guilty of a crime. It's incredibly easy to break the law if you misuse information from Shodan, so don't do it. Having said that, let's try one last search. Programmable logic controllers are found just about everywhere and can be attacked just like any other computer. Shodan allows us to search for PLCs. In this case, I'm going to look at the Siemens PLCs running the same System 7 software as the uranium enrichment plant at Natanz. System 7 often uses a particular network port, so the best way to find Siemens PLCs is to look for banners containing that port number, 102. As we can see, thousands of results from all around the world. I'll see if one I spotted earlier is still connected. Here it is. The banner tells me quite a lot about the PLC itself. The module information refers to a model number in Siemens catalogue, so I was able to search their site to learn a lot more about this PLC. This took me some time, so here's the page. Now I know that the PLC was released in 2012 and production ended in 2014, presumably to be replaced by a more modern device. That might mean this PLC isn't receiving regular software updates. I now know the model number, so it is possible to find out if there are any known security risks from using this PLC. Fortunately, the US government is here to help. The Department of Homeland Security regularly publishes advisories to industries and the public about potential computer security risks. This one, released in March 2014, lists six vulnerabilities in this family of Siemens PLCs, which could allow attackers to interrupt or stop their operations. It also highlights that this family of PLCs are used in a range of critical sectors. This PLC isn't just vulnerable, it is also quite likely to be working in an important facility. Siemens themselves published security notice about the PLC, detailing the security problems and how and the attackers did not need to be especially skilled. Siemens' recommendation for solving this problem was to update to version 4 of the firmware on the PLC. But as we can see, this PLC is still using the vulnerable version 3 and is still open to attack. Hopefully, this video has shown you how. Shodan can be a powerful tool for security researchers. It is also a tool that can be abused by people wishing to cause harm to computers and the people who depend on them. In case I wasn't clear enough before, attempting to gain access to a computer to change its programming is a crime in the United Kingdom and most other countries. So think very carefully about your actions, should you choose to use Shodan or any other computer security applications
|
|