Âé¶ą´«Ă˝

I never imagined a nuclear plant’s control system being online

John Matherly's search engine can find every single thing connected to the internet, and he's alarmed at how much infrastructure is open to online attack
Matherly
“The majority of industrial systems don’t even have the capacity to allow setting a password”
Jeff Wilson

The internet is bigger than people think, isn’t it?

Many people think that the web is the internet. They see the Googles, the Facebooks, the Reddits… but the web is something built on top of the internet and so only the tip of the iceberg. The iceberg is composed of webcams, power plants, printers… billions of devices.

When did this first strike you?

When I started out, I thought of the internet as very much a black box, but I always had the idea that it was huge. I didn’t think that I could actually survey everything connected to it, but I figured that nobody else was doing that so I could at least start collecting the data. It turned out you can crawl the whole internet, so I developed a tool to do that. And it was only when I released it as a search engine called Shodan that lots of people started finding non-websites: printers, databases, industrial control systems, cellphones, cars – a huge breadth of internet-accessible devices.

How does Shodan work?

There are about 4 billion possible public addresses that a device could have on the internet. Shodan randomly picks an IP address, goes there and then asks if it is running software that can be accessed online. If the device responds and essentially says “yes I am”, Shodan notes that and moves on to the next random IP address. It’s a scattershot approach, but it can find everything connected to the internet in just a few hours.

Why create such a search engine?

My original idea was to make a tool for market intelligence. I thought that I could use it to tell firms who was using their software and whether customers were regularly updating it, for example. Or I could tell them which countries prefer their product over a competitor’s. The idea was not about security.

As Shodan began to uncover online devices, which ones surprised you?

To me it was definitely the control systems. I come from a biology and computer science background and I really never imagined that anybody would find the system controlling a nuclear power plant on the internet, but there it was. It was taken offline very quickly after being discovered.

There were also weird things like car washes and crematoria – I had no idea that these things had become so advanced.

Can anyone connect to these systems and meddle with them?

No. There’s a big difference between being able to connect and being able to cause damage – that’s only usually possible if you have a good understanding of how they operate. If you don’t work with control systems for, say, big turbines, you probably don’t know how these things work. Still, there’s no good justification for having power plants accessible like this in the first place.

Why is such critical infrastructure online at all?

Let’s say you run a wind farm with many wind turbines. If you want to fix a software bug, you don’t want to send a technician to every location. That is a complete nightmare, and expensive. Being able to access the turbines over the internet is an obvious solution.

Still, why would they be so openly accessible?

These control systems often don’t have any authentication. The software they run is usually proprietary and very often was designed 15 to 20 years ago. As such, it doesn’t include user authentication or security because it was only designed to be accessible locally. When you see such systems on the internet, it often means you have complete administrative access.

Have you ever called someone up in the middle of the night to warn them that something important was online?

There have been a few instances. I’ve found some large databases full of personal user information exposed, for example. But I don’t usually call the companies who are responsible: they may shoot the messenger. I go to government agencies whose sole objective is to react to computer intrusion – any sort of dangerous or malicious activity. You can report vulnerabilities to them and they will follow up with the organisation.

Could hackers use Shodan maliciously?

In many ways, Google is a tool that you could use for malicious purposes. At the end of the day Shodan is a tool too – a different type, for a different audience.

We take as many steps as we can to limit abuse. For example, we don’t let users download the whole data set unless we have an enterprise agreement with their company. And we take steps to prevent people accessing Shodan anonymously. But even before Shodan there were ways for people to find such information – using malware, for example. At least now there’s a way for the good guys to get some visibility into the internet too.

Does the growing internet of things worry you?

I’m concerned about the direction that it is taking, because security in general is an afterthought. Everything from smart TVs to lawn sprinklers and light bulbs are all getting connected and controlled via the internet. And people often don’t appreciate that these devices now contain full-on computers – they aren’t dumb any more. How are you going to deal with infectious malware inside your light bulbs?

Another danger is criticality in numbers. If you can only compromise a few hundred smart refrigerators, it’s probably not a big deal. But what if you can compromise all the refrigerators on a continent? Or all the air-conditioning units in Texas during summer? These are devices that we don’t tend to replace for a long time and if you don’t get the security right early on, fixing it later is very difficult.

Is the public is aware of the vulnerability of their gadgets?

To some extent. Earlier this year the Ars Technica website published a story on how webcams have terrible security – it made a reference to hackers watching other people’s sleeping babies. Understandably, it elicited a very emotional response. You can find webcams that are accessible using Shodan, but it’s worth noting that there are fewer than 10,000 of them, the majority being cheap knock-offs bought from China.

How can everyday users protect themselves?

The simplest lesson is, if you can access your device over the internet with your smartphone or computer, make sure it has authentication/passwords enabled. If it doesn’t, the chances are anybody else on the internet can also access it. The second lesson is to buy products that automatically update their own software.

Do you think we’ll see more serious cyberattacks on connected devices in future?

I’d be surprised if we didn’t. Just looking at some of the key products being released today, anything outside of smartphones, PCs and servers have poorer security than people might expect, and some have very serious security problems. Then there are industrial control systems. People assume that they have many layers of security, yet the majority of industrial protocols don’t even have the capacity for authentication, meaning the software doesn’t even support setting a password. These are mistakes that we just shouldn’t be making any more, which is why I suspect the problem will get exponentially bigger.

Profile

John Matherly is a Texas-based software engineer and the creator of Shodan, a search engine launched in 2009 for the internet of things

Most exposed

Conservative estimates of insecure industrial control systems

US
54,501

China
17,648

Canada
6498

Italy
4574

France
4408

UK
4222

This article appeared in print under the headline “The internet of unprotected things”

Topics: Computer crime / Hacking / Internet