THERE’S something ugly out there, something that highlights the vulnerability of our networked security devices. Something that demands electronic security people start thinking about IT security.
It’s Shodan, for Sentient Hyper-Optimized Data Access Network, a search engine contrived by John Matherly back in 2009. Shodan snuffles around searching for servers, computers, routers, web cams, security cameras, cars, heart monitors, networked alarm systems, traffic lights, power station controls – anything with an IP address.
This search engine employs filters to undertake its searches and it hunts for anything programmed to answer a request. Using it, hackers have access millions upon millions of unprotected or poorly protected network connected devices.
Importantly, though, at the same time Shodan is being used by hackers to access devices, it’s being used with even greater vigour by security researchers to find open devices across the Internet and lock them up.
If it sounds far-fetched, according to a Forbes Report when Cylance security researcher Billy Rios found a vulnerability in a piece of building software, he used Shodan in conjunction with another tool, to find banks, apartment buildings, convention centres and Google’s headquarters in Australia all had security, lights and heating and cooling systems online that could be controlled by a hacker.
“There are 2000 facilities on the Internet right now that if someone guesses the IP address, they can take over the buildings,” Rios told Forbes at the time. Further, the U.S. Department of Homeland Security said earlier this year hackers had virtually broken into the energy management systems of a “state government facility” in 2012 to make it “unusually warm”.
Another security researcher, Dan Tentler recently built a program called Eagleeye that finds online cameras via Shodan, accesses them and takes screenshots. So far Tentler has documented almost a million exposed cameras. Just as spooky, last year an anonymous user took control of more than 400,000 Internet-connected devices using 4 default passwords and used them to build a data set much like Shodan’s, calling it the Internet Census 2012.
“Everybody is talking about high-class exploits and cyberwar,” wrote the unnamed operator, at the time. “4 simple, stupid, default Telnet passwords can give you access to hundreds of thousands of consumers as well as tens of thousands of industrial devices all over the world.”
Why does any of this matter? It’s because everything is going online to form an internet of things – it’s thought around 50 billion devices will be connected to the internet by 2020.
How much of this will be security gear? Plenty. I’ve viewed hacked surveillance cameras online myself. And as the industry pushes laterally, it’s likely there will be more and more devices out there, some of them installed by people not qualified to protect their remote functionality.
Whether responsibility rests with manufacturers, installers or end users is less of an issue than recognising that there is a risk. We must collectively acknowledge that power stations, government facilities, large organisations of national import, as well as small business and domestic homes, have forgotten doorways lost at the ends of millions of kilometres of Cat-5/6 and wireless network corridors.
The entire scenario highlights the sort of landscape the electronic security industry now inhabits – a place that’s made dangerous by its own flexibility, by its integrated remote functionality. And things get more risky as we continue to progress from a solid state template to a networked environment, with IP-addressable alarm systems and access control solutions.
Alarm systems and access control solutions with their interconnections to lifts, building management, process control and fire systems are not passive devices the way cameras are. They have relay outputs that control physical functions.
Sure you can jump on a security camera and view workers. But that’s not the same as attacking a building after having locked it down so no one can escape. Nor is it the same as opening doors for other intruders, or switching off alarm systems or fire alarm systems.
Yes, these are worst case scenarios but such scenarios need to be kept in the minds of manufacturers, distributors, integrators and end users. This applies doubly at a time when IT departments are being stripped of experienced staff as they themselves move towards ever greater remote automation.
By John Adams
