- Photo by Dave Maass
Ask John Matherly if he’s a hacker, and he’ll struggle for a moment with the term.
On one hand, he’s a hacker, in the sense that he’s an innovative programmer, arms deep in the information-security industry. On the other, he’s hypersensitive to how his baby—a project called Shodan—is portrayed in the press. In the past year, it’s surged in notoriety and not just in technology publications, such as Ars Technica and Wired. Shodan’s been the subject of multiple Washington Post investigative features, profiled on Dutch television and name-dropped by Sen. Joe Lieberman both in a statement on the Senate floor and in a New York Times op-ed, in which he characterized the site as a “nefariously named” hacking tool that was becoming more powerful and easier to use each year.
“I’m not doing anything malicious,” Matherly, who lives in Encinitas, says. “I’m trying to be a good citizen on the Internet.”
Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure.
Imagine a building. Now imagine a private detective checking out the building, snooping around the perimeter, noting what security company’s sticker is on the window, what kind of locks are on the doors, what kind of sprinkler system waters the landscaping, what brand of air conditioner is mounted on the roof, what electric company services the smart meter around the back. Now imagine that investigator does the same thing for every office, every home, every school, every factory, power plant, hospital and football stadium and uploads it to a publicly available database. That’s what Shodan does, but with IP addresses.
It’s almost like an automated way to digitally case every joint in the world.
“But casing already usually implies some malicious intent,” Matherly says. “Because why are you casing in the first place if you’re not trying to get inside? My intention obviously is not to get inside. For the record, everything I do is 100-percent legal.”
American-born and raised in Switzerland, Matherly, now 28, dropped out of his Swiss high school and moved to San Diego in 2001 to live with his aunt and obtain a GED. He designed the first iteration of Shodan—named after the villainous artificial intelligence from the video game System Shock—while studying at Mesa Community College, but his original goal was to create a way for technology firms to conduct market research. When he formally launched Shodan in 2009, the hacking community quickly realized it had much greater potential; Matherly had created a living database of every insecure machine connected to the Internet, from home printers to large-scale industrial systems.
“The fact that somebody is basically shining a flashlight into a dark room shouldn’t be the part people are afraid of,” says Dan Tentler, a San Diego-based information-security consultant. “The part people should be afraid of is the fact that some genius decided to take, for example, a five-megawatt hydroelectric plant in France, put its control computer on the Internet and allowed everybody that knew about the IP address to connect to it and make changes to this dam, with no encryption or authentication to speak of.”
In other words, don’t blame the messenger.
During the last few years, Tentler’s been delivering shocking presentations on what he’s discovered using Shodan: security cameras, automated wine-chilling systems, electronic freeway signs, red-light cameras, ice-rink temperature monitors, institutional climate-control systems, fuel cells. In some cases, the systems are left entirely open; other times, the authentication process—such as a password—is improperly configured or set to the default.
“The list goes on,” Tentler says. “It’s insanity. There’s stuff that was connected to the Internet that in some cases I didn’t know existed, like septic systems that are fully automated, that you can connect to with a web browser.”
Obviously, it requires a certain level of technological sophistication to make the most of Shodan, but certain actions are easy enough for a lay person. For example, if a user plugs the term “auther” into Shodan, he will find hundreds, if not thousands, of unsecured web cams whose software was written by a programmer who misspelled “author.” If the user searches for “Iomega,” he can access personal storage devices, containing business documents, family photos and downloaded videos.
Shodan, Matherly says, reveals widespread reliance on “security through obscurity”—the misconception that the Internet is so big that you can put something online and, as long as it doesn’t show up on Google, no one will ever find it. That hasn’t been true for at least a decade.
“Bad guys doing bad things don’t use Shodan, they use their own scanner,” Tentler says. “Their scanners are automated, and when they find known vulnerabilities, they will automatically break in and drop malware or do whatever else attack they feel is necessary. Shodan is our ticket to this party that is 10 years old.”
Yet, the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team has had its eye on Shodan since at least 2010, when researchers began reporting how they were able to use it to find a certain type of industrial control system called SCADA (supervisory control and data acquisition) on the Internet. DHS expressed concern that hackers would use Shodan, and in July 2012, the FBI somewhat confirmed that fear. A cyber alert claimed a hacker using the moniker “@ntisec” used Shodan to publicly out businesses that were running a particularly vulnerable system. As a result, hackers allegedly accessed a New Jersey air-conditioning company’s internal climate-control and ventilation systems.
Matherly says that’s an aberration from the norm, and he’s never received a cease-and-desist letter or subpoena or been asked by the government to shut Shodan down. He’s careful in granting access to the database: Anonymous users are allowed to generate only 10 search results at a time, while registered users can see 50 results; paid subscribers can gain greater access. He estimates the site currently has about 80,000 users, mainly information-security professionals checking the security of their employers’ networks.
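The defensive use Matherly describes, professionals checking their own employer’s exposure, can be illustrated with a small triage script. This is an added example, not code from Shodan or the article: it takes constructed search records that use the same field names as Shodan’s JSON results (`ip_str`, `port`, `transport`, `data`, `org`), keeps only the hosts inside the organization’s own address ranges, and flags the two conditions the article describes, systems left entirely open and unauthenticated industrial protocols. The port table and the sample records are assumptions for illustration.

```python
import ipaddress

# Constructed sample records (not real hosts) shaped like Shodan's "matches" list.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp",
     "data": "Modbus/TCP unit 1", "org": "Example Utility"},
    {"ip_str": "203.0.113.22", "port": 80, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\nServer: camera-httpd\r\n", "org": "Example Utility"},
    {"ip_str": "198.51.100.5", "port": 443, "transport": "tcp",
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n", "org": "Other Org"},
    {"ip_str": "203.0.113.30", "port": 443, "transport": "tcp",
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n", "org": "Example Utility"},
]

# Assumed table of industrial protocols that carry no authentication of their own.
ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7", 20000: "DNP3", 44818: "EtherNet/IP"}


def triage(matches, own_ranges):
    """Return findings for hosts in own_ranges that look exposed.

    A finding is produced when the service is an unauthenticated ICS protocol,
    or when an HTTP banner shows the device served its page (status 200) to an
    unauthenticated probe, i.e. it was left entirely open.
    """
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    findings = []
    for m in matches:
        ip = ipaddress.ip_address(m["ip_str"])
        if not any(ip in n for n in nets):
            continue  # someone else's host; not our responsibility to triage
        reasons = []
        if m["port"] in ICS_PORTS:
            reasons.append(f"{ICS_PORTS[m['port']]} exposed; protocol has no authentication")
        banner = m["data"]
        status_line = banner.split("\r\n", 1)[0]
        if status_line.startswith("HTTP/") and " 200 " in status_line:
            reasons.append("HTTP service answers without demanding credentials")
        if reasons:
            findings.append({"ip": str(ip), "port": m["port"], "reasons": reasons})
    # Deterministic order: by address, then port.
    findings.sort(key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MATCHES, ["203.0.113.0/24"]):
        print(f["ip"], f["port"], "; ".join(f["reasons"]))
```

A host that answers 401 with a WWW-Authenticate header (the fourth record) is not flagged, because the check is for missing authentication, not for weak or default passwords.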
“Shodan is being used for good,” Matherly says. “There’s enough evidence for me to unequivocally argue that point…. It’s a tool. It can be used for both good and bad, but the vast majority of users have used it—historically, empirically, not just anecdotally—for good research that has been used by DHS and by other people to make the Internet safer.”
Matherly allows academic researchers to use the site for free, and the results so far are astounding. In one of the most recent examples, two researchers with the firm InfraCritical used Shodan to identify 7,200 devices linked to critical infrastructure systems in the U.S. In response, DHS is using the data to track down the private-sector owners of the devices to help them lock them down. DHS has also notified more than 100 countries about vulnerabilities identified through Shodan. In January, as The New York Times reported, researchers with Citizens Lab at the University of Toronto used Shodan to confirm that Egypt, Kuwait, Qatar, Saudi Arabia and the United Arab Emirates had deployed digital censorship software and that 18 nations—including Russia and India—were using digital surveillance and tracking equipment.
The next big development may be in medical devices, particularly as the health industry moves toward digital record keeping, Matherly says. The Washington Post reported on Christmas Day that a security researcher had been able to use Shodan to find a wireless glucose monitor that was vulnerable to hacking.
“I think, eventually, everything is going to be connected in a way, and these devices historically have not been security tested in a way that you would test Windows or something you know will be exposed to viruses or malware, or, speaking in general, random people connecting to it.”
Correction: The original version of this story stated that, according to The Washington Post, a hacker had used Shodan to locate a vulnerable glucose monitor in Wisconsin. It turns out the Post got it wrong and the glucose monitor was actually in North Carolina. Also, the individual who located it, Shawn Merdinger, tells us via Twitter that he doesn't consider himself a hacker, per se. We have amended the text to omit the reference to the state (if we simply changed it to "North Carolina," it would be factually inaccurate, since that is not what the Post reported) and to identify Merdinger as a security researcher.