CNN scared the daylights out of the tech community a few weeks ago with its profile of a search engine called Shodan. The search engine, which the network called “kind of a ‘dark’ Google,” is little known outside of its very narrow user base of academic researchers and law-enforcement officials. Anyone involved in IT support, IT managed services or IT security management should sit up and take note.
Basically, while Google indexes websites on the Internet, Shodan searches for and indexes devices connected to the Internet. This category is wide-ranging and includes such mundane, everyday gadgets as webcams and printers as well as the more exotic – and frightening: security cameras, traffic lights and even control systems for nuclear power plants. The system that controls the air-conditioning for your business could be indexed there.
Huge, Unaddressed Security Gap
Shodan represents, in short, a huge unaddressed security gap in many, if not most, companies’ IT systems as most Web-enabled devices these days are connected to the Internet for easier access and operation.
More frightening is the fact that it is easy enough to assemble and index this information, as some IT security analysts point out – and indeed Shodan is not the only example of this kind. It may be, though, the most user-friendly. Devices can be located based on city, country, hostname, operating system and IP.
CNN outlines a number of scenarios in which these devices – largely unprotected even if they serve as gateways to some very sensitive information or controls – could conceivably be hijacked. Certainly it is not difficult to come up with one’s own nightmare possibilities, from terrorists burrowing their way into a nuclear facility’s system to a rival company wreaking havoc on a warehouse management system the day a big order is to be processed and shipped.
How Likely Is Such a Hack?
The real question is, how likely is it that these scenarios will actually be realized? Can gaining access to one or more devices really bring a facility to its knees, given the other IT safeguards in place? It depends on whom you ask in the IT security community. Shodan and its related genre – the “Internet of Things” – is still new and untested enough that consensus is impossible to reach.
The Internet of Things, briefly, refers to connected devices and the ability to inventory, track and interact with such devices. Some security experts say that the guidelines that Shodan has put in place to prevent mischief are enough. Also, the intricacies involved in targeting a nuclear device’s control system via an errant, unprotected printer, for example, would be too much to bother with – that is, there would be easier ways to target such a facility if that is someone’s goal.
“Give it time,” is the opposite camp’s view. Proof-of-concept attacks via devices have already been created in isolated cases. With Shodan – and similar search engines – building scale and creating awareness, such attacks will only increase and become cleverer in the bargain.
Education Should Be Ongoing
One point security experts agree upon: Education about the risks of connecting anything to the Internet is essential and should be ongoing.
The trouble is that many workers assume their network is isolated when it is usually connected to the Internet at some point. Even industrial and infrastructure control networks, typically isolated, have some connectivity somewhere. Workers might not realize that.
Once that fact is driven home – along with the vulnerability that Internet-connected devices pose – a company’s IT security has made a big leap forward.