Introduction

The landscape of IoT has been changed completely since the appearance of Shodan, a search engine that lets users find Internet-connected devices such as traffic lights, webcams, routers, security cameras and more. Shodan crawls the Internet, looking for publicly-accessible devices in the IoT — many of which have minimal security. It’s been online for almost ten years.

Despite this fact, manufacturers have not been responsive to the potential threat posed by Shodan and services like it. It most likely will not be long until a massive global hack occurs that exposes millions, potentially billions, to devastating consequences.

This article will address how Shodan changed the landscape of IoT, why this problem is a manufacturer problem, and how security can evolve to tackle this problem. You should have a good grasp on the subject of IoT Security in the Shodan Age by the time you are done reading this article.

How Did Shodan Change the Landscape of IoT?

It is important to begin with the fact that Shodan was not the first tool hackers could use to attack IoT devices. This article will not be a doom-and-gloom, end-of-the-world vision of Shodan, because the basic fact is that IoT devices are hackable with or without it. Period.

However, Shodan has made it far easier to access IoT devices remotely, and in some cases shockingly so. Answering the bellyaching of big tech companies for the need to monitor their devices, Shodan was created in 2009. The immediate impact was that tech company employees, as well as pentesters, hackers and researchers, suddenly had the ability to monitor IoT devices such as webcams, security systems, garage doors and other IoT devices. Part of this was predicated on the fact that IoT devices often have weak default security protections. (But that will be discussed later.)

Dubbed “Google for hackers,” Shodan has been described as interesting, exciting and frightening.

Let’s say that you’re an information security professional with good knowledge of IoT but not familiar with Shodan. Where Shodan has not revolutionized the IoT landscape, it has changed the way that IoT devices are accessed, which should raise some serious security red flags for those working with IoT security.

The first and most shockingly-powerful function of Shodan is that it allows you to find the physical location of any Internet-connected device. You can search for devices by their IP addresses, find IP addresses of devices, find out what ports the devices are using and even what operating systems they are running on. Shodan also lets you search for a connected device’s default security credentials, the device’s domain or subnet, known vulnerabilities and even ports that are currently open. As you can see, Shodan has changed the field by allowing you to retrieve a substantial information profile on connected devices.

The biggest real-world change to the IoT landscape is the change in scale: No connected device is off-limits. Maybe twenty-five years ago or so, the ability to physically locate and access a connected device would not pose much of a security risk. This is in part because nothing much of true importance was connected to the Internet. Now things are quite different with Shodan, where paying a small monthly fee gives users the ability to search for connected devices to their heart’s content.

Why Is This a Manufacturer Problem?

The security problem that exists is between Shodan and Internet-connected devices rests solely in the laps of device manufacturers. This problem can also be fixed by manufacturers just as well.

The simple fact is that connected-device manufacturers have been falling off in the department of device security. Most commonly, connected devices come with weak passwords loaded as the default password or even with no passwords at all. This may seem like a small problem, but as time goes on, this problem will increase exponentially as more and more consumers stock their homes with connected devices.

Despite what device manufacturers may think, the average consumer is still pretty non-tech-savvy and may not have the technical awareness to manually check their device security configurations. In situations like these, devices with weak passwords will suffer from ineffectual security and those without passwords will continue to be insecure. Of course, as soon as the first major hack hits the IoT, major security overhauls may occur fairly quickly — though the hope is to properly remedy the problem so that Zero Day never comes.

With this said, manufacturers are clearly in the best position to prevent this problem from occurring in the first place. A simple change to the default security configuration is all that is needed to stop this problem, and surely this would work for consumer-connected devices. However, ICS and critical infrastructure-controlled devices are another issue indeed.

How Can Security Evolve?

One of the most important things to take away from this article is the fact that this problem can be resolved relatively easily, compared to the looming threat of a coming massive hack of IoT. Below are recommendations for how security can evolve to meet this rising new challenge.

Connected Device Security Training

First, and most important, is IoT-connected device security training for individuals and those working in critical infrastructure. The funny thing is that although critical infrastructure employees have far more at stake in terms of configuring their connected devices properly, the training would more or less be the same.

The crux of the training should cover connected device security passwords and how to change the default security password. This simple change would even the security playing field and make the ability to access a connected device have a similar difficulty level as, say, hacking into a business server.

Changes to Authentication

Another way that security can evolve in a smart direction is by using multi-factor authentication with your IoT devices. It should come as no surprise that this recommendation comes after you are trained on your device security, because a solid security password is fundamental to the whole security process. There are different ways that you can implement multi-factor authentication, so make sure that you find one that suits your organization’s connected device schema.

Security Updates and Patches

Without a doubt, making sure your devices are up to date with the latest security updates and patches has been in the lexicon of just about every PC user since the 1990s. Common sense says that this old responsibility would naturally flow to IoT devices, and it should not be shocking that this is the case. IoT devices need to be updated fully with all the latest patches, because hackers exploit IoT devices that are lacking in the security updates and patch department.

HTTPS

Using HTTPS on IoT devices is another great way to deal with the advent of broad IoT search tools like Shodan. As things stand now, HTTPS is the language that is commonly used in the back end of IoT, such as in application and Web servers. This convenience, coupled with the inherent security, makes using HTTPS with your IoT devices a home-run move.

Conclusion

Shodan has been quite the moving force on the IoT landscape in the almost decade that it has been in existence. While it may have made it easier for hackers to access and attack devices, this fact should be used as a learning experience for those who use IoT devices. Simply tightening up your security passwords, and especially changing them from their abysmal default settings, will fix most of the security issues stemming from Shodan with a good amount of room for IoT security to evolve in response.

 

Sources

  1. What is Shodan? The search engine for everything on the Internet, CSO
  2. Dark Side of the IoT? Shodan Search Engine, RTInsights
  3. A Beginner’s Guide to Securing Your IoT Devices, IoT for All