Welcome to my House, the Default Password is “Password”!

November 8, 2013

In a recent interview for the Swiss newspaper Le Temps I was asked what I thought of Shodan; the question was along these lines:

“[…] We’ve heard a lot about Shodan lately, what do you think about it? Is it really working? Can we really find addresses of physical objects connected to the IP network with it? Including potentially critical machines such as Nuclear power-plants and the like?”

An interesting one actually. But first things first: what is Shodan? Shodan is, in essence, a search engine. However, unlike Google, which searches for documents and content, Shodan hunts the Web for physical devices. It scans addresses trying to find networked objects and to assess their security level. A side effect of Shodan is that if a device is not secure, its back doors are exposed to anyone on the Web, which makes it easier to sneak into the device.

However, the vast majority of the devices Shodan registers are routers, gateways and other network components, so you may ask “Why should the Internet and the Web of Things care?”

Well, let’s start over again. Recent years have witnessed a silent revolution in terms of networked objects. We moved from Intranets of Things, i.e. networks of isolated objects using obscure, proprietary protocols, to the Internet of Things (IoT), where things are connected using Internet protocols such as TCP/IP. Then, around 2007, we and a number of our fellow researchers kicked off an iteration of these concepts called the Web of Things (WoT). In the Web of Things, objects are not only connected at the network level with Internet protocols (TCP/IP, 6LoWPAN, etc.) but they also feature the application languages and protocols of the Internet, also known as “the Web”. They speak HTTP, offer RESTful APIs, serve HTML, understand JavaScript, push data using HTML5 WebSockets, etc. While we believed this was a far-fetched vision, a number of consumer electronics manufacturers have readily followed these steps, e.g., Samsung’s TVs connect to TCP/IP (IoT), feature Web servers and allow HTML5 apps to be deployed on them (WoT). Big consortia like the IPSO Alliance are showing the way: this little revolution is happening today!

These evolutions have made physical objects more accessible from the digital world than ever before. They also drastically simplify the interconnection of physical objects. However, this new way of digitally connecting or augmenting objects isn’t totally risk-free. Indeed, in the Web of Things, you can potentially access any device or object just as you would browse a Web page. A (simplified) example using HTTP would look like:

PUT https://my-home-address.com/devices/tv/next – which could switch to the next channel, or…

DELETE https://my-home-address.com/devices/tv – which could turn your TV off.

Clearly, in the example above, with no added security layer your TV is at risk! 😉
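To make the “no added security layer” point concrete, here is an added example (not code from the original post or from EVRYTHNG): a toy Web of Things device handling the post’s PUT /devices/tv/next and DELETE /devices/tv, first honouring every request, then requiring a bearer token and refusing remote control altogether while the factory default password (the one from the title) is still set. The token, password and class names are constructed for illustration.

```python
import hmac

DEFAULT_PASSWORD = "Password"  # factory default, as in the post's title (constructed)


class Tv:
    def __init__(self):
        self.on, self.channel = True, 1


class OpenDevice:
    """The post's unprotected case: any verb from anyone is honoured."""

    def __init__(self):
        self.tv = Tv()

    def handle(self, method, path, headers):
        return self._dispatch(method, path)

    def _dispatch(self, method, path):
        # Returns an (HTTP status, JSON-like body) tuple for each route.
        if (method, path) == ("PUT", "/devices/tv/next"):
            self.tv.channel += 1
            return 200, {"channel": self.tv.channel}
        if (method, path) == ("DELETE", "/devices/tv"):
            self.tv.on = False
            return 200, {"on": False}
        return 404, {"error": "no such resource"}


class SecuredDevice(OpenDevice):
    """Same routes, but behind a credential check (hypothetical hardening)."""

    def __init__(self, admin_password, api_token):
        super().__init__()
        self.admin_password = admin_password
        self.api_token = api_token

    def handle(self, method, path, headers):
        # Refuse remote control while the default credential is unchanged:
        # a device in this state is exactly what a scanner would index.
        if self.admin_password == DEFAULT_PASSWORD:
            return 403, {"error": "change the default password before enabling remote access"}
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison so response timing does not leak the token.
        if scheme != "Bearer" or not hmac.compare_digest(token.encode(), self.api_token.encode()):
            return 401, {"error": "unauthorized"}
        return self._dispatch(method, path)
```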

IoT Security, The Ring

Indeed, by enabling this to happen over a simple Web browser we simplify our lives, but also the lives of hackers. However, here we can also directly leverage the Web’s best practices. The Web isn’t 100% bomb-proof, but it offers pretty decent security systems if used correctly. Moreover, Web security is definitely one of the most active research fields in computer science, because Web security really matters: for business, for personal data, for on-line transactions, etc. Just like Open Source software, the Web is constantly evolving to become more secure. Therefore physical objects that are part of the WoT can directly benefit from these advances, which isn’t necessarily the case for objects in an Intranet of Things.

So what Shodan is really about is education. I see it as a platform basically saying “Hey, if you do connect your devices to the WoT, make sure you ask (Web) security experts to audit them!”

This is where platforms like the EVRYTHNG API can really help. While you could directly open your devices and their data to everyone on the Web, it probably makes more sense to connect them to a trusted WoT platform like EVRYTHNG, where access to your data and physical devices directly benefits from state-of-the-art and constantly improving security and access control systems.

Back to the interview question:

“[…] Including potentially critical machines such as Nuclear power-plants and the like?” – which translates to “should we panic?”

My answer would be, no. Not yet! Most of the big hairy scary machines out there, like nuclear reactors, operate within an Intranet of Things, quite often in total isolation from global networks, using proprietary M2M (Machine to Machine) protocols. However, the revolution is underway and we’d better make sure we are ready and take IoT and WoT security seriously, putting these things in the hands of experts and using trusted platforms and systems.


But to give you a sense of BIG machines using Web protocols: a couple of years ago, while visiting CERN, it was hinted that parts of the Large Hadron Collider’s control systems were using the Web and HTTP. This may have just been a rumor, but it would be more than natural considering that this is where the Web story began, 23 years ago…

ABOUT THE AUTHOR: Dominique Guinard
