Welcome to my House, the Default Password is “Password”!
“[…] We’ve heard a lot about Shodan lately, what do you think about it? Is it really working? Can we really find addresses of physical objects connected to the IP network with it? Including potentially critical machines such as Nuclear power-plants and the like?”
An interesting one actually. But first things first: what is Shodan? Shodan is, in essence, a search engine. However, unlike Google, which searches for documents and content, Shodan hunts the Web for physical devices. It scans addresses trying to find networked objects and to assess their security level. A side effect of Shodan is that if a device is not secure, its back-doors are exposed to anyone on the Web, hence making it easier to sneak into the device.
However, the vast majority of the devices Shodan registers are routers, gateways and other network components so you may ask “Why should the Internet and the Web of Things care?”.
These evolutions have made physical objects more accessible from the digital world than ever before. They also drastically simplify the interconnection of physical objects. However, this new way of digitally connecting or augmenting objects isn’t totally risk-free. Indeed, in the Web of Things, you can potentially access any device or object like you would browse a Web page. A (simplified) example using HTTP would look like:
PUT https://my-home-address.com/devices/tv/next – which could zap to the next channel, or…
DELETE https://my-home.address.com/devices/tv – which could turn your TV off.
Clearly, in the example above, with no added security layer your TV is at risk! 😉
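To make the “no added security layer” point concrete, here is an added illustration (not code from the original post): a minimal handler for the two requests above, written as a pure Python function so it runs offline. The `require_auth=False` path is the open TV from the example; the default path refuses any request that lacks a valid bearer token. The function names, the in-memory TV state and the token value are assumptions made for the example.

```python
import hmac

# Constructed in-memory TV state; stands in for a real device behind a WoT gateway.
def new_tv():
    return {"power": "on", "channel": 1}

# Constructed bearer token for the example; a real deployment issues per-client credentials.
VALID_TOKEN = "example-token-not-real"

def authorized(headers):
    """Check the Authorization header using a constant-time comparison."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return False
    return hmac.compare_digest(value[len("Bearer "):], VALID_TOKEN)

def handle_request(method, path, headers, tv, require_auth=True):
    """Dispatch the two operations from the post:
    PUT /devices/tv/next (next channel) and DELETE /devices/tv (turn off).

    require_auth=False models the 'no added security layer' case: anyone on
    the Web can drive the TV. With require_auth=True, requests without a valid
    bearer token get 401 and the device state is left untouched.
    Returns an (HTTP status, TV state) tuple.
    """
    if require_auth and not authorized(headers):
        return 401, tv
    if method == "PUT" and path == "/devices/tv/next":
        if tv["power"] == "on":
            tv["channel"] += 1
        return 200, tv
    if method == "DELETE" and path == "/devices/tv":
        tv["power"] = "off"
        return 200, tv
    return 404, tv
```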
Indeed, by enabling this to happen over a simple Web browser we simplify our lives but also the lives of hackers. However, here we can also directly leverage the Web’s best practices. The Web isn’t 100% bomb-proof but it offers pretty decent security systems if used correctly. Moreover, Web security is definitely one of the most active research fields in computer science because Web security really matters: for business, for personal data, for on-line transactions, etc. Just like Open Source software, the Web is constantly evolving to become more secure. Therefore physical objects that are part of the WoT can directly benefit from these advances, which isn’t necessarily the case for objects in an Intranet of Things.
So what Shodan is really about is education. I see it as a platform basically saying “Hey, if you do connect your devices to the WoT make sure you ask (Web) security experts to audit it!”
This is where platforms like the EVRYTHNG API can really help. While you could directly open your devices and their data to everyone on the Web, it probably makes more sense to connect them to a trusted WoT platform like EVRYTHNG, where access to your data and physical devices directly benefits from state-of-the-art and constantly improving security and access control systems.
Back to the interview question:
“[…] Including potentially critical machines such as Nuclear power-plants and the like?” – which translates to “should we panic?”
My answer would be, no. Not yet! Most of the big hairy scary machines out there like Nuclear reactors are working within an Intranet of Things, quite often in total isolation from global networks, using proprietary M2M (Machine to Machine) protocols. However, the revolution is underway and we’d better make sure we are ready and take IoT and WoT security seriously; putting these things in the hands of experts and using trusted platforms and systems.
But to give you a sense of BIG machines using Web protocols: a couple of years ago, while visiting CERN, it was hinted that parts of the Large Hadron Collider’s control systems were using the Web and HTTP. This may have just been a rumor, but it would be more than natural considering that this is where the Web story began, 23 years ago…