CNN recently published a sensational piece about “Shodan: The scariest search engine on the Internet.”
Unlike search engines like Google that scour the Internet for Websites, Shodan scours the Internet for IP addresses – that is, anything attached to anything that connects with the Web. That means the search engine doesn’t just discover your home router, but everything attached to it, including cameras and home automation systems.
According to CNN:
Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.
It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.
Scary indeed! But it doesn’t have to be.
We asked networking expert and CEDIA IT Task force member Bjørn Jensen of WhyReboot to comment on this story and the implications for home systems integrators. Here he presents the risks of these new “scary” bots and suggests ways for integrators to protect their clients … and profit from their services. – Julie Jacobson
For years many residential integrators have gotten away with being somewhat lackadaisical when it came to network security. This is because until now most hackers couldn’t be bothered to target a home, especially one with few connected devices.
But times are changing.
More and more people are telecommuting from a home office keeping important documents, passwords and other sensitive information on their home computers.
At the same time, an increasing number of devices such as computers, tablets and smart phones are connected to the Internet, not to mention Web-enabled home automation systems.
Another reason why homes are becoming likelier targets for hackers is that it’s easier than ever to find them.
Bots like Shodan crawl the Web, alerting would-be hackers to anything that might look interesting.
Shodan is a search engine for both hackers and do-gooders alike. It basically searches the Web for devices vulnerable to attack. It can acquire information such as device type, open ports, whether security is enabled, default passwords, etc.
As the article states:
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
Consumers who think no one would possibly target their unassuming home are missing the point.
It’s not that hackers are looking for a specific target, but that one of their digital minions may stumble upon you by accident and see something worthwhile to report to the bad guys.
Step it Up, Integrators!
I cannot tell you how many times I have come across integrators using the default username and password for any number of devices attached directly to the Web, whether it’s a camera DVR or a router.
It drives me insane because technically all I can do is tell them about the threat and it’s up to them to respond appropriately.
Worse, I cannot breach my clients’ trust by telling the homeowner about the threat. I have to rely on my client to do the right thing, which unfortunately doesn’t always happen.
Running port scans or creating bots to gather information about vulnerable networks connected devices is nothing new; however, sites like Shodan and neworder.box.sk make it easier than ever to find and exploit vulnerabilities.
Integrators need to realize that they are the ones in charge of protecting their clients because they are the ones implementing their systems. The client doesn’t know any better.
During CEDIA’s Remote System Access class at the EXPO last year, Mike Maniscalco from ihiji, who co-authored the class with me, stressed to the students how easy it is for their systems to be hacked and how using something like port forwarding should be avoided at all costs.
I caution my clients ad nauseam to heed this message and to use VPN systems whenever possible, because data in-between is encrypted and there are no open ports for hackers to exploit.
Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody’s home.
I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.
Some integrators take the next logical step of password-protecting their clients’ networked devices, but many don’t go far enough. They either keep the default or switch to something clever like “Password1” thinking they’ll outsmart somebody.
We may not have seen much hacking in the residential space yet, but we will.
As home automation becomes more ubiquitous and hacking via sites like Shodan becomes more accessible to the masses, unless you begin putting the right security protocols in place you are opening yourself up for a world of trouble.
To be honest, I’m surprised we haven’t seen more of it already. Start implementing VPNs for your clients and avoid port forwarding at all costs. At the very least make sure you use strong passwords.
Make clients understand the importance of a strong firewall with remote access capabilities. Just the thought of how many cameras and DVRs are out there with default usernames and passwords and voyeurs peeking into people’s homes makes me shudder.
You can bet that it’s already happening right now.
If you are not a master of network security, please consider hiring a pro – if not WhyReboot, then another fine networking professional in the CE pro channel—to keep your clients safe from hackers, and your reputation firmly intact.
This article originally appeared in CEPro.com here.
Control Systems Home Automation News Security Technology