Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Search Engine More Dangerous Than Google

Posted by Soulskill on from the or-perhaps-a-catalog-of-people-doing-dangerous-things dept.

mallyn writes "This is an article about a search engine that is designed to look for devices on the net that are not really intended to be viewed and used by the general public. Devices include pool filters, skating rink cooling system, and other goodies. 'Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. ... A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.'"

1 of 210 comments (clear)

  1. Re:astounding that defaults are not tougher by jeffmeden · · Score: 5, Interesting

    So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

    To that end, the best option (but scarcely used on hardware interfaces) is to force someone to login as the admin before the device is functional, and during that login to force them to set a new password (with certain password rules prohibiting foolishly simple passwords). Do this, and the problem almost goes away, but the new problem of constant password recovery questions flooding tech support will commence. Most companies, sadly, choose the less secure/less pesky route of just letting it run with the default perpetually.