When his daughter was born, Marc Gilbert of Houston, Texas, purchased a Foscam baby monitor for the nursery. The Foscam, manufactured in Shenzhen, China, let parents watch video and listen to audio from the nursery over any Internet connection in the world. One night, after his daughter had turned two years old, Gilbert heard an unfamiliar male voice saying lewd things inside his daughter’s room. He rushed in and realized that the eerie voice was coming through the Foscam baby monitor. He immediately unplugged the device, but not before he heard the voice call him a “moron.”
According to an article in Forbes, Foscam had discovered a flaw in its baby monitors that allowed remote users to hack the device with the username “admin.” The company had created a fix, but it failed to push the fix out to its existing devices. Using a search engine called Shodan, attackers like the one who invaded Gilbert’s home can find connected devices, like Internet-connected baby monitors, and hack into them. In homes or businesses that lack effective network security solutions, attackers can gain access to webcams, security systems and HVAC systems.
According to the Department of Homeland Security, hackers used Shodan to break into the energy management systems of one state government building in 2012 and one New Jersey manufacturing company in 2013. Shodan has also found unprotected power plants, fetal heart monitors, water treatment facilities and traffic lights. Just by guessing a connected device’s IP address, an attacker could potentially turn off a traffic light at a busy intersection. Fortunately, security professionals are now using Shodan’s capabilities to prevent attacks before they happen.
Why Are Connected Devices Vulnerable?
The machine-to-machine (M2M) market is highly competitive, which means that manufacturers have a major incentive to get their devices to market quickly. Some experts believe that this rush for revenue has caused manufacturers to neglect device security. For example, many connected devices, like smart TVs, smart thermostats, home lighting systems and security cameras, are reachable over the network with no password required at all. Other devices ship with a default username and password, and when the user fails to change the default, attackers can easily access the device.
How Dangerous Are These Unprotected Smart Devices?
In 2012, an unnamed hacker created the “Carna Botnet,” a botnet that scanned the Internet for devices that either required no login credentials or accepted the passwords “root” or “admin.” Most of the insecure devices were identifiable as routers, modems, printers and webcams. Every time the scanning program found an unsecured device, it installed itself on that device and continued scanning the Internet from there. All in all, this botnet ended up compromising 420,000 devices, and it was used to scan 4 billion IPv4 Internet addresses.
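The two weaknesses described above (devices that need no credentials and devices that still accept “root” or “admin”) leave a recognizable trace in a device’s own authentication log. The following is an added example, not code from the article or from any vendor: it parses constructed log lines in a made-up format, flags devices that were reached with a default or empty credential, and flags sources that touched many devices in a short span, the footprint of an Internet-wide sweep like Carna’s.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article): one line per login attempt
# on a small IoT gateway, in a hypothetical key=value format.
SAMPLE_LOG = """\
2013-03-02T01:00:01 device=cam-01 proto=telnet src=198.51.100.7 user=root pass= result=success
2013-03-02T01:00:03 device=cam-02 proto=telnet src=198.51.100.7 user=root pass=root result=success
2013-03-02T01:00:05 device=rtr-01 proto=http src=198.51.100.7 user=admin pass=admin result=success
2013-03-02T01:00:09 device=prn-01 proto=telnet src=198.51.100.7 user=admin pass=s3cr3t!x result=fail
2013-03-02T01:00:12 device=cam-03 proto=http src=203.0.113.5 user=alice pass=Tr0ub4dor&3 result=success
2013-03-02T01:00:20 device=rtr-02 proto=telnet src=198.51.100.7 user=root pass=admin result=success
"""

# The credential values the article names; an empty password covers "no login required".
DEFAULT_USERS = {"root", "admin"}
DEFAULT_PASSWORDS = {"", "root", "admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S*) pass=(?P<password>\S*) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_default_credential_login(entry):
    """True for a successful login that used a default username and a default/empty password."""
    return (entry["result"] == "success"
            and entry["user"] in DEFAULT_USERS
            and entry["password"] in DEFAULT_PASSWORDS)

def find_exposed_devices(log_text):
    """Sorted names of devices that were reached with default or empty credentials."""
    exposed = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_default_credential_login(entry):
            exposed.add(entry["device"])
    return sorted(exposed)

def find_sweeping_sources(log_text, min_devices=3):
    """Sorted sources that touched at least min_devices distinct devices (scan-like behaviour)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            seen[entry["src"]].add(entry["device"])
    return sorted(src for src, devs in seen.items() if len(devs) >= min_devices)
```

Every device returned by `find_exposed_devices` is one whose default credential should be changed or whose login should be disabled; the source list is what you would hand to a firewall rule or an alert.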
Explaining the reason for the project, the hacker wrote, “I saw the chance to really work on an Internet scale, command hundred thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the Internet in a way very few people ever will.”
The Good News About Shodan
Shodan doesn’t give someone the ability to type in the words “water treatment plant,” find a vulnerable facility and shut down a regional water supply. An attacker would have to know about the industrial system to find it on Shodan. Also, searches on Shodan aren’t anonymous. Today’s savvier attackers would know better than to use Shodan to find vulnerable devices.
The truly frightening revelation from a search engine like Shodan is just how many vulnerable devices are on today’s Internet. An animated GIF made by the Carna Botnet’s creator paints an alarming picture of just how many exposed devices there are in the world. Keep in mind that Carna only scanned IPv4 addresses. It did not find the insecure devices that use the newer IPv6 addresses.
John Matherly, the man behind Shodan, didn’t expect Shodan to become a law enforcement tool. Now, Matherly hopes that Shodan can become a way to expose companies that sell connected devices without adequate security precautions, the kind of simple security steps, one can imagine, that would have prevented an attacker from spying on a two-year-old girl through a baby monitor.