Wired has an article this week about Shodan, the “IoT search engine,” which I hope scares the bejesus out of enough companies and government officials that they’ll finally realize how absolutely critical it is that we make security and privacy THE top public policy/corporate management priorities regarding the IoT.
Shodan’s homepage proudly proclaims that it will let you “EXPOSE ONLINE
DEVICES: webcams, routers, power plants, iPhones, wind turbines, refrigerators (there’s that meme again!), VoIP phones.” Anyone out there who isn’t covered by that list? If so, stay in your cave!
As for everyone else, maybe you’d be more properly attracted by the CNN story about Shodan several months ago: “Shodan: the scariest search engine on the Internet.” Got your attention yet?
Here’s what Shodan can do, according to CNN:
“It’s stunning what can be found with a simple search on Shodan. Countless traffic lights,security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.”
Command and control systems for nuclear power plants? Sheesh!
Reminds me that while the Obama Administration remains abysmally ignorant of the IoT (and, remember, I’m a fan of them in general …) one official who was all in was former CIA Director David Petraeus:
All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.
‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’
Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of’ ‘our notions of identity and secrecy.’ All of which is true — if convenient for a CIA director.”
Sufficiently alarmed yet?
Let me be clear: I am convinced that security and privacy are the two issues that have the greatest potential to stop the Internet of Things dead in its tracks — and I felt that way even before Edward Snowden was a household name.
Snowden, ooops, Shodan, has revealed shocking indifference to security on the part of countless organizations (and, BTW, don’t forget that 85% of the U.S.’s critical infrastructure — power plants, pipelines, chemical factories, etc., is in private hands):
“A quick search for ‘default password‘ reveals countless printers, servers and system control devices that use ‘admin’ as their user name and ‘1234’ as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.
In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.
He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into ‘test mode’ with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.
This is as scary as the Vanity Fair article last year about how a miscreant could use an iPhone to kill you!
The 85% of critical infrastructure in private hands number should be a stark reminder: the only way we can possibly address IoT privacy and security is through collaborative government/private sector action — with strong involvement by you and me.
If you are involved in the IoT in any way, you simply can’t duck this issue!