Countless devices such as routers, heating systems, printers, telephone systems and other office machinery have network features these days, and so do publicly visible systems such as security cameras, car washes and even traffic signals. The Shodan search engine indexes and displays a huge number of such Internet-connected devices, and very few of them are secured. Access to such devices is hardly possible for the average Internet user, but it is laughably easy for an expert. Devices such as network printers in particular are often left out of the equation when it comes to security measures. The result: an unsecured printer with default credentials can easily be hacked and taken over across the Internet.
Shodan users have already found control systems for a water park, a gas station, a wine cooler in a hotel and a crematorium. Security experts have even managed to locate a command and control system for a nuclear power plant and a cyclotron particle accelerator. Many of these systems were not protected at all, or only insufficiently. Every month Shodan adds around 500 million new devices to its database. A quick search for "Default Password" reveals tons of routers, printers and servers with default logins and "1234" as the password. Shodan matches such a query against the text of the service banner it recorded, so these hits are devices that announce their default credentials themselves; devices with unchanged defaults but a silent banner are not found this way. Many do not even require credentials, and all you need to access them is a web browser.
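As an added example (not part of the original article, and not Shodan's own tooling), the following Python script shows what triaging Shodan results for default credentials looks like in practice. It assumes the record layout of Shodan's JSON export (ip_str, port, product and data fields, one JSON object per line) but runs entirely on constructed sample banners embedded in the script, so it needs neither an API key nor network access. The case-insensitive banner match mirrors the "Default Password" search described above; the script then extracts the printed credential pair, flags an unauthenticated raw printer port, and groups the findings per host, which is the form an operator notification needs.

```python
"""Triage Shodan-style banner records for default-credential exposure.

Added example for this article; it is not Shodan's code. The record shape
(ip_str, port, product, data) follows Shodan's JSON export, but everything
below runs on the constructed sample banners defined here, so no API key or
network access is needed.
"""
import json
import re

# Constructed sample records: the hosts, banners and credentials are
# invented for this example (192.0.2.0/24 is a documentation range).
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 80, "product": "router web UI",
     "data": ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Basic realm=\"Default Password: admin/1234\"\r\n"
              "Server: embedded-httpd\r\n\r\n")},
    {"ip_str": "192.0.2.11", "port": 23, "product": "telnetd",
     "data": "Printer console\r\nDefault login: admin / admin\r\nlogin: "},
    {"ip_str": "192.0.2.12", "port": 443, "product": "nginx",
     "data": ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
              "Strict-Transport-Security: max-age=63072000\r\n\r\n")},
    {"ip_str": "192.0.2.13", "port": 9100, "product": "JetDirect",
     "data": "@PJL INFO ID\r\n\"LaserJet 4250\"\r\n"},
]

# Shodan's JSON export is one record per line; this mirrors that layout.
SAMPLE_EXPORT = "\n".join(json.dumps(rec) for rec in SAMPLE_RECORDS)

# Shodan's free-text search is a case-insensitive match over the banner text;
# the first pattern mirrors the article's "Default Password" query, the second
# pulls a "user/password" or "user / password" pair out of the same line.
DEFAULT_CRED_PHRASE = re.compile(r"default\s+(?:password|login|credentials)",
                                 re.IGNORECASE)
CREDENTIAL_PAIR = re.compile(r"([A-Za-z0-9_.-]+)\s*/\s*([A-Za-z0-9_.!@#$%-]+)")


def load_export(text):
    """Parse a Shodan-style JSON-lines export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Return the findings for one record; an empty list means nothing matched."""
    banner = record.get("data", "")
    findings = []
    for match in DEFAULT_CRED_PHRASE.finditer(banner):
        # Look for the credential pair on the rest of the same banner line.
        line_end = banner.find("\n", match.end())
        rest = banner[match.end():line_end if line_end != -1 else len(banner)]
        pair = CREDENTIAL_PAIR.search(rest)
        if pair:
            findings.append("default credentials printed in banner: "
                            f"{pair.group(1)}/{pair.group(2)}")
        else:
            findings.append("banner mentions default credentials")
    # Raw printing on TCP 9100 carries no authentication at all: a PJL reply
    # means anyone reaching the port can send jobs or query the device.
    if record.get("port") == 9100 and "@PJL" in banner:
        findings.append("raw printer port (PJL) answers without authentication")
    return findings


def triage(records):
    """Group findings by host so each affected operator can get one report."""
    report = {}
    for rec in records:
        findings = classify(rec)
        if findings:
            report.setdefault(rec["ip_str"], []).append(
                {"port": rec["port"], "product": rec.get("product", ""),
                 "findings": findings})
    return report


if __name__ == "__main__":
    for host, services in triage(load_export(SAMPLE_EXPORT)).items():
        for svc in services:
            print(f"{host}:{svc['port']} ({svc['product']})")
            for finding in svc["findings"]:
                print(f"    - {finding}")
```

Against a real export, feed the decompressed JSON-lines text to load_export. The patterns are deliberately narrow and will miss credentials phrased differently, so treat a hit as a lead to confirm with the operator rather than as proof, and only probe hosts you are authorised to test.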
During the Defcon cybersecurity conference last year, security tester Dan Tentler demonstrated how easy it is to find controllable devices with Shodan. He found a car wash that could be switched on and off and an ice hockey rink in Denmark that could be de-iced at the push of a button. The traffic control system of an entire city could be put into test mode over the Internet. He even came across a control system for a hydropower plant in France. Many of these devices do not need to be connected to the Internet at all. Many companies buy complete control solutions that promise them as much control as possible. To control a heating system by computer, for example, the heating system is not connected directly to the control computer but to a web server, and that web server is already reachable from the Internet. Hardly anyone thinks about security here, although keeping such a web interface on an internal management network, reachable only through a VPN, would take it out of Shodan's view entirely.
Shodan itself is mainly used for legitimate purposes. Without an account the search is limited to ten hits and offers no search filters. Even with a free user account, Shodan still shows only a few pages of results rather than every entry. If you want to see everything, you have to submit more personal information, a letter of motivation and a fee. Shodan's primary users are security testers, researchers and law enforcement officers; cyber criminals, moreover, usually have access to botnets that provide them with the same information at less risk. Security experts try to use Shodan to inform affected operators and educate them about the weak points in their systems. Even so, tens of thousands of devices, from printers to power plants, can still be attacked via the Internet.