I’m sorry to say so
But, sadly it’s true
That bang-ups and hang-ups
Can happen to you
— Dr. Seuss, "Oh, the places you’ll go!" (1990)
Back in January 2010, I wrote a short blog post about Shodan and VoIP devices and mentioned that it’s a site well worth revisiting. Well, that time has come, and there’s plenty more to talk about when it comes to Shodan.
What is Shodan?
It is a publicly available, searchable database of pre-scanned networked devices. The scanning includes banner results from common services like telnet and http, and is akin to fingerprinting. One way to look at it is like Rainbow Tables for networked devices.
What’s the risk?
When a new vulnerability is discovered, Shodan makes it easy for attackers to search for vulnerable devices without actively scanning. For example, say a vulnerability is published about Apache Mod_Security — an attacker can easily search Shodan for vulnerable version and then launch an attack to pwn the box.
Attackers can also use Shodan search filters and really narrow down search results, by country code or CIDR netblock for example. You do have to register for more specific search functionality if you’re interested in say, the 24 Cisco boxes in Iran with no authentication.
Pssst….wanna Pwn 7000 Cisco routers/switches?
Yes you can. And only because some network admin didn’t know how to configure HTTP authentication. It’s easy peasy with Shodan’s most popular search. Click on the resulting IP addresses from that search and you’ll get the HTTP interface of a Cisco router/switch with no authentication. Add "/level/15/exec/-/sh/run/CR" to the IP address and you’ll get the "show running configuration" output of the device. Understand what’s going on here. An attacker can easily add an admin-level account, change the configuration, crack the listed Cisco passwords in the configuration to target other devices on that network, etc.
Why should I care?
Shodan creates risk by making poor configurations and other adminstrator mistakes much more visible to potential attackers. It also creates risk by providing a pre-scanned inventory of potential targets. I’ve seen some amazingly frightning devices discovered through Shodan that are wide open and have no authentication — for a few examples:
- An Eastern European country’s SCADA water treatment network
- A switch controlling the Neurosurgery VLANs of a hospital
- Physical security door access controller systems
- Routers with VoIP configurations
- and plenty more….
These are just a few examples of the micro-risks. I think from a macro-risk perspective, specifically concerning the Cisco routers with no authentication, is the very possible and easy mass takeover of routers and potential for BGP attacks. Not possible? Well, think back to early 2008 when Pakistan modified BGP routes to block YouTube and because of a misconfiguration, large swaths of the Internet outside of Pakistan could not access the site. This was the result of a error from a few routers broadcasting bad BGP routes — now imagine if an attacker does this with a few thousand routers distributed globally? I think it’s really only a matter of time…
What should I do?
There are tangible steps you can take. First and foremost if to register fora free Shodan account and search for devices on your organization’s CIDR netblock. If you are working with buisness partners that are connected to you, check their CIDR netblocks in Shodan as well. Make a stink and inform the right network and security people of the risks of Shodan exposure.
You can do nothing, and let Shodan determine your fate. Your choice.