Every so often, there's some new technology boogeyman that gets news agencies up in arms. Shodan seems to be one of these and has come up in online conversation pretty frequently despite being around for a while, especially as it becomes more relevant to modern cybersecurity concerns.
If you've been hearing the name "Shodan" a lot and wonder what all the fuss is about, here's what you need to know.
To put it simply, Shodan is a search engine. However, unlike Google, Shodan crawls the web looking for any internet-connected device: the network of systems that make up the so-called "internet of things." With it, you can search for and detect everything from traffic light systems to the webcams that so many of us use. If these devices aren't secured, it becomes easy to access and perhaps mess with systems that aren't supposed to be messed with.
If it's someone's IP camera that doesn't have a password, then the damage could be some mild embarrassment. However, what if that device is a medical device, like a ventilator? What if it's the control system for a traffic light at a busy intersection?
Clearly, in the wrong hands, Shodan can be dangerous. Still, in the 11 years that it's been out, there haven't been any major incidents that we could find. However, this might be more a case of the actual number of devices on the internet being relatively small.
John Matherly. Born in Switzerland, Matherly moved to the USA at the age of 17. As a university student, he studied bioinformatics and did work related to the mapping of the human genome. This is reportedly one of the reasons he became interested in massive datasets and complex systems. After university, Matherly worked as a freelance software engineer.
In 2009, he revealed Shodan to the world. This led to the almost immediate discovery of unsecured systems and devices all over the internet. Whether Shodan is a net good or net evil for us remains to be seen, but it's safe to say that the world of cybersecurity will never be the same.
A video game! That's right - SHODAN is the name of a character from the System Shock franchise, a critically acclaimed series of games that also spawned the spiritual successor series Bioshock. While the name is undoubtedly cool, some people may not think that naming your controversial search engine after an insane, all-powerful artificial intelligence is best for PR.
So if Shodan lets you search the Internet of Things, what does that mean? It's probably something you've seen in real life with more and more smart devices connecting to the internet. The internet of things is essentially the total sum of network devices that don't have human operators. They can be just about anything: fridges, cameras, alarms, cars, and anything else with an IP address.
The problem is that many of these devices are produced en masse by global manufacturers that don't put much time or effort into making them secure. Then, as the second line of vulnerability, many users don't bother to change default passwords or to set a password at all. There have even been instances of major companies failing to secure their IoT-type systems because it never occurred to them that someone would create a system like Shodan to actively crawl the net looking for them.
Shodan is not evil or a bad thing by itself. In fact, it's probably done quite a lot for us by exposing IoT vulnerabilities early in the adoption of these devices. It's not Shodan's fault that people make or use vulnerable devices. So a lot of the noise being made is related to the exposure of these weaknesses, with some of the blame shifting to Shodan for exposing them in the first place.
For Shodan's part, they've created an interesting paid service that lets you check whether you have any IoT devices exposed in an insecure way. Shodan Monitor is a paid subscription service that will keep an eye on a set of IP addresses you specify and then let you know which of your devices are exposed. It's a crucial product built on a unique search engine infrastructure. It's certainly a coup for Shodan, but also a harbinger of what's to come, as IoT becomes the dominant form of internet-connected device.
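The kind of check that monitoring your own address space performs can be sketched in a few lines. This is an added example, not Shodan's code: it compares scan records for networks you own against the services you intend to expose. The records are constructed samples using the Shodan banner field names `ip_str`, `port`, `transport` and `product`; the networks, allowlist and risky-port table are assumptions chosen for illustration.

```python
import ipaddress

# Networks we own and want watched (constructed, RFC 5737 documentation range).
MONITORED = [ipaddress.ip_network("203.0.113.0/24")]

# Services we intend to expose: (ip, port, transport). Anything else is a finding.
EXPECTED = {("203.0.113.10", 443, "tcp")}

# Device-management and streaming ports that should rarely face the internet.
RISKY_PORTS = {23: "telnet", 554: "rtsp", 1883: "mqtt", 502: "modbus"}

# Constructed sample records shaped like Shodan banners.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "203.0.113.10", "port": 8080, "transport": "tcp", "product": "lighttpd"},
    {"ip_str": "203.0.113.25", "port": 554, "transport": "tcp", "product": "IP camera"},
    {"ip_str": "203.0.113.40", "port": 23, "transport": "tcp", "product": None},
    {"ip_str": "198.51.100.7", "port": 23, "transport": "tcp", "product": None},
]


def in_scope(ip_str, networks=MONITORED):
    """True when the address belongs to one of the networks we monitor."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in networks)


def find_exposures(banners, expected=EXPECTED):
    """Return in-scope services that are not on the expected-exposure allowlist."""
    findings = []
    for b in banners:
        key = (b["ip_str"], b["port"], b.get("transport", "tcp"))
        if not in_scope(b["ip_str"]) or key in expected:
            continue  # not ours, or an exposure we signed off on
        findings.append({
            "ip": b["ip_str"],
            "port": b["port"],
            "service": RISKY_PORTS.get(b["port"]) or b.get("product") or "unknown",
            "severity": "high" if b["port"] in RISKY_PORTS else "review",
        })
    # "high" sorts before "review"; then order by address and port.
    return sorted(findings, key=lambda f: (f["severity"],
                                           ipaddress.ip_address(f["ip"]), f["port"]))


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_BANNERS):
        print(f"{f['severity']:6} {f['ip']}:{f['port']} {f['service']}")
```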