Shodan has been called "the most dangerous search engine in the world." That's a pretty strong claim, but why on earth would a search engine draw so much ire? Shodan has been around for just over ten years now, and the massive threat it was said to pose has yet to materialize. Still, that doesn't mean it won't be the source of various dangers.
We've written an entire article about Shodan if you need a deeper explanation. If not, the least you need to know is that Shodan is a search engine that indexes internet-connected devices, IoT (internet of things) devices included, making them easy to discover and access. Think cameras, industrial control systems, web-connected medical devices, smart home hubs, and so on. That's it. So why is it so "dangerous"?
Shodan removes "security through obscurity," that is, the false sense of security that comes from not being easily found. If someone thinks their IoT device is safe just because it isn't a website and isn't crawled by Google, Shodan removes that illusion.
There are numerous cases where IoT devices that aren't secure are sold to consumers. For example, an IP camera may not have a unique per-unit password. Since so many users don't bother to change the default passwords on cameras and other similar devices, it means hackers can easily access these devices. With the explosion in smart devices inside homes, in our cars, and every business, lax security such as this is a recipe for disaster.
Cameras are one thing. However, there are much more sensitive and dangerous machines connected to the net: power station control systems, traffic lights, lab equipment, assembly lines, and many more. Even a smart garage door opener could pose a potential threat if taken over by an attacker.
If the machines that run our lives today are exposed to anyone who can type a search into Shodan, that's a huge problem - traffic accidents, explosions, serious product defects, and any of a million things the imagination can conjure up. Think of the Stuxnet worm and how it was used to halt the Iranian nuclear program. Those systems weren't connected to the internet, which meant the malware had to be smuggled inside somehow. With Shodan, that won't even be necessary.
It's easy to point fingers at a tool like Shodan and blame it for being reckless. However, if the standard of security and privacy in the IoT industry were up to scratch, a tool like Shodan would be harmless. If the author of Shodan had not invented it, someone else would have. If exposed IoT devices weren't connected to the internet, Shodan would be neutered.
Moreover, anyone who creates an engine like this doesn't have to do it in the open, public-facing manner that Shodan did. It could be like those search engines hidden on the dark web, with anonymous authors. In the end, this is a case of shooting the messenger rather than listening to the message itself.
As with new technologies such as smartphones, facial recognition, or social media, we need to figure out the rules and standards as we go. Until there are enforced minimum standards and regulations, or industry alliances to that end, people are going to connect insecure IoT devices to the net.
The least we can expect from governments and large corporations that hold our data is to do the due diligence needed so that a tool like Shodan is useless against their defenses. It doesn't matter whether it's the DMV or the Pentagon, IoT security has to be taken seriously.
When it comes to you and me, there is such a thing as responsible IoT use. You can start by making sure you always set strong, unique passwords on your smart devices. Secure your router. Use a VPN. Make sure you buy devices from reputable brands that aren't likely to have backdoors. The list goes on, but the point is that you should never treat IoT devices as simple plug-and-play machines. Take control of your privacy and security, because no one is going to do it for you.
Funnily enough, Shodan itself is a way for you to do this. It offers a service known as Shodan Monitor, which can show you whether you have any insecure devices connected to the internet. Sadly it's a paid service, but if you want to settle your doubts, it may be worth the price.
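As an added, defender-side example (not code from the original article, and not Shodan's own tooling), here is a small Python script that does the kind of self-check the advice above and Shodan Monitor aim at: it takes a Shodan host record for your own public IP and flags the exposed services that a home or small-business connection should not normally show to the internet. The watch list of ports and severities, the constructed SAMPLE_RECORD (using the 203.0.113.0/24 documentation range, so it is not a real host), and the environment variable names are assumptions of this example; the optional live lookup uses the shodan Python package's Shodan(api_key).host(ip) call and is only attempted when a key is configured, so the triage itself runs offline.

```python
"""Self-audit of a Shodan host record: flag services on your own public IP
that a home or small-business connection should not normally expose.

The triage runs fully offline on a constructed sample record; the optional
live lookup at the bottom uses the shodan Python package only when the
SHODAN_API_KEY and MY_PUBLIC_IP environment variables are set.
"""
import os
from typing import Dict, List

# Ports that are a red flag when reachable from the open internet. This list
# is an assumption for the example, not a Shodan-supplied classification.
RISKY_PORTS = {
    21: ("high", "FTP: credentials sent in cleartext"),
    23: ("high", "Telnet: cleartext login, commonly left on default credentials"),
    554: ("medium", "RTSP: camera video stream reachable from outside"),
    1883: ("medium", "MQTT: smart-home message broker, often unauthenticated"),
    5900: ("high", "VNC: remote desktop exposed to the internet"),
    8080: ("medium", "HTTP-alt: device web UI, check for a default password"),
}

# Constructed sample in the shape of a Shodan host record (203.0.113.0/24 is
# the TEST-NET-3 documentation range, so this is not a real host).
SAMPLE_RECORD = {
    "ip_str": "203.0.113.10",
    "ports": [23, 443, 554],
    "data": [
        {"port": 23, "transport": "tcp", "product": None, "data": "login: "},
        {"port": 443, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK"},
        {"port": 554, "transport": "tcp", "product": "IP camera", "data": "RTSP/1.0 200 OK"},
    ],
}


def triage_host(record: Dict) -> List[Dict]:
    """Return one finding per exposed service that needs attention.

    Each finding carries the port, an assumed severity, the reason, and the
    product string Shodan recorded (or "unknown"). Banners that also carry a
    non-empty "vulns" key are raised to high severity regardless of port.
    """
    findings = []
    for banner in record.get("data", []):
        port = banner.get("port")
        severity, reason = RISKY_PORTS.get(port, (None, None))
        if banner.get("vulns"):
            severity = "high"
            reason = (reason or "service") + "; Shodan lists known CVEs for this banner"
        if severity is None:
            continue  # not on the watch list and no CVEs attached
        findings.append({
            "port": port,
            "severity": severity,
            "reason": reason,
            "product": banner.get("product") or "unknown",
        })
    return sorted(findings, key=lambda f: f["port"])


def summarize(record: Dict) -> str:
    """Human-readable summary in the spirit of a Shodan Monitor alert."""
    findings = triage_host(record)
    if not findings:
        return f"{record.get('ip_str')}: nothing on the watch list is exposed."
    lines = [f"{record.get('ip_str')}: {len(findings)} exposed service(s) need attention"]
    for f in findings:
        lines.append(f"  [{f['severity']}] port {f['port']} ({f['product']}): {f['reason']}")
    return "\n".join(lines)


def fetch_host(ip: str, api_key: str) -> Dict:
    """Live lookup via the shodan package (pip install shodan); network required."""
    import shodan  # imported lazily so the offline triage needs no extra package
    return shodan.Shodan(api_key).host(ip)


if __name__ == "__main__":
    api_key = os.environ.get("SHODAN_API_KEY")
    target = os.environ.get("MY_PUBLIC_IP")
    if api_key and target:
        record = fetch_host(target, api_key)
    else:
        record = SAMPLE_RECORD  # offline demo with the constructed record
    print(summarize(record))
```

Run without any environment variables and it reports the two watch-list hits in the constructed record (Telnet on 23 and the camera stream on 554) while leaving the TLS web server alone; with a key and your own public IP set, the same triage runs over the real record, which is a rough, free approximation of what Shodan Monitor alerts on.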
Do you have any IoT devices in your home? Do you know if they are secure? Let us know whether you are worried about Shodan and other tools like it.