You might imagine that Shodan would be a choice tool for black-hat hackers. It doesn’t actually log on to them it just records any metadata they publicly broadcast. Much as Google “crawls” the internet, pinging every webpage to create a massive list of them, Shodan crawls the universe of internet-connected devices. Or if you type in the IP address of your firm or house, Shodan will show you whether you have any public devices online. If you hunt for a particular piece of hardware – a new voice-controlled thermostat, say – it will provide you with a list of them anywhere in the world. Shodan is a tool that lets anyone search for IoT devices online. We were using Shodan, the “search engine for the internet of things”. How had Stephens and I found all these open, insecure webcams? Not through any nefarious hacking. I immediately closed the browser window, feeling like a creepy voyeur.
Then, most alarmingly, I found one in a house in Germany showing a clear view of what appeared to be a bedroom, with a cabinet half open and a small table with a few bottles of water on it. I saw one camera that looked out in the lobby of a building in India and another in a Spanish plaza.
I saw something that allowed you to change the flow of water through a city. Like so many internet of things (IoT) devices, the cameras were an insecure mess. The devices didn’t have password protection turned on by default and their owners apparently didn’t realise this. It was a January evening and I was hanging on Twitter with Luke Stephens, an ethical hacker, who was sending me links he’d found to webcams open online. There’s something deeply unsettling about peering into other people’s insecure webcams.
0 kommentar(er)
