THE INTERNET OF THINGS
Shodan
### A map of the world's publicly available webcams. Image: Shodan
When Dan Tentler wants to find something on the internet, he doesn't use Google or Bing. Tentler, a freelance security consultant, is a road-less-traveled kind of guy. He likes to check out the internet's alleyways and backroads. And for people like him, there's only one search engine. It's called Shodan.
Google has done a masterful job of indexing the human experience – the webpages, books, Word documents, and images and videos that make up our life. But Shodan looks for something simpler. It's looking for all the stuff that's connected to the internet, from routers and refrigerators to live webcams that give you a glimpse inside people's homes to, well, who knows what.
These odd little devices, overlooked by Google and Bing, are the things that Tentler finds interesting. Using Shodan, he's taken a tour of a Scottish country house, explored a stationary GPS receiver in Alaska, and even examined the control panel for a swimming pool. "It's like looking at a street or a set of the buildings, but not from the front," he says. "Not from where their marketing department wants you to see it. But from where the shipping and receiving department uses it."
Using a network of 24 computers nested in service providers across the world, Shodan reaches out and methodically probes machines across the globe asking them the simplest of questions: What can you tell me about yourself? And you'd be surprised what it has found.
If you know the right search terms, a Shodan search can be like randomly opening a window to a mysterious world. But this can lead to some awkward moments, too. Some of the things you find clearly aren't supposed to be made public. And many folks who have devices connected to the internet are paradoxically uncomfortable with the idea that anyone out there might be able to have a peek.
That's been Shodan's backstory since its creator, John Matherly, first started probing the internet nine years ago, while still a student at Mesa Community College in San Diego. About a month after he started building his first database of internet-connected things, he got a call from his internet service provider, Cox Communications. Vigilant system administrators around the world had spotted him probing their networks, and they'd written Cox to complain. Cox wanted to cut him off. "They said: 'Dude you have several hundred abuse emails, what the fuck are you doing?'"
Matherly was just sending web server requests, but that kind of constant, methodical probing makes many administrators uncomfortable. It's the kind of reconnaissance work that the bad guys as well as the search engines engage in. "They put these things online and you don't find them on Google. Therefore, you should be able to find them and anybody who does is trying to hack their network," Matherly says. He still spends a fair bit of his time explaining Shodan to sysadmins. "Usually once you explain it to them, they're OK with it," he says.
Shodan's probes cycle through internet protocol addresses. Sometimes it finds webcams or databases, sometimes control panels for large Caterpillar tractors, or even medical devices. Shodan has received a lot of attention over the past few years, because researchers like Tentler have used it to find interfaces to thousands of industrial control systems.
But Shodan's big lesson is that the internet is more diverse than we think. Think web server, and you'll probably think of Apache or Microsoft, or maybe Nginx, but Shodan's database of nearly 144 million web servers shows that they're not the only ones out there – not by a long shot. According to Shodan, Microsoft's Internet Information Server, or IIS, runs about 8.5 million web servers, but that's dwarfed by one most people have never heard of: Allegro Software Development's RomPager, which runs on more than 22 million machines. IIS may run big websites such as MSN.com, but RomPager runs on millions of routers, switches, and printers.
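The "what can you tell me about yourself?" question the probes ask is answered, for HTTP, by the first bytes a server sends back: the status line and headers, and the Server header is where counts like the IIS and RomPager figures above come from. The following is an added illustration, not Shodan's own code: it parses a handful of constructed banners and tallies the server products they announce, treating a missing or empty Server header explicitly.

```python
"""Tally web-server products from captured HTTP response banners.

Added example (not Shodan's code). The banners below are constructed
to look like what a probe receives; nothing here touches the network.
"""
from collections import Counter

# Constructed sample banners: status line plus headers, CRLF-terminated.
SAMPLE_BANNERS = [
    "HTTP/1.1 200 OK\r\nServer: RomPager/4.07 UPnP/1.0\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"router\"\r\nServer: RomPager/4.51\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "HTTP/1.1 200 OK\r\nserver: nginx/1.4.6 (Ubuntu)\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",   # no Server header at all
    "HTTP/1.0 200 OK\r\nServer:\r\n\r\n",             # Server header present but empty
]


def server_product(banner: str) -> str:
    """Return the product name announced in a banner's Server header.

    Only the header block (before the blank line) is inspected, and header
    names are matched case-insensitively. The product is the token before
    the first '/' or space, so 'RomPager/4.07 UPnP/1.0' yields 'RomPager'.
    A banner with no Server header, or an empty one, maps to '(none)'.
    """
    head = banner.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            value = value.strip()
            if not value:
                return "(none)"
            return value.split("/", 1)[0].split(" ", 1)[0]
    return "(none)"


def tally(banners) -> dict:
    """Count server products across banners, most common first."""
    return dict(Counter(server_product(b) for b in banners).most_common())


if __name__ == "__main__":
    for product, count in tally(SAMPLE_BANNERS).items():
        print(f"{product:14} {count}")
```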
When Shodan went live in 2009, it was no Google. Matherly ran the search engine on an old Dell Vostro that ran in his closet. He took the name Shodan from the rogue artificial intelligence entity in the 1999 cyberpunk video game System Shock 2.
Today, the Shodan operation is much more sophisticated, but it's still a one-man show. Matherly has a half-rack of servers in San Diego that store his core data on the more than 1.2 billion devices he's tracked on the internet. There's also his network of probes, which add new data on 200 to 400 million devices each month.
Matherly pays for all of this by charging security companies big money for access to his entire database. Anybody can query Shodan, but if you want to do more than a handful of searches you have to register, and then eventually pay a one-time fee of $19 to use the site.
The project is nearly a decade old now, and Matherly – the son of an executive at a Swiss medical device manufacturer – says it has completely changed the way he thinks about the internet. "Working on Shodan has made me more aware of how connected the world actually is," he says. "I never imagined that a refrigerator would have an IP address, that the traffic lights down the street might be online. That the car wash has a web interface."
Correction: This article originally misstated the cost of the paid version of Shodan. It is a one-time $19 fee.
Webcam footage from around the world