Shodan, ERIPP and shoddy control device security
While the BBC recently reported the existence of Shodan, a searchable online database of Internet-connected control devices, the site has in fact been around for a couple of years now. Shodan holds information about every type of system, from standalone computers to industrial-scale equipment controllers, such as the Dutch canal control system mentioned in the BBC report.
Shodan isn't the only kid on the block. The "Every Routable IP Project" (ERIPP) aims to build a database of every internet-accessible device - a seemingly innocuous goal. While the existence of such search engines may not be 'new' news, it is certainly worth broadcasting that they remain relevant, because they offer a shockingly useful resource. With relatively little experience or instruction, hackers can find the web front end of any number of control systems (Shodan includes 1.8 million entries for the UK alone) and test out username and password combinations to see what sticks.
Sometimes this won't be too hard. Devices such as networking and storage boxes, as well as many applications and software packages, ship with preset 'admin' usernames and passwords that a quick Google search will reveal. Yes, of course administrators should be changing these default settings, but we know from practical experience that this is not always the case.
While some devices may simply belong to relatively ignorant home users, even more remarkable is the fact that more complex, clearly corporate systems and applications are also offering their front-ends to access by all and sundry. While we know that IT is complex and therefore we can understand if, in exceptional circumstances, the occasional system becomes publicly accessible, the sheer scale of the problem beggars belief.
Particularly given that the solutions are relatively straightforward. Firewalls, VPNs and two-factor authentication all offer ways of making life harder for the hacker. With search tools like Shodan and ERIPP, no organisation has the luxury of security by obscurity - it would be a simple step to mine such databases and automatically identify sites with open-door policies for hackers.
As we also near the second anniversary of Stuxnet, it is high time to check where your own organisation stands. Doing so could be relatively quick (particularly using such databases); dealing with the damage from a breach would take much longer, so we strongly recommend the former course of action.
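The check recommended above can be largely automated from the defender's side: take an export of device records for your own address ranges and flag anything that should be sitting behind a firewall or VPN. The script below is an added example written for this post, not code from Shodan, ERIPP or the BBC report. The record shape (`ip`, `port`, `product`, `banner`), the sample records and the address ranges are all constructed for illustration and do not reflect either service's real export format; the list of management ports is an assumption a reader would tune to their own estate.

```python
import ipaddress
import json

# Constructed sample export. The field names are an assumption for this example,
# not the real Shodan or ERIPP record format. Addresses are documentation ranges.
SAMPLE_EXPORT = json.dumps([
    {"ip": "203.0.113.10", "port": 80, "product": "Web server",
     "banner": "HTTP/1.1 200 OK\r\nServer: router-admin\r\n"},
    {"ip": "203.0.113.25", "port": 23, "product": "Telnet", "banner": "login:"},
    {"ip": "198.51.100.7", "port": 443, "product": "VPN gateway", "banner": "HTTP/1.1 200 OK"},
    {"ip": "192.0.2.99", "port": 502, "product": "Modbus", "banner": ""},
    {"ip": "203.0.113.40", "port": 443, "product": "Web server",
     "banner": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"admin\"\r\n"},
    {"ip": "203.0.113.50", "port": 443, "product": "Web server", "banner": "HTTP/1.1 200 OK"},
])

# The organisation's own public ranges (constructed for the example).
OUR_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/24")]

# Services that should never face the Internet without a VPN or firewall in front.
# This list is an assumption; extend it to match your own environment.
MANAGEMENT_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 502: "Modbus/TCP", 3389: "RDP", 5900: "VNC"}


def in_ranges(ip, ranges):
    """True if the address falls inside one of the organisation's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify(record):
    """Return the list of findings for a single exported record (empty if nothing looks wrong)."""
    findings = []
    port = record["port"]
    if port in MANAGEMENT_PORTS:
        findings.append(f"{MANAGEMENT_PORTS[port]} management service exposed")
    banner = record.get("banner", "")
    # A basic-auth challenge or an 'admin' server string suggests a management front end;
    # those are the places where unchanged default credentials bite.
    if "WWW-Authenticate" in banner or "admin" in banner.lower():
        findings.append("web admin interface reachable (check for default credentials)")
    return findings


def triage(export_json, ranges):
    """Map 'ip:port' to findings for every record in our ranges that raised at least one finding."""
    results = {}
    for record in json.loads(export_json):
        if not in_ranges(record["ip"], ranges):
            continue  # someone else's device; not our problem to fix
        findings = classify(record)
        if findings:
            results[f"{record['ip']}:{record['port']}"] = findings
    return results


if __name__ == "__main__":
    for target, issues in sorted(triage(SAMPLE_EXPORT, OUR_RANGES).items()):
        print(target)
        for issue in issues:
            print(f"  - {issue}")
```

Run as-is, the script reports four of the six constructed records: the Telnet and Modbus listeners on bare management ports, and the two web front ends whose banners advertise an admin interface. The VPN gateway outside the organisation's ranges and the plain HTTPS server are left alone. Feeding the same logic a real export for your own ranges gives a first cut of the "open-door" list the post describes, which can then be worked through with firewall rules, VPN placement and two-factor authentication.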