
Shodan: The IoT search engine for watching sleeping kids and bedroom antics

[Opinion] Shodan is not the devil, but rather a messenger which should make us take responsibility for our own security in a world of webcams and mobile devices.
Written by Charlie Osborne, Contributing Writer

Shodan has made it even easier for our inner voyeur to spy upon the open webcams of homes across the world -- but are the ramifications more pronounced than idle surveillance?

Launched in 2013, Shodan is a search engine used to find Internet of Things (IoT) connected devices around the world. Webcams, security systems and routers are only some of the devices which, once connected to the Web, can offer a glimpse into our lives behind locked doors should poor security turn the key.

Unfortunately, despite a steep rise in home Internet connectivity and the use of connected home devices -- from lighting to cameras -- and IoT-based vehicles, security comes up short.

We've heard of Jeeps hacked by attackers able to control braking systems, IoT devices with obsolete firmware that can be easily compromised by a remote hacker, and routers placed at risk should you fall for a phishing campaign.

The rapid push to capitalise on consumer IoT devices has left a rift which security needs to fill, and much of it can be solved by forcing consumers to take control of their basic security right at the start -- while other elements, such as patching firmware flaws, are the responsibility of vendors.

Shodan, while potentially a dangerous tool, is also the absolute example of what can happen when devices with lax security enter our daily lives.

In some ways, Shodan is a voyeur's dream. A quick search, through either paid or free membership, using terms such as port:554 has_screenshot:true reveals cameras installed in places ranging from car parks in Japan to bars in France, private lounges in Korea to rabbit cages in Germany.

As reported by Ars Technica, you can use the vulnerable cam feed to find everything from "marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores."

Once you've gotten over contemplating the decor choices of citizens in countries including the UK, US and Russia, you begin to realize being able to snoop in bedrooms, kitchens, garages, lounges and gardens has a far darker side than fleeting amusement.

A swift, short search also shows cameras homing in on sleeping children, oblivious couples snuggled on the sofa and happy patrons at bars, unaware their faces are being broadcast to the Internet while they enjoy a cheeky pint.

As the gallery of snapshots shows below, every facet of our lives can be recorded for the viewing of the Internet at large. (Faces and identifiable markers have been blurred by ZDNet to protect identities.)

[Gallery: The most shocking of Shodan]

But why does this happen?

Shodan scours the Web for devices that use the Real Time Streaming Protocol (RTSP, port 554) and are left open without basic password protection -- or with only the default password settings -- in place. Luckily for those with vulnerable webcams, Shodan trawls the web for open feeds but only takes a snapshot before moving on.

This is bad enough, however, to highlight how important security has become for the average consumer, whether they realise it or not.

There's no easy answer for consumers. Home cameras come in useful, especially when they are used for security. I use one myself, which remains on its own network and disconnected from any other IoT devices I have installed as one of the few measures I can take to improve the security of my devices.

When I'm out and about or abroad, I like knowing that intruders will set off both motion sensors and my camera, there will be a live stream, alert and the option to record footage of any unwanted guests. I also enjoy the fact I can 'check-in' to make sure everything is fine when I'm away.

There was something else I did straight out of the box, however: I changed the default passwords on every IoT device I operate at home. But not every device even allows you to do this, and this responsibility lies at the feet of vendors -- which may require regulatory pressure to get their act together.

Security researcher Dan Tentler told Ars there are likely "millions" of vulnerable webcams in use. However, solving the problems this idea prompts cannot be done with a simple over-air patch.

Money, trust, and interest lie at the core. Consumers will often choose cheaper products that do the job over more expensive options, vendors wish to create the best profit margins possible, and a current lack of IoT security regulations sets the trend.

In addition, consumers often expect vendors to provide secure products as a matter of course, and may not understand or care about ensuring complex passwords and barriers are in place before using their latest gadget.

It is possible that regulators such as the US Federal Trade Commission (FTC) may step in to stem the tide of vulnerable IoT devices, but until regulations are firmly in place, consumers are left in limbo.

The FTC issued a report last year urging IoT device makers to adopt a set of best practices to keep devices secure, but more must be done in the future to protect our connected homes.

If nothing else, make sure you change the default password on your device, if you can. Default passwords can be easily found by search engines such as Shodan, and by leaving default settings in place, you may be unwittingly inviting the interested eyes of the Web into your home.
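To verify that advice on a camera you own, the added example below (not part of the original article) sends one RTSP DESCRIBE to port 554 and reports whether the device demands credentials. The function names, the stream path "/" and the sample replies are assumptions constructed for illustration; it audits private (home network) addresses only.

```python
import ipaddress
import socket

# Constructed sample replies (not captured from any real device).
SAMPLE_OPEN = "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
SAMPLE_LOCKED = ("RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                 'WWW-Authenticate: Digest realm="cam", nonce="constructed"\r\n\r\n')

def classify_rtsp_reply(reply: str) -> str:
    """Map the status line of an RTSP reply to an audit verdict."""
    lines = reply.splitlines()
    parts = lines[0].split(None, 2) if lines else []
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "not-rtsp"
    code = int(parts[1])
    if code == 401:
        return "auth-required"   # the camera asked for credentials
    if 200 <= code < 300:
        return "open"            # stream described with no credentials at all
    return "other"               # e.g. 404: wrong path, says nothing about auth

def build_describe(host: str, path: str = "/") -> bytes:
    """Unauthenticated DESCRIBE; stream paths are vendor-specific, "/" is assumed."""
    url = f"rtsp://{host}:554{path}"
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: 1\r\n"
            "Accept: application/sdp\r\n\r\n").encode("ascii")

def audit_own_camera(host: str, timeout: float = 3.0) -> str:
    """Probe a camera on your own LAN; refuses anything but private addresses."""
    if not ipaddress.ip_address(host).is_private:
        raise ValueError("only private (home network) addresses are audited")
    try:
        with socket.create_connection((host, 554), timeout=timeout) as s:
            s.sendall(build_describe(host))
            reply = s.recv(4096).decode("latin-1")
    except OSError:
        return "closed"          # port 554 not reachable
    return classify_rtsp_reply(reply)

if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED)):
        print(name, "->", classify_rtsp_reply(sample))
```

A verdict of "open" means the password still needs to be set or changed; "other" usually means the stream path differs on that model, so consult the camera's manual for its RTSP URL.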

But perhaps you should ask yourself: In a world where the Internet of Things is a fledgling industry and security is yet to catch up, do we really need a camera to enhance a baby monitor? In order to protect our privacy, is it completely outside of the realm of possibility to take a step back and downgrade some of our technology to maintain our privacy at home?

If the answer to the latter is no, then at the very least, any device connected to the Internet which can stream video or audio should not be placed in areas you would prefer to keep private.
