Exposure on the Internet of Things

David Goldman at CNN recently published a story about Shodan, a search engine for the things on the Internet of Things.  A Shodan search yields a URL that would allow a knowledgeable person to connect to a machine or device, and interact with it.  There are things you would expect, like routers, printers, and webcams of unsuspecting homeowners, along with things we might hope could not be accessed, like traffic lights, power plant control systems, and particle accelerators.

The point of the story is not to put fear and trembling into the hearts of the masses, nor to turn people away from the Internet—or against the Internet of Things.  It’s a wake-up call to consumers and industrial users to keep their guard up.

The story recounts how equipment as diverse as a hockey rink cooling system, a car wash, and a hydroelectric power plant could be switched on and off remotely, through an insecure connection on the Internet.  Then there are the more mundane systems like household water heaters and garage door openers.  Who knew that your new iPhone-controlled door locking system might be so available on an Internet search?

Actually, that is the purpose of Shodan—to give security experts a way to find holes, and plug them.  The site allows very limited access to anonymous users.  To summon its full power you must first identify yourself and your purpose in using the engine, and pay a fee.

Unfortunately, dedicated hackers and cyber criminals have other means to get this kind of information.  What’s important is to be aware that devices on the Internet of Things can be exposed, and to take the necessary precautions for protecting them.  We can understand how a homeowner might leave himself open, as recent leaps in technology and gadgetry are hard for most people to keep up with.  But no mission-critical industrial system should permit this kind of access.

This underscores the importance of removing any chance of an unauthorized inbound connection in a real-time cloud system.  At the very least, you need the ability to keep firewalls closed to any incoming traffic.  Devices should be configured to make outbound-only connections to the cloud, or else aggregated behind a firewall to a server that can make an outbound-only connection.

As more and more devices get connected to the Internet of Things, we hope that those responsible will use Shodan or something similar to find the vulnerabilities in their systems, and then take measures to ensure that they are no longer exposed to search.