What kind of stuff is lurking out there on the vast (and growing) Internet of Things? A recent story in Forbes makes the point that its a lot more varied than you might think – everything from Caterpillar trucks to public school classrooms to a crematorium. And “yes,” I said “crematorium.”
The idea that surveillance cameras can be accessed from the public Internet isn’t really new. Security researchers have been showing off ways to sidestep security features for IP enabled surveillance cameras for years. We wrote last week about the Federal Trade Commission’s case against a California company, TRENDNet, which made a line of balky, in secure home surveillance gear. But Kashmir Hill makes the point in her story that surveillance cameras are just the tip of the iceberg.
Hill interviewed security researchers and professional Shodan jockeys, who use that hardware focused search engine to uncover supposedly secure equipment and industrial control system (ICS) software that can be accessed from the public Internet.
Among the interesting platforms that Hill says were discoverable were Caterpillar trucks, whose VIMS (or Vital Information Management System) was Internet connected and vulnerable to brute force attacks with an “easily guessed” username and password.
Other stuff? Hill notes a public interface for a HMI (human machine interface) for operating a crematorium, as well as HVAC (or climate control) and security camera networks for office buildings, elementary schools and the like. Shawn Merdinger, a security researcher at the University of Florida, says he is particularly concerned about the security of medical equipment, which increasingly uses wireless networks and the Internet to relay diagnostic information and receive software updates.
Of course Shodan isn’t new. The search engine has been around for almost four years, with attention to it and the universe of connected stuff it uncovers growing each year. Writing recently on Twitter, John Matherly (@achillean), the creator of Shodan noted that the project’s original goal wasn’t to uncover Internet-connected devices, but merely to map the entire Internet. But others picked up on his scans, noting the proliferation of non-traditional endpoints, including power plants, water treatment facilities and the like. “If only I had known these things would be online when I started the project,” Matherly Tweeted last week. “I figured it would be a bunch of Webservers!”
Others have followed suit and now presentations on non-traditional end points, including consumer electronics, automobiles and critical infrastructure are replacing talks focused on PCs, servers and other more traditional devices when security experts gather to exchange ideas at shows like Black Hat and DEFCON.
