If you haven’t heard what Shodan is and why do we care, I would suggest you get familiar with it. Shodan has been called the “Google” for the internet of things (IoT). Shodan is continually cataloging web facing, connected devices such as control systems, computers, CRACs, power systems, etc.
Why should we care? We should care because if you have setup a customer’s system that is directly connected to the internet, Shodan has either found it or will find it and put into its database for the world to see.
I found the site below in the amount of time it took me to type “niagara” in the Shodan search bar, and then click the first IP listed. Notice all the information for this site is listed on the right of the image.
Try It Yourself
The image on the left shows a search I did for Niagara systems. If you want to try it out, I set the image up so that when you click it, it will open Shodan and automatically search for Niagara systems around the world.
Notice who is leading the pack? We are! This is a statistic we DO NOT want to be in the number one position.
This search shows us that as of today (7/28/15), there are 15,948 publicly exposed, Niagara instances in the United States. Yours could be one of them.
The image below is the details page for the site shown above. The details page gives you the open ports, the Niagara version, the last time Shodan recorded it on the web (in this example it was yesterday around 10 AM), the internet service provider (ISP), city and country that the site is in and lastly… A map showing the location of the IP! This map is the IP geographical location and most likely not the site.
Does Shodan require you to search by vendor? Nope… You can search by equipment type.
The next search I did was for “Chillers”. The image below shows two of the results from this screen (there were many more than these two) and there is lot info that the bad guy could use.
This first system in the image shows that it is a Tracer SC and it is located in the mechanical room. The software version and firmware version are listed. Its Bacnet instance ID is listed. And it shows us the internal IP for the BBMD.
The second system in the image is Delta Controls. It is located on the 10th floor, in the boiler room. It too shows the software and firmware versions and its Bacnet instance ID. The internal IP of the BBMD is shown as well.
Tracer SC Details
I clicked the details for the Trane SC system and the image on the right shows that Microsoft IIS running. This is web service needed to run the user interface.
It is also running ASP.NET. Both of these can be exploited by a hacker. Especially if they are not being updated.
If you want to try it out yourself, go to https://www.shodan.io.
If you would like more information on Shodan or any of my other post, email me at firstname.lastname@example.org.