
Shodan, the search engine that points hackers directly to your webcam


The U.S. Federal Trade Commission issued a complaint on Wednesday against Internet-connected device maker Trendnet due to a security flaw in one of its webcams – a device marketed for home security and baby monitoring – that let hackers spy on people in their homes. The complaint is the first issued by the FTC that concerns a device included in the category we know as the “Internet of Things.” But thanks to a specialized search engine for Internet-connected devices called Shodan, the FTC’s Trendnet complaint is likely only the beginning.

Countless devices, ranging from webcams to electrical power plants, are insecurely connected to the Internet, making them vulnerable to hacker intrusions and other cyberattacks. Hundreds of millions of these devices can easily be found through Shodan, which indexes the “Internet of Things” in the same way Google indexes websites. It is through Shodan that the FTC – or anyone else – will likely discover the next Trendnet.


As Forbes reports, Shodan was created by John Matherly in 2009. It was originally conceived as a way for companies to find competitors’ products connected to the Internet. “Instead, it’s become a crucial tool for security researchers, academics, law enforcement and hackers looking for devices that shouldn’t be on the Internet or devices that are vulnerable to being hacked,” writes Forbes’ Kashmir Hill.

Anyone can use Shodan by signing up for a free account, which gets you 10 results per search. (A $20-per-year premium account delivers 10,000 results per search.) Once logged in, simply type in a search term, like “webcam” or “iPad,” and Shodan brings up a slew of results, which can be narrowed by country or city, connection type, and company or organization associated with the device or connection. The data might seem meaningless to users who are not technically savvy. But to a security researcher or a nefarious hacker, it shows where a device is and how it might be exploited. Shodan’s database currently includes roughly 1.5 billion Internet-connected devices and facilities, which include routers, VoIP phones, red light traffic cameras, printers, and smart refrigerators, among many other things.

Shodan works by cataloging the automatic responses, known as “banners,” that any connected computer issues. Banners contain a variety of data about the computer or service. Sometimes a banner even includes the default password for a device or server, which means Shodan users can simply search “default password” and quickly have the keys to vulnerable devices.

While one might be tempted to blast Matherly for creating an easy way for hackers to find vulnerable devices – in the same way Hollywood condemns The Pirate Bay for facilitating copyright infringement – Matherly says it is the creators of the unprotected devices that should bear the burden of responsibility. “I don’t consider my search engine scary,” Matherly tells Forbes. “It’s scary that there are power plants connected to the Internet.”

There are a number of ways to protect yourself from the kinds of intrusions facilitated by Shodan. First, change the password on any device you have that connects to the Internet so nobody can slip in just by entering the default password. For devices that don’t need to be connected to the Internet at all (like some home security cameras, for example), instead connect them to a LAN (Local Area Network), which you can learn to set up here. Finally, just to make sure you’re safe, you can search Shodan for the IP address of any of your connected devices by typing in “net:YOUR.IP.ADDRESS” to see if you are vulnerable.
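To make the banner idea concrete, here is an added example (not from Shodan or the original article) that checks banners captured from your own devices for the kinds of giveaways described above and builds the “net:” search for an address. The banner text, device names and list of patterns are constructed for illustration, and 8.8.8.8 merely stands in for a public address.

```python
import ipaddress
import re

# Banner contents that hand an outsider useful information (illustrative list).
LEAK_PATTERNS = {
    "advertises default credentials":
        re.compile(r"default\s+(password|login|credentials)", re.I),
    "discloses product and version":
        re.compile(r"^Server:\s*\S+/[\d.]+", re.I | re.M),
}

def audit_banner(banner):
    """Return the findings for one service banner taken from your own device."""
    findings = [label for label, rx in LEAK_PATTERNS.items() if rx.search(banner)]
    status = re.match(r"HTTP/\d\.\d\s+(\d{3})", banner)
    # A 200 reply with no authentication challenge is served to anyone who asks.
    if status and status.group(1) == "200" and "www-authenticate" not in banner.lower():
        findings.append("answers without asking for a login")
    return findings

def shodan_net_query(ip):
    """Build the net: search for an address, or None if it is not Internet-routable."""
    addr = ipaddress.ip_address(ip)
    # Private LAN addresses (e.g. 192.168.x.x) cannot be reached or indexed from outside.
    return f"net:{addr}" if addr.is_global else None

# Constructed sample banners; ExampleCam and ExampleRouter are made-up products.
SAMPLES = {
    "camera-a": "HTTP/1.0 200 OK\r\nServer: ExampleCam/1.2\r\nContent-Type: text/html\r\n",
    "camera-b": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Login"\r\n',
    "telnet-c": "ExampleRouter login (default password: admin)\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, audit_banner(banner) or "nothing flagged")
    for ip in ("192.168.1.20", "8.8.8.8"):
        print(ip, shodan_net_query(ip) or "private address, not visible from the Internet")
```

A device that shows up under its “net:” search and produces findings here is one to move behind the LAN or to give a new password first.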

Image courtesy Blazej Lyjak/Shutterstock
