Search engine Shodan knows where your toaster lives

How did hackers find all the net-connected gadgets they used to attack Dyn and knock out your favorite sites? It's as easy as typing in some search terms.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read
Enlarge Image

Friday's internet outage left a mark.

On Friday, many internet users in the US couldn't reach Twitter, but that was just the beginning.

Eventually we learned this was because hackers compromised thousands of cameras and DVRs that were connected to the internet, creating a vast botnet of tiny computers that would do the hackers' bidding. The attackers used the devices to send overwhelming amounts of page requests to a company called Dyn that managed web traffic for Twitter and a host of other popular websites like Netflix, Reddit and Etsy.

Buried in this stranger-than-fiction saga is an eye-catching detail: the fact that hackers can look up any device connected to the internet with a few keystrokes.

One site in particular, called Shodan, bills itself as "the search engine for the internet of things," giving anyone who looks access to information on any internet-connected device.

How does this work? And more importantly, why does this kind of service exist, and what could it possibly be good for? Read on to learn more about Shodan and the searchable internet of things.

If you connect it, they will search

To look up security cameras (or Wi-Fi baby monitors or smart TVs or routers), all hackers have to do is go to Shodan.

Google and Bing also let searchers look up anything connected to the internet and discover the IP address of the gadget. If bad guys know how to compromise a certain kind of device, they can look for those devices specifically with the intention of hacking them en masse.

It sounds scary, but the fact is, anyone with the skills can make a tool to search for internet-connected devices, whether they're good guys or bad guys.

That's because each of these devices has an IP address, a string of numbers that identifies it and serves as its specific address on the net. IP addresses are public information, which anyone can index on a search engine, not just Shodan, Google or Bing.

"Connectivity is reachability," says Srinivas Mukkamala, chief executive of cybersecurity company RiskSense. "If it's reachable, it will be indexed."

Enabling security research

The creators of Shodan and similar search tools say their goal is to help good-guy researchers, often called white hats, like the protagonists of old-school Westerns.

In fact, researchers are major users of Shodan, the company's chief executive, John Matherly, told CNET in March.

While it's possible hackers used Shodan, Google or Bing to locate the cameras and DVRs they compromised for Friday's attack, they also could have done it with tools available in shady hacker circles.

But without these legit, legal search tools, white hat researchers would have a harder time finding vulnerable systems connected to the internet. That could keep cybersecurity workers in a company's IT department from checking which of its devices are leaking sensitive data onto the internet, for example, or have a known vulnerability that could let hackers in.

Even though sites like Shodan might leave you feeling exposed, security experts say the good guys need to be able to see as much as the bad guys can in order to be effective.

"Think about this as a reconnaissance tool," Mukkamala says.