Exposing lurking dangers with an 'Internet cartographer'

"So, this is a wind farm," John Matherly said, nodding at a drab blue-and-black portal that blinked onto the computer screen.

Thirty-year-old Matherly is the father of the controversial search engine Shodan, which finds things connected to the Internet, whether it's a webcam or a wind turbine's control system.

For the U.S. Department of Homeland Security or a power company, Matherly's one-man security outfit based in Austin, Texas, is a way to suss out where companies are vulnerable to cyber intrusions.

At a reporter's request, Matherly had just used Shodan to find a Web-connected door to the computer system running maintenance controls on a lone wind turbine in Wadena County, Minn. Sitting with a borrowed laptop at the Def Con hacking conference in Las Vegas last week, Matherly said he could have sent commands straight to the wind turbine's industrial control system.

"I don't think you could explode it -- I don't think you could do anything crazy," the self-described "Internet cartographer" said. "But you could definitely affect operations."

As a security tool, Matherly views Shodan as a way to prevent a damaging cyberattack on critical energy infrastructure by simply identifying holes to plug. It hasn't been connected to a broad-based, criminal cyberattack on critical infrastructure.

Shodan can tap a database of at least 500 million gadgets and machines, seeing beyond Google's territory of the World Wide Web and into the broader "Internet of Things," Matherly said. It's helped equipment vendors, government agencies and utilities find soft spots in power plants, traffic systems and oil pipelines.

But the fact that it allows people worldwide to probe industrial systems has made electric utilities uneasy.

To Matherly, that's exactly the point. In the five years since he founded Shodan LLC, of which he's the CEO, he has become an educator of sorts. He offers critical infrastructure operators a simple lesson: If you want the convenience of Internet connectivity, be prepared to face the security consequences.

At Def Con, the back of his T-shirt reads, "I'd like to change the world, but they won't give me the source code." He flips between tabs on the laptop, keying in new queries with the dexterous impatience of a computer programmer.

Matherly's Shodan easily turns over online stones to find an astonishing array of devices open to exploitation. Without authentication or other security measures, simply learning a device's IP address can be enough to control a machine 1,000 miles away, although getting into a control system takes a lot more legwork than, say, hijacking a webcam.

"There's no hacking involved in any of these," he said as he pulled up the simple interface for someone's "smart home" in California.

The homeowner had a device to remotely manage lights, thermostats and other household items.

"If I turn off your lights, it's like, 'Oh, ha,'" Matherly said. "It's not going to change your life." He added that he steers clear of "shenanigans."

Still, there are potential privacy and electric reliability issues from such access. More smart energy systems are being installed. If millions of smart homes are insecure, that's a broader problem for electric power providers and cities.

Matherly calls that "criticality by numbers." An attacker could turn on thousands of lights at an unexpected time, overloading the grid, or lower everyone's thermostat in the dead of winter.

"Everyone always wants to talk about control systems -- about power plants, about all these big objects that are scary," he says. "But very few people are paying attention to these everyday devices, which in all honesty, are way more common."

'Echo chamber'

Matherly said Shodan has played a big role in pressuring companies to change their security postures. He estimates the tool has helped identify as many as 100,000 industrial devices connected to the Internet that probably shouldn't be -- from power line monitors to parts of a nuclear complex.

Ultimately, those devices were taken off the Internet. Still, he says lots of other problematic Internet connections remain, and not all companies choose to disconnect them.

"I definitely see myself as -- hopefully -- helping the Internet," he said in an interview with EnergyWire. And in response to critics suggesting Shodan in fact makes it easier for the bad guys to identify the Web's vulnerabilities: "I'm just providing a way for the people who don't want to do it illegally to also have a tool," he said.

Underground botnets have been around for ages, accomplishing the same thing as Shodan with less accountability, the argument goes. Matherly has drummed up discussion about the need for tighter security for systems that underlie the electricity grid, long-distance oil and gas pipelines, and other critical networks. He was in Las Vegas last week to take part in Def Con, one of the world's biggest gatherings of hackers.

The Shodan founder spent much of Friday hanging out in a conference room where casual programmers and security experts traded ideas, anecdotes and advice on protecting critical infrastructure. The room featured a mock water treatment facility and several detached, hackable robotic arms.

Def Con is often viewed as the fun, mischievous after-party to the industry-centric Black Hat security convention, also hosted in Las Vegas. But representatives from serious companies such as Cisco Systems and Siemens pay heed to both conferences.

In 2012, a researcher exposed a glaring flaw in a Siemens-built family of industrial controls and switches called Rugged Operating System. The issue boiled down to an easily breakable backdoor login account installed by RuggedCom. It allowed unfettered remote access to Rugged systems, which are used in everything from electric substations to traffic control networks.

Separately, Siemens equipment was also targeted in the deviously complex Stuxnet virus that infected Iranian nuclear centrifuges in the late 2000s.

Matherly said electric power equipment has improved since then, but progress is halting. "It's kind of becoming an echo chamber, where the same security people keep talking to the same other security people about it, and nothing really changes," he said.

A few weeks after the backdoor in RuggedCom systems came to light in April 2012, the North American Electric Reliability Corp., or NERC, issued an alert to its member utilities. The nonprofit grid overseer, charged with helping to ensure electricity reliability in the United States and Canada, warned that Shodan could make it easier for hackers to exploit flaws like RuggedCom's.

"The increase of both local and global hacktivist groups supplies a potential threat agent with the intent, skills, and understanding to leverage Shodan, Metasploit, and other tools against various industrial control systems," NERC noted in its May 7 advisory. "The combination of fragile systems that may be Internet-facing and threat actors who now have the tools to identify and attack these systems has increased the risk to industrial control systems."

Since then, there have been only a handful of cyberattacks in the United States with the potential to affect electricity reliability, according to Department of Energy data. EnergyWire has filed a Freedom of Information Act request for details on the three cyber events reported to DOE's Office of Electricity Delivery and Energy Reliability in the past two years. The companies that reported the events -- NRG Power Marketing, ITC Transmission and Duke Energy Progress -- have offered no indication that Shodan was a factor.

Matherly has worked closely with the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to press companies into taking action, according to DHS. An official there confirmed the agency has collaborated with Matherly "on issues pertaining to Internet-facing devices since at least 2011."

With each day, new Shodan search queries turn up devices that have no business being linked to the insecure Internet. Insurance companies have taken to using the tool to gauge the cyber precautions of companies they cover, according to Matherly.

He said he's optimistic companies will start using virtual private networks (VPNs) for an extra layer of protection on their Internet-facing systems. Disconnecting devices altogether offers a more surefire solution, but he noted that companies aren't always willing to sacrifice the benefits of remote access.

"If you take it offline, you're already good to go for a lot of the really easy attacks," Matherly said.

"You're not going to solve a Stuxnet attack," he said. "Really, a lot of these things are low-hanging fruit in terms of security problems. They're not super complicated problems to solve."

'Kind of a coin toss'

Raised in Switzerland, Matherly has no formal background in security or industrial control systems, having studied bioinformatics after moving to the United States (think sorting through gigabytes of DNA data).

Computer games piqued his interest in programming at an early age. The name for Matherly's search tool comes from the artificially intelligent and creepily omnipotent villain SHODAN in the System Shock video game series. When he started working on it more than a decade ago, he said Shodan was meant to help businesses track who used their products and how they were being configured.

"Initially it was kind of a coin toss," he said. "I wasn't sure whether the data would be used for good or bad."

Obviously that changed when people started using it, Matherly said. "They discovered all these different devices they didn't really expect to find," he said. "And the big devices that people really didn't expect to find were these control systems. That came out of left field."

Shodan's darker side has earned the tool its share of detractors. One case suspected to be tied to Shodan involved a hacker shouting at an infant through an Internet-facing baby monitor.

"Any tool can be misused, for sure," said Steven Roosa, a partner at the law firm Holland & Knight's New York office and a specialist in data privacy and cybersecurity. "The knee-jerk reaction is, 'This type of tool presents security threats and we should ban it.'"

But Roosa said he has actually come to the opposite conclusion.

"If there are products out there -- baby monitors or home surveillance systems, or whatever -- that are so flawed that they can be exploited remotely across the Web, then this is a tool that either painlessly or painfully will bring these things into the public view so they can be rectified," Roosa said.

And that's a good thing, he noted, even if it takes a gray tool to get there.

Turbines to death stars

Devices aren't always what they say they are.

While searching for a type of Siemens factory equipment, Matherly stumbled across a "honeypot." That's cybersecurity parlance for a piece of software designed to be attacked and exploited.

"It was obvious when I saw it," he said. "Nobody would actually install eight copies of the same software on one device, and list them ... it just doesn't make any sense."

Honeypots are an increasingly popular tool in the "good guys'" arsenal, helping them suss out would-be attackers' methods and goals. They're decoys that fool hackers into thinking they've hit the jackpot.

One security consultant reported setting up a fake water utility in his basement, only to see it come under "catastrophic" assault within hours (EnergyWire, Nov. 21, 2013).

The Conpot honeypot program is tailored to mimic industrial control systems. An introductory video to the tool claims it can pose as anything from a power grid to the Death Star. (Whether attackers will actually believe they've hacked into the Star Wars super weapon is debatable.)

The wind farm Matherly found online last week was neither a joke nor a honeypot. It used a legitimate supervisory control and data acquisition/human-machine interface (SCADA/HMI) -- dubbed the "Nordex NC2" portal -- which has been known to suffer from a cross-site scripting vulnerability that leaves it open to exploitation.

A few clicks later and Matherly was browsing through the page's source code in search of hints at the wind turbine's owner. The title "Bear_Creek" caught his eye.

"Sometimes you get lucky like that and find out where it actually is," he said.

Nordex did not respond to a request for comment. A representative from the Minnesota company Bear Creek Wind Partners LLC did not respond to confirm or deny whether it owned the Internet-facing wind turbine uncovered in Matherly's demonstration.

Twitter: @BlakeSobczak | Email:
