Public search engine lists vulnerable control systems

Shodan maintains database of weak security in traffic lights, CCTV, power stations

Tags: Cyber crimeShodan (
  • E-Mail
Public search engine lists vulnerable control systems Shodan can be used to search for over 500m devices connected to the Internet.
By  Stephen McBride Published  April 9, 2013

A little-known website maintains a comprehensive list of devices connected to the Internet, including details of their vulnerabilities, CNN Money reported yesterday.

Check out our gallery of Shodan's scariest offering's.

The search engine, called Shodan (, allows users to search for countless pieces of hardware connected to the Internet, such as servers, routers, printers and even traffic lights. The search results list a variety of details about each device, including geographical location (longitude and latitude), OS settings and vulnerabilities.

"When people don't see stuff on Google, they think no one can find it; that's not true," said John Matherly, creator of Shodan.

Google's search engine uses automated software to trawl the World Wide Web looking for browser-compatible resources such as webpages, documents and multimedia files. Shodan goes looking for the hardware that is part of the connected infrastructure of the Internet and is able to probe the devices for detailed information about their status.

The result is a database of 500m devices that encompasses traffic lights, security cameras, home automation devices, heating systems and industrial control systems. Specific examples of searchable resources on Shodan include control systems for a water park, a gas station, a hotel wine cooler, a crematorium, nuclear power plants and a particle-accelerating cyclotron.

Check out our gallery of Shodan's scariest offering's.

But it is in the detail of the search results where real concern lies. Default passwords are known to be a problem in many corporate networks, where improper policing of infrastructure can lead to Internet-connected devices having administrator passwords of "1234", "letmein" or similar soft barriers. On Shodan users can type "default password" into the search box to receive a list of connected devices by IP address that use such passwords, and search results even show the precise password. In many cases the name of the organisation to which the IP is registered also appears.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code