By Mark Ackerman
BROOMFIELD, Colo. (CBS4) – Security experts say hackers aren’t just interested in your home computer anymore. Any Internet-connected device could be a target and a new type of search engine has made it easier than ever to find vulnerable devices.
Dale Drew, Chief Security Officer at Level 3 Communications, wants consumers to know about the search engine Shodan, which CNN called the “scariest search engine on the Internet.”
Shodan bills itself as “the world’s first search engine for Internet-connected devices,” allowing “authenticated account holders” to search for exposed Webcams, baby monitors, refrigerators and even power plants.
But according to Drew, easy access to a Webcam could lead to unwanted eyes in your home.
“Literally thousands of people can be peering into your webcam, into your home, and you have no knowledge of it,” said Drew. “Bad guys are getting access to home-based cameras and getting pictures of people changing their clothes or wearing no clothes and then threatening to publish those pictures on the Internet unless they get paid a ransom.”
Webcams are just the beginning. Drew said search engines like Shodan are “transforming the Internet of Things into the Internet of Threats.”
Colorado-based computer hacker Chris Roberts is paid to expose security threats. He said he’s hacked “everything from missiles to tanks to planes, to buildings to banks to prisons.”
Recently Roberts has turned his attention to all of the Internet-connected devices popping up in our homes, like security systems that you can access through a smartphone, Internet televisions and even web-based appliances like ovens that you can preheat while you are still at work.
A prankster could flood your yard by hacking your Web-based sprinkler system, or turn up your heat by hacking into your Internet-controlled thermostat. But accessing these devices could also lead to bigger problems.
“It’s an easy way into your home network and potentially your life,” said Roberts.
During one demonstration, Roberts said he was able to access an Internet-connected oven, which led to a home network, then to a home computer, and on to his ultimate goal, a work computer with sensitive information on it.
“Game over. All because we hacked the oven,” he said.
Roberts said tech manufacturers are working hard to bring products to market quickly and inexpensively, and security is often an afterthought.
“You either accept the fact that you are putting an insecure device in, or you don’t.,” said Roberts.
But Drew said there are some simple things consumers can do to protect themselves. He urges consumers not to bypass security while installing a device. Most importantly, set a unique password. He said the default settings are often “admin” & “password” and the “bad guys know that.”
“If you change that to anything else,” he said, “you’ve prevented a majority of the bad guys from breaking into your home network.”
Another step Drew recommends is to try to find your device on Shodan to determine if it’s vulnerable.
John Matherly, the CEO of Shodan, told CBS4 his search engine is an important tool for security experts.
By identifying insecure devices, “Shodan has directly led to the securing of hundreds of thousands of devices across the Internet, including critical infrastructure in the U.S.”
Matherly said if a security researcher discovers a new flaw in a device they can use Shodan to estimate how many devices would be affected.
“This is a critical step to convince the manufacturer of the device that fixing the vulnerability is important,” he said.