Cyberspace has become all-pervasive. Every facet of modern life has elements of cyberspace embedded in it. Securing cyberspace has therefore become a necessity that can no longer be wished away. This space collates the news and views affecting the security of our cyberspace.
30 September 2012
Network Surveillance Devices Discovered via Shodan
It’s no secret that Shodan has turned up some interesting findings over the past few years – everything from critical infrastructure devices to VoIP phones, solar and wind farms, HVAC systems, even an online crematorium.
Now we can add surveillance devices such as BlueCoat Proxy and PacketShaper boxes, Cisco routers running Lawful Intercept code and various vendors’ CALEA Mediation Devices to the list of what Shodan has pre-scanned and what savvy researchers searching Shodan can find.
Finding BlueCoat devices by searching Shodan can reveal these filtering and packet shaping boxes deployed around the world.
CISCO SYSTEMS' LAWFUL INTERCEPT
Other vendors’ products in the surveillance space are also identifiable via Shodan searches. Cisco Systems’ Lawful Intercept is a specialized architecture that is well documented and utilizes specific Cisco IOS images on certain platforms. Unfortunately, hundreds of Cisco routers running Lawful Intercept code versions are in the Shodan database simply because the router owners configured the SNMP community read string as “public.” As a result, Shodan scanners queried the router using SNMP and the public community string, and the router returned the Cisco IOS version along with other SNMP details.
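The misconfiguration described above can be checked from the device owner's side. The following is an added example, not code from the original post: a Python audit of Cisco IOS configuration text that flags `snmp-server community` lines using a default string, lacking a source ACL, or granting read-write access. The default-string list, the function name `audit_snmp` and the sample configuration are constructed for illustration.

```python
import re

# Well-known default community strings (constructed, minimal list for this example).
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS syntax: snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.IGNORECASE)

# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community n0c-Mon1tor view NOC-VIEW RO 10
snmp-server community private RW
snmp-server location constructed-lab
"""


def audit_snmp(config_text):
    """Return [(community, [issues])] for each risky 'snmp-server community' line."""
    findings = []
    for line in config_text.splitlines():
        match = COMMUNITY_RE.match(line)
        if not match:
            continue
        community, tokens = match.group(1), match.group(2).split()
        access, acl, i = "ro", None, 0  # IOS treats an omitted keyword as read-only
        while i < len(tokens):
            tok = tokens[i].lower()
            if tok in ("view", "ipv6") and i + 1 < len(tokens):
                i += 2  # skip the view name / IPv6 ACL name (does not filter IPv4)
                continue
            if tok in ("ro", "rw"):
                access = tok
            else:
                acl = tokens[i]  # trailing number or name is the source ACL
            i += 1
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if acl is None:
            issues.append("no source ACL")
        if access == "rw":
            issues.append("read-write access")
        if issues:
            findings.append((community, issues))
    return findings


if __name__ == "__main__":
    for community, issues in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {', '.join(issues)}")
```

A community line that names a non-default string and ends in an access list, like the second line of the sample, produces no finding.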
So what is the impact of these kinds of devices being exposed through researchers’ Shodan searches and disclosure? That is not an easy question to answer, given the unknowns in this kind of situation.
Obviously, there is a risk of attackers targeting and sabotaging these surveillance devices for any number of reasons, from political or criminal motivations to simple personal amusement, a.k.a. "Teh Lulz".
Overall, one must treat these search results with skepticism. After all, they may be honeypots, or test systems, or not in use, or whatever. Simply because a router is on the Internet and has a Lawful Intercept capable image loaded doesn’t necessarily mean it is being used for that purpose.
Then again, they could be live systems... who knows?