30 September 2012

Network Surveillance Devices Discovered via Shodan

shawn merdinger 

It’s no secret that Shodan has turned up some interesting findings over the past few years – everything from critical infrastructure devices, to VoIP phones, solar and wind farms, HVAC systems, even an online crematorium.
Now, we can add surveillance devices like BlueCoat Proxy and PacketShaper boxes, Cisco routers running Lawful Intercept code and various vendors’ CALEA Mediation Devices to what Shodan has pre-scanned and what savvy researchers searching Shodan can find.
In the case of Blue Coat, the company’s filtering technology was identified in October 2011 by Citizenlab.org, based out of the University of Toronto, and documented here: https://citizenlab.org/2011/11/behind-blue-coat/ Highlights include 12 BlueCoat devices identified in Syria. This research was also picked up by Forbes and Bruce Schneier.
Finding BlueCoat devices by searching Shodan can reveal these filtering and packet shaping boxes deployed around the world.
Other vendors’ products in the surveillance space are also identifiable via Shodan searches. Cisco Systems’ Lawful Intercept is a specialized architecture that is well documented and utilizes specific Cisco IOS images on certain platforms. Unfortunately, hundreds of Cisco routers running Lawful Intercept code versions are in the Shodan database simply because the router owners configured the SNMP read community string as “public.” As a result, Shodan scanners queried the router using SNMP and the public community string, and the router returned the Cisco IOS version, along with other SNMP details.
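A configuration check for the exposure described above, as an added example that is not from the original post: it scans a Cisco IOS configuration for `snmp-server community` lines and flags guessable strings, read-write access and missing access lists. The sample configuration, the weak-string list and the name `audit_snmp` are constructed for illustration.

```python
import re

# Community strings treated as guessable (assumption: extend for your environment).
WEAK = {"public", "private", "cisco", "community"}

# IOS syntax: snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>]
LINE = re.compile(r"^\s*snmp-server community (\S+)(.*)$", re.IGNORECASE)

# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community n0c-Mon1tor RO 99
snmp-server community private view ALL RW 10
snmp-server location lab
"""

def audit_snmp(config_text):
    """Return [(community, [findings])] for every community line in the config."""
    results = []
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        community, rest = m.group(1), m.group(2).split()
        findings = []
        if community.lower() in WEAK:
            findings.append("guessable community string")
        acl, i = None, 0
        while i < len(rest):
            tok = rest[i].lower()
            if tok == "view":            # view <name>: skip keyword and its argument
                i += 2
            elif tok == "ipv6":          # ipv6 <named-acl>
                acl = rest[i + 1] if i + 1 < len(rest) else None
                i += 2
            elif tok in ("ro", "rw"):
                if tok == "rw":
                    findings.append("read-write access")
                i += 1
            else:                        # anything left is an ACL number or name
                acl = rest[i]
                i += 1
        if acl is None:
            findings.append("no source ACL")
        results.append((community, findings))
    return results

if __name__ == "__main__":
    for community, findings in audit_snmp(SAMPLE_CONFIG):
        print(community, "->", "; ".join(findings) or "ok")
```

Run it against exported running configurations; any line reported with both a guessable string and no source ACL matches the condition that put these routers into Shodan.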
So what is the impact of these kinds of devices being exposed through researchers’ Shodan searches and disclosure?  That is not an easy question to answer, given the unknowns in this kind of situation.
Obviously, there is a risk of attackers targeting and sabotaging these surveillance devices for any number of reasons, from political or criminal motivations to simple personal amusement, a.k.a. "Teh Lulz."
Overall, one must treat these search results with skepticism.  After all, they may be honeypots, or test systems, or not in use, or whatever.  Simply because a router is on the Internet and has a Lawful Intercept capable image loaded doesn’t necessarily mean it is being used for that purpose.
Then again, they could be live systems... who knows?
