Shodan.io, an online search engine designed to reveal the location of internet-connected devices, has drawn criticism from many who cite security concerns.
According to Forbes magazine – which described Shodan as “the terrifying search engine that finds internet-connected cameras, traffic lights, medical devices, baby monitors and power plants” – the search engine contains flaws which allowed at least one user to hack into a baby monitor and speak to both the sleeping baby and her father.
Shodan, however, markets itself as a resource for savvy businessmen, who may use the service as a tool with which “to perform empirical market intelligence,” and as a way of understanding one’s own “digital footprint.”
Despite Shodan’s assertions of ethical conduct on its own part, many feel the website’s ability to locate medical systems, power plant controls, traffic lights and other municipal facilities opens the door for potential terrorist attacks. Other hackers may simply use Shodan to intrude upon the privacy of ordinary people, hijacking the webcams on laptops. Forbes writes that “more than 40,000” people are using devices fitted with the IP cameras targeted by Shodan.
Shodan was released by 29-year-old John Matherly, who views his creation as a simple variation of the traditional search engine; he told Forbes, “Google crawls for websites. I crawl for devices.”
Matherly does not view Shodan as an inherently evil system, despite its being named after the villain of the videogame System Shock; Matherly waves off that fact as simply “a reference other hackers and nerds will understand.”
Matherly told Forbes he originally thought “Shodan would be used by network behemoths like Cisco, Juniper or Microsoft to canvass the world for their competitors’ products,” although he now sees his website as “a crucial tool for security researchers, academics, law enforcement and hackers.”
An industry report conducted by Swedish tech company Ericsson estimated “50 billion devices will be networked” into Shodan by 2020. Matherly’s Shodan is the only company currently publicly listing the location of internet-connected devices on the Web.