Shodan Safari, where hackers heckle the worst devices put on the internet


If you leave something on the internet long enough, someone will hack it.

The reality is that many device manufacturers make it far too easy by using default passwords that are widely documented, allowing anyone to log in as “admin” and snoop around. Often, there’s no password at all.

Enter “Shodan Safari,” a popular part-game, part-expression of catharsis, where hackers tweet and share their worst finds on Shodan, a search engine for exposed devices and databases popular with security researchers. Almost anything that connects to the internet gets scraped and tagged in Shodan’s vast search engine — including what the device does and which internet ports are open, which helps Shodan understand what the device is. If a particular port is open, it could be a webcam. If a certain header comes back, its backend might be viewable in the browser.
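The same port-and-header reasoning can be turned on your own perimeter. This is an added example, not code from Shodan or the article: it takes constructed scan records of services you own and reports which ones would stand out in such an index. The `Service` record, the port hints and the header rules are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed hints for well-known service ports (illustrative, not Shodan's rules).
PORT_HINTS = {23: "telnet console", 502: "Modbus industrial controller",
              554: "RTSP video stream (camera)", 3389: "Windows remote desktop"}

@dataclass
class Service:
    host: str
    port: int
    status: Optional[int] = None          # HTTP status if a web server answered
    headers: dict = field(default_factory=dict)

def classify(svc):
    """Return the exposure findings for one internet-facing service."""
    findings = []
    if svc.port in PORT_HINTS:
        findings.append(f"port {svc.port} open: likely {PORT_HINTS[svc.port]}")
    if svc.status is not None:
        hdrs = {k.lower(): v for k, v in svc.headers.items()}
        challenge = hdrs.get("www-authenticate", "")
        if svc.status == 200 and not challenge:
            findings.append("page served without an HTTP auth challenge")
        if svc.status == 401 and challenge.lower().startswith("basic"):
            findings.append("HTTP Basic login: confirm the default password is changed")
        if "server" in hdrs:
            findings.append(f"Server header names the product: {hdrs['server']}")
    return findings

def audit(services):
    """Map 'host:port' to findings, skipping services with nothing to report."""
    pairs = ((f"{s.host}:{s.port}", classify(s)) for s in services)
    return {target: found for target, found in pairs if found}

# Constructed inventory using documentation addresses (192.0.2.0/24).
SAMPLE = [
    Service("192.0.2.10", 554),
    Service("192.0.2.20", 80, 200, {"Server": "ExampleCam/1.0"}),
    Service("192.0.2.30", 443, 401, {"WWW-Authenticate": 'Basic realm="admin"'}),
    Service("192.0.2.40", 22),
]

if __name__ == "__main__":
    for target, findings in audit(SAMPLE).items():
        print(target, "->", "; ".join(findings))
```

A 200 response without an auth challenge can still sit behind a form login, so treat that finding as a prompt to check the page by hand.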

Think of Shodan Safari as internet dumpster diving.

From cameras to routers, hospital CT scanners to airport explosive detector units, you’d be amazed — and depressed — at what you can find exposed on the open internet.

Like a toilet, or prized pot plant, or — as we see below — someone’s actual goat.

The reality is that Shodan scares people — and it should. It’s a window into the world of absolute insecurity. It’s not just exposed devices but databases — storing anything from two-factor codes to your voter records, and where you’re going to the gym tonight. But devices take up the bulk of what’s out there. Exposed CCTV cameras, license plate readers, sex toys, and smart home appliances. If it’s out there and exposed, it’s probably on Shodan.

If there’s ever a lesson to device makers, not everything has to be connected to the internet.

Here are some of the worst things we’ve found so far. (And here’s where to send your best finds.)

An office air conditioning controller. (Screenshot: Shodan)

 

A weather station monitor at an airport in Alabama. (Screenshot: Shodan)

 

A web-based financial system at a co-operative credit bank in India. (Screenshot: Shodan)

 

For some reason, a beef factory. (Screenshot: Shodan)

 

An electric music carillon near St. Louis, used for making church bell melodies. (Screenshot: Shodan)

 

A bio-gas production and refinery plant in Italy. (Screenshot: Shodan)

 

A bird. Just a bird. (Screenshot: Shodan via @Joshbal4)

 

A brewery in Los Angeles. (Screenshot: Shodan)

 

The back end of a cinema’s projector system. Many simply run Windows. (Screenshot: Shodan via @tacticalmaid)

 

The engine room of a Dutch fishing boat. (Screenshot: Shodan)

 

An explosive residue detector at Heathrow Airport’s Terminal 3. (Screenshot: TechCrunch)

 

A fish tank water control and temperature monitor. (Screenshot: Shodan)

 

A climate control system for a flower store in Colorado Springs. (Screenshot: Shodan)

 

The web interface for a Tesla PowerPack. (Screenshot: Shodan via @xd4rker)

 

An Instagram auto-follow bot. (Screenshot: Shodan)

 

A terminal used by a pharmacist. (Screenshot: Shodan)

 

A controller for video displays and speakers at a Phil’s BBQ restaurant in Texas. (Screenshot: Shodan)

 

A Kodak Lotem printing press. (Screenshot: Shodan)

 

Someone’s already-hacked lawn sprinkler system. Yes, that’s Rick Astley. (Screenshot: Shodan)

 

A sulfur dioxide detector. (Screenshot: Shodan)

 

An internet-connected knee recovery machine. (Screenshot: Shodan)

 

Somehow, a really old version of Windows XP still in existence. (Screenshot: Shodan)

 

Someone’s workout machine. (Screenshot: Shodan)

The corpse of Kodak coughs up another odd partnership


Kodak isn’t feeling very well. The company, which sold off most of its legacy assets in the last decade, is licensing its name to partners who build products like digital cameras and, most comically, a cryptocurrency. In that deal, Wenn Digital bought the rights to the Kodak name for an estimated $1.5 million, a move that they hoped would immediately lend gravitas to the crypto offering.

Reader, it didn’t. After multiple stories regarding the future of the coin, it still has not hit the ICO stage. Now Kodak is talking about another partnership, this time with a Tennessee-based video and film digitization company.

The new product is essentially a rebranding of LegacyBox, a photo digitization company that has gone through multiple iterations after a raft of bad press.

“The Kodak Digitizing Box is a brand licensed product from AMB Media, the creators of Legacy Box. So yes, we’ve licensed the brand to them for this offering,” said Kodak spokesperson Nicholas Rangel. Not much has changed between Kodak’s offering and LegacyBox. The LegacyBox site is almost identical to the Kodak site and very similar to another AMB Media product, Southtree.

The product itself is a fairly standard photo digitization service, although Southtree does have a number of complaints, including a very troubling case of missing mementos. The entry-level product is a box into which you can stuff hundreds of photos and videos and have them digitized for a fee.

Ultimately, it’s been interesting to see Kodak sell itself off in this way. Like Polaroid before it, the company is now a shell of its former self, and this is encouraging parasitical partners to cash in on its brand. Given that Kodak is still a household name for many, it’s no wonder a smaller company like AMB wants to hitch itself to that star.