A few weeks ago, security researchers found that “lazy” makers of routers and Internet of Things (IoT) devices have been reusing a few hardcoded security keys, rather than giving each device a unique key, thereby leaving them susceptible to en masse hijacking.
How did researchers find the 4,000 vulnerable embedded devices in question?
It turns out that they used Censys: a new, little-known search engine that tracks all the devices hooked up to the internet.
Censys was released in October by researchers from the University of Michigan, who describe it as a “community effort” that’s similar to an open-source project.
Computer scientists at the University of Illinois Champaign Urbana are helping to run it, and Google’s providing the infrastructure that powers the free search engine.
Censys collects data on hosts and websites through daily scans of the IPv4 address space. IPv4 is the internet protocol that routes most internet traffic today, despite the ongoing deployment of a successor protocol, IPv6.
Censys maintains a database of how hosts and websites are configured.
Researchers can query the data through a search interface, report builder, and SQL engine.
Zakir Durumeric, the University of Michigan researcher who leads the Censys project and who invented ZMap, told MIT Technology Review that the team’s trying to catalog everything on the internet – warts and all:
“We’re trying to maintain a complete database of everything on the internet.”
According to Durumeric, ZMap can determine not only what machines are online at any given moment, but also whether they have security flaws that should be fixed before they get exploited.
It can find not only obvious software bugs but also more subtle issues, such as those caused by an IT administrator failing to properly implement a cryptography standard.
Durumeric says that the things that people attach to the internet are “absolutely astounding”:
“We have found everything from ATM machines and bank safes to industrial control systems for power plants. It’s kind of scary.”
Astounding, but not surprising to those who’ve been reading about the Internet of Things spreading far and wide and bringing with it all sorts of security issues, including:
- Cars that have been remotely hacked
- Planes found to be vulnerable to remote takeover
- Connected-home gadgets
- Vending machines
Beyond the router fiasco, Censys was also used by the researchers who found a major security problem with security certificates on Dell PCs that the company acknowledged a few weeks ago.
More details about Censys are available in the team’s research paper.
If you’d like to give the search engine a try, the developers have made this tutorial.