Taking Things Offline is Hard

Shodan has been in the news for the past few years largely due to the discoveries that security researchers have made with it. Whether it's webcams or wind farms, there isn't a shortage of things that get connected to the Internet every day. And every time these discoveries are announced, the news article will end by saying that the relevant authorities have been notified, especially in the case of industrial control systems. Most readers assume that since the problem has been identified the fix would be straightforward - just take the system off the Internet!

Why is this on the Internet?!

What isn't made clear to a lot of people is that finding out who owns some of these devices can be very difficult and time-consuming. For example, let's take a look at the results for one of the most popular industrial control system protocols: Modbus. There are roughly 12,500 results at the moment, and a banner looks like:

The given device doesn't include any information on the model/firmware it's running, and all we can tell based on its IP is that it's located in Russellville, USA. The IP address is owned by the CenturyLink ISP, so that doesn't tell us much more about which business is actually operating the device. When you look at Modbus results in aggregate, the general issue becomes clear:

A huge number of industrial control systems are located on mobile networks. For Modbus, it looks like 10% of devices are on the Verizon Wireless network! With websites you usually have Whois information or even a contact page that lets you notify the owner if a security problem is found, but that doesn't exist for the vast majority of non-web devices/services. So when it comes to tracking down who owns the device, you're faced with the problems that:

  1. The device IP doesn't tell you anything about who owns it
  2. The location of the device is very rough and not always reliable
  3. The data the device returns doesn't tell you who made or installed it
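To make those three problems concrete, here is an added example (my own code, not part of the original post or of Shodan) that triages a handful of constructed, Shodan-style Modbus banner records: it flags which attribution problem applies to each result and computes the per-ISP share that surfaces the mobile-network issue. The record fields, the carrier list and the `device_id` field are assumptions for illustration.

```python
from collections import Counter

# Constructed sample records shaped loosely like Shodan banner metadata
# (documentation-range IPs; none of this describes a real device).
SAMPLE_BANNERS = [
    {"ip": "203.0.113.10", "isp": "CenturyLink", "org": "CenturyLink",
     "city": "Russellville", "country": "US", "device_id": None},
    {"ip": "198.51.100.7", "isp": "Verizon Wireless", "org": "Verizon Wireless",
     "city": None, "country": "US", "device_id": None},
    {"ip": "198.51.100.9", "isp": "Verizon Wireless", "org": "Verizon Wireless",
     "city": "Dallas", "country": "US", "device_id": None},
    {"ip": "192.0.2.44", "isp": "Example Telecom", "org": "Example Water Utility",
     "city": "Springfield", "country": "US",
     "device_id": {"VendorName": "ExampleVendor", "ProductCode": "PLC-1"}},
]

# Assumed list of cellular carriers; extend it with the networks seen in your own data.
MOBILE_ISPS = {"Verizon Wireless", "AT&T Mobility", "T-Mobile USA", "Sprint"}


def attribution_issues(banner):
    """Return which of the three attribution problems apply to one banner."""
    issues = []
    # 1. The IP only resolves to the ISP, not to the business running the device.
    if not banner.get("org") or banner["org"] == banner.get("isp"):
        issues.append("ip_names_only_isp")
    # 2. Cellular ranges geolocate to the carrier's region (or nowhere), not the site.
    if banner.get("isp") in MOBILE_ISPS or not banner.get("city"):
        issues.append("location_unreliable")
    # 3. Nothing in the returned data names the vendor, model or installer.
    if not banner.get("device_id"):
        issues.append("no_device_identity")
    return issues


def needs_manual_tracing(banner):
    """True when every problem applies: no field points at an operator to notify."""
    return len(attribution_issues(banner)) == 3


def isp_share(banners):
    """Fraction of results per ISP, the aggregate view that exposes the mobile-network problem."""
    counts = Counter(b.get("isp") or "unknown" for b in banners)
    return {isp: n / len(banners) for isp, n in counts.items()}


def mobile_share(banners):
    """Fraction of results whose ISP is a cellular carrier."""
    return sum(1 for b in banners if b.get("isp") in MOBILE_ISPS) / len(banners)
```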

I think a lot of people overestimate the capabilities that exist to actually track down who owns/operates Internet-connected control systems, but hopefully I've shown at least a few issues that make it surprisingly hard to take these things offline.