A self-described security "amateur" discovered hundreds of Internet-connected devices ranging from cameras to industrial control systems that were connected to the Internet without even basic password protection - meaning they could be easily turned on and off or otherwise manipulated with a single click of a mouse.
"You would be amazed [what] you could find," Espen Sandli, a journalist at the Norwegian newspaper Dagbladet, told the Computer Assisted Reporting conference Thursday. "The project was made from people who had no idea about data security at the start."
They began by searching for basic security cameras, such as finding and taking control of a surveillance camera inside a nightclub. After that, they graduated to finding compromised control systems at military installations and railroads. In one case, they found a security company's list of clients and passwords in the clear online. In another, they could have accessed who was allowed to enter or leave a military building. Another device on the open Internet could have allowed them to switch off a railway fire-alarm system.
Sandli and a colleague used the publicly available Shodan search engine, which allows searching by factors such as IP address range, device type, operating system and geography. After getting results, they used investigative reporting skills to track down device owners, including some painstaking tasks such as using Google Earth data to try to match outdoor webcams with their owners.
He said the Dagbladet team didn't do their own port scanning (instead relying on Shodan's) and never attempted to enter passwords, even when it was likely that devices were simply using defaults. Those ground rules were part of the project's ethics baseline, he said. But after just a few hours, it became clear he wouldn't need to try basic password cracking because there were so many Internet-connected devices where no passwords were needed.
The NullCtrl project team also always contacted owners of affected devices before publishing a story about one, ensuring they had time to secure or remove them.
The Dagbladet journalists consulted with lawyers in Norway to make sure the NullCtrl project wasn't breaking any laws there. In a discussion after Sandli's presentation, one American investigative journalist said doing a similar project could be illegal in the U.S. if anyone crosses the threshold from looking at Shodan search results to clicking through and attempting to control a device, even one as harmless as moving a webcam to see a different view.
In Norway, the standard is that there was no malicious action taken. Advice to journalists or would-be white hat security hackers trying to undertake a similar project in the U.S.: Get your own legal advice first.
Sandli said it is his understanding that government security agencies in the U.S. have their own means of searching for unsecured critical infrastructure devices on the Internet and informing their owners of the need to beef up protection. The Norwegian national security agency did not. But after NullCtrl, Dagbladet said, the agency made their own Shodan and started conducting proactive searches too.
The NullCtrl project is online at Dagbladet's Norwegian website.