cyberk Posted January 25, 2016 https://www.shodan.io/search?query=product%3A%22Universal+Devices+Insteon+home+automation+http+config%22 There are a few ways to protect your install, some more complicated than others...but if you don't want to be hassled, do yourself a favor, purchase the portal! ps: some of these are even using the default credentials!!
jon102034050 Posted January 25, 2016 heads up - looks like you have to be logged in to view this. I get your point here, but others who maybe aren't sure what shodan.io is, might be nice to explain it a bit
cyberk Posted January 26, 2016 (Author) Thanks Jon, wasn't aware you needed an account to view. For everyone else, shodan.io is a search engine for internet connected devices (internet-of-things) but it basically searches for any device connected to the internet with some sort of remote management enabled. It's gotten a lot of popularity lately due to unsecured baby monitors. If you google it, you'll see hundreds of articles, mostly about baby monitors and nanny cams and how total strangers can sit there staring at your kids sleep, or worse! Why is this important to the ISY community? For example, the system software used by many DVR/NVR/IPCams comes from a select few manufacturers, and the default username/password for these is usually the same. If you search for a particular device family, you'd be surprised how many of these are completely open to the internet with the default credentials. With this information in hand, just about anyone who is in the know could log in and start viewing your cameras remotely. But let's say you're an educated consumer and you changed your default credentials, you're protected, right? NO, because a big portion of the security for these types of devices comes from their anonymous nature; you don't sit on the net and post the IP address of your camera system for the entire world to see, right? Well, shodan.io kinda does that for you: it finds your devices and puts them on a search engine (a very good one) for anyone to find and see. From here, it's not too difficult to write a script to brute force your device, and most of these devices (ISY included) have limitations on username/password length, making brute forcing even easier. To top it off, devices (ISY included) do not have native brute-force protection, like "block this IP after xx amount of incorrect logins". So the point of the matter is, if your device is listed on shodan, you could be in trouble!
This is where the portal comes in. It's a more secure method of connecting to your ISY; the fact alone that you can have multiple user accounts with more complicated passwords is reason enough! Not only this, but you never have to worry about port forwarding ever again, nor do you have to worry about services like shodan.io crawling your server. Now don't get me wrong, shodan.io is a great thing; it's forcing software developers not to ignore security in their internet-of-things products. Not to mention that shodan.io doesn't use revolutionary technology either; it's using technology that's been around for years upon years, but only to those in the know. Now it's open to everyone. So, if you care about security, which in this field we all should, give the portal a try. ps: imagine how easy it would be for someone to brute force your ISY, figure out when you're not home, unlock your door remotely, and break into your home....not a good thought!
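The post above singles out one missing control: a device that never blocks an IP after repeated failed logins. The following is an added example, not code from this thread, from Universal Devices or from any ISY firmware, of what that control looks like when placed in front of a login endpoint (for instance in a reverse proxy or a log-watching daemon). The log format, the `LoginGate` class, the thresholds and the IP addresses are all constructed for the example; ISY's real log format is not assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in a made-up format; ISY's real log format is not assumed.
SAMPLE_LOG = """\
2016-01-26 08:00:01 203.0.113.7 LOGIN FAIL user=admin
2016-01-26 08:00:02 203.0.113.7 LOGIN FAIL user=admin
2016-01-26 08:00:03 203.0.113.7 LOGIN FAIL user=admin
2016-01-26 08:00:04 203.0.113.7 LOGIN FAIL user=admin
2016-01-26 08:00:05 203.0.113.7 LOGIN FAIL user=admin
2016-01-26 08:00:06 203.0.113.7 LOGIN OK user=admin
2016-01-26 08:01:00 192.0.2.10 LOGIN FAIL user=admin
2016-01-26 08:30:00 192.0.2.10 LOGIN OK user=admin
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) LOGIN (OK|FAIL) user=(\S+)$")


class LoginGate:
    """Sliding-window lockout: after `threshold` failures from one IP within
    `window`, reject everything from that IP for `block_for`, even a correct
    password, so a guesser cannot learn whether the last guess was right."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 block_for=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the block expires

    def observe(self, ts, ip, success):
        """Feed one login attempt; returns 'allowed', 'locked' or 'blocked'."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"                 # rejected without even checking credentials
        recent = self.failures[ip]
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures that fell out of the window
        if success:
            recent.clear()                   # a good login resets the counter
            return "allowed"
        recent.append(ts)
        if len(recent) >= self.threshold:
            self.blocked_until[ip] = ts + self.block_for
            recent.clear()
            return "locked"                  # this failure trips the lockout
        return "allowed"


def replay(log_text, gate=None):
    """Run every parseable log line through the gate; returns [(ip, outcome), ...]."""
    gate = gate if gate is not None else LoginGate()
    outcomes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, status = m.group(2), m.group(3)
        outcomes.append((ip, gate.observe(ts, ip, status == "OK")))
    return outcomes


if __name__ == "__main__":
    for ip, outcome in replay(SAMPLE_LOG):
        print(ip, outcome)
```

In the replay, the fifth failure from 203.0.113.7 trips the lockout and the sixth attempt is rejected even though it carried the right password; the single stray failure from 192.0.2.10 expires from the window before its later successful login. Per-IP lockout has a known cost, in that an attacker behind the same address as a legitimate user can lock that user out, so real deployments pair it with an allow-list for the LAN or with per-account throttling rather than relying on it alone.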
stusviews Posted January 26, 2016 Doesn't that make registering and logging in to shodan.io a risk?
jon102034050 Posted January 26, 2016 (quoting cyberk's explanation above in full) Great explanation! Thanks for going into further detail, something that ISY owners should be keeping on the front of their minds
Silenus Posted January 27, 2016 "Doesn't that make registering and logging in to shodan.io a risk?" Yes! Especially if you use the same email as you did to register connected devices, and even more so if you use the same password. When you create a password field on a Web page, there is absolutely no guarantee that the passwords are encrypted on the server you are logging into, nor that the client side application (that is, the application running on your computer) is not sending your login information in the clear if the server isn't using secure http. If an application is sending your login information in the clear, it is visible to any computer system your computer uses to connect to the server. For example, let's say you are logging into a website (let's call it A) from your computer (we'll call it B). For simplicity, both you and this website use the same ISP. So to connect to site B, you have to go through the computers at ISP C. In logging in, A sends a request to C, which then sends that request to B. Now, the ISP has a shady employee who routinely snoops through the access logs, searching for things that look like usernames and passwords. Since website B does not use https for login, nor does it encrypt your login information before sending it, that shady employee can see your username and password in the logs. Now, how many times do you use the same email address and password when signing up on sites? Do you use the same password for your banking site as you do for this one? Let's say the person who set up the site itself is shady (or just lazy), and they don't encrypt the passwords. One of the admins is shady and they try to use your email and password (that they have ready access to because they aren't encrypted on the server) on other sites. Even if the site operators aren't shady, your login information is all the easier to get if the site were to be hacked.
At least with encrypted passwords, a hacker would also need to crack the password hashes. If you use a unique password (and even better, a separate email for "junk") you are better off. However, even then, I'm not sure I would want to log into that site from home.
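The post above contrasts a site that stores passwords as-is with one that stores them "encrypted" (in practice, as salted, slow hashes), and notes that a leaked table of hashes still has to be cracked. This added example, which is not code from this thread or from any site mentioned in it, shows that difference concretely with PBKDF2-HMAC-SHA256 from Python's standard library. The record format, the iteration count, the `build_stores` helper and the user table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as the server's hardware allows.
ITERATIONS = 210_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash (binary parts base64).
    A fresh random salt per user means two users with the same password get different records,
    so one cracked hash does not reveal the other."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the hash with the record's own salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False                         # malformed record, never accept
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)   # no early exit on the first wrong byte


def build_stores(users):
    """users: {username: password}. Returns the same table stored the two ways the post contrasts:
    (plaintext_store, hashed_store). Constructed for the example."""
    plaintext = dict(users)
    hashed = {u: hash_password(p) for u, p in users.items()}
    return plaintext, hashed


def leak_exposes_password(store, username, password):
    """What someone who reads the leaked table learns directly: True if the password itself
    appears in the stored record, False if they only hold a hash they would still have to crack."""
    return password in str(store[username])


if __name__ == "__main__":
    plain, hashed = build_stores({"alice": "hunter2"})   # constructed credentials
    print("plaintext table leaks password:", leak_exposes_password(plain, "alice", "hunter2"))
    print("hashed table leaks password:   ", leak_exposes_password(hashed, "alice", "hunter2"))
    print("login with right password:     ", verify_password("hunter2", hashed["alice"]))
    print("login with stored record:      ", verify_password(hashed["alice"], hashed["alice"]))
```

The last line of the demo matters: a stolen record cannot be replayed as the password, because verification always re-derives the hash from the candidate. Hashing at rest does nothing against the other problem the post raises, credentials travelling in the clear through an ISP; that one is only closed by sending the login over HTTPS.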