CEREAL KILLER: "Snoop unto them..."
LORD NIKON: "...as they snoop onto us."
~ HACKERS (1995)
It’s no secret that Shodan has turned up some interesting findings over the past few years – everything from critical infrastructure devices, to VoIP phones, solar and wind farms, HVAC systems, even a online crematorium.
Now, we can add surveillance devices like BlueCoat Proxy and PacketShaper boxes, Cisco routers running Lawful Intercept code and various vendors’ CALEA Mediation Devices into what Shodan has pre-scanned and savvy researchers searching Shodan can find.
Clearly, this kind of exposure can and should be very disconcerting for some organizations and possibly even nation states. This is especially the case given the amount of recent news coverage and scrutiny given to high-surveillance of nations, both the questionable acquisition of these surveillance devices, and their use against domestic populations.
And it’s worth mentioning that security researchers have focused on lawful intercept, notably Tom Cross’ BlackHat 2010 presentation “Exploiting Lawful Intercept to Wiretap the Internet” (slides, video)
BLUECOAT
In the case of Blue Coat, the company’s filtering technology was identified in October, 2011 by Citizenlab.org based out of the University of Toronto and documented here: https://citizenlab.org/2011/11/behind-blue-coat/ Highlights include 12 BlueCoat devices identified in Syria. This research was also picked up by Forbes and Bruce Schneier as well.
Finding BlueCoat devices by searching Shodan can reveal these filtering and packet shaping boxes deployed around the world. For example, looking for BlueCoat devices using a few different Shodan searches shows the following:
“Blue Coat” as a vanilla string search shows 447 hits, with clear strings illustrating many are actual BlueCoat devices.
Another search looking for the “BlueCoat-Security-Appliance” header string –similar to one of the header searched that the CitizenLab.org researchers used shows 9 hits in the US, France, China and Thailand.
And finally, a search for “ProxySG” shows 49 hits for BlueCoat Proxy devices.
CISCO SYSTEMS' LAWFUL INTERCEPT
Other vendors’ products in the surveillance space are also identifiable via Shodan searches. Cisco Systems’ Lawful Intercept is a specialized architecture that is well documented and utilizes specific Cisco IOS images on certain platforms. Unfortunately, hundreds of Cisco routers running Lawful Intercept code versions are in the Shodan database simply because the router owners configured the SNMP community read string as “public.” As a result, Shodan scanners queried the router using SNMP and public community string and the router returned the Cisco IOS version, along with other SNMP details.
The following example illustrates the 317 hits a Shodan search for the string “ADVIPSERVICESK9_LI-M” on port 161 (SNMP) returns:
IMPACT
So what is the impact of these kinds of devices being exposed through researchers’ Shodan searches and disclosure? That is not an easy question to answer, given the unknowns in this kind of situation.
Obviously, there is a risk of attackers targeting and sabotaging these surveillance devices for any number of reasons, from political or criminal motivations to simple personal amusement, a.k.a. "Teh Lulz"
Clearly, from a pro-human rights perspective it’s useful for organizations like CitizenLab.org to publicly find these devices and raise public awareness of the issue. From a government policy enforcement perspective, such as controlling exports of network surveillance devices to blocked countries like Syria, these types of Shodan searches can help to determine what and where these devices are deployed.
Overall, one must treat these search results with skepticism. After all, they may be honeypots, or test systems, or not in use, or whatever. Simply because a router is on the Internet and has a Lawful Intercept capable image loaded doesn’t necessarily mean it is being used for that purpose.
Then again, they could be live systems... who knows?
