Network Surveillance Devices Discovered via Shodan

Thursday, September 20, 2012

shawn merdinger


CEREAL KILLER:  "Snoop unto them..."

LORD NIKON:  " they snoop onto us."

                                ~ HACKERS (1995)

It’s no secret that Shodan has turned up some interesting findings over the past few years – everything from critical infrastructure devices, to VoIP phones, solar and wind farms, HVAC systems, even a online crematorium.

Now, we can add surveillance devices like BlueCoat Proxy and PacketShaper boxes, Cisco routers running Lawful Intercept code and various vendors’ CALEA Mediation Devices into what Shodan has pre-scanned and savvy researchers searching Shodan can find.

Clearly, this kind of exposure can and should be very disconcerting for some organizations and possibly even nation states.  This is especially the case given the amount of recent news coverage and scrutiny given to high-surveillance of nations, both the questionable acquisition of these surveillance devices, and their use against domestic populations.

And it’s worth mentioning that security researchers have focused on lawful intercept, notably Tom Cross’ BlackHat 2010 presentation “Exploiting Lawful Intercept to Wiretap the Internet” (slidesvideo)


In the case of Blue Coat, the company’s filtering technology was identified in October, 2011 by based out of the University of Toronto and documented here:  Highlights include 12 BlueCoat devices identified in Syria.  This research was also picked up by Forbes and Bruce Schneier as well.

Finding BlueCoat devices by searching Shodan can reveal these filtering and packet shaping boxes deployed around the world.  For example, looking for BlueCoat devices using a few different Shodan searches shows the following:

“Blue Coat” as a vanilla string search shows 447 hits, with clear strings illustrating many are actual BlueCoat devices.

447 BlueCoat Boxes via Shodan


Another search looking for the “BlueCoat-Security-Appliance” header string –similar to one of the header searched that the researchers used shows 9 hits in the US, France, China and Thailand.

9 Blue Coat security appliance via Shodan



And finally, a search for “ProxySG” shows 49 hits for BlueCoat Proxy devices.

Blue Coat ProxySG via Shodan



Other vendors’ products in the surveillance space are also identifiable via Shodan searches.  Cisco Systems’ Lawful Intercept is a specialized architecture that is well documented and utilizes specific Cisco IOS images on certain platforms.  Unfortunately, hundreds of Cisco routers running Lawful Intercept code versions are in the Shodan database simply because the router owners configured the SNMP community read string as “public.”  As a result, Shodan scanners queried the router using SNMP and public community string and the router returned the Cisco IOS version, along with other SNMP details.

The following example illustrates the 317 hits a Shodan search for the string “ADVIPSERVICESK9_LI-M” on port 161 (SNMP) returns:

317 Cisco Lawful Intercept routers via Shodan


So what is the impact of these kinds of devices being exposed through researchers’ Shodan searches and disclosure?  That is not an easy question to answer, given the unknowns in this kind of situation.

Obviously, there is a risk of attackers targeting and sabotaging these surveillance devices for any number of reasons, from political or criminal motivations to simple personal amusement, a.k.a. "Teh Lulz"

Clearly, from a pro-human rights perspective it’s useful for organizations like to publicly find these devices and raise public awareness of the issue.  From a government policy enforcement perspective, such as controlling exports of network surveillance devices to blocked countries like Syria, these types of Shodan searches can help to determine what and where these devices are deployed. 

Overall, one must treat these search results with skepticism.  After all, they may be honeypots, or test systems, or not in use, or whatever.  Simply because a router is on the Internet and has a Lawful Intercept capable image loaded doesn’t necessarily mean it is being used for that purpose.

Then again, they could be live systems... who knows?

Possibly Related Articles:
Information Security
Cisco Shodan Surveillance Network Security Monitoring Blue Coat exposure CitizenLab
Post Rating I Like this!
CP Constantine I remember when (in a former life, working in telecom) the CALEA boxen started to appear on our network. Horribly insecure, fragile to the touch, and utterly off-limits for any insistence we had that they be at least moderately protected. They were notorious for being pwned by foreign actors, and there was nothing we could do other than to treat them as untrusted, nay, /hostile/ hosts on our networks, while we waited weeks at a time for their federal operators to fix them. Don't get me started on the slapshod devices that serviced the federal voice wiretap system. While the government used to at least grudgingly respect the process of law to protect privacy and liberty in the action of their surveillance operations, they sure as hell didn't care much about who else had access to those same surveillance systems. While the technology may have evolved, I doubt attitudes have much.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.