I have the Schneider Unity PLC programming software and was able to connect to about 12 out of the 16 PLCs I tried that were shown on Censys. Of the ones I could connect to, two had 'security' enabled so that I couldn't see the program, but I still could have stopped it from running or downloaded an entirely new program. 6 PLCs didn't have the program stored in them, so same situation. 4 PLCs I was able to download the program from. One was a hydroelectric power plant, one was some kind of food factory that used barley, and two were some kind of pumping stations, one of which had a bunch of logic for controlling pH and chlorine. The last modified date for all the programs was in the last 3 years.
None of the programs had any contact information for the programmer or the company that owned the infrastructure.
It is hard to believe people are still putting their plants straight on the internet. Anyone can control any of the outputs which then control real equipment like 200 kV circuit breakers and disconnects, turbines, valves, conveyors, mixers, pumps, etc. If interlocks are implemented in the software as opposed to electrically or mechanically then they can be bypassed which could easily result in equipment damage, injury to personnel, or death.
PLEASE report this to ICS-CERT immediately. If you want a direct DHS contact email me. This is not something to sit on, and you can do a great service to the cybersecurity of our critical infrastructure.
I'm not American. I do like to travel the United States, but the last thing I need is to be labelled as a hacker in my profile when I cross the border and am greeted by the Homeland Security officers.
DHS can use the Censys search engine and find all the PLCs with open Modbus ports just as easily as anyone else in the world!
I have no incentive. US-CERT should offer rewards. I'm not worried about labels on HN, but I am concerned about what shows up on Officer Wendy's screen when I want to enter the USA.
I've consulted for things like hotel groups. Without fail, there are vendors selling this sort of thing, with instructions like "forward telnet port from the internet to our device".
You can try to push back, and sometimes you will be successful, but you can't blame a hotel manager for saying "well, this is what they do for a living... they would know best".
The IP addresses are registered to telecommunications companies, since the controllers are at some remote plant that just has cable, DSL or a cellular modem, so the IP address is owned by Telus, Shaw, Comcast, TW, Verizon, etc.
If there'd been any contact information in the programs I definitely would have gotten in touch.
Censys has some really great data. If you find this kind of thing important or useful, I'd invite you to participate in a project happening right now in the Caddy web server where we're trying to observe the Internet from a server-side perspective (rather than having clients scan servers) to gain insights and understanding as to the health of the Web and its clients. We seek to answer questions like, "What is being advertised in TLS ClientHellos?" and "Which clients fail to adhere to HSTS?" and "Is this surge of traffic possibly a rising global botnet or a DDoS attack?" and "How many HTTPS connections are being intercepted?" (this one builds off work by some of the Censys team) -- with many more (almost 100 questions). This data set will be unique in that it will be collected from many diverse networks rather than a single proprietary/corporate network, and will be made available to the public for research.
I really encourage you to get involved and participate in this project by submitting feedback, especially if you are a researcher or work in this field. We're at the early stages of choosing technologies, but we'll need more voices to refine the ideas and help with the implementation. The more who contribute, the better. More info: https://caddy.community/t/the-caddy-telemetry-project/3224?u...
"Just like people use popular search engines to find relevant content on the Internet, Censys allows users to discover the devices, networks, and infrastructure on the Internet and monitor how it changes over time."
"Censys was created in 2015 at the University of Michigan, by the security researchers who developed ZMap, the most widely used tool for Internet-wide scanning. Over the past five years, the team has performed thousands of Internet-wide scans, consisting of trillions of probes, and has played a central role in the discovery or analysis of some of the most significant Internet-scale vulnerabilities: FREAK, Logjam, DROWN, Heartbleed, and the Mirai botnet."
Censys seems to be HTTP-focused, along with elements that go with it such as TLS certificates (Not to imply they focus exclusively on HTTP content of course).
Shodan is more generalized and scans many different ports.
Shodan is more like a search engine. This tool is a service that lets you perform arbitrary queries on the internet from a port. It's like an indexer or a scraper.
"If you would like your host to be excluded from the Censys results, you can block traffic from the following subnets: 141.212.121.0/24 and 141.212.122.0/24. However, we would encourage you to consider whether this actually accomplishes what you are intending. Internet-wide scanning is pervasive and others will still find your host even if it's not listed in Censys. We will not censor specific hosts or certificates from the Censys results or historical datasets."
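As an added example (not from the thread, and not Censys's own code), a small Python script that flags firewall log entries coming from the two scanner subnets quoted above and emits the nftables opt-out rule the FAQ describes; the log lines are constructed samples, and the `inet filter` table and `input` chain names are assumptions.

```python
# Added example, not from the thread: detect probes from the Censys scanner
# subnets in kernel LOG-format firewall lines and generate the nftables
# block rule. Subnets are the two quoted in the FAQ above.
import ipaddress
import re
from collections import Counter

CENSYS_SUBNETS = [ipaddress.ip_network(n) for n in ("141.212.121.0/24", "141.212.122.0/24")]

# Constructed sample log lines (iptables/nftables LOG target format), not real traffic.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: IN=eth0 OUT= SRC=141.212.121.55 DST=203.0.113.10 PROTO=TCP SPT=41022 DPT=502 SYN
Mar  3 10:01:13 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=55123 DPT=443 SYN
Mar  3 10:01:15 fw kernel: IN=eth0 OUT= SRC=141.212.122.9 DST=203.0.113.11 PROTO=TCP SPT=33876 DPT=443 SYN
Mar  3 10:01:16 fw kernel: IN=eth0 OUT= SRC=141.212.122.9 DST=203.0.113.11 PROTO=TCP SPT=33877 DPT=22 SYN
Mar  3 10:01:20 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.12 PROTO=TCP SPT=60001 DPT=502 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

def is_censys_source(ip):
    """True if ip falls inside one of the published Censys scanner subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CENSYS_SUBNETS)

def censys_hits(log_text):
    """Return (hits, ports): (src, dst, dport) tuples whose source is a Censys
    subnet, plus a Counter of the destination ports those sources probed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if is_censys_source(m["src"]):
            hits.append((m["src"], m["dst"], int(m["dpt"])))
    return hits, Counter(dpt for _, _, dpt in hits)

def nft_block_rules(table="inet filter", chain="input"):
    """nftables rules dropping traffic from the Censys subnets (the opt-out the
    FAQ describes; it hides nothing from other scanners). Names are assumed."""
    elems = ", ".join(str(n) for n in CENSYS_SUBNETS)
    return (f"add set {table} censys_scanners {{ type ipv4_addr; flags interval; "
            f"elements = {{ {elems} }} }}\n"
            f"add rule {table} {chain} ip saddr @censys_scanners counter drop")

if __name__ == "__main__":
    for src, dst, dpt in censys_hits(SAMPLE_LOG)[0]:
        print(f"Censys probe {src} -> {dst}:{dpt}")
    print(nft_block_rules())
```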
If I notify them that they are unauthorized to scan my networks, and they continue to scan them, have they violated the CFAA?
No, because it’s not against the law to scan servers on the internet. If you don’t want people to scan listening services, don’t let those services listen publicly on the internet. If you were to log into the server, though, that would violate the CFAA.
I know that current caselaw holds that it's not a violation of the CFAA to portscan in the general case[1]. I'm not asking in the general case; I'm asking specifically in the case where the scans are regular and ongoing, and the scanning party has been explicitly given notice that they are unauthorized.
The courts recently ruled on a similar case[1] and came to the conclusion that it was not a CFAA violation. That said, there's a difference between a public website such as LinkedIn and a host that just happens to be reachable over the internet, so I'm not sure it would be fully applicable.
Quoting the web page: "Enterprises use Censys to understand their network attack surfaces. CERTs and security researchers use it to discover new threats and assess their global impact."
The details depend on how much of the advertised scan data enrichment they do, but you might for example ask how many vulnerable cable modems of a certain model there are in the network you are responsible for, and what ISP networks they are on.
You can likely take every public IP your organization has, run it through that, and see what your attack surface looks like. Very useful if you have an unmanageable and public computer network.
Censys? Probably not. It depends how much you value having the data provided in an easily digestible and searchable form that's hopefully updated often.
On the other hand, if you have a small subnet, say, less than a /24, you might as well just nmap it yourself, and then you're also guaranteed to have the latest possible scan.
What, no. It would take the lifetime of the universe to scan just a single ISP's IPv6 space. Every end user gets at least 64 bits, 4 billion times larger than the current internet.
I searched by subnet and had some false positives and false negatives, and out of date data. Still, it was a bit unnerving to see the right IPs show up with the right web servers.
GeoIP isn't that good. It put two of my machines (located in Frankfurt, DE and Amsterdam, NL) in the US.
They also put my home IP located in Sweden in the neighbouring country Norway (I have a Norwegian ISP though).