
A hacker's next target is just a Web search away

Bad guys and good guys alike can use Google to find vulnerable targets online. What matters most, then, is who's fastest.

Laura Hautala Former Senior Writer

A few search terms can lead to an exposed Internet connection. That's apparently how an Iranian hacker accessed a dam in New York state.

"Google dorking." It sounds goofy, but it could be just the ticket for a hacker looking to stir mayhem.

The search technique is one of several methods that bad guys can use to find vulnerable computer systems and trace them to a specific place on the Internet. All they have to do is type in the right search terms, and they're well on their way.

That's how an Iranian hacker found a vulnerable dam in the US, according to a Wall Street Journal story that cited people familiar with the federal investigation into the security breach.

It's a troubling example of what security researchers have long known -- a computer system with out-of-date software is a sitting target. That's because information about old and buggy software and how to hack into it has a way of getting to the public very quickly.

Add dorking (or "Google hacking," a term preferred by some cybersecurity pros) to a growing list of tools that, used together, can help automate the process of finding and exploiting weak spots everywhere, from an element of a city's infrastructure to a surveillance camera in your home or the network of a business that holds records of all your personal information. Google is just one layer of this approach, and other search engines from Microsoft's Bing to the specialized Shodan.io can be substituted for it.

Experts say that with these tools, a hacker could roll out of bed, check his or her email and find alerts with information on how to hack you before breakfast.

"If you like it, then you can go attack it," said Srinivas Mukkamala, chief executive of cybersecurity company RiskSense.

"I don't need to know anything, and I can be a very bad guy."

What saved the day in the case of the small Bowman Avenue dam in Rye Brook, New York, is that at the time of the breach in 2013, the dam, undergoing maintenance, had been disconnected from the computer system that controlled it. Otherwise, the hacker might have been able to take control of the floodgate.

Similar techniques are known to have been used in espionage efforts.

Scary, right? But these search engines and alert systems are only making it easier to find information that's already public.

More important, said Mati Aharoni of cybersecurity company Offensive Security, these services help out the good guys much more than they could possibly help malicious hackers, who will get their hands on the information one way or another.

Aharoni trains people to use his company's repository of known hacking attacks, Exploit Database. The trainees are good guys who need to track down fatal flaws quickly, he said. Hackers already have access to illegal tools that good guys can't use. "We're helping to level the playing field."

Shodan CEO John Matherly, whose Shodan.io search tool is used by security companies to find specific computers, agreed. If you're a hacker looking for vulnerable systems, "you can do so fairly cheaply on your own," he said.

Hacking made easy

Layered on top of all the search services are systems that can send automated alerts. One is the Google Hacking Diggity Project. It draws on services like Google alerts, so you can get a message letting you know when a search engine indexes new information about a particular topic. Google is not involved in the creation or operation of Diggity.

A lazy hacker could conceivably use it to get an alert when a vulnerable system and a tool for hacking it are both available, RiskSense's Mukkamala said.

But Diggity creator Fran Brown said his tools help people who are defending websites and computer networks -- or, for that matter, Internet-connected dams -- to quickly find out when their systems are leaking sensitive information or have a known vulnerability.

"You basically can trip over dangerous and sensitive information just by Googling," said Brown, co-founder of cybersecurity consulting firm Bishop Fox.

It's not clear how exactly the Iranian hacker got into the dam's systems after he reportedly found its location on the Internet using Google. He's been indicted along with six other Iranian hackers by the US Department of Justice for the dam attack and for attacks on banks.

He might have used the same vulnerability that flagged the dam in a Google dork search to break in, or he might have used a completely unrelated attack.

But the hack still highlights what can go wrong if a security flaw hangs around on a system after it goes public. When a manufacturer announces a fix, it's a race against time to patch up the problem. It's also a race that the people responsible for many Internet-connected systems are losing badly, said Michael Bazzell, a former cybercrimes investigator with the FBI.

"If that system hasn't been patched in the last few years," Bazzell said, "it's pretty trivial getting in."