RealVNC distances itself from factories, power plants, PCs hooked up to password-less VNC

A scan of the public internet by security researchers has seemingly revealed thousands upon thousands of computers fully accessible via VNC – with no password required. Worryingly, the unsecured systems – from PCs and shopping tills to terminals controlling factories and heating systems – are at the mercy of any passing …

  1. djack

    How times change .. not

    I remember finding similar issues on clients' machines years ago. Though this was unsecured PCAnywhere sessions on dial-up connections.

  2. Truth4u

    Might do the same thing

    It's not illegal, Google does it. Now where did I leave the keys to my eastern European virtual server?

  3. Destroy All Monsters Silver badge
    Holmes

    Pretty sure we had...

    Pretty sure we had this headline 2 or 3 years ago. I remember a screenshot of some plant in Poland. It might even have been longer ago, but I can't find it back.

    1. Anonymous Coward

      Re: Pretty sure we had...

      Yep, they did the same thing in 2012. Maybe every year. Just keeps getting better....

  4. Crisp

    Does Yahoo really go around taking screenshots of peoples desktops?

    I'd like to see some evidence of that claim.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Does Yahoo really go around taking screenshots of peoples desktops?

      I think the keyword here is "similar" – it's in the interests of web giants to avoid indexing or accepting email, etc, from obviously insecure hosts.

      C.

      1. Anonymous Coward

        Re: Does Yahoo really go around taking screenshots of peoples desktops?

        They may all do similar scans... but then exploiting any found vulnerabilities to take screenshots is most definitely of questionable legality in more than one country around the world. Given that any laws would have been broken in the country where the computer is hosted - not from whatever country the scanning was done - it is glib and crass to state with any authority that no laws have been broken unless the legal position has been checked for each country that the vulnerable systems live. As he can't even recognise some of the languages on his screenshots, I think I can authoritatively state he didn't do that...

        1. Destroy All Monsters Silver badge
          Thumb Down

          Re: Does Yahoo really go around taking screenshots of peoples desktops?

          American detected.

          "I didn't break any laws today...."

          ...

          "Did I?"

        2. sniperpaddy
          Trollface

          Of course it's legal !!!

          Keep up to date !!!

          A US court has given yanks the right to pillage data anywhere in the world :)

  5. David Austin

    Meh

    The exact wording on the install options is:

    Set no password (DANGEROUS!)

    With Set a password the default option.

    This is an active choice. If you're smart enough to pick it, it's your responsibility not to be dumb enough to punt it onto the open net.

    1. Halfmad

      Re: Meh

      Which is arguably why it shouldn't have that option during install, people switch off or go for the easiest options. By all means leave it in the software but have it as something you have to do after installation.

      I agree though, idiots have nobody to blame but their probably part time/outsourced IT person they had do it for them, or who installed it so they could remote in later to fix printer drivers..

      1. Hans 1

        Re: Meh

        @Halfmad

        >part time/outsourced IT person

        You can have window cleaners in-house as well, you know ... easy to blame the outsourced party.

    2. Jess

      Re: Meh

      Perhaps the no-password option should only be offered with control (without diving into config files) for the local subnet, and then only if the host is in one of the private IP ranges.

  6. JimmyPage Silver badge
    WTF?

    Legality ?

    For anyone wondering about the legality of the research, Tentler insisted: "It isn’t [illegal]. Yahoo, Google, Microsoft, Websense, every antivirus vendor in the world, and Shodan – they all do similar scans."

    Never heard that one in court before. He might, just might, want to pay for legal advice right now. He could save an awful lot later ....

    1. Destroy All Monsters Silver badge

      Re: Legality ?

      Yeah? So what.

      law and order shit is that way ----> Ferguson

    2. Jaybus

      Re: Legality ?

      When there is no password set, VNC simply connects and shows the desktop. It is therefore available to the general public in exactly the same way that a public website is.

      1. heyrick Silver badge

        Re: Legality ?

        " It is therefore available to the general public in exactly the same way that a public website is. "

        Just because you CAN access something doesn't imply you have the right TO access it.

        1. Yet Another Anonymous coward Silver badge

          Re: Legality ?

          That's why lawyers would advise you to write to the owners of all websites requesting permission to access the site and read each page.

          You can find the address of the company on the website.

        2. gotes

          Re: Legality ?

          One could claim it was a "wrong number", and they "hung up" as soon as they realised (but not before taking a screenshot).

      2. Adam 1

        Re: Legality ?

        >When there is no password set, VNC simply connects and shows the desktop. It is therefore available to the general public in exactly the same way that a public website is.

        An unlocked car whilst foolish is not an invitation to hop in. An open front door is not an invitation to wander in and take a photo.

        I suspect that the researchers are probably (in the IANAL sort of way) OK to establish a connection to these computers, but taking a screenshot is both unnecessary from their research point of view and moves well into privacy violation territory.

  7. Velv
    Pirate

    And people wonder why the Architecture team screams when some techie suggests "Let's just install VNC"

    Don't get me wrong - there's nothing fundamentally wrong with VNC, or most of the other remote control tools - AS LONG AS THEY ARE CONFIGURED AND SECURED PROPERLY

    To quote the great Robin Williams - "it's like partial circumcision - you either do it properly or you fucking forget it"

    1. Anonymous Coward

      @Velv - Architecture should rather scream

      when some techie suggests to enable VNC on an Internet accessible (direct or through a firewall) interface of a PC/server running some industrial control software. That guy should be escorted to the nearest exit door and made sure he will never get close to a computer again for the rest of his life, except maybe for his own home PC.

      This is the real failure here, allowing direct access from Internet to these systems. We're in 2014 by now and there is no excuse or justification for this kind of setup.

      Question to CxOs, IT managers and any PHBs in the concerned organizations: why are you paying these imbeciles ?

      Question to IT security managers: are you not feeling a little incompetent for not spotting/acting on this chain of failures ?

      1. Tom 35

        Re: @Velv - Architecture should rather scream

        "why are you paying these imbeciles ?"

        Because the last one kept telling us we couldn't do stuff, or that we had to spend more money for stuff we didn't need. This one is half the price too.

  8. Anonymous Coward

    .. My workplace does passwordless vnc too..

    If there was a password, it would be on a post-it on the terminal where the session is displayed anyway, and the password popups would be somewhat of a disruption to normal use.

    vnc is popular because it's easy to set up, mostly works, and has no uberhumanly complex licensing that takes 6 man-months to figure out and purchase, at which time the needs have changed.

    First version was done with HDMI and USB repeaters, and tons of cable..

    Oh well, at least it's all behind NAT

    1. Anonymous Coward
      FAIL

      ". My workplace does passwordless vnc too..

      If there was a password, it would be on a post-it on the terminal where the session is displayed anyway."

      Well, unless the "hacker" in eastern Europe has a bloody amazing pair of binoculars, don't think that would be an issue, certainly better than no password.

      "password popups would be somewhat of a disruption to normal use."

      What password pop ups? The one you use to connect with, but if you have to connect then it's no big deal, surely?

      "Oh well, at least it's all behind NAT"

      Would that be the one that VNC is punching a bloody great hole in? I'm just guessing as your security seems so piss poor, I guess your firewall rules are just Any/Any...just to make it a bit easier.

    2. admiraljkb
      Paris Hilton

      No passwords? It's pwnage time!

      ". My workplace does passwordless vnc too.."

      Might want to look at UltraVNC (also free) then and enable the built-in domain authentication. That way your users can get in provided they can remember their own passwords to their PCs.

      Back in 2003, there was a virus out that used passwordless VNCs to spread. Once it's inside your firewall, it was also kinda hard to stop at that point. This caused me to have to build a specific patch for a commercial product (that will go unnamed) to disable VNC if the install detected no password set. I'm flabbergasted that this is still occurring 11 years later...

      Here is a forum posting from REALVNC:

      https://www.realvnc.com/pipermail/vnc-list/2003-March/037830.html

      (Paris, because she probably has passwordless VNC as well)

  9. petur
    Meh

    Giving RealVNC a bad name

    Was quite pissed when at some point the security software at work flagged my system as unsecure with malware installed, when it detected a properly set up RealVNC on it.

    1. WraithCadmus
      Meh

      Re: Giving RealVNC a bad name

      Security software going off like that is probably going to fix more problems than it causes, but it's still a right cock when it happens.

      "Can you reconfigure that old switch?"

      *tries to use telnet*

      *klaxons sound, telnet.exe deleted*

      "No, it seems I can't..."

  10. janimal

    It is the same for

    every single tool ever invented, as well as food and plants and pretty much any object you can think of.

    Humanity might have done some amazing things, but in general humans are pretty rubbish! :)

  11. admiraljkb
    WTF?

    these are probably RealVNC installations

    just probably 4.1 and lower. Who knows how many people are using 3.3.x still....

    I thought passwordless VNC was over after the 2003 virus scare that pwn'd all the VNC servers that didn't have a password set. Guess not, or folks have short memories.

  12. Anonymous Coward

    VNC and RDP

    VNC is a widely used system for accessing desktops over a network, very much like Microsoft's RDP

    Ha! They wish!!! VNC is a horse and cart compared to MS Remote Desktop's Ford Focus.

    I cringe whenever someone suggests using VNC to me - gimme RDP, or failing that DameWare MRC any day!

    1. JimmyPage Silver badge
      Thumb Up

      Re: VNC and RDP

      you may be interested in guacamole.

      Not, not that this

    2. Anonymous Coward

      Re: VNC and RDP

      VNC doesn't blank the active screen, require admin rights or require any user interaction. Hence we use it alongside RDP.

      Oh, DameWare also uses VNC by default for Linux and Mac boxes; in fact they have to have a VNC server running.

    3. Hans 1

      Re: VNC and RDP

      @AC

      >Ha! They wish!!! VNC is a horse and cart compared to MS Remote Desktop's Ford Focus.

      Exactly, gimme horse and cart over any model from Ford or Fiat.

  13. RandomFactor

    Many security audits use a long list of best practices as a starting point. VNC is one of those checkboxes (protocol flaws, lack of brute force protection, default blank passwords - all from early days and long since resolved in major distros), so you will get something back like

    Issue: VNC running on system XYZZY

    Best Practice: Remove VNC

    If you need the utility, you'll need to provide the analysis showing how those early issues with VNC no longer apply or are mitigated. In a previous company, I did this a few times by requesting the reason for VNC being on the list and then showing point by point how these didn't apply or were mitigated in the version/environment/configuration we had it in. Much of the information you need for this you can pull straight from the documentation of your distribution.

    Have fun doing this over again at subsequent audits also :-p

    1. Anonymous Coward

      "security" audits ...

      A previous employer had one, and they got very upset that developers were allowed in the server room to access development servers, since the production ones were kept there. This was despite the fact that a developer needed an IT bod to walk them in through the cardlock.

      So a KVM (called Kaveman) solution was installed. Great. We went from audited, controlled access to development machines to unaudited, uncontrolled access via KVM. Yes, there was a password. One shared between 10 in the team, and hardly a secret.

      But this was more secure than before. Apparently. Oh, until 3 years on, when a different outfit was hired. They insisted KVM access was a security risk, and suggested the servers only be accessed physically.

      Rinse and repeat.

      1. NogginTheNog

        Re: "security" audits ...

        Rinse and repeat.

        Both audit companies failed to suggest the correct solution: remove development machines from secure production environment and place in their own sandboxed environment.

        1. Anonymous Coward

          Re: "security" audits ...

          And if the correct solution is not available due to lack of space, electrical access, or simply because the nature of the business requires access to the production environment even for the development systems?

      2. Anonymous Coward

        Re: "security" audits ...

        "But this was more secure than before. Apparently. Oh, until 3 year on, when a different outfit was hired. They insisted KVM access was a security risk, and suggested the servers only be accessed physically."

        I wonder what would've happened when the firm was told the servers were in a room with clashing clearances (devs have to enter a room with IT clearance, meaning a dev could tamper with IT stuff), meaning accessing the servers physically was ALSO a security risk?

  14. William Boyle

    Open front doors

    This is akin to leaving your front door unlocked and open - basically an invitation to all and sundry that the contents of your fridge are fair game, even the Guinness... Enjoy!

  15. Charles 9

    BTW, did this test tell the difference between view-only access and controllable access? Sure, view-only access has its own foibles, but it's a lot harder to pwn a machine when you can't remote control it.

  16. Anonymous Coward

    Yes indeed

    "They may all do similar scans... but then exploiting any found vulnerabilities to take screenshots is most definitely of questionable legality"

    They are not exploiting a vulnerability. These numpties have their systems open to everyone on the planet with no password.

    Anyway, djack beat me to it -- back in "the good old days" (early 1990s), the local hacking group wardialed our area (i.e. all numbers that were not long distance). The number of unpassworded systems was fairly ridiculous. PCAnywhere alone? A hair cutter was wide open; a few unidentifiable desktops were wide open; a climate control/elevator control for a store was wide open. The *police department*? Wide open. Boy that could have been fun 8-) , lucky for them none of the local group were truly blackhats. There were 6 or 8 other systems that were wide open but text-based (besides the couple BBSes and so on that were common knowledge.)

  17. Potemkine Silver badge

    To avoid this...

    ... we found a parade: no vnc nor teamviewer allowed, or the user would have to endure kneecapping.

    For the moment, a very effective strategy ^^

    1. Hans 1

      Re: To avoid this...

      ????? This is, of course, quite silly ... the software in question is not the problem, it's people in charge like YOU that are the problem. I write YOU because you apparently lack the intellect to understand what the actual problem is. Go, re-read that article, but only once you have finished with the windows in the boss' office, make them shiny, please.

  18. Anonymous Coward

    It's not always the devs.

    I remember an admin accompanying a developer into the server-room during lunch time and tripping while entering, hurling a screwdriver and a coffee-cup into power-stuff. Sparks flying.

    Developers are not always the ones acting irresponsibly. :-)
