More shodan shenanigans: VNC with no authentication?

OK, lets try this query (port:5900 RFB authentication disabled) on shodan. I wonder if we will ... OMG, of course there are. There are ~4000 devices with VNC on port 5900 with no authentication. Surely some of them will not be... of course they are. They work. Lets try one at random to see what has been exposed. Its a kabarda pump in Netherlands. Now, the main screen looks innocuous enough, some status and a login. Probably has a more secure password right? Of course not, it fills in the user as 'owner' and accepts blank as a password. At this stage you can turn it on and off, etc.

This is part of some factory automation. Perhaps it runs one of the famous pumping systems that keeps the Netherlands from going underwater? Perhaps on the Zuiderzee? Probably not, but, its not inconceivable that hitting that STOP button will have bad affects for people. And, no password, standard port, no firewall (not even NAT, which, although not a firewall despite what these guys say, would at least hide the port by default).

Quite a few of these are windows servers. But they are the minority, most are 'things', industrial automation devices etc. Here's another one, in Germany, from ETA, some sort of industrial heating system. I would be worried even just about script kiddies changing the temperature, let alone causing real damage. Want to change the set point on their boiler to below 50C and cause some legionnaire? Maybe disable the pellet feed backup to the solar? I can't believe this is the intent of the owners of it.

Some are just wide open machines, ready to open the browser (and someone has in this example. Yes you can open this machine and browse to your hearts content). Could this become a untraceable trail for criminal activity? Could the owner of the site be surprised by various subpoena and police visits as a result?

They've left their browser logged in to various services, I wonder if they will like bad things on Facebook? Or worse? Perhaps their amazon account is logged in and they order a few hundred Kg of microwave Chicharrones? The cheap kind w/ bits of hair left in it and the tattoo still on?

Or maybe someone messes with their relationship and orders some size-2 lingerie and a set of love-cuffs?

Or installs a keylogger and drains their account? Its really hard to imagine this is the desired state of their computer.

Continuining with the theme of industrial automation gone wrong, what about this company?  They are running a SCADA HMI (human-machine-interface) from Siemens called WinCC. And they might be in arrears on their license 🙂

Now, aside from the stunning up-to-date beauty of this modern user interface, can you imagine any trouble in this concrete mixing system? I mean, we can correct for moisture, change the mix. We can turn on/off the flow of concrete. Think of the trouble we could cause, we could make weak concrete that later didn't hold up and buildings would fail. We could dump concrete when there is no truck to accept it and damage the plant. Its really hard for me to imagine that the owner of this system would be excited to know that the great unwashed (that is you) are one click away from finding it in a public search engine.

So what is the solution? Enable some sort of incentive system to that Internet white-hats hunt and inform? But how would you inform these people? Auto-firewall? Poison Shodan so it has a bunch of fake entries and reduce its usefulness so that only more determined folks can find? Fine the culprits? Despair? Hand-Wringing?

Insecure critical infrastructure: what should we do?

View Results

Loading ... Loading ...
3 comments on “More shodan shenanigans: VNC with no authentication?
  1. db Kevin says:

    That is just awesome. For now I’d start by just writing a nice message in a file on the desktop and then force the file to open on startup. Then shutdown the machine. Hopefully that would set up some alarm somewhere and not cause a meltdown…

  2. db DaveD says:

    Some of these could be honey pots?

Leave a Reply

Your email address will not be published. Required fields are marked *

*