Cracking smart house devices & pwning thousands of PCs via VNC remote access

berrytokyo flickr cc by sa 2.0

The BBC had seven hackers in the form of penetration testers test out the security of a “smart house” full of “smart” devices connected to the Internet of Things; devices like a net-connected oven, a Blu-ray DVD player, a wireless electrical outlet plug, a baby monitor, an Internet-viewable web cam and Sonos speakers to name but a few. They were all “a security disaster waiting to happen” and the pen testers cracked into all of them and turned the smart home into a “haunted house of hacking horrors.”

For example, after scanning for and finding a wireless baby monitor, they installed a commercial app and then could remotely listen into the house. “We can take control of the Blu-ray player, make the television turn on, flash lights, and play spooky music through the house.” Thanks to security issues in the way a person signs up for a BMW i3 app, they could even steal the car.

Felix Ingram, from NCC Group, said his team exploited Universal Plug and Play (UPnP) vulnerabilities to take control of the devices. "The one that people really get concerned about is the microphone on a smart TV. We were able to bug a living room through it. That's when the internet of things starts to spook people out, when your stuff does more than you think it does or ever wanted it to."

I’ve written about vulnerabilities in critical infrastructure, or SCADA, many times as the massive insecurities in that cyber-realm are disturbingly dangerous. Many of those same issues apply to the “smart” devices in your home. While true geeks are unlikely to shy away from IoT devices – myself included – despite the plethora of insecurity issues that come along with them, they can at least change the default username and password.

Yet some folks can’t be bothered to put a password on a VNC program that provides remote access to their PC. If IT people setup VNC without a password for a business or critical infrastructure, then they should be fired! Virtual Network Computing (VNC) is so easy to find via an Internet scan, a person who wanted to could “make someone think their house is possessed.”

Unlike Microsoft’s proprietary Remote Desktop Protocol (RDP) protocol, VNC is platform independent. But be careful about how you setup VNC because if you don’t lock down the remote access tool with a strong password, someone somewhere could be remotely sharing and taking screenshots of your desktop. For example, during a Def Con 22 hour-long talk about mass-scanning the Internet, security researchers Robert Graham, Paul McMillan and Dan Tentler ran their scanners and came up with about 30,000 computers on port 5900 that were running unsecured VNC for remote access.

No, it’s “not illegal,” explained Tentler, after people were upset by the stream of VNC screenshots he posted on Twitter. “Yahoo, Google, Microsoft, Websense, EVERY A/V VENDOR IN THE WORLD, and Shodan – they all do similar scans. Some keep those results secret, some sell them, some make them public.” This was an automated scan that grabbed a screenshot of the VNC instance if it was permitted to connect without a password.

They weren’t hacking and they didn’t log in. Tentler wrote, “Using that language ‘logging in’ implies that the service actually asks for a login. This couldn’t be further from the truth. Nobody ‘logged in’ anywhere.” He added, “These were unpassworded instances of VNC – meaning they never asked for any login whatsoever. You point a VNC client at the IP and bam – you’re looking at some GUI.”

Yet some folks were so upset that they went so far as to report the VNC screenshots results to U.S. CERT. Graham then pointed out that since “DHS and US-CERT are in the business of exploiting vulns to increase their budgets -- they'll do nothing to cleanup the vulns we find.”

So what did they find? Oil or natural gas wells, a water reservoir, a donut manufacturing plant, a hydroelectric plant, a CERN host, SCADA and other vulnerable critical infrastructure like “Japanese, Italian, Latvian and Ukrainian power stations.” There were screenshots of medical equipment like an x-ray machine, a hospital bed monitoring a patient, a Hollywood pharmacy, a point of sale station at a restaurant, hotels, video cameras, a grocery store, shoulder-surfing a day trader, a sauna, and even curtains.

 

Those examples barely scratch the surface as many more were of people on social networks, watching porn or other movies, playing video games and more. Ironically, the scan also grabbed numerous screenshots of script kiddies trying to hack.

There’s nothing new about scanning the Internet, but you can find more here if you are interested in scanning the Internet and taking a screenshot of all things. In fact, other people are scanning too and leaving messages on PCs they accessed such as “You got owned.” Forbes added that in an open web browser, one Good Samaritan input “You might want to put a password on your VNC software” with the Google search results for how-to do so opened below it.

Tentler didn’t tweet any screenshots if it meant the entity could immediately be hacked and whacked, but they found controls for “water, power, agricultural, lab equipment,” as well as “universities, banks, pharmacies, visible copies of signed checks, tons of PII data.” Other people scanning the Internet may not be so thoughtful, so if you use VNC, then put a strong password on it. 

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies