Remotely having access to your desktop and files from anywhere is pretty handy, but it can also leave a gaping security hole if you don’t properly set up the software. What happens if you use Virtual Network Computing (VNC), but fail to secure the connection with a password? VNC Roulette; it might feature a screen capture of your desktop or what you are doing on your computer as well your IP. Some folks might take that as a “please hack me” invitation.
It’s not the first VNC Roulette as some attendees at the 31st Chaos Computer Congress had one that they likened to “Chatroulette for open VNC servers.” Not everyone uses Shodan to find open VNC ports, or recalls when Paul McMillan found about 30,000 unsecured VNC connections, or even Dan Tentler’s Def Con 20 presentation, but the newly launched site is attempting to bring the issue to the forefront again.
When the new VNC Roulette site launched last week, it had around 550 screen grabs taken via insecure VNC connections, including an x-ray machine, CCTV systems and a control panel for a university’s lecture room; there are significantly less today.
As of right now, VNC Roulette is struggling under the traffic load, throwing CloudFlare errors, but is still hosting images captured of people browsing Facebook, doing their online banking, reading email dated February 2016, shopping, working via the back end of a WordPress site, and more. Some are mundane images, such as servers, desktops, or playing Solitaire, but others feature SCADA systems.
One of the most disturbing images is a screen cap of patient records which show the patient’s name, patient number, date of birth, and contact information such as address and phone number.
Hopefully the people at Practice Fusion, the “#1 cloud-based electronic health record platform for doctors and patients” supposedly used by over 112,000 healthcare professionals, will learn to at least use a password to secure VNC.
There are several screen captures taken via unsecured VNC featuring SCADA or ICS systems.
A user on Hacker News reportedly spent two hours trying to track down the owner of a Swedish hydropower plant that anyone over the Internet could control. Instead of being grateful for the warning, the owner was in full-fledged denial, claimed it was fine as it was, and then tried to pretend the call had bad reception.
There’s big data for everyone and oddly there are several screenshots about toilets.
In the image below it seems like some people tried to warn the user with messages saved to desktop titled, “Watch out dude,” “Be careful bro,” “Hey dude, I saved you” and “Your VNC is public,” while other hackers who accessed the system tagged it with “we were here” type messages.
Several of the open VNC screenshots included warnings that “an anonymous user has connected.”
There are a wide range of screenshots covering server login screens, business transactions or records, and systems running Linux and Windows. Regarding Windows, the user, and anyone else checking out the machine via the unsecured VNC connection, can see the dreaded Microsoft “not genuine copy” error for Windows 7.
Other people are being hounded to upgrade to Windows 10.
Motherboard reported that VNC Roulette is run by a gray hat hacker with a desire “to make people understand this is dangerous” before someone starts abusing the lack of security to mess up your life. Shortly thereafter, he supposedly sold the database of exposed VNCs to “some Russian guys” for $30,000 and then took the website down.
While it’s unclear if the deal fell through or he simply decided to relaunch VNC Roulette, if you use VNC without setting up a password, don’t be surprised if a screenshot of your desktop and IP address shows up on the site. Keep that in mind before you use online banking or anything that reveals your sensitive business, personal or financial information. You might as well set your desktop background to the message 'please hack me.' MIT has a guide for securing VNC with SSH.