VNC Roulette: Prepare to be hacked if you don't use a password for VNC

If you don't use a password for VNC, don't be surprised if your desktop and IP show up on VNC Roulette. By choosing to use no authentication to secure your VNC connection, some people might take that as a 'please hack me' invitation.

online security hacker

Remotely having access to your desktop and files from anywhere is pretty handy, but it can also leave a gaping security hole if you don’t properly set up the software. What happens if you use Virtual Network Computing (VNC), but fail to secure the connection with a password? VNC Roulette; it might feature a screen capture of your desktop or what you are doing on your computer as well your IP. Some folks might take that as a “please hack me” invitation.

It’s not the first VNC Roulette as some attendees at the 31st Chaos Computer Congress had one that they likened to “Chatroulette for open VNC servers.” Not everyone uses Shodan to find open VNC ports, or recalls when Paul McMillan found about 30,000 unsecured VNC connections, or even Dan Tentler’s Def Con 20 presentation, but the newly launched site is attempting to bring the issue to the forefront again.   

When the new VNC Roulette site launched last week, it had around 550 screen grabs taken via insecure VNC connections, including an x-ray machine, CCTV systems and a control panel for a university’s lecture room; there are significantly less today.

As of right now, VNC Roulette is struggling under the traffic load, throwing CloudFlare errors, but is still hosting images captured of people browsing Facebook, doing their online banking, reading email dated February 2016, shopping, working via the back end of a WordPress site, and more. Some are mundane images, such as servers, desktops, or playing Solitaire, but others feature SCADA systems.

One of the most disturbing images is a screen cap of patient records which show the patient’s name, patient number, date of birth, and contact information such as address and phone number.

Patient records VNC Roulette VNC Roulette

Hopefully the people at Practice Fusion, the “#1 cloud-based electronic health record platform for doctors and patients” supposedly used by over 112,000 healthcare professionals, will learn to at least use a password to secure VNC.

There are several screen captures taken via unsecured VNC featuring SCADA or ICS systems.

open vnc VNC Roulette
Open VNC screen grab SCADA VNC Roulette
Plant overview open VNC VNC Roulette
open vnc gas dashboard VNC Roulette

A user on Hacker News reportedly spent two hours trying to track down the owner of a Swedish hydropower plant that anyone over the Internet could control. Instead of being grateful for the warning, the owner was in full-fledged denial, claimed it was fine as it was, and then tried to pretend the call had bad reception.

There’s big data for everyone and oddly there are several screenshots about toilets.

open vnc big data VNC Roulette
rate toilet VNC Roulette
open vnc toilet 2 VNC Roulette

In the image below it seems like some people tried to warn the user with messages saved to desktop titled, “Watch out dude,” “Be careful bro,” “Hey dude, I saved you” and “Your VNC is public,” while other hackers who accessed the system tagged it with “we were here” type messages.

open vnc messages from strangers VNC Roulette

Several of the open VNC screenshots included warnings that “an anonymous user has connected.”

VNC anonymous user connected VNC Roulette
Windows error and anonymous VNC connection VNC Roulette

There are a wide range of screenshots covering server login screens, business transactions or records, and systems running Linux and Windows. Regarding Windows, the user, and anyone else checking out the machine via the unsecured VNC connection, can see the dreaded Microsoft “not genuine copy” error for Windows 7.

Open VNC not genuine copy of Windows 7 VNC Roulette

Other people are being hounded to upgrade to Windows 10.

Upgrade to Windows 10 VNC Roulette

Motherboard reported that VNC Roulette is run by a gray hat hacker with a desire “to make people understand this is dangerous” before someone starts abusing the lack of security to mess up your life. Shortly thereafter, he supposedly sold the database of exposed VNCs to “some Russian guys” for $30,000 and then took the website down.

While it’s unclear if the deal fell through or he simply decided to relaunch VNC Roulette, if you use VNC without setting up a password, don’t be surprised if a screenshot of your desktop and IP address shows up on the site. Keep that in mind before you use online banking or anything that reveals your sensitive business, personal or financial information. You might as well set your desktop background to the message 'please hack me.' MIT has a guide for securing VNC with SSH.


Copyright © 2016 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon