One moment you’re looking at a random person’s email or bank account. Another moment you’re staring at someone else’s Apple TV. Then, here’s a family’s home smart system, with its virtual controls for lights and air conditioning.
All these computers were vulnerable to anyone that stumbled upon them on a website that showcased systems that are connected to the internet and can be accessed remotely. And there was no need to know how to break or hack into them—they were all left wide open.
These computers, and thousands more, were being collected and displayed on a website called VNC Roulette, which showed a screenshot of each vulnerable system alongside its IP address. VNC stands for Virtual Network Computing, a protocol that allows users to access and control computers remotely as if they were physically in front of them. If VNC is set up with no authentication, anyone who knows the computer’s IP address can connect to it freely.
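The “no authentication” condition the article describes is visible in the first few bytes of a VNC session: after the version banner, the server lists the security types it accepts, and security type 1 (“None”) means no password is ever asked for. The following is an added example, not code from the article or from VNC Roulette, that an administrator can run over the handshake bytes of their own servers (captured from a packet trace, for instance) to flag exposed instances. All byte strings in it are constructed, and the assumed hostname labels are placeholders.

```python
"""Audit helper: decide from a captured RFB (VNC) handshake whether the server
offers unauthenticated access. Added example; the sample handshakes below are
constructed, not captured from any real host."""
import struct

# Security types registered for the RFB protocol (RFC 6143 and the community spec).
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None",                # no authentication at all: anyone with the IP gets in
    2: "VNC Authentication",  # DES challenge/response on a shared password
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    20: "SASL",
}


def parse_server_version(banner):
    """Parse the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion message the server sends first."""
    if len(banner) < 12 or not banner.startswith(b"RFB ") or banner[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:7], banner[8:11]
    if banner[7:8] != b"." or not (major.isdigit() and minor.isdigit()):
        raise ValueError("malformed RFB version string")
    return int(major), int(minor)


def parse_security_types(version, data):
    """Return the list of security types the server offers.

    `data` is what the server sends right after the version exchange; the
    layout differs between RFB 3.3 and RFB 3.7/3.8.
    """
    if version < (3, 7):
        # RFB 3.3: the server dictates one security type as a 4-byte big-endian integer.
        if len(data) < 4:
            raise ValueError("truncated RFB 3.3 security-type message")
        (sec_type,) = struct.unpack(">I", data[:4])
        return [sec_type]
    # RFB 3.7+: a count byte followed by that many single-byte security types.
    if not data:
        raise ValueError("truncated security-types message")
    count = data[0]
    if count == 0:
        # The server refused the connection; a u32 length and a reason string follow.
        if len(data) < 5:
            raise ValueError("truncated refusal message")
        (reason_len,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionRefusedError(reason)
    types = list(data[1:1 + count])
    if len(types) < count:
        raise ValueError("truncated security-types list")
    return types


def assess_handshake(banner, security_msg):
    """Classify one captured handshake. A server that *offers* type 1 is exposed
    even if it also offers password authentication, because the client chooses."""
    version = parse_server_version(banner)
    types = parse_security_types(version, security_msg)
    exposed = 1 in types
    return {
        "version": version,
        "security_types": [SECURITY_TYPE_NAMES.get(t, "unknown(%d)" % t) for t in types],
        "unauthenticated": exposed,
        "finding": ("EXPOSED: server accepts connections without authentication"
                    if exposed else "ok: authentication required"),
    }


# Constructed sample handshakes (hostnames are placeholders, not real systems).
SAMPLES = {
    "host-open.example":     (b"RFB 003.008\n", b"\x01\x01"),                 # only "None"
    "host-mixed.example":    (b"RFB 003.008\n", b"\x02\x01\x02"),             # "None" or VNC auth
    "host-password.example": (b"RFB 003.008\n", b"\x02\x02\x13"),             # VNC auth or VeNCrypt
    "host-legacy.example":   (b"RFB 003.003\n", b"\x00\x00\x00\x01"),         # RFB 3.3, "None"
}

if __name__ == "__main__":
    for host, (banner, msg) in SAMPLES.items():
        result = assess_handshake(banner, msg)
        print("%-24s RFB %d.%d  %-28s %s" % (host, *result["version"],
              ",".join(result["security_types"]), result["finding"]))
```

The useful detail here is the “mixed” case: a server that lists both “None” and “VNC Authentication” is just as open as one offering “None” alone, since the client picks the type, so any audit should treat the presence of type 1 as a finding rather than checking only what the default client would negotiate.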
The site was made earlier this week by a 19-year-old gray hat Moroccan hacker who goes by the name Revolver, who declined to reveal his real name. The hacker has since taken the site down. But when I chatted with him earlier this week, he said his hope was to teach people to be more careful.
“I hope someone in the [information security] community will publish something about this to make people understand this is dangerous,” he said. “Before bad guys do find this and start fucking around with our lives.”
Revolver’s work per se isn’t that revolutionary. The website Shodan, a sort of Google for internet-connected devices, can be used to find the exact same systems. In the past, other security researchers, such as Dan Tentler, Paul McMillan and Robert Graham, already warned of the dangers of poorly secured systems that can be found online. And during the 2014 Chaos Computer Congress in Germany, some attendees created a short-lived, although recurring, similar website also called VNC Roulette that still lives on as a Twitter account.
But Revolver’s VNC Roulette laid bare just how many of these systems are routinely left wide open to anyone who knows where to look. And how despite years of security researchers warning people of the dangers of connecting stuff to the internet without thinking about how to secure it, people still do it.
“What is interesting is that more devices are appearing, as more and more new stuff is invented and put on the internet for anyone to see,” Yonathan Klijnsma, a threat intelligence analyst at Fox-IT who has also done research on open VNC systems, told me in an online chat.
In fact, according to Klijnsma’s own scans of the internet, there are around 335,000 systems connected via VNC online, and around 8,000 of those (about 2 percent) aren’t password protected.
A redacted page of the now defunct VNC Roulette website, this one showing somebody browsing his Facebook account.
These are the ones Revolver was showcasing on his site. At the same time, however, Revolver didn’t just create an automated script to collect all these examples. He told me that at one point he accessed a woman’s computer while the person’s phone was connected to it, and found explicit pictures of her and her partner having sex. Revolver showed me a screenshot of that folder, and he also showed me screenshots of people browsing their email and even bank and PayPal accounts.
For Klijnsma, Revolver might be crossing a line, especially because VNC Roulette doesn’t just collect people’s computers, but also embedded systems that are used to control industrial systems.
Another screenshot taken by VNC Roulette, this one showing what looks like a water control system.
“Yes, everyone can find these devices and do what they want,” Klijnsma said in a chat. “However you don't have to present them with it. If you present ‘the good stuff' you are doing the work for them; pointing them directly at—most likely—the things you don't want people with malicious intent to have.”
On Thursday, Revolver told me he had decided to sell the database of exposed VNCs he had amassed for $30,000 to “some Russian guys” who wanted to use it for their botnet. Minutes later, he took the website down.
“I hope the community will feel the pain this [sic] guys gonna make when [sic] they their dirty hands on those access's [sic],” he said in a chat.
When I asked him if that meant the Russian hackers were going to hack those vulnerable computers, he simply said: “I don't give a fuck. Tonight I'll get my money and disappear.”
Update, 25/03/2015, 2:34 p.m. ET: The website came back online on Friday.