- Equipment at a facility in Mexico appears to have been shut down for a while, based on the red banner at the top of the screen, but that wouldn't necessarily prevent intruders from manipulating the settings. It's unclear what the equipment is, but Moldow, based in Denmark, makes industrial filter and ventilation systems as well as industrial fans.
- Control panel for a petrol station in India tracks the amount of fuel in storage tanks and includes tabs for the point-of-sale system to record sales transactions. Would-be intruders can learn more about the system's features by accessing sales literature (.pdf) published online.
- For some reason this pharmacy in Los Angeles was broadcasting its customer prescription records on the internet, a violation of federal HIPAA regulations. An internet scan captured the record of a young woman who had purchased birth control at the pharmacy, exposing her name, address, phone number and birthdate.
Researcher Paul McMillan thinks the pharmacy may have been monitoring the computer activity of employees using the remote access program TeamViewer, but then failed to secure the application, allowing anyone else on the internet to view the employee computer screen as well.
Contacted by WIRED, the customer said she often filled her prescriptions at three different pharmacies, including one on the University of Southern California campus, and couldn't recall which one she had visited most recently. USC's Office of Compliance told WIRED the IP address did not belong to the university. Although a woman in the compliance office said the university knows the identity of the pharmacy that sold the woman her prescription, her office would not provide the information to WIRED so that the pharmacy could be contacted.
- The view of a casino in the Czech Republic as seen through the surveillance cameras overlooking slot machines and a roulette wheel.
- System for monitoring and controlling digital signs at the Irving Park station on Chicago's Metra rail line. It's unclear if the page would provide access to other controls in the system. WIRED contacted Metra two weeks ago and provided complete information about the unsecured page.
- Screenshot of a computer in the United Kingdom taken while the user attempted to log into a bitcoin mining account.
- The internet scan found two small hydroelectric plants in New York on the internet that were not secured. The plants supply electricity for the state of New York. WIRED attempted to reach the plants but was unable to connect with anyone to disclose the vulnerability, so the name of the plant in the screenshot has been blurred.
- Screenshot of a user in California, possibly a worker in a doctor's office, typing an email about a patient. The scan that researcher Paul McMillan conducted searched the internet for any systems with port 5900 enabled. This port is generally used by Virtual Network Computing (VNC) systems. Many of the systems he found vulnerable had TeamViewer installed on them -- a remote access software that employers sometimes install on systems to track the activity of users. The software had not been password-protected, however, to keep others from also seeing the screen.
- Techni-Cast, a foundry located in Los Angeles, had a control system installed for monitoring the generator it uses to produce power for its metal manufacturing processes. The generator is made by a German company, and the control system was set up to allow the German firm a way to monitor the generator's performance from Europe and do troubleshooting.
Techni-Cast's systems administrator, Michael Marshall, told WIRED that the monitoring system had TeamViewer installed, but the system was supposed to be protected behind a firewall with authentication. He said the system had recently been upgraded, and the authentication may have been disabled during the upgrade.
- A system for monitoring surveillance cameras and the ventilation system at a home in Poland. The IP address for the computer indicates the home may be in the small town of Giżycko in northeastern Poland. The Whois record for the IP address provided a phone number in Poland, but no email address. The person who answered the phone did not speak English, so WIRED was unable to convey information about the unsecured system.
- Screenshot of a computer in Australia, taken just after someone attempted to conduct a failed Western Union transfer. An icon in the lower right corner shows the person was using a VNC connection at the time the screenshot was captured.
- Creek Place Farms is a family-run pig farm owned by Don and Maria Longenecker that specializes in free-roaming, organically fed Berkshire pigs. The control system exposed by Paul McMillan's scan is a German system the farm uses to mix the feed and distribute it to the pigs.
Each pig has an RFID chip that the feeder tracks in order to know how much feed the pig has eaten. As each pig enters the feeding tube, the system delivers a portion of food and tracks how long the pig remains in the feeding tube and how much food it consumes. As the pig returns to the feeder throughout the day, more portions are dispensed to the animal until the pig receives all the food allotted for the day.
A button at the bottom of the control panel would allow someone to alter the mix of the feed -- changing the recipe to deliver more soy than corn to the animals, for example, or provide too much feed to younger pigs. Maria Longenecker told WIRED that she's so obsessive about the system that she doesn't even allow her husband to access it. The system has TeamViewer installed to allow the German firm to monitor the system remotely and troubleshoot any problems. Longenecker told WIRED that she was alarmed to find out that the system was accessible to anyone online and hadn't been password-protected.
- A point-of-sale system for a drugstore in Colombia. Paul McMillan's scan captured several screens from computers at the store, some with purchasing data exposed.
- Screenshot showing the personal desktop of someone who was tracking data on oil and gas pipelines.
- The scan captured several screens for monitoring and controlling car wash systems.
- The monitoring system for a coal mining company in Romania. The panel appears to provide readings for the underground ventilation system, though it's not clear if an intruder could also manipulate the system in some way.
- A screenshot showing what appears to be the control system for an internet radio station in Bulgaria.
What do the controls for two hydroelectric plants in New York, a generator at a Los Angeles foundry, and an automated feed system at a Pennsylvania pig farm all have in common? What about a Los Angeles pharmacy’s prescription system and the surveillance cameras at a casino in the Czech Republic?
They’re all exposed on the internet, without so much as a password to block intruders from accessing them.
Despite all of the warnings in recent years about poorly configured systems exposing sensitive data and controls to the internet, researchers continue to find machines with gaping doors left open and a welcome mat laid out for hackers.
The latest crop comes courtesy of San Francisco-based independent security researcher Paul McMillan, who scanned the entire IPv4 address space (minus government agencies and universities) and found unsecured remote management software running on 30,000 computers.
McMillan searched for port 5900 — a port generally used by Virtual Network Computing systems, or VNC, that are used to control computers remotely. His automated scan took just 16 minutes and used a tool McMillan crafted from combining two existing tools – Masscan to do the port scanning and VNCsnapshot to take screenshots of each system the scan found. He looked only at VNC installations that had no authentication.
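What makes a VNC server show up in a scan like this is the RFB security handshake: after the version exchange the server lists the security types it accepts, and a server offering only type 1 ("None") will hand over its framebuffer with no password at all. The following is an added example, not part of the article or of McMillan's tool, for checking a VNC endpoint you administer; the security-type numbers come from the RFB specification (RFC 6143 and the RFB registry) and the sample handshakes are constructed.

```python
import socket
import struct

# Security types from RFC 6143 / the RFB registry; type 1 ("None") is the
# exposure the article describes: a server that asks for no password at all.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "ARD"}

def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion banner")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)

def parse_security_types(version: tuple, data: bytes) -> list:
    """Parse the server's security handshake that follows the version exchange."""
    if version < (3, 7):
        # RFB 3.3: the server picks a single type, sent as a big-endian u32
        return [struct.unpack("!I", data[:4])[0]]
    count = data[0]
    if count == 0:
        # No types offered: a u32 length and a reason string follow
        (n,) = struct.unpack("!I", data[1:5])
        raise ValueError("server refused: " + data[5:5 + n].decode(errors="replace"))
    return list(data[1:1 + count])

def assess(types: list) -> str:
    """Summarise the handshake the way an audit report line would."""
    names = ", ".join(SECURITY_TYPES.get(t, f"unknown({t})") for t in types)
    verdict = "EXPOSED (no authentication offered)" if 1 in types else "requires authentication"
    return f"{verdict}; offered: {names}"

def audit_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> str:
    """Complete only the version/security handshake against one host you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_version(s.recv(12))
        # Echo the highest version we understand (capped at 3.8), as a client would
        major, minor = min(version, (3, 8))
        s.sendall(b"RFB %03d.%03d\n" % (major, minor))
        # A single recv is enough for the short security message in practice
        return assess(parse_security_types((major, minor), s.recv(256)))

# Constructed handshakes (not captures from the article) for offline checks
RFB38_NONE_ONLY = b"\x01\x01"        # 3.8 server offering only type 1 (None)
RFB38_VNCAUTH = b"\x02\x02\x13"      # 3.8 server offering VNC auth and VeNCrypt
RFB33_NONE = b"\x00\x00\x00\x01"     # 3.3 server choosing type 1 (None)
```

Run `audit_vnc("127.0.0.1")` against your own server to see which line it produces; a result starting with EXPOSED means the server would have appeared in a scan like the one described.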
Some of the systems are easily identified, since the name of the company appears somewhere on the screen. Many of the systems, however, are unidentifiable since only their IP address is known (often it’s just the IP address of the user’s internet service provider). The nature of the system exposed is also not always clear from the screenshots McMillan’s tool collected. Many of them simply show cartoon schematics of a ventilation system or a factory’s conveyor belts, making it difficult to identify the nature of the operation.
Others were readily identifiable. Mary Longenecker of Creek Place Farms was alarmed to learn that her pig-feeding system was accessible to anyone. The machine mixes and doles out the feed to the Berkshire pigs on her Pennsylvania farm.
“That’s the brains of our operation because it’s so automated,” Longenecker told WIRED. “If someone pressed the stop button, it halts making feed in the entire system, or they could change the feed rations in all of the recipes and really mess things up.”
There’s also the milk inventory controls for a Holstein farm in British Columbia, and the records and appointment system for a string of veterinary clinics in the United Kingdom identifying pets and their owners and the records of their care. One system appears to monitor and control the ventilation for underground miners in Romania, while another displays a view of the refrigeration system for a food service company in Pennsylvania that provides lunches to schools and other facilities. Another appears to be the controls for an internet radio station in Bulgaria.
“A lot of the infrastructure that shows up is there because the software maker had it poke holes in the firewalls for this protocol, but other protocols aren’t showing through that firewall,” McMillan says. “So I think a lot of people think this stuff is behind their firewall” and therefore safe.
Although the systems can be configured to require authentication for access, McMillan found 30,000 systems that had no authentication.
Among the ones he found exposed were cash register and point-of-sale systems showing customer purchases and credit card numbers, billboard control systems in South Korea, a system for tracking which exits are open and closed at several elderly residential housing units in New York, several car wash systems, as well as a number of pharmacies, including one in Los Angeles that was exposing full details of customers — their date of birth, home address, contact phone number and the kind of prescription they obtained. One record captured by the screenshot tool identified a 27-year-old female patient who obtained birth control from the pharmacy.
McMillan isn’t sure why the pharmacy data showed up — a violation of federal HIPAA regulations that tightly control who can access patient data — but he suspects the pharmacy may have been using remote management software to monitor employee activity on the computer and wasn’t aware that it was also making the computer desktop accessible to anyone on the internet. A number of the control systems he found also appear to be using TeamViewer to allow manufacturers to monitor and troubleshoot the systems for their customers. A spokesman for TeamViewer, however, says that the software requires a password by default for access.
Also caught in the scan were a number of desktops of random users who had VNC on their systems. One desktop capture showed the computer owner playing World of Warcraft, another was downloading TV shows, a third was in the midst of making a Western Union money transfer while another was attempting to log into a bitcoin mining account. Another user in California — perhaps a staff member in a physician’s office — was in the midst of writing an email about a patient when McMillan’s screenshot tool captured the text. McMillan’s scan also captured an image of three children in pajamas apparently opening presents on Christmas morning. WIRED contacted the ISP, who contacted the owner of the computer in South Dakota, who believes the screen capture was taken while he was looking at a picture of his grandchildren.
McMillan initially posted all of the screenshots online that his scan had captured. But he pulled them down quickly after other security researchers criticized him for exposing the vulnerable systems. He has provided the information to US CERT and to ICS-CERT so that they can contact the owners or their ISPs and let them know that their systems are vulnerable. He’s also prepared a password-protected portal with all of the images sorted by IP address and country so that other researchers can help him contact the owners.
A selection of screenshots from some of the systems appears in the gallery above, with sensitive details blurred by WIRED.
By Kim Zetter