We accidentally the whole Internet!

The whole Internet?

Yes! Is this dangerous??

Decide for yourself:
Small compilation of what's out there on vnc

The matter of VNC

A year ago, at 30c3, everybody had fun scanning the internet with zmap, which was presented by it's author in one of the talks. It scans the whole v4 range easily in a few hours. Someone had the idea of using it to scan for VNC servers, and surprise: the internet was full of them. Many of them offering a remote control without any authorization. A series of screenshots amazed and shocked everybody, who thought computer security had advanced since the early days.

OK, but now that everybody was aware, that soon should be over, right? So when at DEFCON in August, the author of masscan presented his zmap alternative (scanning the v4 range in a few minutes, using optimized drivers for a 10G card), there should not be too many left? Ooops... Still the net was full of Windows Desktops, X11 sessions, public display screens, embedded electronics like cashier systems and printers, CCTV operation centers and big machines like water treatment plants.

So now, one year after zmap, we tried it again at 31c3, and were not so surprised any more that still not much has changed. To be honest: we don't really know how much has changed, as we have no exact data of what was found by the others in the earlier scans.

Disclosure

So we decided to publish a resultset of our scan. As we mainly want to help researchers and not bad people, we removed IPs and hostnames where possible from the results. So it can be used to check for the total number of reachable hosts on the various ports, have a look at the titles presented in the banner and such, but not support direct attacks. It's easy enough to do an own scan, but we don't have to help there.

The List of all auth=none servers we found

One Important thing to note: these 23K servers can be accessed directly without bypassing any security mechanisms. Research on foreign forums suggests, that you get much more hosts by even checking most simple passwords like 1234 or 123456 (again, industrial control panels and such) - we did not try any of that. 23K hosts is bad enough.

The Video

To give a visual impression of what's out there, we produced the video as a small compilation of screens you find when you actually connect to the hosts. The really important thing to know here is: we didn't have to search a lot for this. We made a fed hundred screenshots (out of the 23K authless hosts) by random selection. Of course the video is not a stochastic representative distribution of what's out there, there also are many Windows and Linux boxes requesting a login and such. But you don't have to search hundreds of hosts to find a camera, home automation or industrial device. They are out there, and they are many.

A cure?

We are unsure. What can be done? One thing for sure would be to change QEMU to make it really hard to use password less auth. Like force a "I feel stupid" option in the config. QEMU is the single biggest software we find in the banners, with over 5000 of 23000 hosts contributing almost 20%. On the other hand bring the word out to the operators and suppliers of industrial devices like water treatment plants, that there is no such thing as a secure network. Someone alway will, accidentally or by intent, install a backdoor to the network. So authless operation is a no-go, even though if it's INTENDED to only be reachable in the LAN. Or even localhost. It does not work.