Whenever we talk about the IoT we also need to talk about cyber security. For developers and engineers, protecting services and products is a challenge in two ways. Firstly, security technology is complex and needs to strike a fine balance between protection and affordability. Secondly, the security measures have to be as easy for customers to handle as possible.
The latter may be even trickier than most of us thought. Even setting a password to protect sensitive data is too much for many users. Don’t believe us? Let us provide some evidence for this statement. Last week a page appeared under the URL “vncroulette.com” (the site has since been hacked and is now offline). On this page an anonymous person, who calls himself “Revolver” on Twitter and wanted to raise the issue of open VNC servers, publicly posted unprotected VNC servers.
VNC stands for Virtual Network Computing and is used by many people to access their desktop and files remotely. Usually you are prompted to secure your VNC connection with a password when setting up the service – however, as stated above, that is something we users already seem to fail at. As a result, nearly anyone can interfere with and take advantage of those “open” VNC connections.
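As an added example (not part of the original post), the following self-audit checks whether your own VNC server still offers the “None” security type in its RFB handshake, which is exactly what lets a client connect without a password. Host and port default to the local machine and are assumptions; the sample handshake bytes at the bottom are constructed.

```python
"""Self-audit: does a VNC (RFB) server advertise the 'None' security type?

Per the public RFB spec (RFC 6143): the server sends a 12-byte banner such as
b"RFB 003.008\n"; the client echoes a version; an RFB 3.7/3.8 server then sends
a 1-byte count followed by that many security-type bytes, while an RFB 3.3
server sends one 4-byte big-endian type. Type 1 = None, type 2 = VNC Auth.
"""
import socket
import struct

SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def parse_security_types(banner: bytes, payload: bytes) -> list:
    """Return the security types offered, given the banner and the bytes after it."""
    if len(banner) != 12 or not banner.startswith(b"RFB "):
        raise ValueError("not an RFB server banner")
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) >= (3, 7):
        count = payload[0]
        if count == 0:  # server refused us; a reason string follows
            raise ValueError("server rejected the connection")
        return list(payload[1:1 + count])
    # RFB 3.3: the server chooses the type itself and sends it as u32
    (sec_type,) = struct.unpack("!I", payload[:4])
    return [sec_type]


def allows_unauthenticated_access(types: list) -> bool:
    """True when type 1 ('None') is on offer, i.e. no password is needed."""
    return 1 in types


def audit_vnc_server(host: str = "127.0.0.1", port: int = 5900, timeout: float = 3.0) -> dict:
    """Connect to our own server, finish the version exchange and read its security types.

    host/port are assumed defaults for a local server; nothing beyond the
    handshake is sent and no authentication is attempted.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = b""
        while len(banner) < 12:
            banner += sock.recv(12 - len(banner))
        sock.sendall(banner)  # echo the server's version so it lists all its types
        payload = sock.recv(256)
    types = parse_security_types(banner, payload)
    return {"host": host, "port": port,
            "types": [SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in types],
            "open": allows_unauthenticated_access(types)}


# Constructed handshake samples (not captured traffic) for offline use:
SAMPLE_38_OPEN = (b"RFB 003.008\n", b"\x02\x01\x02")   # offers None and VNC Auth
SAMPLE_38_SAFE = (b"RFB 003.008\n", b"\x01\x02")       # VNC Auth only
SAMPLE_33_OPEN = (b"RFB 003.003\n", b"\x00\x00\x00\x01")  # 3.3 server picked None
```

Run `audit_vnc_server()` against a host you administer; a result with `"open": True` means the server should be reconfigured to require a password.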
That’s basically what VNC Roulette is all about. The person behind VNC Roulette filled a database with publicly reachable VNC servers and even reported the situation via Twitter. When nobody reacted, the unidentified person started to publish evidence on the VNC Roulette page. As if that were not bad enough, he did not just find unsecured servers belonging to private individuals but also posted images of patient records (showing the patient’s name, patient number, date of birth, and contact information such as address and phone number), pictures of an X-ray machine in a facility in Nevada, US, a store’s CCTV system and much more.
— Revolver (@1x0123) April 2, 2016
Above you can see an example of the sensitive data that has been leaked. The tweeted screenshot shows an interface that gives you control over the pump prices of a gas station whose personnel obviously had not set up a password.
However, it gets even more alarming: you don’t need much specific computer knowledge to find open VNC servers using Shodan, a search engine for internet-connected devices (editor’s note: don’t misuse this information to access any sensitive data).
Now why is that concerning? With more and more connected devices we are seeing more and more insecure connections. While we can build the technical prerequisites that help people protect themselves, we are obviously struggling to make people more aware and take security seriously. One of the few options we do have, besides supporting the education of users, is security hardware, which in many cases can clearly identify a device without the user having to set up a personal password.