Power Plants and Other Vital Systems Are Totally Exposed on the Internet
Updated by Endah, 6:30 AM
at a facility in Mexico appears to have been shut down for a while, based on the red banner at the top of the screen, but that wouldn't necessarily prevent intruders from manipulating the settings. It's unclear what the equipment is, but Moldow, based in Denmark, makes industrial filter and ventilation systems as well as industrial fans.
They’re all exposed on the internet, without so much as a password to block intruders from accessing them.
Despite all of the warnings in recent years about poorly configured systems exposing sensitive data and controls to the internet, researchers continue to find machines with gaping doors left open and a welcome mat laid out for hackers.
The latest crop comes courtesy of San Francisco-based independent security researcher Paul McMillan, who scanned the entire IPv4 address space (minus government agencies and universities) and found unsecured remote management software running on 30,000 computers.
McMillan searched for port 5900, the port generally used by Virtual Network Computing (VNC) software for controlling computers remotely. His automated scan took just 16 minutes and used a tool McMillan built by combining two existing tools: Masscan for the port scanning and VNCsnapshot to take a screenshot of each system the scan found. He looked only at VNC installations that had no authentication.
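To show what "no authentication" means at the protocol level, here is an added example (not McMillan's tool, and not Masscan or VNCsnapshot): a Python parser for the opening of the RFB handshake that VNC speaks on port 5900. The server first sends a version banner such as `RFB 003.008\n`; once the client echoes the version, the server lists the security types it will accept, where type 1 is None (no password at all) and type 2 is VNC Authentication. Any server that offers type 1 can be driven without a password, which is the condition the scan filtered on. The sample handshake bytes below are constructed for this example, and the `probe()` helper is an assumption about how one would wire the parser to a live socket; use it only against hosts you are authorised to test.

```python
import re
import socket

# Security types from the RFB spec (RFC 6143 section 7.1.2 plus common registrations).
SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                       5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

_BANNER_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_banner(banner: bytes) -> tuple[int, int]:
    """Return (major, minor) from the 12-byte ProtocolVersion message."""
    m = _BANNER_RE.match(banner)
    if not m:
        raise ValueError(f"not an RFB ProtocolVersion banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version: tuple[int, int], msg: bytes) -> list[int]:
    """Decode the server's security-type message for the negotiated version."""
    if version < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a 32-bit big-endian int.
        if len(msg) < 4:
            raise ValueError("truncated RFB 3.3 security-type message")
        return [int.from_bytes(msg[:4], "big")]
    # RFB 3.7/3.8: a one-byte count, then one byte per offered type.
    if not msg:
        raise ValueError("empty security-type message")
    count = msg[0]
    if count == 0:
        # Zero types means the server refused; a length-prefixed reason string follows.
        reason_len = int.from_bytes(msg[1:5], "big")
        reason = msg[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    types = list(msg[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def classify(banner: bytes, security_msg: bytes) -> dict:
    """Summarise a handshake: the offered types and whether type 1 (None) is among them."""
    version = parse_banner(banner)
    types = parse_security_types(version, security_msg)
    return {
        "version": f"{version[0]}.{version[1]}",
        "security_types": [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types],
        "no_auth": 1 in types,
    }


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Assumed live check against one host you are authorised to test (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_banner(banner)
        # Echo the server's version, capped at 3.8 (the highest standard version).
        reply = banner if version <= (3, 8) else b"RFB 003.008\n"
        s.sendall(reply)
        msg = s.recv(1 + 255 + 4 + 1024)  # room for count+types, or a refusal reason
        return classify(reply, msg)


# Constructed server messages (not captured from any real host) for the offline demo.
CONSTRUCTED_HANDSHAKES = {
    "open, RFB 3.8, offers None and VNC Auth": (b"RFB 003.008\n", b"\x02\x01\x02"),
    "locked, RFB 3.8, VNC Auth only":          (b"RFB 003.008\n", b"\x01\x02"),
    "open, RFB 3.3, server chose None":        (b"RFB 003.003\n", b"\x00\x00\x00\x01"),
    "refused, RFB 3.8, too many failures":     (b"RFB 003.008\n", b"\x00\x00\x00\x00\x0dtoo many auth"),
}


def audit_samples() -> dict:
    """Classify every constructed handshake; refusals are reported rather than raised."""
    results = {}
    for label, (banner, msg) in CONSTRUCTED_HANDSHAKES.items():
        try:
            results[label] = classify(banner, msg)
        except ConnectionError as e:
            results[label] = {"error": str(e)}
    return results


if __name__ == "__main__":
    for label, result in audit_samples().items():
        print(f"{label}: {result}")
```

Running the script prints the four constructed cases. The point to take from the first one is that a server offering both None and VNC Authentication is still open: the client picks the type, so a scanner simply picks None. A server that is properly locked down offers only password or TLS-based types, and is in any case bound to localhost or kept behind the firewall rather than reachable on 5900 from the internet.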
Some of the systems are easily identified, since the name of the company appears somewhere on the screen. Many of the systems, however, are unidentifiable since only their IP address is known (often it’s just the IP address of the user’s internet service provider). The nature of the system exposed is also not always clear from the screenshots McMillan’s tool collected. Many of them simply show cartoon schematics of a ventilation system or a factory’s conveyor belts, making it difficult to identify the nature of the operation.
Others were readily identifiable. Mary Longenecker of Creek Place Farms was alarmed to learn that her pig-feeding system was accessible to anyone. The machine mixes and doles out the feed to the Berkshire pigs on her Pennsylvania farm.
“That’s the brains of our operation because it’s so automated,” Longenecker told WIRED. “If someone pressed the stop button, it halts making feed in the entire system, or they could change the feed rations in all of the recipes and really mess things up.”
There’s also the milk inventory controls for a Holstein farm in British Columbia, and the records and appointment system for a string of veterinary clinics in the United Kingdom identifying pets and their owners and the records of their care. One system appears to monitor and control the ventilation for underground miners in Romania, while another displays a view of the refrigeration system for a food service company in Pennsylvania that provides lunches to schools and other facilities. Another appears to be the controls for an internet radio station in Bulgaria.
“A lot of the infrastructure that shows up is there because the software maker had it poke holes in the firewalls for this protocol, but other protocols aren’t showing through that firewall,” McMillan says. “So I think a lot of people think this stuff is behind their firewall” and therefore safe.
Although the systems can be configured to require authentication for access, McMillan found 30,000 systems that had no authentication.
Among ones he found exposed were cash register and point-of-sale systems showing customer purchases and credit card numbers, billboard control systems in South Korea, a system for tracking which exits are open and closed at several elderly residential housing units in New York, several car wash systems, as well as a number of pharmacies, including one in Los Angeles that was exposing full details of customers — their date of birth, home address, contact phone number and the kind of prescription they obtained. One record captured by the screenshot tool identified a 27-year-old female patient who obtained birth control from the pharmacy.
McMillan isn’t sure why the pharmacy data showed up — a violation of federal HIPAA regulations that tightly control who can access patient data — but he suspects the pharmacy may have been using remote management software to monitor employee activity on the computer and wasn’t aware that it was also making the computer desktop accessible to anyone on the internet. A number of the control systems he found also appear to be using TeamViewer to allow manufacturers to monitor and troubleshoot the systems for their customers. A spokesman for TeamViewer, however, says that the software requires a password by default for access.
Also caught in the scan were a number of desktops of random users who had VNC on their systems. One desktop capture showed the computer owner playing World of Warcraft, another was downloading TV shows, a third was in the midst of making a Western Union money transfer while another was attempting to log into a bitcoin mining account. Another user in California — perhaps a staff member in a physician’s office — was in the midst of writing an email about a patient when McMillan’s screenshot tool captured the text. McMillan’s scan also captured an image of three children in pajamas apparently opening presents on Christmas morning. WIRED contacted the ISP, who contacted the owner of the computer in South Dakota, who believes the screen capture was taken while he was looking at a picture of his grandchildren.
McMillan initially posted all of the screenshots online that his scan had captured. But he pulled them down quickly after other security researchers criticized him for exposing the vulnerable systems. He has provided the information to US CERT and to ICS-CERT so that they can contact the owners or their ISPs and let them know that their systems are vulnerable. He’s also prepared a password-protected portal with all of the images sorted by IP address and country so that other researchers can help him contact the owners.
A selection of screenshots from some of the systems appears in the gallery above, with sensitive details blurred by WIRED.
Update: To add information from TeamViewer spokesman clarifying that TeamViewer requires a password by default.
Homepage image: Robert S. Donovan/Flickr