Good afternoon, ladies and gentlemen, welcome to Stage C. It's my pleasure to present Jose D'eth, talking about the security of the Internet of Things.

This is my GitHub profile. I'm officially a software guy, because that's what I study, basically computer science, but I'm quite interested in the security side of things, and recently I got interested in this particular type of research because I saw somebody on Twitter posting screenshots of stuff they found on unauthenticated VNC servers on the internet, so I decided to do something similar.

Well, the first thing that I would like to talk about is the morality of it, whether it's legal or moral for somebody to scan the internet looking for open servers, basically, and my view on this. I've talked to people about this and they've said, "Oh well, just because it's open you shouldn't be looking at it," or "It's like seeing a car with the door open and just stealing it." And I think there's something very wrong with that metaphor, and I'm sure you can see the many levels of wrongness that it has. But what is this, really? It's basically like having a very large telescope in your home. If people leave their doors open at home and you have a very large telescope, you can look at their houses without actually going into the houses, from your own home.
That's similar to what I think I'm doing. Okay, so let's talk about the things I'm going to show you. When you scan the whole internet for open servers speaking the remote framebuffer protocol, you find very, very disturbing things, and I've decided not to show you some of the most extreme things I found, because I've seen actual hospitals with actual patient data on open servers on the internet that anyone can access, and so, you know, I can't really in good faith show any of that. But I can show some of the other stuff that I found, which I think is pretty funny or disturbing, depending on how you see it.

So, yeah, I built a web interface. Basically, I'm not sure if you can read that, but I've got a tab bar with all of the countries I've scanned, and you can see some of the screenshots here. So for example, I think this is Switzerland, and I can't really read Swiss, but yeah, that looks important, and you can probably modify any of the parameters here and cause disruption of some description.

Something else I should mention: all of this scanning was automated, so nobody actually connected to the server and controlled it. The way I did it was... has anyone heard of C map? Okay, well, it's basically an internet scanning tool that can scan the whole internet, the whole IPv4 address space, in six minutes, I think, which is pretty fast. What I did is I scanned the whole internet for servers with port 5900 open, which is the VNC port, and then, when I had a list of servers with VNC open, I had a small program that basically connected to each one, grabbed the screenshot and disconnected. So nobody actually went into the servers and took a screenshot; it was just completely automated, which I think is worth mentioning, because it's probably very illegal to actually gain access to a computer.
So what I'm trying to say is that I didn't actually gain access to any of these computers, I just took a screenshot of them.

So, yeah, let's look at some of the screenshots. Again, I don't really know what this means, but it looks interesting, or potentially harmful if placed in the wrong hands. Yeah, I think this is a fridge; well, you can't really see that, but whatever.

There was a quite interesting thing in Italy. Let me see if I can find it. Yeah, it looks like a silo of some description, with, I don't know, probably animal waste or something, but if you take a look at the buttons, you can see an alarm button or a reset button, which I'm guessing probably won't do any good to anyone if you press them when you shouldn't. Let's see if we can find something else.

Oh yeah, there are also lots of webcams, well, surveillance systems, on the internet, lots of them. I've seen surveillance systems of museums, I've seen surveillance systems of banks, if you can believe that. Well, yeah, let's just keep looking. Yeah, lots of desktops as well.

Okay, yeah, this is a... oh, well, such a tiny screenshot. This is a home automation system, and I've looked it up actually, and from the characteristics it mentions on the website you can probably turn off the heating to the house and so on. It also has an energy monitor, so I'm guessing you could probably turn off energy to that house if you wanted. Again, I didn't do any of this, I'm just speculating about the kind of stuff you could do if you were evil, or I guess if you wanted to do harm.

Let's see, this is Mexico. Oh yeah, lots of points of sale. I'm not sure why this is on the internet, but this is a point-of-sale terminal, so somebody's using it, and you can potentially add stuff to other people's purchases and so on. To be honest, I have no idea why this is on the internet. Let's see. Oh, okay.
So this is a transport agency in Mexico. I don't think you can read that, but this is on the internet, and it's a transport agency like UPS or DHL or something like that, and again, this is completely open to anyone on the internet scanning it and connecting to it. Right, well, yeah, whatever.

Some of the more juicy stuff I found in the United States, for example. This is a flow meter for, I would suppose, some kind of large-scale plant. I looked up this particular model online, and I'm not sure if you can see these pump one, pump two, pump three, pump four buttons, but you can actually deactivate pumps just by pressing them. So again, anyone without authentication can connect to the server, press the four pump buttons and disable them, without anyone noticing or without leaving a trail or whatever. So yeah, that's kind of bad.

But what's worse is something else I found. This one, I'm not sure what this is, but it has lots of parts and lots of buttons as well. It says bioenergy, so I'm assuming it's generating energy somehow, and this is the control panel. So you can see here start, stop, enable, disable, all this kind of stuff that you can potentially click and cause havoc far away from you.

This is another home automation system, and I particularly like this one because you can see animal stats, and I'm not sure why that is. Why would you have a whole home automation system with animal stats? I don't know, but I thought it was fun. And yeah, you can also see curtains right there, which is quite interesting. Lots of Windows servers, people watching Netflix, which I thought was pretty funny. Another flow meter, and in this case you can clearly see it's a large-scale thing, just look at all the gallons it's used. Let's take a look at Russia.
That's always fun. I'm not sure what this particular one is; I tried to look it up and the closest thing I could find is some kind of hotel control system, which fortunately is protected by a login prompt, which is good, I guess, but it still probably shouldn't be on the internet. Let's see something else. Lots of Windows servers. Yeah, well, okay, you didn't see that, that's probably not safe for work.

This is another home automation system. It's in Russian, and you can't really see it on the screen, but there's a button for cams. So there's potentially somebody at home with cameras in their home, and you can see them on the internet because it's really open to anyone.

Let's take a look at Romania. Oh, that's fun. Yeah, this is a restaurant management system, and you can see which tables are open and which tables are in use and so on. More people watching porn, that's fun. I have no idea what that is, but it looks like a spreadsheet of some description. Looks like some kind of university access system; it looks like you could possibly change teacher status and so on. More Windows servers. Oh, I particularly like this one, because this is probably a screensaver, and you can't really see it, but it's made in Paint, so I thought it was fun.

Yeah, let's take a look at something else. Let's see. Oh, people playing Candy Crush, people watching YouTube. You can find lots of people doing normal stuff on their computers without them noticing that they have a VNC server running. I think, based on the stuff I've seen, that there's some kind of distribution of Linux or some sort of pre-built Windows or something that has a VNC server on by default, because I've seen lots of people who, you know, just manage their business without noticing they have a VNC server on.

Let's take a look at this. Well, that one says enterprise control system.
So, you know, you can draw your own conclusions there. This is another surveillance system; it looks like a surveillance system for an office. More people watching Facebook and so on.

Let's take a look at Spain, which is my own country. Oh, we found lots of these, actually. I'm not entirely sure what this is, but it looks like the info displays of a train system. We did find lots and lots of these, so it looks like there's a network of trains or buses or something like that that's connected to the internet. So, you know, you find lots of quite interesting stuff on the internet, and stuff that you wouldn't necessarily expect. I mean, you were kind of expecting to find stuff like power plants, coal plants and so on, at least I was, but then you see people watching Netflix, and you didn't really expect that, at least I didn't.

Oh yeah, this one was quite interesting. I'm not sure what it is; it looks like some kind of fiber optic testing. It talks about wavelengths and so on. Yeah, and people just minding their own business. This is another home automation system, like the one we saw in Russia, and in this case you can actually see the video button here.

Let's take a look at the United States again. This is the first half of the address space of the United States; the other one I showed you was the lower half. Oh yeah, this is fun. This is a sewage drainage system, which is on the internet, and there's a label here that says "dosing pump manual speed", so I would guess that you could control that and, you know, make shit happen, literally.

I also found lots of virtualized servers, and I took a screenshot of this one because it was particularly interesting. It's Memtest. So I didn't know you could VNC into Memtest, but I guess you can. And finally, let's look at France. Yeah, well, there's nothing interesting there.
So, about the software I used. I could probably show it to you, actually. Okay, I can send you a link later; if you see me afterwards I'll give you a link to this, but basically it's just the source code for, after you get the list of IP addresses that respond on port 5900, using the script to take a screenshot of every unauthenticated server. So, yeah, if there are any questions, just let me know.

Well, I didn't do any actual science-type thing, but I did find lots of Windows servers. I think there were lots and lots of them; I didn't know there were so many. That's why I said before that I think there must be some kind of default configuration that makes them vulnerable to this kind of stuff, because it's just an unreasonable amount of Windows servers to have sitting on the internet. Yeah, so that's all.

Yeah, how many of the servers were read-only? I don't think many of them were read-only. Well, I mean, I have no proof of this, but I would expect that if someone sets up a VNC server, it's probably to remotely control it. So, you know, okay. Any other questions?

Oh, no, no, definitely not, definitely not in my interest. I mean, I'm not a lawyer or anything, but I'm pretty sure publishing a list of IP addresses with VNC ports open would probably be highly illegal. Yeah, I mean, you can do it on your own. That's the thing, that's the whole point of this talk, that you can do this kind of research on your own and replicate my results.
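As an added example (not the speaker's script or any code from the talk), here is how an administrator can audit their own hosts for the condition the talk describes: a VNC server that offers the RFB security type "None", so any client can attach without credentials. It completes only the RFB version exchange, reads the server's advertised security types and disconnects; the byte strings in `SAMPLES` are constructed handshakes, not captured traffic, and `audit_host` is written for hosts you are responsible for.

```python
import socket
import struct

# RFB security-type codes (RFC 6143 plus commonly registered extensions).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop"}

def parse_security_types(banner, payload):
    """RFB 3.3 sends one U32 security type; 3.7+ send a U8 count then that many
    U8 codes, a count of 0 meaning failure followed by a length-prefixed reason."""
    if len(banner) != 12 or not banner.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion banner")
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) <= (3, 3):
        return list(struct.unpack("!I", payload[:4]))
    count = payload[0]
    if count == 0:
        (rlen,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + rlen].decode("latin-1", "replace")
        raise ConnectionError("server refused handshake: " + reason)
    return list(payload[1:1 + count])

def classify(sec_types):
    """Return (unauthenticated, names): True when type 1 ('None') is on offer."""
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in sec_types]
    return 1 in sec_types, names

def audit_host(host, port=5900, timeout=3.0):
    """Check a live server you administer: complete only the version exchange,
    read the advertised security types, then disconnect before any auth step."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        s.sendall(banner)  # echo the server's own version string to accept it
        payload = s.recv(1024)
    return classify(parse_security_types(banner, payload))

# Constructed sample handshakes (not captured traffic) covering the three shapes.
SAMPLES = {
    "open":      (b"RFB 003.008\n", b"\x01\x01"),          # 3.8, only None offered
    "protected": (b"RFB 003.008\n", b"\x02\x02\x13"),      # 3.8, VNC auth + VeNCrypt
    "legacy":    (b"RFB 003.003\n", b"\x00\x00\x00\x01"),  # 3.3, single U32 = None
}

def audit_samples():
    return {name: classify(parse_security_types(b, p)) for name, (b, p) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (unauth, names) in audit_samples().items():
        print(name, "UNAUTHENTICATED" if unauth else "requires auth", names)
```

Running the file prints the verdict for the three constructed samples; point `audit_host` at one of your own VNC servers to check it live.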