One moment you're looking at a random person's email or bank account. Another moment you're staring at someone else's Apple TV. Then, here's a family's home smart system, with its virtual controls for lights and air conditioning.All these computers were vulnerable to anyone that stumbled upon them on a website that showcased systems that are connected to the internet and can be accessed remotely. And there was no need to know how to break or hack into them—they were all left wide open. Advertisem*nt
"I hope someone[…] will publish something about this to make people understand this is dangerous. Before bad guys do find this and start f*cking around with our lives."
The site was made earlier this week by a 19-year-old gray hat Moroccan hacker who goes by the name Revolver, who declined to reveal his real name. The hacker has since taken the site down. But when I chatted with him earlier this week, he said his hope was to teach people to be more careful."I hope someone in the [information security] community will publish something about this to make people understand this is dangerous," he said. "Before bad guys do find this and start f*cking around with our lives."
Revolver's work per se isn't that revolutionary. The website Shodan, a sort of Google for internet-connected devices, can be used to find the exact same systems. In the past, other security researchers, such as Dan Tentler, Paul McMillan and Robert Graham, already warned of the dangers of poorly secured systems that can be found online. And during the 2014 Chaos Computer Congress in Germany, some attendees created a short-lived, although recurring, similar website also called VNC Roulette that still lives on as a Twitter account. Advertisem*nt
A redacted page of the now defunct VNC Roulette website, this one showing somebody browsing his Facebook account.
These are the ones Revolver was showcasing on his site. At the same time, however, Revolver didn't just create an automated script to collect all these examples. He told me that at one point he accessed a woman's computer while the person's phone was connected to it, and found explicit pictures of her and her partner having sex. Revolver showed me a screenshot of that folder, and he also showed me screenshots of people browsing their email and even bank and PayPal accounts.For Klijsma, Revolver might be crossing a line, especially because VNC Roulette doesn't just collect people's computers, but also embedded systems that are used to control industrial systems. Advertisem*nt
Another screenshot taken by VNC Roulette, this one showing what looks like a water control system.
"Yes, everyone can find these devices and do what they want," Klijsma said in a chat. "However you don't have to present them with it. If you present 'the good stuff' you are doing the work for them; pointing them directly at—most likely—the things you don't want people with malicious intent to have."On Thursday, Revolver told me he had decided to sell the database of exposed VNCs he had amassed for $30,000 to "some Russian guys" who wanted to use it for their botnet. Minutes later, he took the website down."I hope the community will feel the pain this [sic] guys gonna make when [sic] they their dirty hands on those access's [sic]," he said in a chat.When I asked him if that meant the Russian hackers were going to hack those vulnerable computers, he simply said: "I don't give a f*ck. Tonight I'll get my money and disappear."Update, 25/03/2015, 2:34 p.m. ET: Thewebsite came back online on Friday.
ONE EMAIL. ONE STORY. EVERY WEEK. SIGN UP FOR THE VICE NEWSLETTER.
By signing up to the VICE newsletter you agree to receive electronic communications from VICE that may sometimes include advertisem*nts or sponsored content.
