X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

Pics X-ray equipment, farm machinery, electricity generators. Security cameras, desktops with browsers logged into Facebook, stock inventory software. Sales registers, home alarm equipment ... the list goes on.

All this and more on VNC Roulette: a website that popped up this week to remind us of the kinds of sensitive systems exposed unprotected on the public internet.

VNC lets people share their desktops over networks so they can access software and files from other computers. This is handy if you want to check into your home PC, or some equipment on the other side of a site, while away. Crucially, though, these connections should be secured with passwords and encryption.

And thousands upon thousands of machines aren't.

In the past, we've covered security researchers scanning in the internet for vulnerable public-facing desktops. Dan Tentler tweets interesting VNC sessions he's found from time to time. The Shodan search engine is aware of at least 550,000 things on the internet around the world offering VNC access. Not all of them will use authentication to stop random miscreants wandering in.

VNC Roulette has grabbed screenshots of about 550 examples of insecure remote desktops, revealing people browsing Facebook and email at home to industrial system control panels. This is why when we read that a water treatment plant had been hacked and the mix of chemicals added to tap supplies altered, it was no real surprise.

Some of the snaps date back to 2015, some from this month. Some of the sessions have been shutdown; we've been able to verify a few are still up and running and insecure as ever.

VNC Roulette reappeared today after falling offline shortly after its launch this week. Here are some of our favorite examples – we have others but they contain potentially identifying personal information, and that wouldn't be nice to publish.

An X-ray machine in a facility in Nevada, US

What looks like controls for farm equipment in the US Midwest

Our Mandarin isn't perfect, but this looks like someone's torrenting files in China

A store's CCTV system

Control panel for a college lecture room

We recommend you configure your VNC server to require a password and only accept connections from localhost. Then pipe your desktop connection from the remote server to your computer over SSH, thus encrypting and safeguarding data in transit and adding a layer of secure authentication.

Meanwhile, Shodan reveals there are at least 3.4 million machines offering Windows Remote Desktop connections around the world. Best keep those secure, too. ®