I didn't stitch the images together and didn't try to log in to any of the sites (that would be crossing a line, and simply mapping geographically local, public servers seems harmless). Just flicking through the 7,000-ish screenshots has been pretty fun.
Lots and lots of:
- router admin panels on the WAN interface. Loads of different brands and models
- DVR and NAS units
- HikVision CCTV (like, hundreds of these - I wonder if they're being used at local hospitals or city centre surveillance by the police)
- IIS servers (especially IIS 7)
- 403s (mostly with the IIS default template)
- University department and team websites (there are a few universities in my city so there are lots of these)
Some weird and wonderful personal websites. Lots of one-line jokes just to fill a space on a public server, presumably. A few wikis.
Overall it's been really fun looking at all the servers that are public but just not really indexed, physically surrounding me.
I called the Swedish government agency responsible for the same thing in Sweden and was quickly escalated and ended up with someone who knew what they were talking about. Hours later the page was down.
I suspect this was the correct path since having a foreign national calling about "hacking" a MW power plant might have ended with me in trouble.
It does raise the issue of responsible disclosure. I've approached companies in the past after identifying security flaws and had the whole range of responses. Thanks for telling us, we'll take it from here. Let us reward you for telling us. Let us sue you for hacking us... Now it's safer, if less socially responsible, to stay quiet.
I'm surprised so many of these are internet connected, with their own public IP. No NAT, no VPN, no firewall. I'd expect that on one-off DIY deployments at grocery stores but this was pretty surprising.
In the US, DHS does this for the federal government, as well as some state and private organizations: https://www.us-cert.gov/resources/ncats
You might also like to explore this: https://www.shodan.io/ and if you have some time on your hands this: https://www.kali.org/
The big issue for consumer routers is, admittedly, the shoddy quality of the firmware and the fact that even on the occasion where vulnerabilities are fixed, those releases often do not get installed.
NAT Is Not A Firewall
So the general idea that things will be safe from being behind NAT is more or less wrong, unless you have 100% control over all possible traffic generated from the inner host(s), at which point you could have had it without a firewall more or less. Will your robo-hoover never phone home, never look for Tuesday patches, Java updates, OTA firmwares or talk to some license server or whatever? Then NAT is OK, but if any of this can happen in some situation, then it is "on the internet" even if it started out behind NAT.
It moves a machine along the scale from unreachable closer to unprotected-and-exposed-to-everything even if it's not all the way there.
I'd recommend reading up on the Cuyahoga River, the Clean Water Act, and the formation of the EPA - it's pretty much the same problem. Industry creating problems by abdicating its responsibility, necessitating a legal solution. And enforcing that requires a public institution.
An interesting idea.
What is the minimum viable "superhighway-fitness" of a device?
On the script kiddie level, you had different options. The easiest was simply scanning for public FTPs and IIS IPs and posting those in the member section of whatever forum you were a member of (or in public to get that access). The next level was checking them for vulnerabilities (or in the case of FTPs checking if you had anonymous write access); those lists obviously were worth more. The higher level people would have their high-end servers (usually hacked, fast internet was expensive) and would use server to server transfer to go from their high-value FTP to some lower value FTP or IIS server for normal people to download from.
There was a rather scary talk by Lucas Lundgren at DEF CON 2016 on unauthenticated MQTT ... the things he found exposed were just insane. He also used MASSCAN, a phenomenal tool, which isn't just useful to probe endpoints but also to actually send payloads (with all its performance/speed benefits).
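The exposure that talk describes comes down to broker configuration: a listener on every interface with anonymous clients allowed. The following is an added example, not code from the thread or from the talk, that audits a Mosquitto-style config for those settings from the operator's side. The directive names (`listener`, `allow_anonymous`, `password_file`) are real Mosquitto options; the two config texts are constructed for the demo, and the bind address in the hardened one is an assumed documentation address.

```shell
#!/bin/sh
# Added example: flag the settings that leave an MQTT broker open to anyone.
# Constructed "weak" config: all interfaces, anonymous clients accepted,
# no credentials defined at all.
WEAK_CONF='listener 1883 0.0.0.0
allow_anonymous true'

# Constructed hardened config: bound to one (assumed) internal address,
# anonymous clients refused, password file required for every client.
HARDENED_CONF='listener 1883 192.0.2.10
allow_anonymous false
password_file /etc/mosquitto/passwd'

# mqtt_conf_findings CONFIG_TEXT
# Prints one finding per line and returns non-zero if anything was found.
mqtt_conf_findings() {
  findings=0
  # Drop comments and blank lines so the checks see directives only.
  conf=$(printf '%s\n' "$1" | sed 's/#.*//' | grep -v '^[[:space:]]*$')

  # 1. A listener with no bind address, 0.0.0.0 or :: accepts from every interface.
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*listener[[:space:]]+[0-9]+[[:space:]]*(0\.0\.0\.0|::)?[[:space:]]*$'; then
    echo "listener on all interfaces: broker reachable from any network the host sits on"
    findings=$((findings + 1))
  fi

  # 2. allow_anonymous true lets unauthenticated clients publish and subscribe.
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*allow_anonymous[[:space:]]+true'; then
    echo "allow_anonymous true: unauthenticated clients may publish/subscribe"
    findings=$((findings + 1))
  fi

  # 3. Without a password_file there are no credentials to enforce.
  if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*password_file[[:space:]]+'; then
    echo "no password_file: no client credentials are configured"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Demo run over both constructed configs.
for name in WEAK_CONF HARDENED_CONF; do
  eval "text=\$$name"
  echo "== $name =="
  if mqtt_conf_findings "$text"; then
    echo "no findings"
  fi
done
```

Run it against a real `mosquitto.conf` with `mqtt_conf_findings "$(cat /etc/mosquitto/mosquitto.conf)"`; a broker that must be reachable over the internet should additionally carry TLS settings, which this check does not cover.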
Considering how open, exploitable devices like this represent a significant public risk from their ability to be used to launch attacks on others, it would seem that it is high time for public regulation bureaus with the authority to issue shutdown notices and in extreme cases sequester non-compliant systems. We have radio broadcast regulators that will come physically to a pirate radio station and shut it down. We have registration and inspection systems for vehicles running on public roads to ensure a minimum safety standard. We need to do the same for the public information network.
Synology DiskStation NAS ftpd: 299
What about a state level authority doing these scans, contacting owners, maybe even fining them? That would be like authorities for food safety, etc. It would put pressure on manufacturers because people don't want to buy things that get their owners fined.
Also, piping doesn't mean that cat does all its work and only then will it be passed into wc, cat only acts as a rather tiny buffer.
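The streaming behaviour of a pipe is easy to see directly. This is an added example, not from the thread: a producer that stalls between lines, with the time at which the downstream end receives its first line measured both through a `cat` pipeline and through a temporary file, plus an infinite producer that a `cat | head` pipeline still brings to a halt because `cat` never collects everything before forwarding.

```shell
#!/bin/sh
# Added example: a pipe streams data as it is produced; it does not wait
# for the upstream command to finish.

# Constructed producer: one line now, a 2 s stall, then a second line.
slow_producer() {
  echo "first"
  sleep 2
  echo "second"
}

# Seconds until the consumer gets its first line when streamed through cat.
# With a pipe this is ~0; if cat had to finish first it would be >= 2.
first_line_latency_piped() {
  start=$(date +%s)
  slow_producer | cat | { read -r first; echo $(( $(date +%s) - start )); }
}

# Same measurement with the producer fully drained into a file first:
# the consumer cannot read anything until the producer has finished.
first_line_latency_buffered() {
  start=$(date +%s)
  tmp=$(mktemp)
  slow_producer > "$tmp"
  { read -r first; echo $(( $(date +%s) - start )); } < "$tmp"
  rm -f "$tmp"
}

# An endless producer through cat still terminates: head closes its end
# after 3 lines, cat then dies of SIGPIPE, and so does yes. Returns "3".
pipeline_with_infinite_producer() {
  yes | cat | head -n 3 | wc -l | tr -d ' '
}

echo "piped:    first line after $(first_line_latency_piped) s"
echo "buffered: first line after $(first_line_latency_buffered) s"
echo "infinite producer through cat | head: $(pipeline_with_infinite_producer) lines"
```

The pipe between `cat` and `wc` has a fixed capacity (64 KiB on Linux), so once the reader lags, the writer blocks on `write(2)` rather than buffering further; `cat` therefore only ever holds a small window of the data in flight.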
There are too many to responsibly disclose to the parties affected. Some buildings are so connected one could cause quite some havoc.