[SingCERT] Unsecured Virtual Network Computing (VNC) Configurations

Published on Monday, 23 May 2016 18:30


Virtual Network Computing (VNC) is an open-source desktop sharing technology that enables users to access and control their home computers remotely over the Internet. Examples include enabling remote technical support to critical systems, allowing users to work from home, accessing home surveillance systems remotely from workplace, etc. An unsecured VNC configuration results when users use VNC without a password, thus causing them to be vulnerable to attackers who are constantly scanning the internet for loopholes.

On 29 March 2016, ZDNet published an article to alert readers on how thousands of unsecure remote computers were exposed on the VNC Roulette website. This website displayed a wide range of screenshots of various types of systems that were taken from the unsecured VNC connections, including x-ray scanners, CCTV administrator’s system, server login screens and business transactions or records.

VNC cctv
Image credit: http://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/

How Unsecured VNC Connections Can Be Exploited

exploitation of vnc connections
In this scenario, Bob and Alice used VNC to access their home surveillance system remotely from their workplaces to enable them to regularly check on their elderly mother. Bob installed the VNC Server on a computer connected to the surveillance system and installed a VNC Viewer in his and Alice’s mobile phones. During the VNC installation phase, Bob did not set the password for remote access on the server as he wanted to test if the VNC works. After the system was successfully set up, Bob and Alice were very happy that they could now see how their mother is doing through their mobile phones. Bob had forgotten about the need to set a password.

Meanwhile, an attacker, Eve, carried out a network scan on the Internet for vulnerable computers and discovered the computer that Bob used to install the unsecured VNC. She was able to access the computer remotely and happily took a screenshot of Bob’s home surveillance. To impress her friends, Eve shared the screenshot publicly on the Internet, through a website such as the VNC Roulette Website. (Note: Eve could have carried out a full range of malicious activities such as masquerading as the user to obtain confidential information, since she had access to Bob’s computer and other computers that are on the same network.)

SingCERT Alert

Members of the public are reminded that all VNC server or application cannot be installed without a strong password as this is the most basic protection for users. The request for a password will usually be prompted as part of the installation process for the VNC server.

Recommended Mitigation Measures

SingCERT recommends users the following steps to secure their VNC server(s) and connections:

  1. Adopt the use of strong passwords consisting of at least 8 characters with a combination of alphabets, numbers and symbols. Strong passwords will mitigate password brute-force attempts.

  2. During the installation process, some VNC applications will install itself as a system service by default and will run as long as the computer is turned on. Do remove the VPN application when it is no longer required.

  3. Some VNC applications such as TightVNC can bypass the Windows firewall. Do check the firewall settings to ensure appropriate access controls are provisioned.

  4. To further increase the level of security, users are advised to seek technical assistance if necessary to:

    1. Change the default port numbers (e.g. By default, Port 5800 is used for download requests and Port 5900 is used for connections) that are used in the VNC application so as to avoid revealing it to network scanning attempts

    2. Configure security access to accept only IP addresses known to the user

    3. Establish VNC tunnel connections using encryption

    4. All outbound connections should be logged and monitored to detect attempts of bypassing security restrictions