Gallery: Power Plants and Other Vital Systems Are Totally Exposed on the Internet
01Moldow-System
Equipment at a facility in Mexico appears to have been shut down for a while, based on the red banner at the top of the screen, but that wouldn't necessarily prevent intruders from manipulating the settings. It's unclear what the equipment is, but Moldow, based in Denmark, [makes industrial filter and ventilation systems](http://www.moldow.com/en/) as well as industrial fans.
02Gas-Station
Control panel for a petrol station in India tracks the amount of fuel in storage tanks and includes tabs for the point-of-sale system to record sales transactions. Would-be intruders can learn more about the system's features by [accessing sales literature](www.lsretail.com/files/marketing/brouchures/.net/forecourt_net.pdf) (.pdf) published online.
03Pharmacy
For some reason this pharmacy in Los Angeles was broadcasting its customer prescription records on the internet, a violation of federal HIPPA regulations. An internet scan captured the record of a young woman who had purchased birth control at the pharmacy, exposing her name, address, phone number and birthdate. Researcher Paul McMillan thinks the pharmacy may have been monitoring the computer activity of employees using the remote access program TeamViewer, but then failed to secure the application, allowing anyone else on the internet to view the employee computer screen as well. Contacted by WIRED, the customer said she often filled her prescriptions at three different pharmacies, including one on the University of Southern California campus, and couldn't recall which one she had visited most recently. USC's Office of Compliance told WIRED the IP address did not belong to the university. Although a woman in the compliance office said the university knows the identity of the pharmacy that sold the woman her prescription, her office would not provide the information to WIRED so that the pharmacy could be contacted.
04Casino-Security-Cams
*The view of a casino in the Czech Republic as seen through the surveillance cameras overlooking slot machines and a roulette wheel.*
05Chicago-Metra-Station-Signs
System for monitoring and controlling digital signs at the Irving Park station on Chicago's [Metra rail line](http://metrarail.com/metra/en/home.html). It's unclear if the page would provide access to other controls in the system. WIRED contacted Metra two weeks ago and provided complete information about the unsecured page.
06Bitcoin-Miner
Screenshot of a computer in the United Kingdom taken while the user attempted to log into a bitcoin mining account.
07Hydroelectric
The internet scan found two small hydroelectric plants in New York on the internet that were not secured. The plants supply electricity for the state of New York. WIRED attempted to reach the plants but was unable to connect with anyone to disclose the vulnerability, so the name of the plant in the screenshot has been blurred.
08Email-Patient
Screenshot of a user in California, possibly a worker in a doctor's office, typing an email about a patient. The scan that researcher Paul McMillan conducted searched the internet for any systems with port 5900 enabled. This port is generally used by Virtual Network Computer systems. Many of the systems he found vulnerable had TeamViewer installed on them -- a remote access software that employers sometimes install on systems to track the activity of users. The software had not been password-protected, however, to keep others from also seeing the screen.
09Techni-Cast
Techni-Cast, a foundry located in Los Angeles, had a control system installed for monitoring the generator it uses to produce power for its metal manufacturing processes. The generator is made by a German company, and the control system was set up to allow the German firm a way to monitor the generator's performance from Europe and do troubleshooting. Techni-Cast's systems administrator, Michael Marshall, told WIRED that the monitoring system had TeamViewer installed, but the system was supposed to be protected behind a firewall with authentication. He said the system had recently been upgraded, and the authentication may have been disabled during the upgrade.
10Poland-Home-Surveillance-Cameras
A system for monitoring surveillance cameras and the ventilation system at a home in Poland. The IP address for the computer indicates the home may be in the small town of Giżycko in northeastern Poland. The Whois record for the IP address provided a phone number in Poland, but no email address. The person who answered the phone did not speak English, so WIRED was unable to convey information about the unsecured system.
11Western-Union
Screenshot of a computer in Australia, taken just after someone attempted to conduct a failed Western Union transfer. An icon in the lower right corner shows the person was using a VNC connection at the time the screenshot was captured.
12Creek-Place-Farms
Creek Place Farms is a family-run pig farm owned by Don and Maria Longenecker that specializes in free-roaming, organically fed Berkshire pigs. The control system exposed by Paul McMillan's scan is a German system the farm uses to mix the feed and distribute it to the pigs. Each pig has an RFID chip that the feeder tracks in order to know how much feed the pig has eaten. As each pig enters the feeding tube, the system delivers a portion of food and tracks how long the pig remains in the feeding tube and how much food it consumes. As the pig returns to the feeder throughout the day, more portions are dispensed to the animal until the pig receives all the food allotted for the day. A button at the bottom of the control panel would allow someone to alter the mix of the feed -- changing the recipe to deliver more soy than corn to the animals, for example, or provide too much feed to younger pigs. Maria Longenecker told WIRED that she's so obsessive about the system that she doesn't even allow her husband to access it. The system has TeamViewer installed to allow the German firm to monitor the system remotely and troubleshoot any problems. Longenecker told WIRED that she was alarmed to find out that the system was accessible to anyone online and hadn't been password-protected.
13Point-of-Sale
A point-of-sale system for a drugstore in Colombia. Paul McMillan's scan captured several screens from computers at the store, some with purchasing data exposed.
14Gas-Pipeline-and-Quotes
Screenshot showing the personal desktop of someone who was tracking data on oil and gas pipelines.
15Car-Wash
The scan captured several screens for monitoring and controlling car wash systems.
16Mining-Company-Romania
The monitoring system for a coal mining company in Romania. The panel appears to provide readings for the underground ventilation system, though it's not clear if an intruder could also manipulate the system in some way.
17Bulgarian-Internet-Radio
A screenshot showing what appears to be the control system for an internet radio station in Bulgaria.
