00:00:06:04 00:00:09:20
Increasingly, devices like printers and scanners are
being connected directly to the internet.
 
00:00:09:23 00:00:13:12 
That's all very convenient, but is it safe?
 
00:00:13:15 00:00:18:04
Your mobile, your printer, your hard drive,
everything is connected...
 
00:00:18:07 00:00:19:22
...but it's like Swiss cheese.
 
00:00:20:15 00:00:25:24
Medical files, financial information and
trade secrets: they're all there for the taking.
 
00:00:26:02 00:00:31:09
It's shocking, it should not be allowed.
It's a design flaw.
 
00:00:32:00 00:00:34:14
Is this vulnerability in tens of thousands
of devices...
 
00:00:34:17 00:00:38:00
...compromising
your security and your privacy?
 
00:00:51:08 00:00:54:10
This is the Info Security Fair in Utrecht.
 
00:00:54:13 00:00:58:08
Computer security has become a big concern
for companies and individuals...
 
00:00:58:11 00:01:00:08
As a result, it's also become a big business.
 
00:01:05:14 00:01:08:14
The world's number one producer of computers
and printers is exhibiting here:
 
00:01:08:17 00:01:14:18
Hewlett Packard has
an annual turnover of 127 billion dollars.
 
00:01:14:21 00:01:19:07
How important is safety to HP?
- Very important.
 
00:01:19:10 00:01:25:09
If you look at the market,
storage is a very important...
 
00:01:25:12 00:01:30:04
So storing data.
- Exactly.
 
00:01:30:07 00:01:35:02
Availability, and we want to ensure
a company's continuity.
 
00:01:35:05 00:01:39:07
That makes security
a very important item.
 
00:01:39:10 00:01:43:12
So HP certainly stresses the importance of data security. But the latest domestic HP printers...
 
00:01:43:15 00:01:48:06
...with built-in copiers and scanners,
are available with their newest technology, ePrint;
 
00:01:48:09 00:01:54:16
and HP don't seem to be making the risks involved in using this technology clear to their customers.
 
00:01:54:19 00:01:59:17
What exactly is ePrint?
- Printing from a mobile device.
 
00:01:59:20 00:02:04:11
Simply by sending an e-mail
to the printer...
 
00:02:04:14 00:02:09:24
...you can have it print something,
even when you're not at home.
 
00:02:10:02 00:02:15:06
So if I'm in my hotel abroad,
I can print something at the office.
 
00:02:15:09 00:02:17:06
Because it's connected to the internet.
 
00:02:17:09 00:02:21:09
And I read something
about Webscan as well.
 
00:02:21:12 00:02:24:09
That allows me to scan something online.
- Yes.
 
00:02:25:02 00:02:27:16
Setting up Webscan is simple
with the touch screen interface.
 
00:02:27:19 00:02:32:08
In no time, the printer is wirelessly
connected to our home computer.
 
00:02:39:00 00:02:43:00
HP has taken the hassle out of getting
started with your new printer
 
00:02:43:10 00:02:47:24
With easy wireless setup
and our new wireless direct printing feature
 
00:02:48:05 00:02:51:05
you can give others access to your printer,
even if they're not on your network.
 
00:02:48:00 00:02:50:01
To make all this possible
 
00:02:50:04 00:02:54:19
HP printers and scanners now come
equipped with a so-called web server:
 
00:02:54:22 00:02:58:07
software that makes the device reachable from the internet through a browser.
 
00:02:58:10 00:03:02:02
Unfortunately, these web servers aren't protected.
 
00:03:02:05 00:03:04:18
The password function is disabled by default.
 
00:03:04:21 00:03:08:15
This means anyone is able to connect
to the device.
 
00:03:08:18 00:03:14:06
Only a well-protected router
can then stop hackers.
 
00:03:14:09 00:03:19:17
In most cases, any internet user
from anywhere in the world can reach your printer...
 
00:03:19:20 00:03:23:17
...simply by entering the network address
in a browser.
 
00:03:23:20 00:03:27:23
That would give them access
to the printer and the built-in scanner...
 
00:03:28:01 00:03:30:01
...which could be switched on remotely.
 
00:03:30:04 00:03:33:17
And because people regularly
leave documents loaded into the scanner...
 
00:03:33:20 00:03:40:17
...there's a good chance these hackers will be rewarded for their efforts.
 
00:03:40:20 00:03:44:21
This investigation found
32,000 accessible HP devices.
 
00:03:44:24 00:03:49:07
Over the past weeks, we have been able to start dozens
of scanners remotely...
 
00:03:49:10 00:03:52:19
...and discover sensitive financial data.
 
00:03:52:22 00:04:00:20
Like this letter, saying insurance company
Aegon will pay someone 175,000 euro.
 
 
 
00:04:00:23 00:04:02:21
Simply left in the scanner.
 
00:04:02:24 00:04:06:24
Elsewhere, we discovered a letter
from the bank, containing a new PIN.
 
00:04:07:02 00:04:11:05
The owner of that particular HP device lives and works here, in Sittard.
 
00:04:11:08 00:04:13:10
Is this your PIN?
 
00:04:14:04 00:04:15:24
Yes.
 
00:04:17:02 00:04:20:13
Is this a letter you received
from the Rabobank?
 
00:04:21:03 00:04:22:17
Yes, that's my letter.
 
00:04:23:22 00:04:26:23
Do you have an HP scanner?
- Yes.
 
00:04:27:21 00:04:34:04
And you know it can be used remotely?
- Yes, via HP ePrint.
 
00:04:34:07 00:04:38:16
By anyone in the world, not just you?
- I didn't know that.
 
00:04:38:19 00:04:40:16
But that is the case.
 
00:04:41:19 00:04:44:14
I didn't know that.
- Does that shock you?
 
00:04:44:17 00:04:46:02
In this case, it does.
 
00:04:46:05 00:04:48:16
Tens of thousands
of unprotected scanners have been sold...
 
00:04:48:19 00:04:53:20
...even though HP could easily have given them
password protection in the factory.
 
00:04:53:23 00:04:57:21
Why do you endanger
your customers' privacy and security?
 
00:04:57:24 00:05:02:23
We don't endanger
our customers' privacy.
 
00:05:03:01 00:05:06:16
We discovered this
on one of your printers.
 
00:05:06:19 00:05:09:06
A Rabobank letter containing a PIN.
 
00:05:09:09 00:05:12:11
In someone's home.
And everyone can see it.
 
00:05:12:14 00:05:16:02
Isn't that a huge breach
of people's privacy and security?
 
00:05:16:05 00:05:21:05
That's true. But it's like
when you're selling a car.
 
00:05:21:08 00:05:27:01
To what extent are you then responsible
for what someone does with that car?
 
00:05:27:04 00:05:31:13
You can sell a Ferrari saying: Careful,
you can only go 120 km/h in Holland.
 
00:05:31:16 00:05:34:07
But you can't stop someone going faster.
 
00:05:34:10 00:05:38:07
I'm sure some people at HP said: Don't.
 
00:05:38:10 00:05:43:21
But others only think
about 'time to market'...
 
00:05:43:24 00:05:49:07
...because the competition has a newer
version. 'So let's not get fancy'.
 
00:05:49:10 00:05:55:14
The default setting is no password.
It's up to the consumer to fix that.
 
00:05:55:17 00:06:01:19
The producer says: We build in password
protection, but it's up to you to use it.
 
00:06:01:22 00:06:04:04
But that's outdated.
 
00:06:04:07 00:06:08:15
Information can easily be hacked...
 
00:06:08:18 00:06:11:11
...and companies don't know about it.
 
00:06:11:14 00:06:16:22
So public opinion and cases like these
will force manufacturers...
 
00:06:17:00 00:06:20:24
...to close things off.
Or to at least start a process...
 
00:06:21:11 00:06:25:20
...asking users if they want it open
and if they want a password.
 
00:06:25:23 00:06:29:22
I have that printer's manual here.
It doesn't say anywhere...
 
00:06:30:00 00:06:34:24
...that you have to protect it,
because it's broadcasting to the internet.
 
00:06:35:02 00:06:37:21
Yes.
- That's your manual.
 
00:06:37:24 00:06:40:16
I'm not in charge of the manuals.
 
00:06:40:19 00:06:45:03
I told you about the problem a week ago
and you still don't know.
 
00:06:45:06 00:06:47:03
That's true.
 
00:06:47:06 00:06:50:12
Eireann Leverett is in Luxembourg...
 
00:06:50:15 00:06:53:22
...appearing
at a computer security conference.
 
00:06:54:00 00:06:58:22
Leverett has a Cambridge doctorate
and is now a cyber security consultant.
 
00:06:59:00 00:07:02:16
His main worry is how little concern
the general public shows about these issues.
 
00:07:03:16 00:07:10:12
I think, you know, from my point of view
the biggest danger of these things
 
00:07:10:12 00:07:12:23
is that people don't even realise 
these vulnerabilities
 
00:07:13:00 00:07:15:00
People don't even know that these devices are
capable of doing these things
 
00:07:15:05 00:07:17:00
and how exposed they are.
 
00:07:17:16 00:07:19:25
And again it largely comes down
to economics.
 
00:07:20:00 00:07:24:18
The companies that provide these systems can 
leave them in a default state that is insecure
 
00:07:25:00 00:07:27:10
because the cost of failure is 
not suffered by them.
 
00:07:28:01 00:07:32:23
If you lose your details of your credit card on
a scanner, HP doesn't lose any money
 
00:07:32:24 00:07:35:00
So it's much easier for 
them to let that be your problem.
 
00:07:35:11 00:07:38:06
HP are certainly not the only manufacturer 
guilty of taking these shortcuts.
 
00:07:38:09 00:07:43:20
While Ricoh and Samsung do sell devices that are
protected by usernames and passwords,
 
00:07:43:23 00:07:48:13
the defaults are listed in the manual
and are the same for all devices.
 
00:07:48:15
Reporter: There are also manufacturers who have their password enabled by default, but all the passwords are the same and they can easily be found in the user manual. Is that any better than having no password?
 
00:08:04:12
Not much, yeah, it's basically the same, right? Because people who will take the time to get into the systems will check those passwords; they will find that they are open.
 
00:08:09:17 00:08:13:02
Even if you feel that documents accidentally left 
in the scanner aren't a serious risk...
 
00:08:13:05 00:08:15:16
some printers have an internal memory
 
00:08:15:19 00:08:21:07
which could allow hackers access to the last 100 scans.
 
00:08:22:04 00:08:27:00
This is a feature of Ricoh printers.
Almost 7000 devices are exposed, with sensitive information open to the net.
 
00:08:31:02 00:08:33:21
This is how Ricoh responded to this report:
 
00:08:33:24 00:08:39:00
We know some devices are open,
especially the older models.
 
00:08:39:03 00:08:43:14
If you look further down the line,
to where we're at now...
 
00:08:43:17 00:08:46:02
...it's practically impossible.
 
00:08:46:05 00:08:50:22
What if I have a list
of 7000 accessible Ricoh printers?
 
00:08:51:00 00:08:53:23
That seems like a lot, but it's possible.
 
00:08:54:01 00:08:59:23
When we check, it's a lot more, but
then we're talking about all of Europe.
 
00:09:00:01 00:09:05:02
It's possible. But I can only gain access
if the front door's open.
 
00:09:05:05 00:09:12:11
But if so many customers apparently
don't close that front door...
 
00:09:12:14 00:09:16:22
...does that not make it Ricoh's
responsibility to fix that?
 
00:09:17:00 00:09:20:10
No, because you don't know
why the front door's open.
 
00:09:20:13 00:09:23:11
Brother makes it even easier.
 
00:09:23:14 00:09:27:02
Attempting to access the printer online
presents users with a login screen.
 
00:09:27:05 00:09:31:09
If a user is unsure of the username and password...
 
00:09:31:12 00:09:34:14
...the Japanese printer manufacturer is
kind enough to offer some advice.
 
00:09:34:17 00:09:38:09
If the printer's owner hasn't reset the password manually,
 
00:09:38:12 00:09:41:20
it's simple to log in and take control of the printer.
 
00:09:41:23 00:09:46:07
Isn't that odd? If someone
doesn't know the password...
 
00:09:46:10 00:09:49:08
...the Brother printer then shows
the password.
 
00:09:49:11 00:09:52:06
If that is the case, that would be odd.
 
00:09:52:09 00:09:55:09
But again, what you're telling me...
 
00:09:55:12 00:09:59:12
...that you can access the printer
from the outside, is news to me.
 
00:09:59:15 00:10:04:03
I do know that if users don't set up a
password, there is a standard password...
 
00:10:04:06 00:10:06:18
...and that is 'admin' and 'access',
that's true.
 
00:10:06:21 00:10:09:15
But I'm not aware...
 
00:10:09:18 00:10:16:05
...of it being possible to connect
to our printer from the internet.
 
00:10:17:14 00:10:23:11
All kinds of electronic devices are
connected to the Internet these days.
 
00:10:23:14 00:10:28:01
And their passwords
are in the manual as well.
 
00:10:28:04 00:10:32:24
AVTECH security systems are installed in thousands of European business premises.
 
00:10:33:02 00:10:36:17
They're in bars, warehouses and shops.
 
00:10:36:20 00:10:41:21
And they all have the same default password
and built-in web server.
 
00:10:41:24 00:10:44:24
This is your shop, right?
- Yes, that's me.
 
00:10:45:02 00:10:49:02
I'm surprised you get to watch that.
But all right.
 
00:10:49:05 00:10:51:00
That is what's happening.
 
00:10:52:16 00:10:57:10
How do you feel about that? That
anybody can watch your footage online?
 
00:10:57:13 00:11:02:01
That's not good.
I'm not comfortable with that, no.
 
00:11:02:04 00:11:06:16
Have the cameras ever been useful?
Have you ever caught thieves with them?
 
00:11:06:19 00:11:15:04
Once I was able to watch the footage,
in that case of an 8-year-old boy...
 
00:11:15:07 00:11:21:05
...who put something in his pocket, and I
was able to call him out two weeks later.
 
00:11:21:08 00:11:26:00
A thief could use this
to turn the camera off beforehand...
 
00:11:26:03 00:11:28:08
...so you'd have no video.
 
00:11:29:07 00:11:32:08
That's odd.
 
00:11:32:11 00:11:36:10
That's annoying. He can probably
do the same things I can do.
 
00:11:39:16 00:11:42:04
Good afternoon.
Can I ask you something?
 
00:11:42:07 00:11:44:22
Is this your security camera?
 
00:11:48:12 00:11:51:13
But how did you get these?
 
 
00:11:51:18 00:11:54:01
We're here.
- Yes, I see.
 
00:11:54:04 00:11:56:12
Does that come as a shock?
- It sure does.
 
00:11:56:15 00:12:00:11
It gives me the willies.
- The problem is...
 
00:12:00:14 00:12:05:00
...that a thief or robber can watch along,
and also turn off the recorder.
 
00:12:05:03 00:12:10:07
Sorry, I have no words right now,
and I can't...
 
00:12:10:10 00:12:14:02
I'm completely stunned, really.
 
00:12:14:05 00:12:18:03
Because this isn't meant to happen at all.
 
00:12:18:06 00:12:21:18
We've just checked all the cameras.
 
00:12:21:21 00:12:28:02
You see people protecting themselves,
but losing their privacy...
 
00:12:28:05 00:12:30:05
...in a way they've never considered.
 
00:12:30:08 00:12:33:19
It's a dream come true for burglars.
 
00:12:33:22 00:12:37:10
They can see what's going on,
what kind of security there is.
 
00:12:37:13 00:12:40:18
You're encouraging burglars, really.
 
00:12:40:21 00:12:45:03
Because the light-fingered brigade
are good at monitoring Twitter...
 
00:12:45:06 00:12:48:00
...and these kinds of cameras.
 
00:12:48:03 00:12:52:07
The Dutch importer
of these systems had the following response:
 
00:12:52:10 00:12:56:11
It clearly says in the manual:
change the password.
 
00:12:56:14 00:13:00:20
And if people don't do that,
you get this kind of thing.
 
00:13:00:23 00:13:03:07
People don't know what they're doing.
 
00:13:03:10 00:13:07:13
They install something and think:
That's done, we're safe.
 
00:13:07:16 00:13:10:05
So all those people are idiots?
 
00:13:11:09 00:13:14:08
Can I give you a simple answer? Yes.
 
00:13:14:11 00:13:17:02
If people don't bother to read a manual...
 
00:13:17:05 00:13:20:14
...that clearly says so, in Dutch, English...
 
00:13:20:17 00:13:24:15
...in thirty different languages,
then they're just idiots.
 
00:13:24:18 00:13:29:07
Leaving the 'idiots' behind in Holland:
the Ruhr University in Germany has the biggest
cyber security department in Europe.
 
00:13:33:23 00:13:36:12
Professor Paar is one of 10 professors.
 
00:13:36:15 00:13:40:02
His subject is the security
of peripheral equipment.
 
00:13:40:06 00:13:45:05
We discovered AVTECH cameras
which are accessible with 'admin'.
 
00:13:45:08 00:13:47:08
What is your opinion on that?
 
00:13:47:11 00:13:50:06
It is an outrage.
 
00:13:50:09 00:13:53:23
It is technologically possible to ensure...
 
00:13:54:01 00:13:58:02
...that the standard password
has to be changed...
 
00:13:58:05 00:14:00:21
...or that it's already reasonably safe.
 
00:14:00:24 00:14:05:12
But a common password like 'admin'
should not be possible.
 
00:14:05:15 00:14:07:21
There is no excuse for that.
 
00:14:09:22 00:14:16:01
They're security cameras.
So they should offer security.
 
00:14:16:04 00:14:21:21
Against shoplifting,
or by guarding the perimeter.
 
00:14:21:24 00:14:28:03
Once you manipulate those,
you can bypass security.
 
00:14:28:06 00:14:32:23
A security camera that isn't secure.
- Exactly.
 
00:14:33:11 00:14:39:19
In both Germany and Holland NAS devices
sell well.
 
00:14:39:22 00:14:43:17
NAS stands for Network-Attached Storage. A NAS is usually simply a large hard disk for storing films,
music and back-ups.
 
00:14:43:20 00:14:49:02
Once again, salesmen are reluctant to point out the risks.
 
00:14:49:05 00:14:53:21
Why is a NAS better than
a regular external hard drive?
 
00:14:53:24 00:14:58:23
You connect a NAS to your router,
making it a central memory bank.
 
00:14:59:01 00:15:04:15
Then you can use your laptop, for
example, to watch a video on NAS.
 
00:15:04:18 00:15:08:21
It becomes the central storage
for all your hardware.
 
00:15:08:24 00:15:15:23
So the major advantage is that you have
online access anywhere in the world.
 
00:15:16:01 00:15:19:06
Even with your PC off.
It's connected to the router.
 
00:15:19:09 00:15:21:15
So it's on 24/7.
- If you want.
 
00:15:21:18 00:15:28:09
This is an iomega NAS device. We installed
the accompanying software on our computer.
 
00:15:28:12 00:15:33:14
Astonishingly, the iomega software
does not require us to set a password.
 
00:15:33:17 00:15:36:16
The default security setting is 'off'.
 
00:15:36:19 00:15:41:20
That means the NAS is connected
to the Internet without any protection.
 
00:15:41:23 00:15:43:20
Our research shows...
 
00:15:43:23 00:15:48:24
...that at least 16,000 accessible iomega
NASes are connected to the Internet.
 
00:15:49:02 00:15:53:17
Often, the information they contain is relatively innocuous,
 
00:15:53:20 00:15:56:24
no more revealing than home videos
and holiday pictures.
 
00:15:57:02 00:15:59:09
All fairly innocent.
 
00:15:59:12 00:16:04:14
But confidential information,
that shouldn't be online at all, has also been left unprotected.
 
00:16:04:17 00:16:06:20
This includes confidential medical information
 
00:16:06:23 00:16:11:06
as in the case of the NAS of psychotherapist
Van der Horst in Amsterdam.
 
00:16:11:09 00:16:15:07
He purchased his drive to back-up
patient files.
 
00:16:15:10 00:16:19:17
They are now freely available
to anyone online.
 
00:16:21:10 00:16:25:02
GP Hofman, a family doctor in Amstelveen, has also left her NAS device exposed,
 
00:16:25:05 00:16:31:12
and used it to back up her laptop,
including sensitive patient information.
 
00:16:31:15 00:16:34:12
Shouldn't that kind of data
be well-protected?
 
00:16:34:15 00:16:40:24
Yes. It's even been enshrined in law:
medical data has to be encrypted.
 
00:16:41:02 00:16:49:00
And there the owners, the doctors
themselves, have more of a responsibility.
 
00:16:51:05 00:16:56:08
They probably have IT people taking care
of that kind of thing for them.
 
00:16:56:11 00:17:01:05
And they should make sure
they do that safely.
 
00:17:01:08 00:17:04:22
The psychotherapist
and the GP declined to comment...
 
00:17:05:00 00:17:07:08
...both refusing to appear on camera.
 
00:17:07:11 00:17:15:17
It's different if, for example, you're a
doctor working with patient information.
 
00:17:15:20 00:17:20:21
You could argue that
they should take even better care.
 
00:17:20:24 00:17:27:03
But most doctors probably don't have
that expertise, they're not IT experts.
 
00:17:27:06 00:17:32:03
So they'd probably be surprised to hear
about any security problems.
 
00:17:34:05 00:17:39:05
A company based at Schiphol Airport
also has an open iomega NAS.
 
00:17:39:08 00:17:42:05
It contains an employee passport...
 
00:17:42:08 00:17:45:05
...and confidential correspondence
with the police...
 
00:17:45:08 00:17:49:14
...about obtaining an access pass
to platforms.
 
00:17:51:09 00:17:54:10
The owner of the company was previously based in this office.
 
00:18:02:14 00:18:04:22
Are you in Schiphol-East right now?
 
00:18:05:00 00:18:10:11
No. As of last week,
we've moved to Aalsmeer.
 
00:18:10:14 00:18:12:10
Aalsmeer, right.
 
00:18:13:09 00:18:17:22
You're Nico? Hello. Vincent Verweij,
KRO's Reporter.
 
00:18:18:00 00:18:20:12
Do these documents belong to you?
 
00:18:21:11 00:18:23:07
Yes.
 
00:18:24:13 00:18:30:10
This is the application for a platform pass
for a colleague of yours.
 
00:18:31:10 00:18:34:10
It seems that way, yes.
 
00:18:37:00 00:18:40:13
And is this the passport
of one of your employees?
 
00:18:40:16 00:18:45:08
Are these your tax returns?
- They sure look like them.
 
00:18:45:11 00:18:49:01
How do you think I got these?
- I have no idea.
 
00:18:49:04 00:18:52:11
Do you have an iomega network drive?
- Yes.
 
00:18:52:14 00:18:56:05
It's not protected. So anyone
can get this information.
 
00:18:56:08 00:18:57:20
That's not smart.
 
00:18:57:23 00:19:00:21
Because these are sensitive documents.
 
00:19:00:24 00:19:04:09
I could use them to apply
for a Schiphol platform pass.
 
00:19:04:12 00:19:06:10
Or at least I know how it works now.
 
00:19:08:16 00:19:11:03
Back at Schiphol, KLM has a huge data centre for all
website, corporate and client information.
 
00:19:17:14 00:19:21:18
It's guarded like a fort, with two gates
and a security sluice.
 
00:19:21:21 00:19:27:00
But the data centre's director
has left the gates wide open on his home network,
 
00:19:27:03 00:19:31:17
through an unprotected iomega NAS,
containing confidential information.
 
00:19:31:20 00:19:39:17
It reveals how KLM went wrong
during the 2010 Iceland ash cloud;
 
00:19:39:20 00:19:43:21
contains a presentation that the KLM
director gave to
 
00:19:43:24 00:19:47:21
board members,
when they visited the data centre,
 
00:19:47:24 00:19:51:09
...and reveals confidential investment plans.
 
00:19:51:12 00:19:57:16
You'd expect the director of a data centre
to know how to set a password.
 
00:19:59:24 00:20:02:23
Good morning.
- I'm here for Martin Duin.
 
00:20:12:01 00:20:17:01
Good morning. Can I just ask
what this is about?
 
00:20:17:04 00:20:20:22
You're Mr Martin Duin?
Director of the Data Centre?
 
00:20:21:00 00:20:26:16
Please stop filming. This is ridiculous.
You're not even allowed in.
 
00:20:26:19 00:20:30:12
I don't understand.
- I want to tell you about a data breach.
 
00:20:32:21 00:20:34:14
Are these your documents?
 
00:20:35:15 00:20:39:19
Mr Duin? These are confidential
documents of the KLM.
 
00:20:39:22 00:20:42:23
They're being leaked all over the Internet.
 
00:20:47:10 00:20:50:07
The press officer calls later, to provide a response to this investigation.
 
00:20:50:10 00:20:55:09
This is Joost Ruempol.
- You work for KLM's press office?
 
00:20:55:12 00:20:57:18
Can I come to see you?
 
00:20:59:00 00:21:00:21
What is this all about?
 
00:21:00:24 00:21:03:17
I just want to show you some things...
 
00:21:03:20 00:21:05:15
...to do with a data breach.
 
00:21:05:18 00:21:10:22
I've just tried to inform Martin Duin,
the director of the Data Centre...
 
00:21:11:00 00:21:15:09
...but he wasn't interested in our story.
He walked away.
 
00:21:15:12 00:21:17:21
So now I'd like to show you.
 
00:21:18:18 00:21:21:02
I will call you back.
 
00:21:21:05 00:21:24:03
Unusually, the KLM director's drive...
 
00:21:24:06 00:21:27:04
...also contained internal documents
belonging to ING.
 
00:21:27:07 00:21:32:08
The documents set out ING's emergency procedures
for computer incidents.
 
00:21:32:11 00:21:35:22
So how did KLM obtain these internal ING documents?
 
00:21:36:00 00:21:38:11
I've been in contact with KLM.
 
00:21:38:14 00:21:42:12
They were looking into it as well.
 
00:21:42:15 00:21:49:17
Of course it's important that our data
is dealt with with all due care.
 
00:21:49:20 00:21:53:04
You must not be very happy about this.
 
00:21:53:07 00:21:54:18
Definitely not.
 
00:21:54:21 00:22:02:00
It's important that the information we have
is not public.
 
00:22:02:03 00:22:04:19
But this isn't ING's fault.
 
00:22:04:22 00:22:11:07
Other people haven't closed off
their iomega server.
 
00:22:12:08 00:22:17:13
KLM, who caused the breach,
again does not wish to comment.
 
00:22:19:09 00:22:22:15
KLM isn't the only multinational
leaking data.
 
00:22:22:18 00:22:29:02
Unilever makes ice cream, margarine
and thousands of other products.
 
00:22:29:05 00:22:34:23
An employee's iomega reveals
confidential sales figures:
 
00:22:35:01 00:22:40:17
figures for over 42,000 products, detailing
exactly how many Unilever has sold.
 
00:22:40:20 00:22:43:22
Sensitive information not intended for the eyes of competitors.
 
00:22:44:00 00:22:49:01
We've checked how in the world this
managed to end up on the Internet.
 
00:22:49:04 00:22:52:19
It's not the Unilever network,
but human error.
 
00:22:52:22 00:22:56:22
And now we're investigating
how it's possible...
 
00:22:57:00 00:23:00:05
...that that's now out there,
without a password.
 
00:23:02:07 00:23:07:00
An employee at Ballast Nedam has also inadvertently revealed sensitive information,
 
00:23:07:03 00:23:10:12
leaving confidential plans
exposed...
 
00:23:10:15 00:23:13:16
...contravening company rules.
 
00:23:14:14 00:23:17:12
You're allowed to work at home...
 
00:23:17:15 00:23:21:12
...but not to store data on equipment
not belonging to Ballast Nedam.
 
00:23:21:15 00:23:26:13
So the iomega network drives have
not been bought by the company?
 
00:23:26:16 00:23:26:23
No.
 
00:23:27:01 00:23:31:22
People want things to be easy,
just like at home...
 
00:23:32:00 00:23:35:17
...where you can check everything
on your tablet or phone...
 
00:23:35:20 00:23:40:07
...and access everything. They want
that for company information too.
 
00:23:40:10 00:23:44:09
So they take it home with them.
You almost can't prevent that.
 
00:23:45:07 00:23:49:15
Government information is
even being leaked via iomega drives.
 
00:23:49:18 00:23:53:09
This is the Europol headquarters
in The Hague...
 
00:23:53:12 00:23:57:16
...the international partnership
of European police forces.
 
00:23:57:19 00:24:02:17
Their network contains top secret
information about international investigations...
 
00:24:02:20 00:24:05:13
...on a specially protected intranet.
 
00:24:06:24 00:24:12:06
Europol contracted Orange to set up
the secure network, worth millions.
 
00:24:12:09 00:24:16:20
Unfortunately, an Orange IT professional has been using an iomega NAS device...
 
00:24:16:23 00:24:22:09
...to store hundreds of documents
containing details about the network he helped set up for Europol.
 
00:24:22:12 00:24:25:23
Secret information,
like Europol passwords.
 
00:24:26:01 00:24:30:12
Information that should never have been
on the Internet.
 
00:24:30:15 00:24:35:03
According to Orange, the exposed data
is 'every hacker's dream'.
 
00:24:35:06 00:24:38:21
They can be used to gain access
to Europol.
 
00:24:38:24 00:24:44:15
However, according to Europol's press officer,
it's not as bad as all that.
 
00:25:40:14 00:25:44:16 
The Orange employee responsible for the 
breach remains unavailable for comment.
 
00:25:44:19
Hello, this is Gerald Hesztera from Europol
 
Reporter: Hello. This is Vincent Verweij, from 
KRO television. Did you have a chance to look at
the material?
 
My experts told me Orange has a problem. 
Fortunately we don't have a problem. 
Because this is on a system here which 
is not on the internet, you can't access it
via the internet. You can only access it
if you are a member of the system, meaning 
the agency or Orange. So it's not for the normal 
hacker.
 
00:25:15:00
We have two different systems. This system is 
totally different from our internet system. This
you can't even access from wherever.
 
Reporter: What is your feeling towards Orange now?
 
00:25:27:14
You know, 80% of the data breaches here are not
done because hackers come to us, it's just
because of not taking care of data like this or from
inside jobs; so it's not that we are surprised.
 
00:25:43:02 00:25:46:16
So are iomega able to provide an explanation?
 
00:25:46:19 00:25:51:11
How can so much data just be out there,
unprotected?
 
00:25:51:14 00:25:57:14
I have a list here of 16,000 IP numbers.
 
00:25:57:17 00:26:02:19 
And all those IP numbers have an open,
accessible iomega network drive.
 
00:26:02:22 00:26:08:07
In the entire world?
- Yes. And over 1200 in Holland.
 
00:26:08:10 00:26:12:00
That's a lot. And you were able
to just get at that information?
 
00:26:12:03 00:26:17:04
None of those 16,000 users
had enabled their security?
 
 
00:26:17:07 00:26:22:09
That's not the issue here. The issue is
that iomega didn't enable it.
 
00:26:22:12 00:26:25:17
I understand. I was not aware of this...
 
00:26:25:20 00:26:30:22
...so I'm going to check how that's
possible with the relevant people.
 
00:26:31:00 00:26:35:22
A week later, there still has not been
a response.
 
00:26:36:00 00:26:39:16
This is the iomega head office.
 
00:26:39:19 00:26:41:10
I'm here to see Filip Joly.
 
00:26:41:13 00:26:44:05
Please have a seat.
- Is he in?
 
00:26:44:08 00:26:48:05
Do you have an appointment?
- He knows what it's about.
 
00:26:43:15 00:26:47:09
Mr Joly was going to...
- I'm not him. But nice to meet you.
 
00:26:47:12 00:27:01:23
There is 30,000... No, let me get it right.
There is 30 petabyte, so 30 million...
 
00:27:02:01 00:27:05:14
Just stop. Mr Joly is not here,
and he won't be back.
 
00:27:05:17 00:27:08:02
So there's no point waiting.
 
00:27:08:05 00:27:12:04
We told Mr Joly a week ago
and asked for a response.
 
00:27:12:07 00:27:16:07
Now he's not answering his phone
or responding to e-mails.
 
00:27:16:10 00:27:19:19
I hear you, but the camera is running
and we have no comment.
 
00:27:19:22 00:27:24:21
Then we'll take it higher up.
You're iomega's parent company, right?
 
00:27:24:24 00:27:26:21
I'm sure you know that already.
 
00:27:26:24 00:27:30:10
If he doesn't want to respond, I'll ask you.
 
00:27:30:13 00:27:35:01
Why is 30 million gigabytes worth of
iomega drives exposed on the Internet?
 
00:27:35:04 00:27:36:23
You can ask me all you like...
 
00:27:37:01 00:27:42:09
...but we won't be answering on camera,
based on information that's news to us.
 
00:27:42:12 00:27:44:00
Welcome to voicemail.
 
00:27:44:03 00:27:48:13
Filip Joly.
- Is not available right now.
 
00:27:48:16 00:27:50:21
Mr Joly, KRO's Verweij here.
 
00:27:50:24 00:27:55:16
A week ago, I told you about a huge
security problem with the iomega drives.
 
00:27:55:19 00:27:57:11
You're not in your office.
 
00:27:57:14 00:28:03:14
We would still like to know why 30 million
gigabytes of iomega drives is exposed.
 
00:28:03:17 00:28:07:22
Confidential information
of KLM, Europol, doctors.
 
00:28:08:00 00:28:10:12
Why won't you just respond?
 
00:28:10:15 00:28:13:17
It's shocking. It should not be possible.
 
00:28:13:20 00:28:18:17
It's not due to the negligence or errors
of individual users.
 
00:28:18:20 00:28:23:02
It's part of the system, it's a design flaw.
 
00:28:38:00 00:28:33:03
There are people at iomega who know
all about how this works, security-wise.
 
00:28:33:06 00:28:49:23
The boffins usually warn people: It's
dangerous, we should close the breach.
 
00:28:50:01 00:28:54:07
But Marketing thinks it's too much trouble
to explain all that.
 
00:28:54:10 00:28:57:06
Explaining a feature is a lot of trouble.
 
00:28:57:09 00:29:02:20
So they lose. They'll have to try harder,
to increase security.
 
00:29:02:23 00:29:06:16
Although Iomega's Filip Joly did not become 
available for comment during this 
investigation, his American colleagues 
offered the following official response:
 
00:29:07:00
It was actually great of you to, you know,
discover this, and call out this issue
and the usability issue we have in the product.
For ease of use in the home experience
we make the devices public and we have
the security disabled. What we plan on doing
in the next release is informing the customer
that they have to not only enable security, but
what we plan on doing is making it so we tell them:
"These are your folders that you have exposed,
you know, we will secure them automatically for
you."
 
Reporter:
So basically you are saying you are going to a
default secure state, and if the customer
deliberately wants it unsecured then he has to 
change the settings and make it unsecure.
 
00:29:58:00
Exactly. That's the approach we're going to take
 
00:30:00:08 00:30:05:13 
Iomega's new, secure software version
will be out in February.
 
00:30:05:16 00:30:08:24
Until then, users will have to secure
the device themselves.

 

© 2024 Journeyman Pictures
Journeyman Pictures Ltd. 4-6 High Street, Thames Ditton, Surrey, KT7 0RY, United Kingdom