While several of these were IoT devices which the owners probably didn't realize were online, several were things where it had to be deliberately configured this way, or at least some particular action would have had to have been taken to set it up (though it is likely that a lot of those doing the setups had no idea of the implications of their actions). One of the best examples of this is of a power plant in Italy where:
- The embedded system controlling the gas turbines, which he found in 2016, is managed through a standard (i.e., not real-time) edition of Windows 95
- Someone decided to put a VNC client on it (given that there is no native VNC support in Win95)
- The person who set up the VNC client probably had to deliberately disable password access control (since VNC clients usually default to use a password)
The pizza parlor story is particularly disturbing when you consider the Louise Ogborn case. Or, imagine something like a repeat of WebcamGate in which someone not in the school administration finding out that the webcams were unsecured, and using it to spy on teens for the purpose of making kiddie porn. That should give anyone pause. It is bad enough that the school was spying on the students and lying about it; the prospect of them doing so in a way that left them vulnerable to any prankster or perv shoulder-surfing that spying is horrifying.
But that's small-time compared to the potential for attacks on industrial controllers like the gas turbine mentioned above. He found a web interface to a dam's control system - an interface which included the ability to open the floodgates. The interface? Built in Frontpage of all things. And he mentioned that this had in fact been exploited to cause flooding, before he found it. Twice. And they ignored his warning about it for another year after he reported it.
He also found things like license plate readers, security pass card printers, and government records databases. All with web interfaces, all completely unsecured, often in ways that had to be intentionally made insecure by someone who thought their convenience took priority over every other consideration.