
The Dangers of Open Source VNC-based Software

Eden Jefford | 28 May 2019


Everybody loves a freebie, from a sample of chocolate at the mall to a promotional stress ball, but is it always a good idea? When it comes to sweets and sundries, we’re not going to stop you unless you’re taking them from a stranger in a van, but for software, there might be more risks than you think.

While the “stranger in a van of candy” scenario presents fairly obvious risks, using an open source program with no price tag can seem, on paper, much less dangerous. It does the job you need it for, doesn’t break your budget, and it has glowing reviews from people who greatly appreciate its most attractive feature: not costing any money. What could go wrong? We’ve put together a list of a few good reasons why open source VNC-based software can be a wolf in sheep’s clothing.

Publicity of exploits

Open source at its core means that all the code behind the program is visible to anyone on the internet. This can work out great when bugs arise – lots of passionate eyes on the code means potential issues can be spotted sooner, and therefore patched sooner – but it also carries a very real risk for those using the program. While most people in the community will be focused on improving the software, some will be reading the code specifically to find vulnerabilities they can exploit, and the moment a fix lands in a public repository, the diff tells everyone exactly what was wrong and which unpatched installations are still exposed.

With remote access software in particular, a single exploitable flaw can hand an attacker your whole network without them needing to be anywhere near your computers in person. With closed source (also known as proprietary) software, by contrast, the source code is not published outside the organization that holds the rights to it.

This raises the cost of finding and weaponizing flaws, since not just anyone can scrutinize the code. Think of it like trying to complete a 10,000-piece jigsaw in the dark – it’s still technically possible to do, but it’ll be a lot easier if the light is on! It is worth being clear about what that buys you: closed source is not immune, because attackers can still reverse-engineer binaries and fuzz a listening service, so keeping the source private adds time and effort for an attacker rather than removing the vulnerability itself.


Lack of support

While a community with a broad range of skills and expertise can be great for finding solutions to problems you’re encountering, it can also have its downsides. Unless you have bought a support contract from a vendor, everyone answering questions on a support forum for open source software is a volunteer. They have no obligation to respond to queries, or even to check for new questions in the first place.

This means that you’re fully reliant on the goodwill of the internet to provide support, and when using the software is critical for your business, that can mean not only lost time, but lost revenue too.

With proprietary software, you can pick up the phone, send an email, or use a live chat knowing that a dedicated and highly trained person will get back to you as soon as possible, and do everything they can to help: in fact, helping you solve a problem is literally their job. Additionally, customer service agents are made accountable for the advice they provide – on a forum, an anonymous username can very easily give deliberately wrong or harmful ‘advice’ with no consequences.


Indemnity

Data breaches are unfortunately an ever present risk, and there seems to be a new one in the news every other day. Especially with recent data protection laws, such as the GDPR for those doing business in Europe, the repercussions for such leaks can also be catastrophic.

Open source software is not unowned: its authors hold the copyright, but they release it under licenses such as the GNU General Public License (GPL) that explicitly disclaim any warranty, so there is no company standing behind its security (or lack thereof). If a data breach happens through that software, it’s all on the user, aka you or your business. You would be responsible for any legal or financial impact the leak causes, the fallout of which could be considerable depending on the size of the breach and the sensitivity of the data exposed.

Even if your company has professional indemnity insurance, if you are using software that is not secure and compliant with data protection regulations in your industry, your insurance can be rendered invalid due to willful negligence. Not to mention the reputational damage.


Compliance with industry governance

Compliance is a great concern for many industries, with many having very specific requirements in order to meet the necessary standard, be it HIPAA, PCI-DSS, GDPR, or any other regulatory laws. With records now being almost entirely digital, it is more important than ever for software to comply with industry governance, and not all software is going to fit the bill.

Anyone can modify or fork open source software, and a modified build carries no guarantee of thorough testing or vetting; nor is the software compliant with any particular regulation by default. Bringing it up to standard can mean custom code (skillful coders aren’t cheap!), which eats into the savings of using free software, and a community project with no release schedule can also leave you vulnerable through a lack of updates.

For instance, open source VNC-based software runs on the last publicly released version of the RFB (Remote Frame Buffer) protocol – v3.8, whose specification was last updated in 2010 and later published as RFC 6143. To put it into perspective, RealVNC’s current proprietary version of RFB is v6, released in early 2019.

Technology has moved at lightning speed over the last decade, and regular updates are vital to keeping software secure. Using a highly outdated version of any software can be dangerous when it comes to security, and fines for non-compliance with standards can be considerable. Can you afford to take that risk when you really don’t need to?


Low level of security

Brute force and password-guessing attacks are still the easiest way for attackers to gain access to your accounts and data: many people use short, simple passwords that an automated program can crack in seconds, and the billions of passwords leaked in past breaches give attackers ready-made lists to try.

Using longer and more complex passwords along with multi-factor authentication (2FA/MFA) are the best ways to combat this, but open source VNC-based software that relies on the standard VNC Authentication scheme effectively caps passwords at 8 characters: the password is used directly as a DES key, so any characters beyond the eighth are silently discarded, and there is no native 2FA/MFA. That scheme is also a challenge-response exchanged over an unencrypted connection, so anyone who can observe the traffic can capture it and brute-force the (at most 8-character) password offline. Open source VNC-based software on plain RFB 3.8 does not encrypt any session data, whereas on proprietary software all sessions are now 128/256-bit AES encrypted. This is again down to the outdated version of the RFB protocol mentioned earlier, and is probably the most dangerous part of open source VNC-based software on this list.
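As an added example (not RealVNC’s code, and not taken from any of the open source projects discussed here), the script below shows how to check for the two weaknesses just described on your own servers. The first function parses the ProtocolVersion and SecurityTypes messages that an RFB 3.7/3.8 server sends at the start of every connection and reports whether the server offers any encrypted security type or accepts unauthenticated clients; the second reproduces the key derivation step of VNC Authentication to show that a 25-character password and its first 8 characters are the same credential. The sample handshake bytes are constructed for the example, the function names are mine, and the security-type numbers come from RFC 6143 and the IANA RFB registry.

```python
# Added example for auditing a VNC server's handshake and the VNC
# Authentication password cap. Not RealVNC's code; the handshake bytes
# below are constructed, not captured from a real server.
import re

# Security type numbers from RFC 6143 section 7.1.2 and the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",                # no authentication and no encryption
    2: "VNC Authentication",  # DES challenge-response, no encryption
    5: "RA2",                 # RealVNC RSA/AES
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",           # TLS-based sub-types
}
# Types that negotiate an encrypted channel before any credentials flow.
ENCRYPTED_TYPES = {5, 6, 18, 19}

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def parse_server_handshake(data: bytes) -> dict:
    """Parse the ProtocolVersion + SecurityTypes messages of an RFB 3.7/3.8 server.

    Returns the version, the offered security types, and two flags an auditor
    cares about: whether any offered type encrypts the session and whether the
    server accepts unauthenticated clients.
    """
    m = VERSION_RE.match(data)
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) < (3, 7):
        # RFB 3.3 sends a single U32 security type instead of a list.
        raise ValueError("RFB 3.3 handshake not handled by this parser")
    rest = data[m.end():]
    if not rest:
        raise ValueError("truncated: no SecurityTypes message")
    count = rest[0]
    if count == 0:
        # Server refused the connection; a U32 length and reason string follow.
        reason_len = int.from_bytes(rest[1:5], "big")
        reason = rest[5:5 + reason_len].decode("latin-1")
        return {"version": f"{major}.{minor}", "types": [], "reason": reason}
    types = list(rest[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated SecurityTypes list")
    return {
        "version": f"{major}.{minor}",
        "types": types,
        "names": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "offers_encryption": any(t in ENCRYPTED_TYPES for t in types),
        "allows_unauthenticated": 1 in types,
    }


def vnc_auth_key(password: str) -> bytes:
    """Derive the 8-byte DES key that VNC Authentication (type 2) uses.

    The reference VNC code truncates or zero-pads the password to 8 bytes and
    reverses the bit order within each byte before keying DES. Everything after
    the eighth character never reaches the key, which is the 8-character cap.
    """
    raw = password.encode("latin-1", "replace")[:8].ljust(8, b"\0")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def same_credential(a: str, b: str) -> bool:
    """True when two passwords would be accepted interchangeably by VNC Auth."""
    return vnc_auth_key(a) == vnc_auth_key(b)


# Constructed handshakes: a server offering only VNC Authentication, and one
# that also offers VeNCrypt.
PLAIN_SERVER = b"RFB 003.008\n" + bytes([1, 2])
TLS_SERVER = b"RFB 003.008\n" + bytes([2, 19, 2])

if __name__ == "__main__":
    for name, hs in (("plain", PLAIN_SERVER), ("tls", TLS_SERVER)):
        print(name, parse_server_handshake(hs))
    print(same_credential("correcthorsebatterystaple", "correcthorse"))
```

To run this against a live host, read the first bytes the server sends after you reply with its own version string and pass them to `parse_server_handshake`; a result with `offers_encryption` false and type 2 in the list is the configuration this section is warning about.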

With proprietary remote access software, security features are built in and updated regularly, as security is the biggest concern within the remote access industry. High levels of encryption, complex password capabilities, 2FA/MFA, and rich session permissions are now built in as standard with many paid remote access services, giving you and your company peace of mind you just can’t get with open source.

Not user friendly

Open source projects are primarily built and updated with only developers in mind, so the usability for people less technologically savvy can suffer considerably. From clunky and confusing user interfaces, to complicated installation and setup, they just aren’t designed to be used by the layman.

This can result not only in a poor experience for the user, but also in additional vulnerabilities. With a baffling UI, an inexperienced user could easily end up giving access to unauthorized people, getting stuck in strange glitches, and opening a portal to the underworld, all in a single session.



Open your eyes, not your source!

Consider the total cost of ownership (TCO) rather than the upfront cost – while free is appealing, it could easily end up costing much more than a paid service in the long run. Your business is worth the investment, and the freeware is not worth the possible risks.


