[bluedino]

>> I found 3567 servers that were unprotected.

That's pretty low for scanning the whole internet. Either VNC isn't used that much or I was simply expecting 10 times as many servers.

[allthetime]

I run an unprotected VNC server at home, but its not open to the world because I'm using a router that doesn't expose local ports, like most people.

[iancarroll]

Unprotected VNC servers != all VNC servers, or even weak VNC servers. You could probably brute force into a lot more, but that's definitely illegal.

[achillean]

It is low, Shodan has found more than 10,000 VNC that have disabled authentication:

https://www.shodan.io/search?query=rfb+authentication+disabl...

And there are roughly 550,000 VNC servers on the Internet:

https://www.shodan.io/search?query=rfb