XSS Can Take Down Your IoT Wind Turbine

An anonymous reader writes: ISC-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these portals is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.

Re:Why IoT ?

[Mr+D+from+63]

Most solar panels, even those not connected, have a security flaw. Its called the 'tossed brick' vulnerability. Its hard to believe they have ignored this threat for so long.

Ingenuity over Security == usually wins

[adosch]

The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and sense of coolness to your technical engineering feat, but having new ideas, making cool devices you can interact with over a network/lan/internet unfortunately will always be the lower hanging fruit to becoming even an amateur fly-by-night web/os/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.

It's honestly almost too easy anymore for anyone at any level to grab an Arduino, RPi, some turn-key sensor solutions and with a handful of pre-written code off Github or a blog post, be excited about 'look what I did' while Johnny Hacker owns it and makes it a part of his Botnet network.

Bring back the physical serial port to manage it all, man! Like "more cowbell", we need "more RS-232" ....totally kidding.