XSS Can Take Down Your IoT Wind Turbine

An anonymous reader writes: ISC-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these portals is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.

Re:If your critical stuff is IOT....

[Fire_Wraith]

Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore. You know, places that it's not exactly easy to send a technician out to, in order to do things like change a setting. It's not just about monitoring "while on vacation" - there are often significant distances involved simply due to the sheer nature of these things.

This isn't to say that stuff like remote access doesn't need to be looked at very very hard as to whether it's a valid use case, but you can't simply handwave away the real world factors that are contributing to that executive suggesting it's necessary. If he/she is your boss, you need to be able to state clearly what the concerns are, and figure out a way to present those security concerns as a counterweight - and be prepared that they may not outweigh the cost of physical only access. Hopefully, though, by raising security as a concern, you can at least get it taken into account so as not to be a completely soft target.

Re:If your critical stuff is IOT....

[Lumpy]

Here is some news for you.... Wind farms ARE NOT IOT and monitored from a iphone. They are on their own secured private network that uses secure VPN tunneling through the internet to data centers where the SCADA system controls and monitors them.

Quite hilarious if you think that commercial and industrial uses IOT.