Slashdot Mirror


XSS Can Take Down Your IoT Wind Turbine (softpedia.com)

An anonymous reader writes: ICS-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these portals is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.

1 of 68 comments

  1. Re:Ingenuity over Security == usually wins by Anonymous Coward · Score: 2, Interesting

    People are confusing simple network access with ZOMG TEH INTERNET!. These 'insecure' devices are perfectly fine and dandy if your network design is correct. Tons of IP camera installs on their own little network with only an HTTP\RTSP proxy between them and the local intranet. So Internet VPN Intranet Proxy\DVR insecure cam net. Why would I give a crap about the default password on each local camera at that point?

    To use your RS232 example, imagine the FIELD DAY "hackers" these days would have with such an "insecure" technology without the proper context of where and how it should be used. Unencrypted, ASCII encoded, with no access-control protocol for critical systems?!?!?! THE SKY IS FALLING!