Slashdot Mirror


XSS Can Take Down Your IoT Wind Turbine (softpedia.com)

An anonymous reader writes: ICS-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these turbines is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.


  1. Re:Why IoT ? by Mr+D+from+63 · · Score: 3, Funny

    Most solar panels, even those not connected, have a security flaw. It's called the 'tossed brick' vulnerability. It's hard to believe they have ignored this threat for so long.

  2. Ingenuity over Security == usually wins by adosch · · Score: 3, Funny

    The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and a sense of coolness to your technical engineering feat, but having new ideas, making cool devices you can interact with over a network/LAN/internet unfortunately will always be the lower-hanging fruit to becoming even an amateur fly-by-night web/OS/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.

    It's honestly almost too easy anymore for anyone at any level to grab an Arduino, RPi, some turn-key sensor solutions and with a handful of pre-written code off Github or a blog post, be excited about 'look what I did' while Johnny Hacker owns it and makes it a part of his Botnet network.

    Bring back the physical serial port to manage it all, man! Like "more cowbell", we need "more RS-232" ....totally kidding.

    1. Re:Ingenuity over Security == usually wins by Lumpy · · Score: 2

      IOT movement is based on the highly uneducated that think they are being clever. Then they hire guys that are just as uneducated as them to work on it. Because anyone with a clue will tell them, "Um, that is a bad idea", so they don't hire them.

      --
      Do not look at laser with remaining good eye.
    2. Re:Ingenuity over Security == usually wins by Sique · · Score: 2

      On the other hand: remote control of and communication between infrastructure items is nothing new. The VMEbus ANSI/IEEE 1014-1987 does the same, it just uses no 802.x link layer and no IP protocol.

      --
      .sig: Sique *sigh*
    3. Re:Ingenuity over Security == usually wins by Anonymous Coward · · Score: 2, Interesting

      People are confusing simple network access with ZOMG TEH INTERNET!. These 'insecure' devices are perfectly fine and dandy if your network design is correct. Tons of IP camera installs on their own little network with only a HTTP\RTSP proxy between them and the local intranet. So Internet -> VPN -> Intranet -> Proxy\DVR -> insecure cam net. Why would I give a crap about the default password on each local camera at that point?

      To use your RS232 example, imagine the FIELD DAY "hackers" these days would have with such an "insecure" technology without the proper context of where and how it should be used. Unencrypted, ASCII encoded, with no access-control protocol for critical systems?!?!?! THE SKY IS FALLING!

  3. Hard To Believe by JimSadler · · Score: 2

    Just how can such a thing as a massive, expensive, wind turbine have such a security flaw? Is it penny pinching or just sell it and get it out of here, mentality causing this type of mess?

    1. Re:Hard To Believe by prunus.avium · · Score: 2

      Primarily it's the "I have a hammer. Every problem is a nail." syndrome. HTTP is being used for everything and HTTP is a really bad protocol.

      Okay, HTTP is a pretty good protocol for what it was designed: stateless, plain-text, request/reply with no authentication or encryption. It was designed to be open not locked down.

      The problem is we've been trying to find ways to lock down the protocol and use it in ways far beyond what it was meant for. SSL fixes the encryption problem but it can't fix inherent weaknesses in the protocol itself.

      Now, imagine you have a nifty new device that you decide needs to be on the Internet. What's the simplest way to go? Design a server program that uses the socket interface or just install a web server (Apache, nginx, ...)?

  4. If your critical stuff is IOT.... by Lumpy · · Score: 2

    Then you are a complete idiot. Wind turbine, solar, etc DO NOT NEED any kind of IOT. Let it spit out read-only data to a public-facing web server if you REALLY need to monitor your wind turbine while on vacation. And if you do, then you bought a really shitty turbine.

    Honestly all IOT designers and programmers need to be beaten with a sack of doorknobs until they stop being idiots or have some sense beaten into them. And if you hear any executive talk about IOT, instantly kick them in the groin as hard as you can.

    --
    Do not look at laser with remaining good eye.
    1. Re:If your critical stuff is IOT.... by Fire_Wraith · · Score: 3, Informative

      Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore. You know, places that it's not exactly easy to send a technician out to, in order to do things like change a setting. It's not just about monitoring "while on vacation" - there are often significant distances involved simply due to the sheer nature of these things.

      This isn't to say that stuff like remote access doesn't need to be looked at very very hard as to whether it's a valid use case, but you can't simply handwave away the real world factors that are contributing to that executive suggesting it's necessary. If he/she is your boss, you need to be able to state clearly what the concerns are, and figure out a way to present those security concerns as a counterweight - and be prepared that they may not outweigh the cost of physical only access. Hopefully, though, by raising security as a concern, you can at least get it taken into account so as not to be a completely soft target.

    2. Re:If your critical stuff is IOT.... by Lumpy · · Score: 3, Informative

      Here is some news for you.... Wind farms ARE NOT IOT and monitored from an iPhone. They are on their own secured private network that uses secure VPN tunneling through the internet to data centers where the SCADA system controls and monitors them.

      Quite hilarious if you think that commercial and industrial uses IOT.

      --
      Do not look at laser with remaining good eye.
    3. Re:If your critical stuff is IOT.... by Fire_Wraith · · Score: 2

      No - they should be, but my experience tells me that "should be" isn't always the same as "actually are". Ideally people are following best security practices, but this is the real world, and there are often other factors in the equation that weaken that. If everything on the internet was as secure as marketing tells us it is, and everyone followed best practices, IT security wouldn't be anywhere near as big of a problem as it is.

      I was also talking primarily about remote access, because your original post suggested that these systems need to be "read only". Whether or not you consider it to be IOT or ICS or whatever new buzzword comes into use for a computer hooked to a physical device is largely irrelevant here, because if you need to make a change on that wind turbine, you either need write access remotely, or you're going to have an engineer hopping in a truck or boat to head out to the physical turbine, and that's a problem.

  5. Re:Why IoT ? by KGIII · · Score: 2

    My solar and wind both have a box that displays output, current storage, what's going out over the mains, etc. It has a history and all that. I can connect to it via a browser but I can't do it from outside of my LAN. If the source traffic isn't from within the local network, it's not getting there. Yes, there is a firewall and a NAT router between them and the 'net. Hell, I'm pretty sure one of the settings will let me configure it so that I can only connect to it with a specific IP address and then I still need user/password to view it. I'd also add, I can't actually *do* anything to it from the information panel. That requires that I go down and physically use the controller in the basement.

    So, no... I don't think XSS can take down my wind turbine. It just doesn't seem likely. It might take down somebody else's but the odds of it taking down mine are pretty damned slim. I might not be the most intelligent person on the planet and that's my saving grace. See, I know that I'm not intelligent enough to put it on the internet safely.

    --
    "So long and thanks for all the fish."