XSS Can Take Down Your IoT Wind Turbine (softpedia.com)
An anonymous reader writes: ICS-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these turbines is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.
Most solar panels, even those not connected, have a security flaw. It's called the 'tossed brick' vulnerability. It's hard to believe they have ignored this threat for so long.
The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and a sense of coolness in your technical engineering feat, but having new ideas and making cool devices you can interact with over a network/LAN/Internet will unfortunately always be the lower-hanging fruit compared to becoming even an amateur fly-by-night web/OS/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.
It's honestly almost too easy anymore for anyone at any level to grab an Arduino, an RPi and some turn-key sensor solutions and, with a handful of pre-written code off GitHub or a blog post, be excited about 'look what I did' while Johnny Hacker owns it and makes it part of his botnet.
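The summary says the turbine's web admin portal reflects attacker-controlled input, which is the classic shape of a reflected XSS bug. The following is an added illustration, not code from XZERES, ICS-CERT or the original submission: a minimal status-page handler that echoes two query parameters, once the vulnerable way and once hardened. The parameter names (`id`, `label`), the id format and the sample query strings are all constructed assumptions for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed query strings standing in for requests to a hypothetical
# turbine admin portal. The endpoint, parameter names and id format are
# assumptions made for this example, not taken from the real device.
BENIGN_QUERY = "id=WT-442SR-07&label=North%20ridge"
XSS_QUERY = "id=WT-442SR-07&label=<script>alert(document.cookie)</script>"
BAD_ID_QUERY = "id=<img src=x onerror=alert(1)>&label=x"

# Allow-list for the structured field: letters, digits, '-' and '_' only.
DEVICE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def _params(query_string: str) -> tuple[str, str]:
    """Extract the (assumed) 'id' and free-text 'label' parameters."""
    qs = parse_qs(query_string)
    return qs.get("id", [""])[0], qs.get("label", [""])[0]


def render_status_vulnerable(query_string: str) -> str:
    """Reflected XSS: untrusted input is interpolated straight into HTML.
    An operator who opens a crafted link runs the attacker's script inside
    the portal's origin, with the operator's own session."""
    device_id, label = _params(query_string)
    return f"<h1>Turbine {device_id}</h1><p>Label: {label}</p>"


def render_status_fixed(query_string: str) -> str:
    """Hardened version, two layers:
    1. the structured id must match an allow-list or the request is
       rejected without echoing the bad value at all;
    2. the free-text label is HTML-escaped for the text-node context it is
       rendered in, so it can only ever appear as literal text."""
    device_id, label = _params(query_string)
    if not DEVICE_ID_RE.fullmatch(device_id):
        return "<h1>Invalid turbine id</h1>"
    safe_label = html.escape(label, quote=True)
    return f"<h1>Turbine {device_id}</h1><p>Label: {safe_label}</p>"


def contains_active_markup(rendered_html: str) -> bool:
    """Crude check used by the test: does the page still carry an unescaped
    script tag or event-handler attribute?"""
    lowered = rendered_html.lower()
    return "<script" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    for q in (BENIGN_QUERY, XSS_QUERY, BAD_ID_QUERY):
        print("vulnerable:", render_status_vulnerable(q))
        print("fixed:     ", render_status_fixed(q))
```

Escaping must match the output context: `html.escape` is right for text nodes and quoted attributes, but a value dropped into a JavaScript block or a URL needs that context's encoding instead. A `Content-Security-Policy` header without `unsafe-inline` is a worthwhile second layer, but it does not replace fixing the reflection.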
Bring back the physical serial port to manage it all, man! Like "more cowbell", we need "more RS-232" ....totally kidding.
Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore. You know, places that it's not exactly easy to send a technician out to, in order to do things like change a setting. It's not just about monitoring "while on vacation" - there are often significant distances involved simply due to the sheer nature of these things.
This isn't to say that stuff like remote access doesn't need to be looked at very very hard as to whether it's a valid use case, but you can't simply handwave away the real world factors that are contributing to that executive suggesting it's necessary. If he/she is your boss, you need to be able to state clearly what the concerns are, and figure out a way to present those security concerns as a counterweight - and be prepared that they may not outweigh the cost of physical only access. Hopefully, though, by raising security as a concern, you can at least get it taken into account so as not to be a completely soft target.
Here is some news for you.... Wind farms ARE NOT IoT and are not monitored from an iPhone. They are on their own secured private network that uses secure VPN tunneling through the Internet to data centers where the SCADA system controls and monitors them.
Quite hilarious if you think that commercial and industrial operations use IoT.
Do not look at laser with remaining good eye.