Things you should not connect to the Internet, Part LXXIII: Wind Turbines

The "Internet of Things" is mostly a bad idea being pushed by companies that want to control your stuff and snoop on you. Very few systems with physical actuators or sensors should be accessible from the public internet -- maybe an intranet at best. Here's a great example of why.

Script Kiddies Can Now Launch XSS Attacks Against IoT Wind Turbines (softpedia)

After presenting the case of a gas detector that had two critical issues in its firmware, a recent ICS-CERT advisory has now drawn our attention to the XZERES 442SR, a smart wind turbine that comes equipped with a Web-based administration panel.

According to the ICS-CERT advisory, this administration panel is vulnerable to XSS (cross-site scripting) attacks that allow even the lowest-skilled hacker to take advantage of them....

...

By exploiting this attack point, hackers can lower the turbine's efficiency, indirectly cutting electrical power to the systems in accordance with its power output. Depending on what kind of systems are connected to the turbine, this can be a nuisance but can also cause a loss of sensitive equipment or even human life.

Script kiddies rejoice, an IoT hack that's n00b-friendly

While ICS-CERT and the manufacturer say that there have been no attacks carried out by this technique until now, the expertise needed to exploit this flaw is at an entry level for any InfoSec researcher.
