Things you should not connect to the Internet, Part LXXIII: Wind Turbines

Posted on: Wed, 12/09/2015 - 14:26 By: Tom Swiss

The "Internet of Things" is mostly a bad idea being pushed by companies that want to control your stuff and snoop on you. Very few systems with physical actuators or sensors should be accessible from the public internet -- maybe an intranet at best. Here's a great example why.

Script Kiddies Can Now Launch XSS Attacks Against IoT Wind Turbines (softpedia)

After presenting the case of a gas detector that had two critical issues in its firmware, a recent ICS-CERT advisory has now drawn our attention to the XZERES 442SR, a smart wind turbine that comes equipped with a Web-based administration panel.

According to the ICS-CERT advisory, this administration panel is vulnerable to XSS (cross-site scripting) attacks that allow even the lowest-skilled hacker to take advantage of them....

...

By exploiting this attack point, hackers can lower the turbine's efficiency, indirectly cutting electrical power to the systems in accordance with its power output. Depending on what kind of systems are connected to the turbine, this can be a nuisance but can also cause a loss of sensitive equipment or even human life.

Script kiddies rejoice, an IoT hack that's n00b-friendly

While ICS-CERT and the manufacturer say that there have been no attacks carried out by this technique until now, the expertise needed to exploit this flaw is at an entry level for any InfoSec researcher.