XSS Can Take Down Your IoT Wind Turbine (softpedia.com)
An anonymous reader writes: ICS-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these turbines is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.
Why IoT? (Score:1)
Now solar arrays require Internet connectivity. What happens when that company flames out, and your 25K USD investment sits there with a 00:00 blinking on its clock?
None of this needs connectivity. Too many Millennials.
Re:Why IoT? (Score:4, Funny)
Re: (Score:2)
That probably won't bring down the entire array though; just reduce its output slightly. Plus, "tossing bricks" requires a physical presence (I don't think any commercially available drones can carry bricks yet, although if people start stealing Amazon drones, I guess they will...) so has much higher risk.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
My solar and wind both have a box that display output, current storage, what's going out over the mains, etc. It has a history and all that. I can connect to it via a browser but I can't do it from outside of my LAN. If the source traffic isn't from within the local network, it's not getting there. Yes, there is a firewall and a NAT router between them and the 'net. Hell, I'm pretty sure one of the settings will let me configure it so that I can only connect to it with a specific IP address and then I still
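The comment above describes two layers: a firewall/NAT that keeps outside traffic away, and a device setting that restricts access to the LAN or to one specific address. The following is an added example, not the commenter's setup or any vendor's code, of enforcing that same source-address rule inside a hypothetical monitoring dashboard as a second layer beside the firewall. The allowlists, the WSGI `dashboard` app and the `call` helper are all constructed for illustration.

```python
import ipaddress
from typing import Iterable

# Constructed policy: the hypothetical monitoring box answers only to these
# source networks. The RFC 1918 ranges model "inside the LAN"; the single
# /32 models the "only from one specific IP address" setting.
LAN_ONLY = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SINGLE_HOST = ["192.168.1.50/32"]


def build_allowlist(cidrs: Iterable[str]):
    """Parse CIDR strings once at startup into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def source_allowed(remote_addr: str, allowlist) -> bool:
    """True only when remote_addr falls inside an allowed network.
    Anything unparsable is rejected, so the check fails closed.
    An IPv6 source never matches an IPv4 network (and vice versa)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def lan_only_middleware(app, allowlist):
    """WSGI wrapper: answer 403 before the dashboard app sees the request.
    REMOTE_ADDR is the peer address as seen by this server; behind a reverse
    proxy it would be the proxy, so this belongs on the device itself."""
    def wrapped(environ, start_response):
        if not source_allowed(environ.get("REMOTE_ADDR", ""), allowlist):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return app(environ, start_response)
    return wrapped


def dashboard(environ, start_response):
    """Stand-in for the real output/history page (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"output: 3.2 kW\n"]


def call(app, remote_addr: str) -> str:
    """Drive a WSGI app once and return its status line (test helper)."""
    status = {}

    def start_response(s, headers):
        status["line"] = s

    list(app({"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET"},
             start_response))
    return status["line"]


if __name__ == "__main__":
    lan_app = lan_only_middleware(dashboard, build_allowlist(LAN_ONLY))
    print("192.168.1.20 ->", call(lan_app, "192.168.1.20"))
    print("8.8.8.8      ->", call(lan_app, "8.8.8.8"))
```

The application-layer check does not replace the firewall and NAT the commenter relies on; it catches the case where the box is accidentally exposed (port forward, UPnP, a flat guest network) and gives the device a policy that survives a change of router.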
Comment removed (Score:4, Funny)
Re: (Score:3)
IOT movement is based on the highly uneducated that think they are being clever. Then they hire guys that are just as uneducated as them to work on it. Because anyone with a clue will tell them, "Um, that is a bad idea," so they don't hire them.
Re: (Score:2)
FTFY. There's a difference between value and cost, and most of the time the only thing people think about is cost.
Re: (Score:2)
You can't unhire them when you make sure you only hire people that blindly agree and follow to begin with.
Re: (Score:3)
Re: (Score:2, Interesting)
People are confusing simple network access with ZOMG TEH INTERNET!. These 'insecure' devices are perfectly fine and dandy if your network design is correct. Tons of IP camera installs on their own little network with only an HTTP\RTSP proxy between them and the local intranet. So Internet -> VPN -> Intranet -> Proxy\DVR -> insecure cam net. Why would I give a crap about the default password on each local camera at that point?
To use your RS232 example, imagine the FIELD DAY "hackers" these days would have with such a
Re: (Score:2)
Like a zillion other hacks, the probability of an attack is perhaps low.
The probability increases when you get a payload as a .jar or zip or whatever in an email that drops a json or REST sequence onto your network, taking down an industrial control set-- in this case instructions to do stupid stuff-- to gear you or your company owns.
The important conclusion for this is that people are turning out super-crap code, and although various protections might help, most civilians don't know what those protections
Re: (Score:2)
The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and sense of coolness to your technical engineering feat, but having new ideas, making cool devices you can interact with over a network/lan/internet unfortunately will always be the lower hanging fruit to becoming even an amateur fly-by-night web/os/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.
I would agree with you for most consumer applications like an IoT refrigerator. In the case of wind turbines, it is somewhat vital to be on a network. For example, controlling the turbines to change directions as wind conditions change. Some of them are located in remote areas and they do require maintenance. Signalling that maintenance may need to be performed via a network as opposed to a worker having to climb up each turbine periodically to figure out if there is something wrong.
Re: (Score:2)
Yes, a lot of things just want to be able to report if they are malfunctioning or not. Once you do that though you end up with feature creep. Now they want to know turbine temperature every minute with less than a minute lag over a PLC link.
Re: (Score:2)
The problem is that there are really good reasons for IoT stuff, and yet all of the hype is over stuff that's utterly irrelevant. Consumer IoT is just stupid in my mind, and most of that stuff isn't really IoT if it's just a bluetooth connection to a phone but everyone wants to slap on that label. But IoT has been around a long time, for things like smart meters, traffic cameras, and so forth. Back in the 80s I had a job interview for devices that were meant to be put in the middle of nowhere that would
Hard To Believe (Score:3)
Re: (Score:2)
FTFY. There is no shortage of STEM workers, there is a shortage of STEM employers that are willing to pay market salaries. They'd rather go without an engineer than pay one enough to support themselves.
Re: (Score:2)
These are small turbines, 10kW for running your cabin or ranch, not the big boys you see strung out on mountains and oceans. They cost around $40k.
Still unacceptable, but I suspect the monitoring controller was wanged on with a hammer using an off-shelf SoC controller and some Linux OS kit with a design wizard.
Re: (Score:2)
> Is it penny pinching or just sell it and get it out of here
OR, not XOR, of course, so yes. Secure & fast is expensive. Secure and slow can be cheaper. Insecure and cheap tends to be fast.
But the root cause is that the manufacturers have little downside to doing this. Each wronged individual has no financial incentive to seek restitution due to the legal fees involved, and class actions are a load of horseshit. Iceland used marketable torts for about four hundred years (the wronged gets a sma
Re: (Score:2)
Primarily it's the "I have a hammer. Every problem is a nail." syndrome. HTTP is being used for everything and HTTP is a really bad protocol.
Okay, HTTP is a pretty good protocol for what it was designed: stateless, plain-text, request/reply with no authentication or encryption. It was designed to be open not locked down.
The problem is we've been trying to find ways to lock down the protocol and use it in ways far beyond what it was meant for. SSL fixes the encryption problem but it can't fix inherent we
Re: (Score:2)
Which TCP Protocol is the wrong network layer to point the finger at. Creating a socket interface is not inherently more secure and just adds labor hours to creating the UI. Badly formed authentication is one angle to attack with. The other is having the thing only remotely accessible when it joins itself to a VPN - which takes a lot of the security burden off yourself. Because there is no reason to have it open to the public Internet directly.
Re: (Score:1)
> The other is having the thing only remotely accessible when it joins itself to a VPN
Sure. There are a number of ways to lock down the access before the HTTP traffic with firewalls or TLS and certificate validation. But the point of IoT is that users will have these things in their homes connected to their home internet connection. Joe User generally has no clue about setting up a firewall and I'm not sure he should be expected to.
Your way puts an extra burden on Joe User. I want that extra burden placed on the IoT developers so Joe User can still have - as ESR put it - the luxury of ig
Re: (Score:2)
You have to set up your firewall to have an inbound HTTP port too. The dummy-proof way is to go the Nest route - which is a method I hate - and that's outbound connections only and everything is managed by a central server. It means your device is dead when/if the company goes under.
Re: (Score:1)
Re: (Score:2)
If your critical stuff is IOT.... (Score:3)
Then you are a complete idiot. Wind turbine, solar, etc DO NOT NEED any kind of IOT. Let it spit out read-only data to a public-facing web server if you REALLY need to monitor your wind turbine while on vacation. And if you do, then you bought a really shitty turbine.
Honestly all IOT designers and programmers need to be beaten with a sack of doorknobs until they stop being idiots or have some sense beaten into them. And if you hear any executive talk about IOT, instantly kick them in the groin as hard as you can.
Re:If your critical stuff is IOT.... (Score:4, Informative)
This isn't to say that stuff like remote access doesn't need to be looked at very very hard as to whether it's a valid use case, but you can't simply handwave away the real world factors that are contributing to that executive suggesting it's necessary. If he/she is your boss, you need to be able to state clearly what the concerns are, and figure out a way to present those security concerns as a counterweight - and be prepared that they may not outweigh the cost of physical only access. Hopefully, though, by raising security as a concern, you can at least get it taken into account so as not to be a completely soft target.
Re:If your critical stuff is IOT.... (Score:4, Informative)
Here is some news for you.... Wind farms ARE NOT IOT and monitored from an iPhone. They are on their own secured private network that uses secure VPN tunneling through the internet to data centers where the SCADA system controls and monitors them.
Quite hilarious if you think that commercial and industrial use IOT.
Re: (Score:3)
I was also talking primarily about remote access, because your original post su
Re: (Score:2)
Isn't that a semantic difference? Sure, you'll throw a little embedded firewall in front - almost certainly with VPN. But it's not as if those little firewalls haven't had vulnerabilities, and the windmill itself is still a "thing" on the internet.
Re: (Score:2)
> Here is some news for you.... Wind farms ARE NOT IOT and monitored from an iPhone.
Oh boy are you going to be disappointed when you find out what SCADA companies are pushing right now.
Re: (Score:2)
> Wind farms ARE NOT IOT
Buzzwords become meaningless. "The cloud" is just anything that's not on your LAN. It doesn't necessarily even mean virtualization technology is in use.
Re: (Score:2)
They call it IoT even if it's on a private network. It happens to use IPv4/IPv6 so it's "internet" as far as executives are concerned. Some part of the back haul link may be on the actual internet as well.
The problem is that "IoT" is a poorly defined concept.
Re: (Score:2)
Addendum, in some places there is not good connectivity but there happens to be cellular data coverage so an expensive phone plan may be used to get data from a device to the back office. Of course there's security. But a lot of companies want to get rid of expensive leased telephone lines and choose something slightly less expensive.
Re: (Score:2)
Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore.
These vulnerable turbines aren't even utility scale like you are picturing. These are backyard farm turbines and the like. Those turbines do use secure interfaces and protected networks. But hey, let's shit on the IoT because one small-time vendor screwed up.
Re: (Score:2)
Even with these security problems, in a "real" wind farm and not the item in this discussion (which is smaller, intended for a home type) you would network all these together and have access only via VPN per farm area.
Still does not excuse the problem of inadequate security, but direct access to internet from a large wind turbine would be a no-no for sure.
Re: (Score:2)
> Wind turbine, solar, etc DO NOT NEED any kind of IOT.
What the hell is IoT? If you're talking about some kids toys with a funky web interface then yes you don't need that. If you're talking about remote network based control and data feedback then you've just mentioned the few things that most definitely do need that kind of functionality.
Re: (Score:2)
That's just subjective feelings on what the name means. I would consider the Nest thermostat to be an IoT device, but it has no open ports to the Internet. It has an outbound HTTP connection to the manufacturer's servers. And yes, there are plenty of problems with that setup, including the possible future of an already purchased product just going dead one day due to no longer being supported.
Cloud computing just means a server on the Internet - though plenty of people imbue it with all sorts of ideas abo
Re: (Score:2)
Because it is amazingly expensive to send a union technician on a 100 mile road to see if the turbine is still spinning or not. I work with smart meters, and electric utilities get really annoyed if they have to send a tech out to look at a meter that's only a couple miles away.
csrf not xss (Score:1)
The bug report states it is a Cross-site request forgery vulnerability, not xss:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0985
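The distinction the comment draws matters for the fix: XSS is the portal echoing attacker-controlled markup, whereas CSRF is the portal accepting a state-changing request merely because the operator's browser attached the session cookie. The following is an added illustration, not XZERES code and not taken from the advisory, of a hypothetical turbine admin action written both ways: one handler that trusts the cookie alone, and one that also requires a per-session token and a matching Origin. The session store, `SETTINGS`, `PORTAL_ORIGIN`, the `Request` class and the two sample requests are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed in-memory state for a hypothetical turbine admin portal.
SESSIONS = {"sess-abc": {"user": "admin", "csrf": secrets.token_urlsafe(32)}}
SETTINGS = {"shutdown": False}
PORTAL_ORIGIN = "https://turbine.example"   # hypothetical portal origin


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def session_for(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def set_shutdown_vulnerable(req: Request) -> int:
    """Checks only that a valid session cookie rode along. A browser sends
    that cookie automatically, so a form submitted from a page on some other
    origin looks identical to the operator's own click: the CSRF pattern."""
    if req.method != "POST" or session_for(req) is None:
        return 403
    SETTINGS["shutdown"] = req.form.get("shutdown") == "1"
    return 200


def set_shutdown_hardened(req: Request) -> int:
    """Same action, but additionally requires (1) a per-session token that
    only a page served by this origin could have read, compared in constant
    time, and (2) an Origin (or Referer) header matching the portal itself."""
    if req.method != "POST":
        return 405                      # state changes never ride on GET
    sess = session_for(req)
    if sess is None:
        return 403
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), sess["csrf"].encode()):
        return 403
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != PORTAL_ORIGIN:
        return 403
    SETTINGS["shutdown"] = req.form.get("shutdown") == "1"
    return 200


def cross_site_request() -> Request:
    """What the portal receives when the operator's logged-in browser submits
    a form hosted on an unrelated site (constructed sample)."""
    return Request("POST", cookies={"session": "sess-abc"},
                   form={"shutdown": "1"},
                   headers={"Origin": "https://other-site.example"})


def legitimate_request() -> Request:
    """The same action submitted from the portal's own page, token included."""
    return Request("POST", cookies={"session": "sess-abc"},
                   form={"shutdown": "1",
                         "csrf_token": SESSIONS["sess-abc"]["csrf"]},
                   headers={"Origin": PORTAL_ORIGIN})


if __name__ == "__main__":
    print("vulnerable, cross-site:", set_shutdown_vulnerable(cross_site_request()))
    print("hardened,   cross-site:", set_shutdown_hardened(cross_site_request()))
    print("hardened,   legitimate:", set_shutdown_hardened(legitimate_request()))
```

Two further layers fit the same handler without code changes here: marking the session cookie `SameSite=Lax` or `Strict` so the browser withholds it on cross-site POSTs, and refusing the action outright when neither Origin nor Referer is present rather than treating a missing header as benign.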
Some things should not be on the open Internet (Score:1)
Insecure device directly accessible from the open Internet? BAD.
If that device can be programmed to hurt or kill someone or take away a critical service, VERY BAD.
Insecure device sitting comfortably behind a dedicated security device whose only job is to protect the one insecure device? POSSIBLY OKAY for an at-home-save-buying-electricity-from-the-evil-power-company wind turbine but probably insufficient for industrial equipment or for your home-nuclear-bunker wind turbine.
Insecure device on a private netw