Security

XSS Can Take Down Your IoT Wind Turbine (softpedia.com) 68

An anonymous reader writes: ICS-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these portals is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.
  • by Anonymous Coward

    Now solar arrays require Internet connectivity. What happens when that company flames out, and your 25K USD investment sits there with a 00:00 blinking on its clock?

    None of this needs connectivity. Too many Millennials.

    • by Mr D from 63 ( 3395377 ) on Wednesday December 09, 2015 @09:36AM (#51087715)
      Most solar panels, even those not connected, have a security flaw. It's called the 'tossed brick' vulnerability. It's hard to believe they have ignored this threat for so long.
      • That probably won't bring down the entire array though; just reduce its output slightly. Plus, "tossing bricks" requires a physical presence (I don't think any commercially available drones can carry bricks yet, although if people start stealing Amazon drones, I guess they will...) so has much higher risk.

        • Even though this whole branch of the replies is in jest, there are many drones available that can carry a brick. Specifically getting one designed to carry and drop something may reduce the field of available options, but still there and commercially available. Still...requires relatively (compared to internet) close physical presence.
    • These items don't need WAN access, they really just need LAN access, though to most people that's the same thing. It's a lot easier if I can remotely check the status and health of the turbine from the ground rather than having to climb a tower and plug in a USB cable.
      • by KGIII ( 973947 )

        My solar and wind both have a box that display output, current storage, what's going out over the mains, etc. It has a history and all that. I can connect to it via a browser but I can't do it from outside of my LAN. If the source traffic isn't from within the local network, it's not getting there. Yes, there is a firewall and a NAT router between them and the 'net. Hell, I'm pretty sure one of the settings will let me configure it so that I can only connect to it with a specific IP address and then I still

  • by adosch ( 1397357 ) on Wednesday December 09, 2015 @09:49AM (#51087761)

    The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and sense of coolness to your technical engineering feat, but having new ideas, making cool devices you can interact with over a network/lan/internet unfortunately will always be the lower hanging fruit to becoming even an amateur fly-by-night web/os/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.

    It's honestly almost too easy anymore for anyone at any level to grab an Arduino, RPi, some turn-key sensor solutions and with a handful of pre-written code off Github or a blog post, be excited about 'look what I did' while Johnny Hacker owns it and makes it a part of his Botnet network.

    Bring back the physical serial port to manage it all, man! Like "more cowbell", we need "more RS-232" ....totally kidding.

    • by Lumpy ( 12016 )

      IOT movement is based on the highly uneducated that think they are being clever. Then they hire guys that are just as uneducated as them to work on it. Because anyone with a clue will tell them, "Um, that is a bad idea" so they don't hire them.

      • by BVis ( 267028 )

        Because anyone with a clue will want fair compensation so they don't hire them.

        FTFY. There's a difference between value and cost, and most of the time the only thing people think about is cost.

    • by Sique ( 173459 )
      On the other hand: remote control of and communication between infrastructure items is nothing new. The VMEbus ANSI/IEEE 1014-1987 does the same, it just uses no 802.x link layer and no IP protocol.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      People are confusing simple network access with ZOMG TEH INTERNET!. These 'insecure' devices are perfectly fine and dandy if your network design is correct. Tons of IP camera installs on their own little network with only a HTTP\RTSP proxy between them and the local intranet. So Internet VPN Intranet Proxy\DVR insecure cam net. Why would I give a crap about the default password on each local camera at that point?

      To use your RS232 example, imagine the FIELD DAY "hackers" these days would have with such a

      • Like a zillion other hacks, the probability of an attack is perhaps low.

        The probability increases when you get a payload as a .jar or zip or whatever in an email that drops a json or REST sequence onto your network, taking down an industrial control set-- in this case instructions to do stupid stuff-- to gear you or your company owns.

        The important conclusion for this is that people are turning out super-crap code, and although various protections might help, most civilians don't know what those protections

    • The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and sense of coolness to your technical engineering feat, but having new ideas, making cool devices you can interact with over a network/lan/internet unfortunately will always be the lower hanging fruit to becoming even an amateur fly-by-night web/os/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.

      I would agree with you for most consumer applications like an IoT refrigerator. In the case of wind turbines, it is somewhat vital to be on a network. For example, controlling the turbines to change directions as wind conditions change. Some of them are located in remote areas and they do require maintenance. Signalling that maintenance may need to be performed via a network as opposed to a worker having to climb up each turbine periodically to figure out if there is something wrong.

      • Yes, a lot of things just want to be able to report if they are malfunctioning or not. Once you do that though you end up with feature creep. Now they want to know turbine temperature every minute with less than a minute lag over a PLC link.

    • The problem is that there are really good reasons for IoT stuff, and yet all of the hype is over stuff that's utterly irrelevant. Consumer IoT is just stupid in my mind, and most of that stuff isn't really IoT if it's just a bluetooth connection to a phone but everyone wants to slap on that label. But IoT has been around a long time, for things like smart meters, traffic cameras, and so forth. Back in the 80s I had a job interview for devices that were meant to be put in the middle of nowhere that would

  • by Jim Sadler ( 3430529 ) on Wednesday December 09, 2015 @09:50AM (#51087767)
    Just how can such a thing as a massive, expensive, wind turbine have such a security flaw? Is it penny pinching or just sell it and get it out of here, mentality causing this type of mess?
    • These are small turbines, 10kW for running your cabin or ranch, not the big boys you see strung out on mountains and oceans. They cost around $40k.

      Still unacceptable, but I suspect the monitoring controller was wanged on with a hammer using an off-shelf SoC controller and some Linux OS kit with a design wizard.

    • > Is it penny pinching or just sell it and get it out of here

      OR, not XOR, of course, so yes. Secure & fast is expensive. Secure and slow can be cheaper. Insecure and cheap tends to be fast.

      But the root cause is that the manufacturers have little downside to doing this. Each wronged individual has no financial incentive to seek restitution due to the legal fees involved, and class actions are a load of horseshit. Iceland used marketable torts for about four hundred years (the wronged gets a sma

    • Primarily it's the "I have a hammer. Every problem is a nail." syndrome. HTTP is being used for everything and HTTP is a really bad protocol.

      Okay, HTTP is a pretty good protocol for what it was designed: stateless, plain-text, request/reply with no authentication or encryption. It was designed to be open not locked down.

      The problem is we've been trying to find ways to lock down the protocol and use it in ways far beyond what it was meant for. SSL fixes the encryption problem but it can't fix inherent we

      • Which TCP Protocol is the wrong network layer to point the finger at. Creating a socket interface is not inherently more secure and just adds labor hours to creating the UI. Badly formed authentication is one angle to attack with. The other is having the thing only remotely accessible when it joins itself to a VPN - which takes a lot of the security burden off yourself. Because there is no reason to have it open to the public Internet directly.

        • The other is having the thing only remotely accessible when it joins itself to a VPN

          Sure. There are a number of ways to lock down the access before the HTTP traffic with firewalls or TLS and certificate validation. But the point of IoT is that users will have these things in their homes connected to their home internet connection. Joe User generally has no clue about setting up a firewall and I'm not sure he should be expected to.

          Your way puts an extra burden on Joe User. I want that extra burden placed on the IoT developers so Joe User can still have - as ESR put it - the luxury of ig

          • You have to set up your firewall to have an inbound HTTP port too. The dummy-proof way is to go the Nest route - which is a method I hate - and that's outbound connections only and everything is managed by a central server. It means your device is dead when/if the company goes under.

    • Having worked with a number of offshore software developers, I can say that penny pinching was the driver for flaws of this type. It's likely preventing "the simplest XSS attacks" was not explicitly named in the code specification along with an outline on how to accomplish it.
    • Security isn't prioritized. That's basically the reason.
  • by Lumpy ( 12016 ) on Wednesday December 09, 2015 @09:53AM (#51087785) Homepage

    Then you are a complete idiot. Wind turbine, solar, etc DO NOT NEED any kind of IOT. Let it spit out read only data to a public facing web server if you REALLY need to monitor your wind turbine while on vacation. And if you do, then you bought a really shitty turbine.

    Honestly all IOT designers and programmers need to be beaten with a sack of doorknobs until they stop being idiots or have some sense beaten into them. And if you hear any executive talk about IOT, instantly kick them in the groin as hard as you can.

    • by Fire_Wraith ( 1460385 ) on Wednesday December 09, 2015 @10:05AM (#51087851)
      Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore. You know, places that it's not exactly easy to send a technician out to, in order to do things like change a setting. It's not just about monitoring "while on vacation" - there are often significant distances involved simply due to the sheer nature of these things.

      This isn't to say that stuff like remote access doesn't need to be looked at very very hard as to whether it's a valid use case, but you can't simply handwave away the real world factors that are contributing to that executive suggesting it's necessary. If he/she is your boss, you need to be able to state clearly what the concerns are, and figure out a way to present those security concerns as a counterweight - and be prepared that they may not outweigh the cost of physical only access. Hopefully, though, by raising security as a concern, you can at least get it taken into account so as not to be a completely soft target.
      • by Lumpy ( 12016 ) on Wednesday December 09, 2015 @10:33AM (#51087959) Homepage

        Here is some news for you.... Wind farms ARE NOT IOT and monitored from an iPhone. They are on their own secured private network that uses secure VPN tunneling through the internet to data centers where the SCADA system controls and monitors them.

        Quite hilarious if you think that commercial and industrial uses IOT.

        • No - they should be, but my experience tells me that "should be" isn't always the same as "actually are". Ideally people are following best security practices, but this is the real world, and there are often other factors in the equation that weaken that. If everything on the internet was as secure as marketing tells us it is, and everyone followed best practices, IT security wouldn't be anywhere near as big of a problem as it is.

          I was also talking primarily about remote access, because your original post su
        • Isn't that a semantic difference? Sure, you'll throw a little embedded firewall in front - almost certainly with VPN. But it's not as if those little firewalls haven't had vulnerabilities, and the windmill itself is still a "thing" on the internet.

        • Here is some news for you.... Wind farms ARE NOT IOT and monitored from an iPhone.

          Oh boy are you going to be disappointed when you find out what SCADA companies are pushing right now.

        • Wind farms ARE NOT IOT

          Buzzwords become meaningless. "The cloud" is just anything that's not on your LAN. It doesn't necessarily even mean virtualization technology is in use.

        • They call it IoT even if it's on a private network. It happens to use IPv4/IPV6 so it's "internet" as far as executives are concerned. Some part of the back haul link may be on the actual internet as well.

          The problem is that "IoT" is a poorly defined concept.

          • Addendum, in some places there is not good connectivity but there happens to be cellular data coverage so an expensive phone plan may be used to get data from a device to the back office. Of course there's security. But a lot of companies want to get rid of expensive leased telephone lines and choose something slightly less expensive.

      • Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore.

        These vulnerable turbines aren't even utility scale like you are picturing. These are backyard farm turbines and the like. Those turbines do use secure interfaces and protected networks. But hey let's shit on the IoT because one small time vendor screwed up.

      • Even with these security problems, in a "real" wind farm and not the item in this discussion (which is smaller intended for a home type) you would network all these together and have access only via vpn per farm area.

        Still does not excuse the problem of inadequate security, but direct access to internet from a large wind turbine would be a no-no for sure.

    • Wind turbine, solar, etc DO NOT NEED any kind of IOT.

      What the hell is IoT? If you're talking about some kids toys with a funky web interface then yes you don't need that. If you're talking about remote network based control and data feedback then you've just mentioned the few things that most definitely do need that kind of functionality.

    • Because it is amazingly expensive to send a union technician on a 100 mile road to see if the turbine is still spinning or not. I work with smart meters, and electric utilities get really annoyed if they have to send a tech out to look at a meter that's only a couple miles away.

  • by Anonymous Coward

    The bug report states it is a Cross-site request forgery vulnerability, not XSS:

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0985
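Since the report above classifies the bug as CSRF, here is an added example (not the advisory's, the vendor's or any commenter's code) of the check a device admin portal needs so that a request issued from some other site cannot silently modify an account ID: an Origin check plus a session-bound token. The hostname, handler and form field names are hypothetical.

```python
# Added example: CSRF protection for a hypothetical device admin handler.
# Assumed names: DEVICE_HOST, issue_csrf_token, request_allowed, change_admin_id.
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

DEVICE_HOST = "turbine.local"          # assumed hostname of the admin portal
SECRET_KEY = secrets.token_bytes(32)   # per-device secret, generated at boot

def issue_csrf_token(session_id: str) -> str:
    """Bind the token to the session so a value obtained elsewhere cannot be replayed."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def request_allowed(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """True only when a state-changing request demonstrably came from the portal's own UI."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True                      # safe methods must never change state anyway
    # 1. Origin (fallback: Referer) must name the device itself; exact host match,
    #    not a prefix check, so "turbine.local.example" does not pass.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if urlsplit(origin).hostname != DEVICE_HOST:
        return False
    # 2. The form must carry the token for this session; constant-time comparison.
    token = form.get("csrf_token", "")
    return hmac.compare_digest(token, issue_csrf_token(session_id))

def change_admin_id(method: str, headers: dict, form: dict, session_id: str, users: dict) -> bool:
    """Hypothetical 'modify ID' operation: the CSRF check runs before any change."""
    if not request_allowed(method, headers, form, session_id):
        return False
    users[form["user"]] = form["new_id"]
    return True

def demo():
    """Constructed scenario: one request from the portal's UI, one from a foreign page."""
    sid = "sess-constructed-1"
    users = {"operator": "op1"}
    own_ui = {"Origin": f"http://{DEVICE_HOST}"}
    foreign = {"Origin": "http://other-site.example"}   # constructed third-party origin
    tok = issue_csrf_token(sid)
    ok1 = change_admin_id("POST", own_ui, {"user": "operator", "new_id": "admin", "csrf_token": tok}, sid, users)
    # Same session cookie, but no token and wrong origin: must be rejected.
    ok2 = change_admin_id("POST", foreign, {"user": "operator", "new_id": "admin"}, sid, users)
    return ok1, ok2, users["operator"]

if __name__ == "__main__":
    print(demo())
```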

  • Insecure device directly accessible from the open Internet? BAD.
    If that device can be programmed to hurt or kill someone or take away a critical service, VERY BAD.

    Insecure device sitting comfortably behind a dedicated security device whose only job is to protect the one insecure device? POSSIBLY OKAY for an at-home-save-buying-electricity-from-the-evil-power-company wind turbine but probably insufficient for industrial equipment or for your home-nuclear-bunker wind turbine.

    Insecure device on a private netw
