CERT Warns Wind Turbines Open to Compromise

Wind turbines made by the firm XZERES are vulnerable to web-based cross site scripting attacks, the Department of Homeland Security has warned. This isn't the first time the company's products have been cited.
Wind turbines made by the firm XZERES are vulnerable to web-based cross site scripting attacks, the Department of Homeland Security has warned. This isn’t the first time the company’s products have been cited.

In-brief: Wind turbines made by the UK firm XZERES Wind are susceptible to common, web-based attacks including cross site scripting, according to a warning published by the Industrial Control System CERT (ICS-CERT). 

The Industrial Control System Cyber Emergency Response Team (ICS-CERT) warned this week about a critical vulnerability in the web-based control panel of a wind turbine from XZERES Wind, which could be exploited by an attacker to cut the power to all systems connected to it.

The vulnerable device is 442SR, a small wind turbine designed to generate renewable energy at low maintenance costs. It can be used for both off and on-grid energy systems. The product can connect to the wider web for remote management using a computer or a mobile device. According to the manufacturer, the product is currently in use across the world.

Independent security researcher Karn Ganeshen found that the web interface used to manage the XZERES Wind turbines was designed to accept POST and GET HTTP requests for data input. A knowledgeable attacker could use that feature to hijack the web session of an authenticated administrator, changing the default user ID, which comes with administrator rights for the entire system, via a GET request sent to the web management interface. A successful attack would allow the malicious actor to lock out a legitimate administrator and take control of the device.

The vulnerability has been assigned the unique identifier CVE-2015-0985. It is rated critical, with a base score of 9.8 out of 10 (), calculated by the latest revision of the Common Vulnerability Scoring System (CVSS). The high severity rating is attributed to the fact that the vulnerability is easy to exploit by an attacker who does not need to be authenticated to the device, or have direct physical access to it.  On Thursday, ICS-CERT added two updates to the advisory clarifying that the operating system of the turbine fails to properly validate user input, leaving room for malicious action.

Xzeres makes small wind turbines for use by businesses and residences, as well as in industries like agriculture. The company is headquartered in the United Kingdom, with U.S. headquarters in Wilsonville Oregon. According to ICS-CERT, Xzeres was informed of this problem and has prepared a software fix for it However, XZERES turbines do not support automatic updates, meaning that owners of affected systems will have to download and manually apply the fix, an approach very likely to leave some turbines vulnerable long after the patch has been made available.

[Read more Security Ledger coverage of security risks to critical infrastructure.]

Anyone having trouble plugging the security hole can seek help from the XZERES Service Team by calling 1-877-404-9438 (option 4) for instructions and support.

The DHS ICS-CERT notes that there is no knowledge of public exploits of the wind turbine vulnerability. However, the flaw means that common XSS (cross-site scripting) attacks used against web pages could be adapted to attack the XZERES 442SR wind turbine’s administration panel, setting a low bar for attacks, ICS-CERT warns.

This is not the first time that XZERES turbines have been found vulnerable to web-based vulnerabilities and attacks. In June, ICS-CERT published an advisory on a CSRF (cross-site request forgery) vulnerability affecting the turbine in exactly the same way as CVE-2015-0985. That flaw, CVE-2015-3950, was identified by a different security researcher, Maxim Rupp, and it received the highest severity score by the CVSS v2 standard.

Rupp is also credited for finding another CSRF vulnerability in XZERES 442SR that allowed an unauthorized third-party to change the default user password. The report from ICS-CERT was published in March using the same CVE identifier as the latest one (CVE-2015-0985). Both previous flaws received patches that could be applied manually by calling the XZERES support desk.

Calls to patch the vulnerable turbines appear to have fallen on deaf ears. A search using the Shodan search engine for Internet-connected devices currently shows 10 XZERES turbines (eight in the UK and two in the US) with unfettered access to the login page and whose current state can be freely monitored.

By accessing the right IP address, one can see the energy exported by the turbine or how much time it’s been operating for. Furthermore, the diagnostics page shows real-time values (temperature, consumption rate, rotations per minute) for the different components of the system (alternator, boost converter, inverters) and check details for each of them.

Systems in the energy sector are constantly probed by powerful adversaries, and although the XZERES 442SR is built for generating power on a small-scale, they could become the target of less experienced threat actors as they are used in some residential areas or off-grid business applications.

Vulnerabilities in web interfaces to embedded devices – including connected infrastructure – is a major source of risk. In a recent study, three-quarters of embedded systems that sport web interfaces tested by researchers at universities in Germany and France contained serious security vulnerabilities, according to a new study.

The researchers, from EURECOM and Ruhr University Bochum in Germany emulated and tested 246 separate instances of embedded device firmware with web interfaces. Of those, 185 (75%) were discovered to have “high impact” vulnerabilities, according to a report, “Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces,” which was published on the web site arxiv.org.