Some Wind Turbines Can Be Hacked by Anyone With an Internet Connection

• http://motherboard.vice.com

The age of the Internet of Things, where everything from fridges to wind turbines is connected to the Internet, is coming. These smart devices can be controlled remotely, optimizing efficiency and power production—but they can also be hacked.

In mid-March, a researcher found a vulnerability that allowed anyone to hack the operator of the XZERES 442SR, a small-scale wind turbine for homes or farms, allowing the attacker to potentially take it over. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory for the vulnerability, urging everyone to patch their turbines since, as ICS-CERT put it, "crafting a working exploit for this vulnerability would be easy."

But as it turns out, you might not need to exploit a vulnerability to hack these wind turbines.

Some of these XZERES 442SR wind turbines, in fact, are easy to find on Shodan, a search engine that crawls the Internet for connected devices. When Motherboard performed a search a couple of weeks ago, we found more than 100 of these turbines; as of Thursday, there were still 83.

And if you're wondering, no, they probably shouldn't be on the Internet.

"It's funny," Billy Rios, a security researcher who specializes in critical infrastructure, told Motherboard. "I don't know why you'd need to put your wind turbine on the Internet with a web interface."

In fact, you can monitor a stranger's turbine yourself.

With the right URL, you could access the control panel, which is simply protected by a username and password. And the catch is that most of these devices are probably still set up with the default password, Rios said.

XZERES did not respond to Motherboard's request for comment.

So not only can you monitor a stranger's wind turbine, you can probably mess with it too.

There are some risks inherent in leaving these turbines online, obviously. By simply being connected to the Internet with no firewall and just protected by a password—likely the default one—anyone could potentially take them over and mess with them, Rios said.

"It's pretty straightforward to get into these machines, people don't realize how easy it is to get into one of these devices and take it over," he said.

For example, a hacker could mess with the power supply, turning the turbines off.

