Researcher Finds CSRF Bug in Wind Turbine Software

UPDATE: Wind turbines have been popping up across the United States in great numbers of late, and many of them are connected to the Internet. That, of course, means that these turbines are going to be natural targets for attackers and researchers.

A security researcher named Maxim Rupp has discovered a cross-site request forgery vulnerability in the operating system that runs wind turbines manufactured by XZERES. The vulnerability can allow an attacker to cut the power to all of the systems attached to the target system. The vulnerability exists in the operating system that runs the model 442SR wind turbines.

The company that manufactures the turbines, XZERES, says it has customers in a number of countries, including the U.S., the UK, Italy, Japan, Vietnam and others.

“Successful exploitation of this vulnerability allows the ID to be retrieved from the browser and will allow the default ID to be changed. This exploit can cause a loss of power for all attached systems,” an advisory from ICS-CERT says.

“The 442SR OS recognizes both the POST and GET methods for data input. By using the GET method, an attacker may retrieve the ID from the browser and will allow the default user ID to be changed. The default user has admin rights to the entire system.”
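The advisory's point about GET and POST both being accepted for data input is the usual root of a CSRF flaw. As an added example (not XZERES code and not part of the advisory), this is one way a device web interface can refuse such requests before a setting is changed; the function names, the `csrf_token` form field and the host `turbine.example` are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change device state


def new_csrf_token() -> str:
    """Per-session random token, kept server-side and embedded in each form."""
    return secrets.token_urlsafe(32)


def same_origin(headers: dict, expected_host: str) -> bool:
    """Accept only requests whose Origin (or Referer) names our own host."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sends neither header
    return urlsplit(source).netloc.lower() == expected_host.lower()


def check_state_change(method, headers, form, session_token, expected_host):
    """Return (allowed, reason) for a request that would change a setting."""
    if method.upper() in SAFE_METHODS:
        return False, "state change attempted with a safe method"
    if method.upper() != "POST":
        return False, "unsupported method"
    if not same_origin(headers, expected_host):
        return False, "cross-origin request"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison against the token stored in the session.
    if not session_token or not hmac.compare_digest(
        supplied.encode(), session_token.encode()
    ):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    host = "turbine.example"  # constructed host name
    # Constructed requests: (method, headers, form fields)
    samples = [
        ("GET", {"Referer": "https://other.example/page"}, {"user_id": "x"}),
        ("POST", {"Origin": "https://other.example"}, {"user_id": "x"}),
        ("POST", {"Origin": "https://turbine.example"}, {"user_id": "x"}),
        ("POST", {"Origin": "https://turbine.example"}, {"csrf_token": token}),
    ]
    for method, headers, form in samples:
        print(method, check_state_change(method, headers, form, token, host))
```

Only the last constructed request passes: it uses POST, comes from the device's own origin and carries the session's token.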

The XZERES 442SR is on the smaller end of the wind turbine scale, not the massive turbines found in the huge wind farms. The company describes it as a highly efficient small turbine.

“The XZERES 442SR wind turbine is designed to generate low cost renewable energy through efficiency, reliability, and longevity. Its simple design of few moving parts reduces services and maintenance costs, as well as allows for easy installation,” the company’s product description says.

While there isn’t a known exploit for this vulnerability, ICS-CERT’s advisory says it would not be difficult to create one.

“Crafting a working exploit for this vulnerability would be easy. There is no public exploit for this exact vulnerability. However, code exists online that can be easily modified to initiate a CSRF with this vulnerability,” the advisory says.

The company has developed a patch for the CSRF vulnerability, but the fix has to be manually deployed. Hospira said in a statement that the company has been working with DHS and FDA on the bugs.

“Supporting safe and effective delivery of medication is Hospira’s priority. In the interest of patient safety, Hospira has been actively working with the Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA) regarding reported vulnerabilities in our infusion pumps. The company has communicated with customers on how to address the vulnerabilities following recent advisories from the FDA and DHS. There are no instances of cybersecurity breaches of Hospira devices in a clinical setting,” the statement said.

This story was updated on June 10 to add Hospira’s statement.
