The energy grid is once again found to be vulnerable: a serious flaw in the Nova-Wind Turbine human-machine interface (HMI) lets a remote attacker recover the credentials used to log in to the HMI and take control of the turbines it manages.
At issue: the software stores those login credentials in plaintext, with no encryption or other protection. An attacker with very little skill could recover the credential file, authenticate to the HMI with what it contains, and change the configuration, essentially hijacking the turbines.
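The following is an added example, not code from RLE, ICS-CERT or the Nova-Wind HMI. It contrasts the weak pattern the advisory describes (credentials written to disk in plaintext, so that reading the file is the whole attack) with a store that keeps only a salted, slow hash, plus the verification routine that goes with it. File names, the sample account, its password and the PBKDF2 work factor are all assumptions made for the demo.

```python
"""Added example, not code from RLE, ICS-CERT or the Nova-Wind HMI.
It contrasts the weak pattern the advisory describes (credentials written
to disk in plaintext) with a store that keeps only a salted, slow hash.
File names, user names, passwords and the PBKDF2 work factor are assumed."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumed work factor; use the highest value your login latency budget allows.
PBKDF2_ITERATIONS = 200_000


# --- Weak pattern: the advisory's plaintext credential file ---------------
def save_plaintext(path, users):
    # Whoever can read this file owns every account on the HMI.
    with open(path, "w") as f:
        json.dump(users, f)


def recover_plaintext(path):
    # The "attack" is just reading the file back.
    with open(path) as f:
        return json.load(f)


# --- Hardened pattern: store salt + PBKDF2-HMAC-SHA256 digest only --------
def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


def save_hashed(path, users):
    records = {}
    for user, password in users.items():
        salt_hex, digest_hex = hash_password(password)
        records[user] = {"salt": salt_hex, "hash": digest_hex}
    with open(path, "w") as f:
        json.dump(records, f)


def verify(path, user, password):
    with open(path) as f:
        records = json.load(f)
    rec = records.get(user)
    if rec is None:
        # Burn the same CPU time for unknown users so the response time does
        # not reveal which user names exist.
        hash_password(password)
        return False
    _, digest_hex = hash_password(password, bytes.fromhex(rec["salt"]))
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(digest_hex, rec["hash"])


def demo():
    """Run both stores on a constructed sample account and report what an
    attacker holding each file learns."""
    users = {"operator": "turbine-pass-1"}  # constructed sample credential
    workdir = tempfile.mkdtemp()
    plain_path = os.path.join(workdir, "users.json")
    hashed_path = os.path.join(workdir, "users_hashed.json")

    save_plaintext(plain_path, users)
    save_hashed(hashed_path, users)

    with open(hashed_path) as f:
        hashed_record = f.read()

    return {
        # Plaintext file: the password is handed over verbatim.
        "leaked_plaintext": recover_plaintext(plain_path)["operator"],
        # Hashed file: the password string appears nowhere in it.
        "hashed_file_contains_password": users["operator"] in hashed_record,
        "login_ok": verify(hashed_path, "operator", "turbine-pass-1"),
        "login_wrong_password": verify(hashed_path, "operator", "wrong"),
        "login_unknown_user": verify(hashed_path, "nobody", "turbine-pass-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened store is that stealing the file no longer yields working credentials: an attacker must brute-force each salted hash at the chosen work factor, and the HMI never has to hold the password itself after enrollment. On an embedded controller, file permissions and an encrypted partition are worth adding as well, but they do not replace hashing, because the advisory's scenario is exactly the one where the file has already been read.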
ICS-CERT said that the manufacturer, RLE, has not responded, leaving its turbines wide open to attackers who could shut off the power they generate entirely.
“Independent researcher Maxim Rupp has identified an unsecure credential vulnerability in the RLE International GmbH Nova-Wind Turbine HMI,” an advisory from ICS-CERT explained. “RLE has been unresponsive in validating or addressing the alleged vulnerability. ICS-CERT is releasing this advisory to warn and protect critical asset owners of this serious issue.”
It added, “ICS-CERT has attempted on multiple occasions to contact the vendor regarding this serious flaw and has, according to our vulnerability disclosure policy, now produced this advisory. Insecure credential vulnerabilities create a serious risk to asset owners. ICS-CERT strongly recommends ensuring that the impacted product is not connected to the internet or any network as this vulnerability is remotely exploitable.”
Fortunately there are no known exploits—yet.
The news comes just a week after a cross-site request forgery (CSRF) vulnerability was found in small wind turbines manufactured by a company called XZERES.
“Successful exploitation of this vulnerability allows the ID to be retrieved from the browser and will allow the default ID to be changed. This exploit can cause a loss of power for all attached systems,” ICS-CERT explained in its advisory for that flaw.
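To make the CSRF mechanism behind the XZERES advisory concrete, here is an added example that is not code from XZERES or ICS-CERT. It models a logged-in operator's browser being made by a third-party page to POST a device-ID change to the HMI: the browser attaches the session cookie automatically, so a handler that relies on the cookie alone accepts the forged request. The hardened handler requires a session-bound anti-CSRF token that a foreign page cannot read and, as defence in depth, rejects a foreign Origin header. The hostnames, form field names and session cookie value are assumptions for the demo.

```python
"""Added example, not code from XZERES or ICS-CERT. It models the CSRF
pattern behind the second advisory: a logged-in operator's browser can be
made by a third-party page to POST a state change (here, the device ID)
to the HMI. Hostnames, form fields and the session cookie are assumed."""
import hashlib
import hmac
import os

SERVER_SECRET = os.urandom(32)              # assumed per-process secret
HMI_ORIGIN = "https://turbine-hmi.example"  # assumed HMI origin


def csrf_token(session_id):
    # Token bound to the session by HMAC; verifiable without server state.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_set_device_id(request, enforce_csrf):
    """Stand-in for the HMI's 'change ID' handler. `request` is a dict with
    'cookies', 'headers' and 'form' keys. Returns (status, new_id_or_None).
    With enforce_csrf=False it behaves like the vulnerable device."""
    session = request.get("cookies", {}).get("session")
    if session is None:
        return 401, None
    if enforce_csrf:
        # 1. Anti-CSRF token: a cross-site page cannot read it, so it cannot
        #    include it in the forged form.
        token = request.get("form", {}).get("csrf_token", "")
        if not hmac.compare_digest(token, csrf_token(session)):
            return 403, None
        # 2. Defence in depth: reject a request whose Origin header names
        #    another site (browsers send Origin on cross-site POSTs).
        origin = request.get("headers", {}).get("Origin")
        if origin is not None and origin != HMI_ORIGIN:
            return 403, None
    return 200, request["form"]["device_id"]


def demo():
    session = "s3ss10n-abc"  # constructed session cookie value

    # Legitimate POST from the HMI's own page: carries cookie, token and origin.
    legit = {
        "cookies": {"session": session},
        "headers": {"Origin": HMI_ORIGIN},
        "form": {"device_id": "WT-07", "csrf_token": csrf_token(session)},
    }
    # Forged POST from attacker.example: the browser still attaches the
    # session cookie, but the page has no token and a foreign Origin.
    forged = {
        "cookies": {"session": session},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"device_id": "PWNED"},
    }
    return {
        "vulnerable_legit": handle_set_device_id(legit, enforce_csrf=False),
        "vulnerable_forged": handle_set_device_id(forged, enforce_csrf=False),
        "fixed_legit": handle_set_device_id(legit, enforce_csrf=True),
        "fixed_forged": handle_set_device_id(forged, enforce_csrf=True),
    }


if __name__ == "__main__":
    print(demo())
```

The token check is what actually closes the hole; the Origin check is cheap insurance against a token leak. The same handler shape applies to any state-changing HMI action, not only the ID change the advisory names.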