The age of the Internet of Things, where everything from fridges to wind turbines are connected to the Internet, is coming. These smart devices can be controlled remotely, optimizing efficiency and power production—but they can also be hacked.
In mid March, a researcher found a vulnerability that allowed anyone to hack the operator of the XZERES 442SR, a small scale wind turbine for homes or farms, allowing the attacker to potentially take it over. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory for the vulnerability, suggesting everyone to patch their turbines since, as ICS-CERT put it, “crafting a working exploit for this vulnerability would be easy.”
Videos by VICE
But as it turns out, you might not need to exploit a vulnerability to hack these wind turbines.
“I don’t know why you’d need to put your wind turbine on the Internet with a web interface.”
Some of these XZERES 442SR wind turbines, in fact, are easy to find on Shodan, a search engine that crawls the Internet for connected devices. When Motherboard performed a search a couple of week ago, we found more than 100 of these turbines; as of Thursday, there were still 83.
And if you’re wondering, no, they probably shouldn’t be on the Internet.
“It’s funny,” Billy Rios, a security researcher who specializes in critical infrastructure, told Motherboard. “I don’t know why you’d need to put your wind turbine on the Internet with a web interface.”
In fact, you can monitor a stranger’s turbine yourself.
With the right URL, you could access the control panel, which is simply protected by a username and password. And the catch is that most of these devices are probably still set up with the default password, Rios said.
XZERES did not answer to Motherboard’s request for comment.
So not only you can monitor a stranger’s wind turbine, you can probably mess with it too.
There are some risks inherent with leaving these turbines online, obviously. By simply being connected to the Internet with no firewall and just protected by a password—likely the default one—anyone could potentially take them over and mess with them, Rios said.
“People don’t realize how easy it is to get into one of these devices and take it over.”
“It’s pretty straight forward to get into these machines, people don’t realize how easy it is to get into one of these devices and take it over,” he said.
For example, a hacker could mess with the power supply, turning the turbines off.
It’s clearly not life-or-death scenario, but it’s a good reminder that we’re connecting devices to the Internet without really thinking about the consequences or thinking how they could be protected from hackers.
What’s worse, most of these devices don’t even come with systems to detect if they’ve been hacked, so someone could control your wind turbine and you’d never know about it, Rios said.
And that’s if the owners even realize they’re online.
The lesson for these companies, as always, is think twice before connecting something to the Internet.
“It’s silly that they were put on the internet, but people do silly things,” Michael Toecker, an engineer at Context Industrial Security, told Motherboard. “If companies want to play in the Internet of Things space, they need to up their security game.”
Jon Chittenden contributed reporting for this story