On the heels of Secretary of Defense Leon Panetta scaring the crap out of everyone regarding cyberattacks, SophosLabs’ NakedSecurity blog linked to a Homeland Security alert which warns that hackers could take control of solar energy plants.
Plant administrators use the vulnerable software to control energy-generating solar plants. However, the programming wasn’t written with security in mind; it’s a Swiss cheese of SQL injection holes:
According to information released by the researchers Roberto Paleari and Ivan Speziale, the Sinapsi eSolar product contains a number of critical security vulnerabilities that make the devices easily exploitable by remote attackers, who could gain administrative privileges and run arbitrary commands and code on vulnerable eSolar devices.
Those security holes include a slew of SQL injection vulnerabilities in webpages included with the device firmware. Among other things, the researchers found they could exploit SQL injection holes in the web-based management interface to access the underlying MySQL database, gaining access to usernames and passwords for the device.
Coders turned the stupid up a notch by storing passwords in plaintext.
Sinapsi, the company that makes the software, has known about the problems for months but never responded to the researchers who discovered them, so those researchers made their findings public a few days ago.
Attackers who took over vulnerable systems could control facilities around the world, including several in California and Arizona.
As far as we know, the sun itself still sports ironclad encryption.