Taking remote control over industrial generators

Generators are an important part of today’s modern world. They can keep your lights on when the power goes out and keep hospitals running when disaster strikes, but what if someone else could potentially control them remotely and even shut them down when they are needed most? This was the reality with a vulnerability I discovered back in 2023 and am finally getting around to sharing.
Important note: This platform was a pilot project at a company that is not being named. It ran into 2024 and is no longer active today. There were only a handful of customers and generators registered. Despite that, this should be a fun cautionary tale about why API security must be a priority from day one, to avoid big consequences later!
Powering Up
When you visit the site, you are asked to log in or sign up. Public registration was open:
Unfortunately, once signed in, you don’t have access to anything:
A look at the underlying network traffic makes it clear why: the useraccess API response is supposed to include a list of permissions, but instead had no content:
The permissions control which parts of the site you have access to and are named after the corresponding pages. With that in mind, the way forward was to make a modification to client-side JavaScript to manually insert the permissions:
With that done, it was finally possible to proceed. However, the site still ran into some issues loading information.
Undeterred, the next step was to dig deeper into the underlying JavaScript code to see if there were any APIs that would return any interesting data.
Mapping the grid
The site uses a variety of APIs, all of which happily accept our token, even on endpoints intended for administrators. The APIs required a valid token but did not check whether the user was an admin before serving the more privileged endpoints. This is known as Broken Function Level Authorization (BFLA). Here are two examples where all users and generators could be retrieved:
The key part in the second screenshot is the system IDs for the generators. Those can be entered manually into the URL to get a working page:
Going a bit deeper, you could access commands to start and stop the generator. It is important to note that these commands were not tested: it would have been irresponsible to test critical functionality like this, and it could have been a safety hazard. Despite that, given the authorization failures in all the other APIs, it is very likely these commands would have gone through!
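The fix for what is described above is a server-side, deny-by-default check that ties each API function to a required role, so that a valid token alone is never enough. The following is an added example and not the platform's code; every route, token and generator ID in it is constructed, and the ownership check on generator IDs goes slightly beyond the BFLA point to cover the "type any system ID into the URL" problem as well.

```python
# Added example (not the platform's code): deny-by-default function-level
# authorization for an API like the one described. All names are constructed.
from dataclasses import dataclass, field

# Role required for each API function. Anything not listed is denied.
REQUIRED_ROLE = {
    ("GET", "/api/useraccess"): "user",
    ("GET", "/api/generators/{id}/history"): "user",
    ("GET", "/api/users"): "admin",
    ("GET", "/api/generators"): "admin",
    ("POST", "/api/generators/{id}/start"): "admin",
    ("POST", "/api/generators/{id}/stop"): "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}


@dataclass
class Session:
    user: str
    role: str
    generators: frozenset = field(default_factory=frozenset)  # IDs this user owns


# Constructed token table standing in for the real session store.
TOKENS = {
    "tok-alice": Session("alice", "user", frozenset({"GEN-0001"})),
    "tok-ops": Session("ops", "admin"),
}


def broken_authorize(token, method, route, gen_id=None):
    """The failure described in the write-up: any valid token passes."""
    return token in TOKENS


def authorize(token, method, route, gen_id=None):
    """Hardened check: valid token AND role for this function AND object ownership."""
    session = TOKENS.get(token)
    if session is None:
        return False
    needed = REQUIRED_ROLE.get((method, route))
    if needed is None:
        return False  # unknown function: deny by default
    if ROLE_RANK[session.role] < ROLE_RANK[needed]:
        return False  # function-level check (the control that was missing)
    if gen_id is not None and session.role != "admin" and gen_id not in session.generators:
        return False  # object-level check: non-admins only reach their own generators
    return True
```

Because the server decides from its own session record, the empty permission list the client received becomes a UI detail rather than a security boundary.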
Lastly, it was possible to view a lot of historical data about the generator, like oil temperature over time:
Timeline
- August 7, 2023: Reported
- August 16, 2023: Response received confirming team members are looking into it.
- September 11, 2023: Requested an update from the company.
- October 11, 2023: After no response, another update was requested. They responded the same day, confirming the issues had been patched.
- October 6, 2025: Published. The delay was due to the prioritization of other security work and general busyness.