Endpoint Security , Governance & Risk Management , Internet of Things Security
Photovoltaic Platform Flaws Threatened Global Solar Grid
Software used to manage a fifth of the world's solar electricity contained flaws enabling full access to attackers, risking grid overloads and blackouts, said threat researchers.
Solar power still accounts for a sliver of overall U.S. electricity generation but is poised to grow exponentially until it makes up half of domestic electricity generation by 2050, according to a federal government projection.
Researchers from Bitdefender said Wednesday they discovered flaws in two major solar management platforms that include hard coded credentials and an application programming interfaces that allowed attackers to generate authorization tokens for any account.
See Also: OnDemand | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines
The cybersecurity firm said it contacted platform manufacturers Solarman and Deye and received assurances that the issues were fixed before going public.
Solarman and Deye platforms together coordinate the production operations of millions of solar installations worldwide, contributing to an output of approximately 195 gigawatts of solar power, a number that's 20% of the world's total solar output.
Flaws in the Solarman photovoltaic monitoring and management platform included:
- Full Account Takeover: Attackers could generate authorization tokens for any account via the platform's API, allowing them to gain control over regular and business accounts and modify inverter parameters.
- Token Reuse Across Platforms: JWT tokens issued by the Deye Cloud platform were valid on the Solarman platform, granting unauthorized access across both platforms.
- Excessive Data Exposure: The platform's API endpoints returned excessive information about organizations, including private details such as email addresses and phone numbers.
Deye's solar grid inverter platform converts direct current electricity generated by solar panels into alternating current electricity. The inverter also ensures grid synchronization, maintaining the phase and frequency of the AC output to match the grid's standards.
The detailed flaws were:
- Hard-Coded Credentials: The platform used a hard-coded account with the password
123456
to access device data, exposing sensitive information. - Information Leakage: API endpoints returned excessive private information about users, making it easier for attackers to exploit this data.
- Authorization Token Generation: Similar to the Solarman platform, the Deye platform API allowed the generation of JWT tokens.
Unauthorized control over solar inverters could result in disruptions to power generation, voltage fluctuations and even widespread blackouts.