A series of now-patched bugs in a leading photovoltaic (PV) plant management platform exposed a fifth of the world’s solar power output to blackout-inducing attacks, researchers claim.
Newly discovered vulnerabilities in the platform operated by China-based company Solarman would have enabled threat actors to control essential power grid settings, allowing attackers to cause blackouts, Bitdefender researchers announced during the Black Hat USA 2024 conference.
Solarman is a major player in the global solar energy market. It is responsible for coordinating the production operations of millions of solar installations worldwide, which generate a whopping 20% of global solar energy production.
IKEA, Huawei, AEG, and many others are listed among Solarman’s global partners. What’s worse, Bitdefender researchers claim that attackers could have exploited the bugs to severely destabilize power grids.
“What we’re seeing in this particular case with solar power generation is that somebody could take the grid down or overload it. That’s all real,” Dan Berte, Bitdefender’s director of Internet of Things (IoT) security, told Cybernews.
Crucial component affected
According to the researchers, the team looked into data loggers made by Solarman, which are often used to monitor inverter units of Deye, another major China-based player in the PV market.
Inverters are crucial solar power grid components that convert the direct current (DC) electricity generated by solar panels into alternating current (AC) electricity, which is used by most homes and businesses.
Meanwhile, data loggers record and transmit information on the solar power system and its performance, enabling real-time monitoring, fault detection, and remote management.
Without data loggers, solar panels operate in the dark, and without inverters, solar energy cannot reach the grid. However, if attackers took control of enough inverters, they could, at least in theory, destabilize the delicate balance of the electricity grid.
“The scale of affected solar output points there are obviously industrial customers involved. Some of these generators are likely stationed in large industrial parks. It’s not people with just two panels trying to cater for themselves,” Berte explained.
Moreover, researchers explained, Solarman’s software is integrated into and reused by numerous other market players, potentially expanding the scale of the flaws’ impact.
“When you tap into this kind of vulnerability and you can affect a grid, the issue becomes collective. In a sense, this becomes a national security issue,” Berte said.
Darkness-inducing bug
After analyzing the Solarman platform, researchers identified three vulnerabilities. The most dangerous one, an account takeover vulnerability, allows attackers to generate authorization tokens for any account, regular and business.
“This means that a malicious user could iterate through all accounts, take over any of them, and modify inverter parameters or change how the inverter interacts with the grid,” researchers claim.
In essence, attackers could remotely tinker with inverter settings, pushing more power to the grid when it shouldn’t. Since business accounts, usually employed to control large sets of solar panels, are exposed, threat actors could simultaneously impact many inverters, destabilizing the power grid.
Berte extrapolates that his team’s findings expose an IoT-based loophole for attackers to penetrate power grids. Traditional power-producing capabilities, which provide baseload (a steady, constant supply that meets the minimum electricity demand), are often closely guarded against intrusions and are less connected.
Meanwhile, renewable energy monitoring platforms are essential because solar energy production varies during the day and must be monitored in real-time so that grid operators can prevent grid-destabilizing power generation fluctuations.
“And for that, you’re going to need inverters to be connected to the internet. And here’s where things go wrong. Because all of a sudden, the grid becomes part of this great and vulnerable IoT ecosystem,” Berte explained.
Excessive data exposure
Other vulnerabilities researchers identified allow the reuse of tokens across different platforms. Researchers claim that tokens issued by the “Deye Cloud platform are also valid on the Solarman platform, granting full access to the accounts based on their ID.”
The third Solarman-focused flaw excessively exposes data. Researchers discovered that the Solarman platform’s API endpoints “return excessive information about organizations, including private details such as email addresses and phone numbers.”
Since many companies employ a modified version of Solarman’s API, attackers could use the flaw to harvest data about a wide selection of companies worldwide, including GPS coordinates of solar installation locations and their real-time production capacity.
Meanwhile, the Deye-related vulnerabilities involve hard-coded credentials, excessive information exposure, and authorization token generation. Bitdefender’s researchers claim that the hard-coded credentials allow attackers to obtain authorization tokens “that grant access to any device, exposing sensitive information such as software versions, WiFi credentials, and more.”
Like the Solarman-related bug, Deye’s information leakage vulnerability affected an API endpoint that returns excessive private information about users, including names, email addresses, phone numbers, and user IDs.
Researchers claim that the vulnerabilities allow attackers to take over accounts and disrupt power generation, potentially causing dangerous power fluctuations in the energy grid.
Moreover, since the bugs excessively reveal user information, data breach risks are severely increased, which could lead to information harvesting and targeted phishing attacks.
Bitdefender disclosed its findings to Solarman and Deye before going public, and both companies issued fixes to mitigate the issue. Researchers urge users to ensure they are running the latest software updates for both Solarman and Deye.