35,000 solar power systems found exposed online, targeted by hackers


A massive fleet of vulnerable solar inverters has been discovered online. Almost 35,000 solar power devices have internet-exposed management interfaces and can be targeted using a range of known vulnerabilities.

For owners, it is convenient to check their solar panels' generation statistics online, but this functionality comes with a massive risk – hackers can access the devices, too.

Cybersecurity researchers at Forescout Research – Vedere Labs identified 35,000 exposed solar power devices, including inverters, data loggers, monitors, gateways, and other equipment from 42 vendors.

Attackers can readily discover these devices using the Shodan search engine.

The researchers themselves have found 46 new vulnerabilities in the devices and cataloged an additional 93 known vulnerabilities. Exposed devices may be susceptible to many other vulnerabilities.

They warn that attackers could exploit them to achieve a blackout effect, potentially similar to the massive power grid failure that affected Spain earlier this year.

“Since these systems are rapidly becoming essential elements of power grids throughout the world, this represents a growing risk to grid stability,” the report reads.

The most exposed solar devices were produced by SMA Solar Technology (12,434), Fronius International (4,409), Solare Datensysteme (3,832), Contec (2,738), and Sungrow (2,132). The researchers note that these are not the same as the top vendors based on market share. Notable omissions include Huawei and Ginlong Solis.

The SMA Sunny Webbox appears to be the most commonly exposed device. It has contained a hardcoded vulnerability since December 2014.

Over three-quarters of the exposed devices (76%) are in Europe, followed by 17% in Asia, 5% in the Americas, and the remaining 2% elsewhere. Germany and Greece each account for 20% of the total exposed devices worldwide.

“Being exposed on the internet is usually not an inherent vulnerability of a device, but the result of users configuring port forwarding, something that is discouraged by vendors,” the researchers explain.

They also found that threat actors frequently target exposed IoT devices. At least 43 IP addresses recently targeted SolarView Compact devices, which use 27 unique firmware versions, with no exposed devices running the latest firmware.

Most of the malicious IPs belong to known botnets; however, some lead to Tor exit nodes.

“We still see thousands of these devices exposed online and often unpatched, opening them up to being hijacked by threat actors,” Forescout warns.

The researchers recommend keeping the devices updated and removing direct internet access to management interfaces.

Reuters previously reported that many Chinese-made solar devices contain “unexplained communication equipment,” adding to the risks posed by solar devices.