The solar power infrastructure has added significant complexity to the management and security of the electricity grid. Couple that with a network of connected things that are pulling data from these devices and sending it to clouds for analysis, and the complexity—and risk—is magnified.
In this episode of the Nexus Podcast, Bitdefender Director of IoT Security Dan Berte joins to discuss research his team conducted on the security of two platforms responsible for 20 percent of the planet’s solar power output.
Berte and his team uncovered vulnerabilities in photovoltaic monitoring and management platforms sold by Solarman and Deye. An attacker who successfully exploited these security flaws could disrupt or manipulate inverter settings in ways that could overload parts of the grid and initiate blackouts.
“Its growth has been incredible for obvious reasons. Now it's getting so much cheaper to install solar. It's beaten everything in terms of cost per power generation, a dollar invested in power output,” Berte said of the rise of solar energy and its impact on the grid. “So it makes so much sense, especially with the governmental incentives around the world and the flurry of manufacturers that are now putting different systems out there. And we know there's a lot of vendors that are heavily competing against each other to put the most affordable but the best feature.”
Berte said that Solarman and Deye are responsible for significant solar power generation. Their devices, especially inverters, which convert direct current electricity generated by solar panels into alternating current electricity that can be used in businesses and homes, are discoverable as IoT devices online. Solarman licenses its technology to other manufacturers, including Deye. Given their market share, Berte said Bitdefender went to work researching their attack surface.
They found issues in the Deye inverter and Solarman data logger that could be exploited. Those vulnerabilities include a full account takeover bug via manipulation of an authorization token. According to Bitdefender’s report: “An attacker can modify the [JSON Web Token] to include the userId of any desired account, resulting in unauthorized access and full control over the account.”
A second vulnerability was found in JWTs issued by the Deye cloud platform, which are also valid on Solarman. An attacker can reuse the same token to gain full access to accounts on one platform even if the ID corresponds to a different account on the other platform.
Finally, an information leak in the API endpoint returns names, email addresses, userIDs and more information about accounts.
All three vulnerabilities were addressed by the respective vendors.
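The two token flaws described above come down to server-side checks: the userId in a token can be trusted only after its signature verifies, and a token minted for one platform has to be refused by the other. The sketch below is an added example, not code from Bitdefender's report or from either vendor; it assumes HS256 tokens, `iss`/`aud` claims naming the platform, a signing key shared by both platforms, and placeholder names `platform-a` and `platform-b`.

```python
import base64, hashlib, hmac, json, time

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _mac(key, head_b64, body_b64):
    return hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()

def issue(claims, key):  # builds the constructed sample tokens only
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(key, head, body))}"

def verify(token, key, platform, now=None):  # returns claims or raises ValueError
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, sig = json.loads(_b64d(head_b64)), _b64d(sig_b64)
    except Exception:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # alg is pinned, not chosen by the token
    if not hmac.compare_digest(sig, _mac(key, head_b64, body_b64)):
        raise ValueError("bad signature")   # any edit to userId lands here
    claims = json.loads(_b64d(body_b64))    # parsed only after the signature check
    if claims.get("iss") != platform or claims.get("aud") != platform:
        raise ValueError("token issued for another platform")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims

def demo():
    key = b"constructed-demo-key"  # constructed; shared by both platforms (assumption)
    claims = {"userId": 1001, "iss": "platform-a", "aud": "platform-a", "exp": time.time() + 300}
    good = issue(claims, key)
    head, _, sig = good.split(".")
    edited = _b64e(json.dumps({**claims, "userId": 1}).encode())
    cases = {"valid": (good, "platform-a"),
             "edited userId": (f"{head}.{edited}.{sig}", "platform-a"),
             "other platform": (good, "platform-b")}
    out = {}
    for name, (tok, platform) in cases.items():
        try:
            out[name] = verify(tok, key, platform)["userId"]
        except ValueError as err:
            out[name] = str(err)
    return out
```

Calling `demo()` returns the userId for the untouched token and the rejection reason for the other two. Separate signing keys per platform would be the stronger fix for the second case; the issuer and audience check is what still holds when a key is shared.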
“Not to say that [solar is] inherently bad or risky. It's just that the prevalence now that's expected to rise, because it's so cheap and amazing, it's going to make it that a lot more generation is going to be renewable, potentially photovoltaic,” Berte said. “And a lot of barriers have been removed. Exactly. So now we're going to have to gear up to understand how to protect this new grid from potential risks, including cyber attack.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.