Cybersecurity flaws risk US solar power, now patched
Bitdefender has disclosed that 20% of the world's solar panel output, sufficient to power the United States, had been at risk of manipulation by cybercriminals. This revelation comes after extensive research conducted on rooftop solar plant management platforms run by Solarman and Deye, a Chinese solar equipment manufacturer that uses Solarman's platform.
The security firm found that vulnerabilities existed across millions of solar installations globally, which collectively produce approximately 195 gigawatts of solar power. Bitdefender stated, "If exploited, these vulnerabilities could allow an attacker to control inverter settings that could take parts of the grid down, potentially causing blackouts." The affected companies have successfully patched the identified weak points to prevent any misuse.
The study unveiled several critical flaws in the systems used by Solarman, one of the world's leading photovoltaic (PV) monitoring and management platforms, which manages over 2 million active PV plants and more than 10 million devices in over 190 countries and territories. Deye is known to have used Solarman's infrastructure until a recent spin-off into its own data centre with its own user base.
Key issues identified included the potential for full account takeovers through vulnerabilities in the Solarman platform's OAuth token endpoint. Bitdefender's report explains, "The Solarman platform's /oauth2-s/oauth/token API endpoint lets attackers generate authorisation tokens for any account. By modifying the JSON payload, attackers can gain control over any regular or business account." This would have enabled malicious users to control inverter parameters or change the way the inverter interacts with the grid.
Another significant flaw was the ability to reuse JSON Web Tokens (JWTs) across platforms: JWTs issued by the Deye Cloud platform were also valid on Solarman's platform. This cross-platform vulnerability allowed unauthorised access to accounts based on their ID.
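The cross-platform token reuse described above, as an added example that is not code from Bitdefender, Solarman or Deye: it assumes two services share one HS256 signing key, and sets a verifier that checks only the signature beside one that also binds the token to its issuer and audience. The key, the service names `platform-a` and `platform-b`, and the claims are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed values for illustration only; not taken from either platform.
SHARED_KEY = b"constructed-demo-key"
THIS_SERVICE = "platform-a"  # the service doing the verification

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint an HS256 JWT (stands in for either platform's token service)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_signature_only(token: str, key: bytes = SHARED_KEY) -> dict:
    """Weak check: any token signed with the key is accepted."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

def verify_bound(token: str, key: bytes = SHARED_KEY) -> dict:
    """Hardened check: the token must also be issued by and for this service."""
    claims = verify_signature_only(token, key)
    if claims.get("iss") != THIS_SERVICE or claims.get("aud") != THIS_SERVICE:
        raise ValueError("token was not issued for this service")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def accepted(verifier, token: str) -> bool:
    """Return True if the verifier accepts the token, False if it rejects it."""
    try:
        verifier(token)
        return True
    except ValueError:
        return False

exp = int(time.time()) + 300
foreign = issue({"sub": "1001", "iss": "platform-b", "aud": "platform-b", "exp": exp})
native = issue({"sub": "1001", "iss": "platform-a", "aud": "platform-a", "exp": exp})
```

Using a separate signing key per platform closes the same gap at the key level; the issuer and audience checks still apply when keys are distinct.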
Excessive data exposure was also a concern. The report notes, "The Solarman platform's API endpoints return excessive information about organisations, including private details such as email addresses and phone numbers. This information can be harvested to exploit the platform's users and organisations." Furthermore, the collected data could provide GPS coordinates for solar installations and their real-time production capacity.
The Deye platform was found to have its own set of vulnerabilities, including the use of hard-coded credentials, which could grant unauthorised access to device data. An API endpoint on Deye's platform also allowed for the generation of authorisation tokens that could pose future risks if not adequately patched.
Bitdefender's timeline of disclosure highlights that they first contacted Solarman and Deye in May 2024, leading to initial fixes by the end of June and further patches implemented by mid-July. The vulnerabilities have since been acknowledged and addressed by the affected vendors.
The findings underscore the potential risks of integrating solar energy into the power grid, despite its numerous benefits. Solar power significantly contributes to reducing dependency on fossil fuels and lowering greenhouse gas emissions. However, its decentralised nature and reliance on Internet of Things (IoT) devices increase the complexity of managing these systems safely.
Security experts emphasise the importance of maintaining robust cybersecurity measures in the infrastructure of solar energy systems to prevent potential blackouts and disruptions. Bitdefender researchers pointed out that protecting devices interacting with the grid from cyber threats is crucial for ensuring reliable and secure power distribution.
Bitdefender commended Solarman and Deye for their prompt actions in rectifying the vulnerabilities, illustrating the value of coordinated efforts in enhancing the security of essential infrastructure. As the world continues to adopt renewable energy solutions, ongoing vigilance and proactive measures are essential to safeguard these advancements against evolving cyber threats.