Cybersecurity researchers [4], including Bitdefender, recently identified security vulnerabilities in the Solarman and Deye photovoltaic system management platforms [4].

Description

These vulnerabilities, which have since been addressed, included issues such as hard-coded accounts [4], information leaks [1] [4], and unauthorized token generation [4]. Weak API endpoints on both platforms allowed unauthorized access to user settings and control of inverters [1]. For example, Solarman’s /oauth2-s/oauth/token API endpoint could generate authorization tokens for any account [1], exposing personally identifiable information and GPS coordinates of solar installations [1]. Deye Cloud used a hardcoded account with a default password to access devices [1], exposing sensitive information such as software versions and Wi-Fi credentials [1]. Exploiting these vulnerabilities could allow attackers to take control of accounts [4], access private information [4], and disrupt power generation [4], potentially causing blackouts [3] [4] [5].

Bitdefender researchers also found security flaws in Solarman’s API architecture [3], exposing entry points for multiple companies selling inverters and PV equipment [3]. The Solarman platform is linked to various equipment and brands [3], with some customers using the platform as a service [3]. Deye has customised its implementation of the Solarman infrastructure [3]. The Solarman platform has two types of accounts: regular reporting and business accounts for authorised installation companies [3].

The affected vendors have been notified and the vulnerabilities have been fixed [2].

Conclusion

Solar energy plays a significant role in the power grid [3] [5], with solar panels converting sunlight into clean power that can be used immediately or fed into the grid [5]. Solar setups are often decentralised [3] [5], presenting challenges and opportunities for grid management [3] [5]. The discovery of severe security vulnerabilities in the Solarman platform, used by millions of solar installations worldwide [5], highlights the potential risks to grid security. It is crucial for vendors and users to remain vigilant, implement necessary security measures, and stay informed about emerging threats to ensure the continued reliability and safety of solar energy systems.

References

[1] https://cyberdaily.co.uk/2024/08/12/photo-voltaic-energy-installations-worldwide-open-to-cloud-api-bugs/
[2] https://energycentral.com/c/pip/60-hurts-second-%E2%80%93-how-we-got-access-enough-solar-power-run-united-states
[3] https://itwire.com/business-it-news/security/60-hurts-per-second-%E2%80%93-how-we-got-access-to-enough-solar-power-to-run-the-united-states-202408090246.html
[4] https://thehackernews.com/2024/08/researchers-uncover-vulnerabilities-in.html
[5] https://itwire.com/guest-articles/guest-research/60-hurts-per-second-%E2%80%93-how-we-got-access-to-enough-solar-power-to-run-the-united-states.html