DIVD exposes vulnerabilities in solar panels and inverters

DIVD exposes vulnerabilities in solar panels and inverters

24 July 2022, by Lucinda Sterk

The inverters of nearly a million solar panels installations world wide have been highly vulnerable to cyber attacks due to poorly secured back-end systems in China. At least 42,000 of these systems are based in the Netherlands. Researchers of the Dutch Institute for Vulnerability Disclosure were able to access the management account of the Chinese company Solarman via the “Super Admin” account credentials previously leaked on GitHub. Solarman is a Chinese company which manages inverters for solar panels, data loggers and batteries.

Solarman is a supplier of equipment and has a platform that monitors energy generated and delivered back to the grid for consumer owned solar panels. DIVD researchers were able to view lists of thousands of names and addresses via the super admin account. In theory, they could create or delete customer accounts and view all data including the amount of power generated, whether the panels were connected to the internet, and whether there were any faults in the system.

A cybercriminal with access to this administrator account could, in theory, download firmware, modify it and the upload this new firmware to these inverters. With this the inverters could potentially be turned it into a botnet with potentially disastrous consequences for the power grid. Switching large numbers of inverters off and on again quickly at would seriously disrupt an electricity grid.

DIVD has contacted Solarman in various ways to report these findings and to report the company that their systems are vulnerable, but there has been no response. Ultimately, the Chinese CERT, CN-CERT and Dutch NCSC played a positive crucial role in informing Solarman who then took prompt action. The login details have subsequently been changed. This research started in April 2021 and the situation was resolved on the 2nd of July 2022. It and was presented on the 24th of July 2022 during the hacker camp “MCH2022” in the Dutch town of Zeewolde. More information can be found in the DIVD case file.

Last modified: 27 Sep 2022 13:32