Photovoltaic Platform Flaws Threatened Global Solar Grid

Summary:
Researchers have discovered critical flaws in software that manages 20% of the world's solar electricity, posing significant risks of grid overloads and blackouts. Although solar power currently represents a minor share of U.S. electricity generation, it is projected to grow exponentially and potentially make up half of domestic electricity generation by 2050. Bitdefender researchers identified these vulnerabilities in two major solar management platforms: Solarman and Deye. The flaws included hard-coded credentials and insecure application programming interfaces (APIs), which allowed attackers to generate authorization tokens for any account, leading to full account takeovers and unauthorized control.


The cybersecurity firm contacted Solarman and Deye, both of which assured it that the issues were fixed before the findings went public. These platforms together coordinate millions of solar installations worldwide, contributing approximately 195 gigawatts of solar power, about 20% of the world's total solar output. Specific flaws in the Solarman platform included the ability for attackers to generate authorization tokens for any account, allowing them to gain control over accounts and modify inverter parameters. Additionally, JWT tokens issued by the Deye Cloud platform were valid on the Solarman platform, granting unauthorized access across both platforms. The platform's API endpoints also returned excessive information about organizations, including private details such as email addresses and phone numbers.


Security Officer Comments:
In the Deye platform, specific flaws included the use of a hard-coded account with the password "123456" to access device data, exposing sensitive information. The platform's API endpoints returned excessive private information about users, making it easier for attackers to exploit this data. Similar to the Solarman platform, the Deye platform's API allowed the generation of JWT tokens. Deye's solar grid inverter platform converts direct current electricity generated by solar panels into alternating current electricity and ensures grid synchronization, maintaining the phase and frequency of the AC output to match the grid's standards. Unauthorized control over solar inverters could result in power generation disruptions, voltage fluctuations, and even widespread blackouts, severely affecting grid stability and user privacy.


Suggested Corrections:
Integrating solar power into the grid offers immense benefits, but it also introduces attack surfaces that equipment makers must take into account. The security flaws found in the Deye and Solarman platforms highlight the need for robust cybersecurity in managing solar energy systems, as well as in general IoT setups.


Link(s):
https://www.databreachtoday.com/photovoltaic-platform-flaws-threatened-global-solar-grid-a-25963


https://www.bitdefender.com/blog/la...-enough-solar-power-to-run-the-united-states/