Cybersecurity researchers have identified several security flaws in photovoltaic system management platforms run by Chinese firms Solarman and Deye. These vulnerabilities might allow hackers to initiate disruptions, including power outages.
Bitdefender researchers said, “If exploited, these vulnerabilities could allow an attacker to control inverters that could take parts of the grid down, potentially causing blackouts.”
As of July 2024, both Solarman and Deye have taken steps to resolve these weaknesses after a responsible disclosure on May 22, 2024. Bitdefender, a Romanian cybersecurity company that examined the two PV monitoring and management platforms, noted a range of issues that could lead to account takeovers and information disclosure.
Here’s a brief overview of the identified issues:
- Full Account Takeover via Authorization Token Manipulation Using the /oauth2-s/oauth/token API endpoint
- Deye Cloud Token Reuse
- Information Leak through /group-s/acc/orgs API Endpoint
- Hard-coded Account with Unrestricted Device Access (account: “SmartConfigurator@solarmanpv.com” / password: 123456)
- Information Leak through /user-s/acc/orgs API Endpoint
- Potential Unauthorized Authorization Token Generation
If these vulnerabilities are successfully exploited, attackers could take control over any Solarman account. They could also reuse JSON Web Tokens (JWTs) from Deye Cloud for unauthorized access to Solarman accounts and collect private data about registered organizations.
Moreover, hackers would be able to access information concerning any Deye device, retrieve confidential user data, and generate authentication tokens for any user on the platform. This would severely undermine the confidentiality and integrity of the system.
Researchers stated, “Attackers can take over accounts & control solar inverters, disrupting power generation and potentially causing voltage fluctuations.” They warned that “Sensitive information about users & organizations can be leaked, leading to privacy violations, information harvesting, targeted phishing attacks or other malicious activities.” By altering settings on solar inverters, attackers have the potential to cause significant disruptions in power distribution. This impacts grid stability and could lead to power blackouts.