August 12, 2024Ravie LakshmananCritical Infrastructure / Vulnerability

Cybersecurity researchers have identified a number of security flaws in photovoltaic system management platforms from Chinese companies Solarman and Deye that could allow malicious actors to cause disruptions and power outages.

“If exploited, these vulnerabilities could allow an attacker to modify inverter settings, potentially taking out parts of the power grid and causing blackouts,” Bitdefender researchers said in an analysis published last week.

The vulnerabilities were addressed by Solarman and Deye in July 2024, following a responsible disclosure on May 22, 2024.

The Romanian cybersecurity vendor, which analyzed the two PV monitoring and management platforms, indicated that they face a number of issues that could lead to account takeovers and information disclosure, among other things.

Below is a brief description of the issues:

• Full account takeover via manipulation of authorization tokens using the API endpoint /oauth2-s/oauth/token
• Reuse of Deye Cloud Token
• Information leak via /group-s/acc/orgs API endpoint

• Hard-coded account with unlimited device access (account: “[email protected]” / password: 123456)
• Information leak via /user-s/acc/orgs API endpoint
• Possible generation of unauthorized authorization tokens

If the above vulnerabilities are successfully exploited, attackers could gain control over any Solarman account, reuse Deye Cloud JSON Web Tokens (JWTs) to gain unauthorized access to Solarman accounts, and collect private information about all registered organizations.

They were also able to obtain information about any Deye device, access confidential registered user data, and even generate authentication tokens for any user on the platform, seriously compromising its confidentiality and integrity.

“Attackers can take over accounts and gain control of solar inverters, disrupting power generation and causing voltage fluctuations,” the researchers said.

“Sensitive information about users and organizations can be leaked, leading to privacy breaches, information harvesting, targeted phishing attacks, or other malicious activities. By gaining access to and changing settings on solar inverters, attackers can cause widespread disruptions to power distribution, affecting grid stability and potentially leading to blackouts.”