Com TW NOw News 2024

Solar installations worldwide exposed to cloud API bugs

A recent analysis of two widely used technologies in residential and commercial solar installations found multiple vulnerabilities in their cloud APIs that, if exploited, could potentially allow attackers to take down parts of the connected electrical grid.

Bitdefender researchers discovered the issues on Solarman, one of the world’s largest platforms for managing solar energy systems, and on Deye Cloud, a system for managing inverters from China’s Ningbo Deye Inverter Technology. Both have since addressed the issues reported to them by Bitdefender.

An inverter is a device that converts the direct current (DC) electricity produced by solar panels into alternating current (AC) electricity, the standard form used in homes and on the electrical grid. Inverters can also monitor and report on the performance of the solar system.

“In grid-tied solar systems, the inverter synchronizes the phase and frequency of the AC output with the grid,” Bitdefender said in a report. The goal is to ensure that solar-generated energy is compatible with the grid and can be safely exported, because phase and voltage differences can crash the grid. “Energy providers and governments view any deliberate attempt to circumvent these grid security measures as a threat to national security,” Bitdefender said.

Solarman’s platform enables residential and commercial users of Deye and other inverter brands to remotely monitor their devices in real time. Several other photovoltaic (PV) equipment vendors also use Solarman’s platform to connect users to their respective products via the cloud. Among other things, Solarman offers a data logger that collects statistics such as the total power of a solar array, as well as voltage and current.

“This management feature improves system performance, increases reliability and supports informed decision-making,” Bitdefender said. Approximately 2.5 million photovoltaic installations from more than 190 countries are currently connected to the Solarman platform. Together they produce more than 195 gigawatts of power, or about 20% of total solar electricity production worldwide.

Broken Cloud APIs

“The problem we discovered lies in the cloud APIs that connect the hardware to the user,” both on the Solarman platform and on Deye Cloud, said Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender. “These APIs have vulnerable endpoints that could allow an unauthorized third party to change settings or otherwise control the inverters and data loggers via the vulnerable Solarman and Deye platforms,” he said.

For example, Bitdefender found that the Solarman platform’s /oauth2-s/oauth/token API endpoint would allow an attacker to generate authorization tokens for any regular or corporate account on the platform. “This means that a malicious user could iterate through all accounts, take over any one of them, and modify inverter parameters or change how the inverter communicates with the grid,” Bitdefender said in its report. The security vendor also found that Solarman’s API endpoints exposed an excessive amount of information, including personally identifiable information, about organizations and individuals on the platform. This data exposure would have allowed attackers to obtain the GPS coordinates of solar installations and their real-time production capacity, Bitdefender said.
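The weakness described above, a token endpoint that issues a token for whichever account the caller names, is a broken-authentication pattern. The following is an added illustration written for this article, not Bitdefender’s, Solarman’s or Deye’s code: a minimal HMAC-signed token issuer with a vulnerable handler that trusts a client-supplied account field beside a hardened handler that only mints tokens for the principal whose credential it actually verified. The user store, passwords, signing key and the `account`, `username` and `password` request fields are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key; a real deployment would load this from a secret store.
SIGNING_KEY = b"constructed-example-signing-key"

# Constructed user store: username -> SHA-256 of password (a slow, salted
# password hash would be used in practice; kept simple for illustration).
_USERS = {
    "alice": hashlib.sha256(b"alice-pass").hexdigest(),
    "bob": hashlib.sha256(b"bob-pass").hexdigest(),
}
# Compared against when the username is unknown, so lookups take similar time.
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def _mint(subject, ttl=3600):
    """Issue a compact signed token binding the subject and an expiry."""
    claims = {"sub": subject, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def vulnerable_token_endpoint(request):
    """Vulnerable pattern: the endpoint never checks a credential and mints a
    token for whatever 'account' the caller names, so any caller can obtain
    a valid token for any account on the platform."""
    return {"status": 200, "access_token": _mint(request["account"])}


def hardened_token_endpoint(request):
    """Hardened pattern: verify the caller's own credential and bind the token
    to that verified principal. A client-supplied 'account' field is ignored."""
    user = request.get("username", "")
    supplied = hashlib.sha256(request.get("password", "").encode()).hexdigest()
    stored = _USERS.get(user, _DUMMY_HASH)
    # Constant-time comparison; the membership check keeps unknown users out
    # even if someone registers the dummy hash's preimage as a password.
    ok = hmac.compare_digest(stored, supplied) and user in _USERS
    if not ok:
        return {"status": 401, "error": "invalid_credentials"}
    return {"status": 200, "access_token": _mint(user)}


def verify_token(token):
    """Return the token's subject if the signature is valid and it has not
    expired, otherwise None. Used by resource endpoints to identify callers."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")


if __name__ == "__main__":
    # Anyone can get a token for "bob" from the vulnerable handler.
    print(verify_token(vulnerable_token_endpoint({"account": "bob"})["access_token"]))
    # The hardened handler only ever binds the token to the verified caller.
    resp = hardened_token_endpoint({"username": "alice", "password": "alice-pass", "account": "bob"})
    print(verify_token(resp["access_token"]))
```

The detection-side takeaway is the same as the fix: a token endpoint should log which credential was verified and which subject was issued, and any issued subject that differs from the verified one is an anomaly worth alerting on.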

“A worst case scenario would be that too much power is forced into the grid to destabilize the normal operating parameters of the grid,” Botezatu notes. “This in turn could lead to possible service disruptions or partial loss of power on the affected grid segments.”

Since the solar energy production facilities connected to the Solarman cloud are spread across the world, isolating the misbehaving devices would not have been a viable solution, he says.

Multiple attack options

Meanwhile, until at least early this year, China-based Ningbo Deye Inverter Technology Co. used Solarman’s platform to connect customers to its inverter products. But recently it appears to have started using its own data center and platform to manage its customers, according to Bitdefender. The security vendor’s analysis of Deye’s platform showed that it was using a hardcoded account with a default password (123456) to access devices. “This account can obtain an authorization token that grants access to any device, exposing sensitive information such as software versions, Wi-Fi credentials, and more,” Bitdefender said. As on the Solarman platform, API endpoints on Deye Cloud were also returning excessive private information. Bitdefender’s analysis showed that the platform’s OAuth token API endpoint was generating a valid, signed, but defective token.
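Two of the weaknesses described above, endpoints that return far more of a device record than the caller needs (Wi-Fi credentials, owner details, location) and a service account protected by a default password, are both mitigated on the server side. The following is an added illustration for this article, not Deye’s, Solarman’s or Bitdefender’s code: a device-info endpoint in its vulnerable form beside one that enforces object-level authorization and a field allowlist, plus a startup check that refuses a service-account password from a deny list. The device record, owner names, Wi-Fi values and the `caller` argument (assumed to come from an already-verified token, not from the request body) are constructed for the example.

```python
# Constructed device record keyed by data-logger serial number.
_DEVICES = {
    "SN-0001": {
        "serial": "SN-0001",
        "owner": "alice",
        "owner_email": "alice@example.invalid",
        "gps": (45.0, 25.0),
        "wifi_ssid": "home-net",
        "wifi_password": "constructed-wifi-secret",
        "firmware": "1.2.3",
        "power_w": 3400,
    },
}

# Fields the device owner legitimately needs from a status endpoint. Wi-Fi
# credentials and contact details never need to leave the server this way.
_OWNER_VISIBLE = {"serial", "firmware", "power_w", "gps"}


def vulnerable_device_info(serial):
    """Vulnerable pattern: no check on who is asking, and the whole stored
    record (including Wi-Fi password, e-mail and coordinates) is returned."""
    return _DEVICES.get(serial)


def hardened_device_info(serial, caller):
    """Hardened pattern: 'caller' is the subject of a verified token. Only the
    device's owner gets a response, and only the allowlisted fields. Unknown
    and foreign serials look identical, so the endpoint cannot be used to
    enumerate which serials exist."""
    rec = _DEVICES.get(serial)
    if rec is None or rec["owner"] != caller:
        return None
    return {k: v for k, v in rec.items() if k in _OWNER_VISIBLE}


# Constructed deny list of passwords that must never protect a service account.
# "123456" is the default the article reports; the others are common defaults.
_FORBIDDEN_PASSWORDS = {"123456", "password", "admin", ""}


def service_credential_acceptable(password, min_len=16):
    """Startup/configuration check for a backend service account: reject
    known defaults and anything shorter than min_len characters."""
    return password not in _FORBIDDEN_PASSWORDS and len(password) >= min_len


if __name__ == "__main__":
    print(vulnerable_device_info("SN-0001"))          # leaks everything
    print(hardened_device_info("SN-0001", "alice"))   # owner, minimal fields
    print(hardened_device_info("SN-0001", "bob"))     # None
    print(service_credential_acceptable("123456"))    # False
```

The allowlist approach (decide what each role may see, then filter) is the reliable way to avoid excessive data exposure, because new fields added to the stored record stay hidden by default instead of leaking until someone notices.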

“The result of a successful attack (via such vulnerabilities) would be the collection of large amounts of personally identifiable information or tampering with the inverter settings,” says Botezatu. “In addition to misconfiguring grid injection parameters, an attacker could instruct some inverter arrays to draw power from the grid to charge batteries during peak demand times, which would also have financial implications.”