The Dutch hacker Jelle Ursem discovered the password in April 2021. At that time, the login details had been publicly available online for more than a year and a half. Anyone who knew where to find them could access the administrator panel of the Chinese brand SolarMAN.
Inverters are needed to convert generated electricity into usable electricity. Without these devices, solar panels are useless.
‘Very unprofessional’
“A password that was accessible to everyone. We’re not that stupid, are we?” says Aiko Pras, professor of internet security at the University of Twente. “So it happens anyway. The mistakes are even dumber than you can imagine.”
Hacker Ursem notified the Chinese company last year, after which the password would be changed quickly. But when the ethical hacker tries to log in again with the old password in February this year, he just comes back in. Professor Pras judges that it is very unprofessional that the Chinese company treats its security in this way.
–
–
In the online environment of SolarMAN you can see exactly where the inverters are located. In the Netherlands there are more than 40,000 places. Worldwide, this involves more than a million locations, mainly in China and Australia.
Sabotaging solar panels
It was also possible to download, modify and upload the technical controls of the devices to the inverters, says Frank Breedijk of the Dutch Institute of Vulnerability Disclosure (DIVD) to RTL Nieuws.
“If you can adjust the software of the devices, you can do nasty things,” says Georgios Smaragdakis, professor of cybersecurity at TU Delft. This way you could turn off the devices remotely. As a result, you can no longer use generated solar energy for your own home or feed it back into the power grid. Expensive solar panels are therefore useless.
–
–
The DIVD
The Dutch Institute for Vulnerability Disclosure (DIVD) is an organization of hackers and security researchers who want to make the internet safer. They do this by informing companies and organizations about vulnerabilities present.
In this case, the DIVD collaborated with the National Cyber Security Center (NCSC) of the Dutch government. He contacted the Chinese authorities in February and April to reach the company behind SolarMAN.
On July 2, the password was changed again and the page where it was online was removed. SolarMAN says in a response to RTL Nieuws that it was only aware of the matter at the beginning of July.
–
–
If a malicious person controls enough inverters, it would also be possible to strain the power grid. “With tens of thousands of devices, probably spread all over the Netherlands, it was difficult to really damage the power grid in this case,” says Smaragdakis. “You’ll need hundreds of thousands for that.”
–
–
That doesn’t mean there wasn’t a danger. “A hacker can adjust the security settings around the voltage in such a way that the thing catches fire,” says Pras of the University of Twente.
–
–
The Telecom Agency confirms the vulnerabilities mentioned. If devices are not properly secured, people can lose income from solar energy, among other things. The regulator also points out a fire hazard and, in the worst case, blackouts on the power grid.
–
–
“If the inverter is connected to your own WiFi network, a hacker can also shut down your internet,” says the internet security professor.
“If you can completely reprogram an inverter, you can also break it or exclude the supplier,” says Breedijk of the DIVD, who presented the case today on a stage at a hackers festival in Zeewolde. “Actually, you can make the device dance to your liking.”
Bigger problem
It is not the first time that equipment around solar panels has turned out to be vulnerable. In 2017, hacker Willem Westerhof showed at the same hacker festival that he could hack a German manufacturer of inverters.
–
–
“I then consciously went looking for a company that, in my opinion, would be the best secured,” the hacker recalls. “I wanted to show that the situation with the rest would probably be much worse.”
It won’t be the last time, experts predict. “It’s naive to think that this is the only manufacturer that handles security unprofessionally,” says Pras.
‘More and more dangerous’
“There is a good chance that we will see this more often,” says Smaragdakis of TU Delft. “Next time it might be a hack of hundreds of thousands of devices.”
Smaragdakis: “Unfortunately, more and more devices are connected to the internet. That’s where the problems start. Anyone from all over the world can connect to it.”
“That’s the problem,” says Westerhof. “This shows that someone who can do a little Googling can suddenly get into our devices. That could be anyone who wants to cause damage. This is getting more and more dangerous.”
–
–
Response SolarMAN
SolarMAN says in a response that the password only gave access to a test environment. Nevertheless, data from real customers could be seen there, such as the municipality of Vlissingen. He says that he has disconnected the inverters from the internet.
The Chinese company confirms that it was indeed possible to modify the software of the inverters, but indicates that there were additional safeguards to take control.
As far as is known, the incident did not cause any real damage and the leak has now been closed. SolarMAN indicates that it is working with the DIVD to make their products safe.
–
–