Researchers specializing in cybersecurity have recently uncovered a total of 46 security vulnerabilities in products from three prominent solar inverter manufacturers: Sungrow, Growatt, and SMA. These vulnerabilities have the potential to be exploited by malicious actors to gain control of devices or execute code remotely, thereby posing significant risks to electrical grids.
The discovered vulnerabilities have been collectively referred to as SUN:DOWN by Forescout Vedere Labs, a leading cybersecurity research organization.
According to Forescout, “The newly discovered vulnerabilities can be leveraged to execute arbitrary commands on devices or the vendor’s cloud, compromise accounts, establish a foothold in the vendor’s infrastructure, or assume control of inverter owners’ devices.” This information was shared with The Hacker News through a comprehensive report.
Some of the key vulnerabilities identified in the report include:
- Attackers can upload .aspx files to SMA’s web server (sunnyportal[.]com), potentially leading to remote code execution.
- Unauthenticated attackers can perform username enumeration via the exposed “server.growatt.com/userCenter.do” endpoint.
- Unauthenticated attackers can obtain a list of plants and devices belonging to other users via the “server-api.growatt.com/newTwoEicAPI.do” endpoint, resulting in device takeover.
- Unauthenticated attackers can obtain the serial number of a smart meter using a valid username via the “server-api.growatt.com/newPlantAPI.do” endpoint, leading to account takeover.
- Unauthenticated attackers can access information about EV chargers, energy consumption, and other sensitive data via the “evcharge.growatt.com/ocpp” endpoint, and remotely configure EV chargers, potentially causing information disclosure and physical damage.
- The Android application associated with Sungrow uses an insecure AES key for client data encryption, making it vulnerable to interception and decryption by attackers.
- The Android application associated with Sungrow ignores certificate errors, making it susceptible to adversary-in-the-middle (AitM) attacks.
- Sungrow’s WiNet WebUI contains a hardcoded password that can be used to decrypt all firmware updates.
- Sungrow’s handling of MQTT messages is vulnerable to remote code execution or denial-of-service (DoS) conditions.
According to Forescout, an attacker who gains control of a large fleet of Sungrow, Growatt, and SMA inverters using these vulnerabilities could potentially disrupt power grids and cause significant instability.
In a hypothetical attack scenario targeting Growatt inverters, an attacker could guess account usernames through an exposed API, hijack accounts by resetting passwords to the default “123456,” and perform further exploitation.
The hijacked fleet of inverters could then be controlled as a botnet to amplify the attack, leading to grid disruption and potential blackouts. Following responsible disclosure, all vendors have addressed the identified issues.
As noted by Forescout, an attacker controlling a large number of devices can alter their settings to send more or less energy to the grid, potentially exposing it to cyber-physical ransomware attacks.
Daniel dos Santos, Head of Research at Forescout Vedere Labs, recommends enforcing strict security requirements when procuring solar equipment, conducting regular risk assessments, and ensuring full network visibility into these devices to mitigate the risks.
Recently, serious security flaws were discovered in production line monitoring cameras made by Japanese company Inaba Denki Sangyo, which could be exploited for remote surveillance and preventing the recording of production stoppages.
Although the vulnerabilities remain unpatched, the vendor has advised customers to restrict internet access and ensure the devices are installed in a secure area accessible only to authorized personnel.
According to Nozomi Networks, “These flaws enable various attacks, allowing an unauthenticated attacker to remotely and secretly access live footage for surveillance or disrupt the recording of production line stoppages, preventing the capture of critical moments.”
In recent months, Nozomi Networks has also disclosed multiple security defects in the GE Vernova N60 Network Relay, Zettler 130.8005 industrial gateway, and Wago 750-8216/025-001 programmable logic controller (PLC) that could be exploited by an attacker to gain full control of the devices.
