New security vulnerabilities detected in photovoltaic systems

IT security researchers have looked at PV systems and uncovered 46 vulnerabilities. They can put power grids at risk.

Man dances in front of solar panel with inverter attacked by malware

(Image: Created with AI in Bing Creator by heise online / dmk)


IT researchers from the IT security company Forescout have looked at photovoltaic systems and discovered a total of 46 new security vulnerabilities. These could endanger power grids, the IT researchers say.

Forescout is taking the same line as the BSI, which expressed concerns about the security of inverter manufacturers' clouds at the beginning of the year. However, the German IT security authority sees the danger that "the central government in Beijing could exert direct influence on a system-relevant part of the German power supply" via the internet-enabled components of solar power systems. The Forescout researchers see the threat more as coming from malicious actors online, who could control the electricity feed-in via the newly found vulnerabilities and thus influence the stability of the power grid.

The IT researchers summarize their findings in a blog post. They first collected and evaluated older vulnerabilities that had already been reported. They identified 93 vulnerabilities, 80 percent of which were classified as "critical" or "high" risk. They found the most vulnerabilities in solar monitoring systems (38 percent) and the cloud backends behind them (25 percent). Inverters themselves, on the other hand, accounted for fewer vulnerabilities (15 percent).

The IT researchers selected the top six of the ten largest inverter providers for their analyses: Ginlong Solis, GoodWe, Growatt, Huawei, SMA and Sungrow. Of these, they examined devices for different purposes – for home use, for solar parks and for industry. They discovered new security vulnerabilities at Growatt, SMA and Sungrow.

The newly discovered vulnerabilities enable scenarios that have an impact on the stability of the power grid and privacy. Some vulnerabilities allow other smart devices in home networks to be taken over. However, the good news is that manufacturers have now patched the security gaps.


One of the attack scenarios is quite simple: malicious actors obtain account usernames, take over the account via the password reset function and use this access to manipulate inverter settings – for example, to change the limit on the power fed into the grid. If several devices are taken over, for example with a botnet, a coordinated shutdown of the devices at a specific time is also conceivable. While an individual inverter has little effect, such an attack on many devices at the same time is a more relevant threat – depending on how quickly emergency generation can step in.

Regarding the European power grid, previous research has shown that controlling 4.5 gigawatts of generated solar power would be enough to lower the grid frequency to 49 hertz, which would require load shedding. In Europe, 270 gigawatts of solar power generation are installed, so control of 2 percent of the inverters would be sufficient to provoke such a situation.

In the more comprehensive report, the Forescout researchers go into more detail about the vulnerabilities found. For example, they found several "Insecure Direct Object References" (IDOR) in the APIs that allowed unauthorized access to resources on the providers' cloud platforms. They also found general authorization defects. The web apps had some cross-site scripting vulnerabilities, and some cloud web apps allowed unrestricted file uploads, which could be abused to inject and execute malicious code.

One mobile app contained hardcoded credentials and also relied on inadequate certificate verification. A WLAN dongle apparently made it possible to exploit a buffer overflow. In addition, some devices used unauthenticated over-the-air (OTA) firmware updates, which attackers could abuse to inject and execute malicious code and take over affected devices completely.

In the limited time in which they carried out the tests, the IT researchers did not find any vulnerabilities in devices from Ginlong Solis, GoodWe or Huawei. However, this does not mean that these devices are more secure than others, only that the IT researchers did not have test access or decided against spending more time on further analysis. In Growatt devices, the analysts found gaps that allowed accounts and devices to be taken over – and a data leak. At the European provider SMA, it was possible to execute malicious code from the network in the cloud platform. At Sungrow, the takeover of devices and a data leak were also possible. Not all vulnerabilities have yet received a CVE entry, but the report lists all findings. Interested parties can also find more in-depth technical analyses there.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.