Balcony power plants: security gaps found in the Solarman management platform

The Solarman management platform, particularly for balcony power plants with Deye inverters, had glaring security gaps.

[Image: Two solar panels on a meadow (heise online / dmk)]

This article was originally published in German and has been automatically translated.

There were serious security gaps in the Solarman management platform, which Deye, among others, uses for logging, visualization and configuration of inverters, including those in balcony power plants. This was reported by the IT security company Bitdefender.

The Solarman platform receives data from the inverter loggers via API access and enables real-time monitoring of the installed systems. Administrators can also make inverter settings and view sensitive data. Solarman operates two versions of the portal, one for end customers and one for business customers or resellers, who can use it to manage multiple systems. In addition to Deye, other providers also rely on the portal, some with customized user interfaces. According to Bitdefender, Solarman manages more than ten million devices from two million systems, with a total output of 195 gigawatts from more than 190 countries. This corresponds to around 20 percent of the "solar energy available worldwide".

Tokens generated for the Deye platform could also be used on the Solarman platform, and hard-coded credentials were stored for access to device information. This allowed attackers to read device information and wireless network configurations, for example, the IT researchers explain. An API endpoint exposed stored information such as names and telephone numbers and could also be used to generate authorization tokens. Taken together, complete account takeovers were possible.
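The first flaw described above is a token-binding problem: a token issued for one platform was honoured by another. The page does not say what format the tokens had, so the following is an added illustration, not code from the article, from Bitdefender or from Solarman or Deye. It assumes a simple HMAC-signed token with JSON claims and, as a worst case, a signing key shared by both portals; the portal names, key and user are constructed for the demo. It contrasts a verifier that checks only the signature and expiry (and therefore accepts the other platform's tokens) with one that additionally binds the token to its issuer and intended audience.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Modelling a shared key is the worst case: it shows that
# a valid signature alone cannot tell the two portals apart, so the audience
# claim has to carry that distinction.
SHARED_KEY = b"constructed-demo-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, audience, subject, key=SHARED_KEY, ttl=3600, now=None):
    """Mint a token: base64url(JSON claims) '.' base64url(HMAC-SHA256 over the claims)."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "aud": audience, "sub": subject, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_signature_only(token, key=SHARED_KEY, now=None):
    """Weak verifier: accepts any validly signed, unexpired token from any platform.

    Returns the claims on success, None on any failure (malformed, bad signature, expired).
    """
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # compare_digest returns False (no exception) for unequal lengths.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims


def verify_for_platform(token, expected_issuer, expected_audience, key=SHARED_KEY, now=None):
    """Hardened verifier: signature and expiry as above, plus issuer and audience binding.

    A token minted for the Deye portal is rejected by the Solarman portal even
    though its signature is valid under the same key.
    """
    claims = verify_signature_only(token, key, now)
    if claims is None:
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    return claims


if __name__ == "__main__":
    # Constructed scenario: a token minted by the (hypothetical) Deye portal.
    deye_token = issue_token("deye-portal", "deye-portal", "demo-user")
    print("weak verifier on Solarman side:   ", verify_signature_only(deye_token) is not None)
    print("bound verifier on Solarman side:  ",
          verify_for_platform(deye_token, "solarman-portal", "solarman-portal") is not None)
    print("bound verifier on Deye side:      ",
          verify_for_platform(deye_token, "deye-portal", "deye-portal") is not None)
```

The point of the second verifier is that trust between cooperating platforms has to be explicit: each service names the issuers it accepts and only honours tokens whose audience is itself, so a credential obtained for one platform cannot be replayed against another even when the cryptographic material overlaps.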

Beyond account data, the configuration was apparently also accessible. The business version of the Solarman portal in particular allows numerous inverter parameters to be set, including safety limits for excessively high or low grid voltage, maximum feed-in power and similar values. It even used to be possible to enable stand-alone operation, but this is no longer possible, at least for customers in Germany. Attackers could have used this to cause real damage by grouping local systems and then targeting several at the same time, the IT security researchers explain. This could have affected grid stability.

The IT researchers from Bitdefender describe the details in a blog post. However, the analysts do not say whether attacks actually occurred. According to the report, the security-relevant errors in Solarman have been fixed since the beginning of July this year. The blog post also lists the names of other, smaller manufacturers that use Solarman under their own branding.

(dmk)